mzpefinder_pcap_file.YR, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 855ff7095b49e99e27b8ff3145da74d5
SHA1: ae759bb60b39c72f48381c6b23b145dfec996ce6
SHA256: 0a8be0b24df9c0640e3e816e960c4528433f29e2b605be4997e954c63c366a1f
SSDeep: 196608:MUNaSTLvDBn dH1Bj8dTivH0Mk2mWut sT7L7laObT3JA6R hPuu:lwS3vDY7B025b67EObDW6R luu
Size: 8728176 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Free Software Group
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7Ada SP1 64-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
FreeMediaPlayer.exe:720
tsassist.exe:3364
tsassist.exe:2836
_silent_full_bundleZenSearch_prod.exe:3052
SetupFileTypes.exe:3008
tsasetup.exe:1992
tsasetup.exe:3208
tsasetup.tmp:3180
tsasetup.tmp:1380
netsh.exe:1256
prepare.exe:1480
makecab.exe:3856
singleZenSearchUpdater.exe:3040
install.exe:3552
TPAutoConnSvc.exe:1844
%original file name%.exe:1660
855ff7095b49e99e27b8ff3145da74d5.tmp:2224
TrustedInstaller.exe:3828
Cloud_Backup_Setup.exe:2672
singleZenSearch.exe:928
zensearchsetup.exe:720
vcredist_x64.exe:3528
MyPC Backup.exe:3888
updater.exe:1952
BackupSetup.exe:3224
helper.exe:3476
zensearchsetup.tmp:2652
taskeng.exe:2836
The Worm injects its code into the following process(es):
ftacfg.exe:1752
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process FreeMediaPlayer.exe:720 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\FreeAllInOneMediaPlayer\SetupFileTypes.exe (274 bytes)
The process tsassist.exe:3364 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\FileTypeAssistant\log.txt (564 bytes)
%Program Files% (x86)\File Type Assistant\tsassist.pci (63 bytes)
The process tsassist.exe:2836 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\FileTypeAssistant\log.txt (1655 bytes)
%Program Files% (x86)\File Type Assistant\tsassist.pci (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\FileTypeAssistant\prefs.dat (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\FileTypeAssistant\req.dat (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\FileTypeAssistant\rsp.dat (65 bytes)
%Program Files% (x86)\File Type Assistant\itdownload.dll (208 bytes)
The process _silent_full_bundleZenSearch_prod.exe:3052 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\singleZenSearchUpdater.exe (36747 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\singleZenSearch.exe (63999 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\resources.zip (966 bytes)
The process tsasetup.exe:1992 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-JUP7C.tmp\tsasetup.tmp (1416 bytes)
The process tsasetup.exe:3208 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\Temp\is-OJD5P.tmp\tsasetup.tmp (1416 bytes)
The process tsasetup.tmp:3180 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\File Type Assistant\unins000.msg (771 bytes)
%Program Files% (x86)\File Type Assistant\unins000.ref (34 bytes)
C:\Windows\Temp\is-6TP9C.tmp\_isetup\_RegDLL.tmp (4 bytes)
C:\Windows\Temp\is-6TP9C.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\File Type Assistant\is-P1HEA.tmp (4549 bytes)
C:\Windows\Temp\is-6TP9C.tmp\itdownload.dll (1489 bytes)
%Program Files% (x86)\File Type Assistant\unins000.dat (12497 bytes)
C:\Windows\Temp\is-6TP9C.tmp\_isetup\_setup64.tmp (6 bytes)
The process tsasetup.tmp:1380 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\File Type Assistant\is-KHAIO.tmp (9098 bytes)
%Program Files% (x86)\File Type Assistant\is-V741D.tmp (8281 bytes)
%Program Files% (x86)\File Type Assistant\tsassist.exe (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QP494.tmp\itdownload.dll (1489 bytes)
%Program Files% (x86)\File Type Assistant\is-7J4AT.tmp (1281 bytes)
%Program Files% (x86)\File Type Assistant\unins000.dat (11020 bytes)
%Program Files% (x86)\File Type Assistant\tsassist.id (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QP494.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\File Type Assistant\is-9QDMO.tmp (4549 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QP494.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Program Files% (x86)\File Type Assistant\is-R5A85.tmp (18934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QP494.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\File Type Assistant\unins000.msg (771 bytes)
%Program Files% (x86)\File Type Assistant\ftacfg.exe (49 bytes)
The process makecab.exe:3856 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\Logs\CBS\CbsPersist_20141212153428.cab (11744 bytes)
C:\Windows\Temp\cab_3856_4 (564989 bytes)
C:\Windows\Temp\cab_3856_5 (76 bytes)
C:\Windows\Temp\cab_3856_6 (8 bytes)
C:\Windows\Temp\cab_3856_2 (564989 bytes)
C:\Windows\Temp\cab_3856_3 (76 bytes)
The process singleZenSearchUpdater.exe:3040 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\report[1].htm (2 bytes)
%Program Files% (x86)\ZenSearch Updater\updater.exe (28535 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\ZenSearch Updater.bat (215 bytes)
%Program Files% (x86)\ZenSearch Updater\uninstall.exe (8281 bytes)
%Program Files% (x86)\ZenSearch Updater\resources.zip (2472 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USU4CORO\report[1].htm (2 bytes)
The process install.exe:3552 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\29b8fe1277d49fe83693\install.res.1033.dll (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistMSI1267.txt (205235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VWL930C.tmp (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistUI1267.txt (132562 bytes)
The process %original file name%.exe:1660 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-FJGAI.tmp\855ff7095b49e99e27b8ff3145da74d5.tmp (1429 bytes)
The process 855ff7095b49e99e27b8ff3145da74d5.tmp:2224 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-I0L4E.tmp (783 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Free All-In-One Media Player.lnk (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-E95GE.tmp (55 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-9JB09.tmp (22284 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.exe (716 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\tsasetup.exe (9147 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-OTDJ8.tmp (10 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-VLNPC.tmp (7385 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-D425V.tmp (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-0BOH6.tmp (14 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-VQSHR.tmp (2321 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-BFFP6.tmp (601 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-U6OIC.tmp (601 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-N04MB.tmp (6841 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-173KK.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\zen.txt (18 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-JJ202.tmp (25 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-9PGPG.tmp (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-C166H.tmp (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free All-In-One Media Player\Free All-In-One Media Player.lnk (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.msg (363 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-3PRFD.tmp (1281 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-H7OJQ.tmp (26 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\FreeMediaPlayer.exe (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Free All-In-One Media Player.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free All-In-One Media Player\Uninstall.lnk (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-6DUV3.tmp (1425 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-LKF4U.tmp (54589 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\Cloud_Backup_Setup.exe (678 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.dat (9740 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-DDS08.tmp (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RA8DH.tmp\zensearchsetup.exe (20650 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Free All-In-One Media Player.lnk (1 bytes)
%Program Files% (x86)\FreeAllInOneMediaPlayer\is-78P5N.tmp (24 bytes)
The process TrustedInstaller.exe:3828 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
The process Cloud_Backup_Setup.exe:2672 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse281.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BackupSetup.exe (25515 bytes)
The process singleZenSearch.exe:928 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\ZenSearch\ZenSearch\settings\settings.js (502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\btn-search2.png (918 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (18978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\input-430.png (480 bytes)
%Program Files% (x86)\ZenSearch\resources.zip (203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\main.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\html\newTab.html (9 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\icons\readme.txt (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\_prsys\testPrsys.js (2 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\sprs.png (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\jquery-1.9.1.min.js (601 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\main.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\html\background.html (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\jquery.min.map (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\browser_util.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\log.js (696 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\html\newTab.html (9 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons (4 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\jquery-1.9.1.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\css\readme.txt (37 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\css\readme.txt (37 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\_prsys\product.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\sprs.png (56 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\_prsys\testPrsys.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\manifest.json (709 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\_prsys\activity.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\settings\settings.js (502 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\log.js (696 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js (4 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\jquery.min.map (2392 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\browser_util.js (1 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\input-430.png (480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WDUL1PG1\report[1].htm (2 bytes)
%Program Files% (x86)\ZenSearch\uninstall000.exe (14988 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\html\background.html (509 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch (4 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\manifest.json (709 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\zensearch.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\_prsys\product.js (1 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\zensearch.png (1 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\_prsys\activity.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\icons\readme.txt (33 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\btn-search2.png (918 bytes)
The process zensearchsetup.exe:720 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-ME10U.tmp\zensearchsetup.tmp (1408 bytes)
The process vcredist_x64.exe:3528 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\29b8fe1277d49fe83693\install.res.1036.dll (1355 bytes)
C:\29b8fe1277d49fe83693\eula.1033.txt (10 bytes)
C:\29b8fe1277d49fe83693 (8 bytes)
C:\29b8fe1277d49fe83693\install.res.1040.dll (2110 bytes)
C:\29b8fe1277d49fe83693\install.res.3082.dll (989 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFC.cat (658 bytes)
C:\29b8fe1277d49fe83693\eula.1031.txt (229 bytes)
C:\29b8fe1277d49fe83693\eula.1040.txt (657 bytes)
C:\29b8fe1277d49fe83693\install.res.2052.dll (1632 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugMFC.cat (9 bytes)
C:\29b8fe1277d49fe83693\eula.1042.txt (650 bytes)
C:\29b8fe1277d49fe83693\eula.1028.txt (3 bytes)
C:\29b8fe1277d49fe83693\install.res.1041.dll (1126 bytes)
C:\29b8fe1277d49fe83693\eula.1041.txt (5 bytes)
C:\29b8fe1277d49fe83693\install.res.1033.dll (1452 bytes)
C:\29b8fe1277d49fe83693\eula.1049.txt (13 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\29b8fe1277d49fe83693\eula.3082.txt (12 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.OpenMP.cat (297 bytes)
C:\29b8fe1277d49fe83693\globdata.ini (1 bytes)
C:\29b8fe1277d49fe83693\install.exe (13918 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugMFC.cat (236 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFC.cat (9 bytes)
C:\29b8fe1277d49fe83693\$shtdwn$.req (788 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.ATL.cat (155 bytes)
C:\29b8fe1277d49fe83693\vc_red.cab (65618 bytes)
C:\29b8fe1277d49fe83693\install.res.1042.dll (1988 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\29b8fe1277d49fe83693\eula.1036.txt (12 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.CRT.cat (630 bytes)
C:\29b8fe1277d49fe83693\install.res.1049.dll (1720 bytes)
C:\29b8fe1277d49fe83693\install.res.1031.dll (1160 bytes)
C:\29b8fe1277d49fe83693\eula.2052.txt (3 bytes)
C:\29b8fe1277d49fe83693\install.ini (844 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\29b8fe1277d49fe83693\install.res.1028.dll (1130 bytes)
C:\29b8fe1277d49fe83693\vc_red.msi (3176 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs (8 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.CRT.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.ATL.cat (9 bytes)
C:\29b8fe1277d49fe83693\vcredist.bmp (5 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.OpenMP.cat (9 bytes)
The process MyPC Backup.exe:3888 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\Desktop\Sync Folder.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab5F7E.tmp (56 bytes)
%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (282 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db-journal (39970 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (471 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (370 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (471 bytes)
%Program Files% (x86)\MyPC Backup\log\WAIT_HANDLES.log (540 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar5F7F.tmp (2784 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db (3213 bytes)
The process updater.exe:1952 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USU4CORO\UpdaterTimeOut[1] (81 bytes)
The process BackupSetup.exe:3224 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\Uninstall.lnk (840 bytes)
%Program Files% (x86)\MyPC Backup\x86\SQLite.Interop.dll (5056 bytes)
%Program Files% (x86)\MyPC Backup\Service Start.exe (14 bytes)
%Program Files% (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll (1696 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuC03.tmp (16365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\AccessControl.dll (20 bytes)
%Program Files% (x86)\MyPC Backup\Newtonsoft.Json.dll (2559 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x64.dll (2096 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x86.dll (644 bytes)
%Program Files% (x86)\MyPC Backup\SignupWizard.dll (4674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (2809 bytes)
%Program Files% (x86)\MyPC Backup\de_DE.mo (60 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (6442 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mpbtrk.log (8 bytes)
%Program Files% (x86)\MyPC Backup\PipeDiff.dll (1414 bytes)
%Program Files% (x86)\MyPC Backup\ObjectListView.dll (3014 bytes)
%Program Files% (x86)\MyPC Backup\BackupStack.exe (53 bytes)
%Program Files% (x86)\MyPC Backup\GetText.dll (12 bytes)
%Program Files% (x86)\MyPC Backup\Configuration Updater.exe (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsis7z.dll (6536 bytes)
%Program Files% (x86)\MyPC Backup\NativeHashWrapper.dll (7 bytes)
%Program Files% (x86)\MyPC Backup\InstMgr.dll (10 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x86.dll (1882 bytes)
%Program Files% (x86)\MyPC Backup\uninst.exe (2301 bytes)
%Program Files% (x86)\MyPC Backup\Updater.exe (1695 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\System.dll (23 bytes)
%Program Files% (x86)\MyPC Backup\MyPC Backup.exe (4808 bytes)
%Program Files% (x86)\MyPC Backup\BackupStackUI.dll (3584 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe (20 bytes)
%Program Files% (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll (1918 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe (9 bytes)
%Program Files% (x86)\MyPC Backup\pt_PT.mo (59 bytes)
%Program Files% (x86)\MyPC Backup\mypcbackup.ico (381 bytes)
%Program Files% (x86)\MyPC Backup\AlphaFS.dll (1631 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x64.dll (1303 bytes)
%Program Files% (x86)\MyPC Backup\fr_FR.mo (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\MyPC Backup\Updater_.dll (1325 bytes)
%Program Files% (x86)\MyPC Backup\Ionic.Zip.dll (3317 bytes)
%Program Files% (x86)\MyPC Backup\syncicon.ico (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\NSISdl.dll (30 bytes)
%Program Files% (x86)\MyPC Backup\es_ES.mo (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsSCM.dll (13 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.Common.dll (502 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.51.x86.dll (643 bytes)
%Program Files% (x86)\MyPC Backup\MPCBContextMenu.dll (16984 bytes)
%Program Files% (x86)\MyPC Backup\MPCBClient.dll (1596 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe (1856 bytes)
%Program Files% (x86)\MyPC Backup\BplusDotNet.dll (1198 bytes)
%Program Files% (x86)\MyPC Backup\it_IT.mo (57 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist_x64.exe (385701 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MyPC Backup.7z (320115 bytes)
%Program Files% (x86)\MyPC Backup\UnRegisterExtensions.exe (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsRandom.dll (808 bytes)
%Program Files% (x86)\MyPC Backup\websocket-sharp.dll (1031 bytes)
%Program Files% (x86)\MyPC Backup\x64\SQLite.Interop.dll (6686 bytes)
%Program Files% (x86)\MyPC Backup\LinqBridge.dll (916 bytes)
%Program Files% (x86)\MyPC Backup\Signup Wizard.exe (4132 bytes)
The process helper.exe:3476 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\AppAssocReg.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\ShellLink.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\CityHash.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\System.dll (23 bytes)
The process zensearchsetup.tmp:2652 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_silent_full_bundleZenSearch_prod.exe (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\prepare.dat (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\prepare.exe (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\InstallerScreen2d.bmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\is-FLUOA.tmp (18934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_isetup\_RegDLL.tmp (4 bytes)
Registry activity
The process FreeMediaPlayer.exe:720 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".rm" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".mkv" = "1"
".mp4" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup]
"fir" = "0"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".MP2" = "1"
".MP3" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".mp4" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".dts" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".mka" = "1"
".dts" = "1"
".APE" = "1"
".m4v" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".OGG" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup]
"vol" = "127"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".AAC" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".3gp" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".ogm" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".flv" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".3gp" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".ra" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".avi" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".rm" = "1"
".TTA" = "1"
".M4A" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".mpa" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".mkv" = "1"
".OFR" = "1"
".divx" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".mov" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup]
"mut" = "0"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".TTA" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Direct3D\MostRecentApplication]
"Name" = "FreeMediaPlayer.exe"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".m4v" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".AAC" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".mka" = "1"
".OFR" = "1"
".ogm" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".MP2" = "1"
".MP3" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".MPC" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".FLAC" = "1"
".divx" = "1"
".WAV" = "1"
".wma" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".mpg" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".ra" = "1"
".vob" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".M4A" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".3g2" = "1"
".flv" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".wmv" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".WAV" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".AC3" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".rmvb" = "1"
".avi" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".rmvb" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "FreeMediaPlayer.exe"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".OGG" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".wmv" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".AC3" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".APE" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".FLAC" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".mpg" = "1"
".mpeg" = "1"
".MPC" = "1"
".vob" = "1"
".mpa" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".mpeg" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1345038576"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".3g2" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Unassociated]
".wma" = "1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Supported]
".mov" = "1"
The Worm deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process tsassist.exe:2836 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\FileTypeAssistant]
"CHK_GUID" = "9600c9de-ba93f2b5-bddd7810-69819463"
"CHK_ID" = "16696878"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"
The process _silent_full_bundleZenSearch_prod.exe:3052 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Worm deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process SetupFileTypes.exe:3008 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".mp4" = "1"
[HKCR\Free All-In-One Media Player.M4V\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".FLAC" = "1"
[HKCR\Free All-In-One Media Player.MP4\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.MKV]
"(Default)" = "Free All-In-One Media Player MKV file"
[HKCR\Free All-In-One Media Player.3GP\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"
[HKCR\Free All-In-One Media Player.AAC\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.AC3\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".3gp" = "1"
[HKCR\.ra]
"(Default)" = "Free All-In-One Media Player.RA"
[HKCR\Free All-In-One Media Player.RMVB\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".rm" = "1"
[HKCR\Free All-In-One Media Player.MKA]
"(Default)" = "Free All-In-One Media Player MKA file"
[HKCR\Free All-In-One Media Player.3G2\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\.m4v]
"(Default)" = "Free All-In-One Media Player.M4V"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".AAC" = "1"
".3g2" = "1"
[HKCR\.3g2]
"(Default)" = "Free All-In-One Media Player.3G2"
[HKCR\Free All-In-One Media Player.DTS\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".ra" = "1"
[HKCR\.flv]
"(Default)" = "Free All-In-One Media Player.FLV"
[HKCR\Free All-In-One Media Player.TTA\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\Free All-In-One Media Player.OFR]
"(Default)" = "Free All-In-One Media Player OFR file"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".flv" = "1"
[HKCR\Free All-In-One Media Player.MP4]
"(Default)" = "Free All-In-One Media Player MP4 file"
[HKCR\Free All-In-One Media Player.APE\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.AC3]
"(Default)" = "Free All-In-One Media Player AC3 file"
[HKCR\Free All-In-One Media Player.FLAC\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.DIVX]
"(Default)" = "Free All-In-One Media Player DIVX file"
[HKCR\Free All-In-One Media Player.MPC\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.DTS]
"(Default)" = "Free All-In-One Media Player DTS file"
[HKCR\.mp4]
"(Default)" = "Free All-In-One Media Player.MP4"
[HKCR\Free All-In-One Media Player.VOB\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.MKV\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\Free All-In-One Media Player.MKV\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".APE" = "1"
".m4v" = "1"
[HKCR\Free All-In-One Media Player.RM\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.TTA\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.FLAC]
"(Default)" = "Free All-In-One Media Player FLAC file"
[HKCR\Free All-In-One Media Player.OFR\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.RA]
"(Default)" = "Free All-In-One Media Player RA file"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".vob" = "1"
[HKCR\Free All-In-One Media Player.RM]
"(Default)" = "Free All-In-One Media Player RM file"
[HKCR\Free All-In-One Media Player.3GP\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".MPC" = "1"
[HKCR\Free All-In-One Media Player.APE\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\Free All-In-One Media Player.MP4\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\Free All-In-One Media Player.FLAC\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\Free All-In-One Media Player.AAC]
"(Default)" = "Free All-In-One Media Player AAC file"
[HKCR\.aac]
"(Default)" = "Free All-In-One Media Player.AAC"
[HKCR\Free All-In-One Media Player.MKA\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.3G2]
"(Default)" = "Free All-In-One Media Player 3G2 file"
[HKCR\.flac]
"(Default)" = "Free All-In-One Media Player.FLAC"
[HKCR\Free All-In-One Media Player.VOB]
"(Default)" = "Free All-In-One Media Player VOB file"
[HKCR\Free All-In-One Media Player.AAC\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\Free All-In-One Media Player.3G2\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.M4V\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.3GP]
"(Default)" = "Free All-In-One Media Player 3GP file"
[HKCR\.rm]
"(Default)" = "Free All-In-One Media Player.RM"
[HKCR\Free All-In-One Media Player.MKA\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\Free All-In-One Media Player.RMVB\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.RA\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.RMVB]
"(Default)" = "Free All-In-One Media Player RMVB file"
[HKCR\Free All-In-One Media Player.M4V]
"(Default)" = "Free All-In-One Media Player M4V file"
[HKCR\Free All-In-One Media Player.RA\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".OFR" = "1"
[HKCR\.mka]
"(Default)" = "Free All-In-One Media Player.MKA"
[HKCR\Free All-In-One Media Player.RM\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\.3gp]
"(Default)" = "Free All-In-One Media Player.3GP"
[HKCR\Free All-In-One Media Player.MPC\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\Free All-In-One Media Player.TTA]
"(Default)" = "Free All-In-One Media Player TTA file"
[HKCR\.ape]
"(Default)" = "Free All-In-One Media Player.APE"
[HKCR\.vob]
"(Default)" = "Free All-In-One Media Player.VOB"
[HKCR\.divx]
"(Default)" = "Free All-In-One Media Player.DIVX"
[HKCR\.dts]
"(Default)" = "Free All-In-One Media Player.DTS"
[HKCR\Free All-In-One Media Player.VOB\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".dts" = "1"
[HKCR\Free All-In-One Media Player.APE]
"(Default)" = "Free All-In-One Media Player APE file"
[HKCR\.ac3]
"(Default)" = "Free All-In-One Media Player.AC3"
[HKCR\.rmvb]
"(Default)" = "Free All-In-One Media Player.RMVB"
[HKCR\.ofr]
"(Default)" = "Free All-In-One Media Player.OFR"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".mka" = "1"
".divx" = "1"
[HKCR\Free All-In-One Media Player.DIVX\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\.mkv]
"(Default)" = "Free All-In-One Media Player.MKV"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".mkv" = "1"
".TTA" = "1"
[HKCR\Free All-In-One Media Player.DIVX\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\Free All-In-One Media Player.MPC]
"(Default)" = "Free All-In-One Media Player MPC file"
[HKCR\.mpc]
"(Default)" = "Free All-In-One Media Player.MPC"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".AC3" = "1"
[HKCR\.tta]
"(Default)" = "Free All-In-One Media Player.TTA"
[HKCR\Free All-In-One Media Player.FLV\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\Free All-In-One Media Player.DTS\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\Free All-In-One Media Player.FLV]
"(Default)" = "Free All-In-One Media Player FLV file"
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".rmvb" = "1"
[HKCR\Free All-In-One Media Player.OFR\shell\open\command]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe %1"
[HKCR\Free All-In-One Media Player.FLV\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
[HKCR\Free All-In-One Media Player.AC3\DefaultIcon]
"(Default)" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FREEMEDIAPLAYER.exe,0"
The Worm deletes the following value(s) in the system registry:
[HKCU\Software\Free Software Group\Free All-In-One Media Player\Setup\Associated]
".3G2"
".MP4"
".3GP"
".AC3"
".MKA"
".RMVB"
".RM"
".DIVX"
".FLAC"
".APE"
".M4V"
".RA"
".VOB"
".MKV"
".OFR"
".MPC"
".TTA"
".DTS"
".FLV"
".AAC"
The process tsasetup.tmp:3180 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"InstallLocation" = "%Program Files% (x86)\File Type Assistant\"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"InstallDate" = "20141212"
"MinorVersion" = "4"
[HKCR\Unknown\shell\openas\command]
"(Default)" = "%Program Files% (x86)\File Type Assistant\tsassist.exe %1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"Inno Setup: App Path" = "%Program Files% (x86)\File Type Assistant"
"Inno Setup: Setup Version" = "5.4.0 (a)"
"QuietUninstallString" = "%Program Files% (x86)\File Type Assistant\unins000.exe /SILENT"
"DisplayVersion" = "2013.4.8.0"
"NoRepair" = "1"
[HKCR\Unknown\shell\opendlg\command]
"(Default)" = "%Program Files% (x86)\File Type Assistant\tsassist.exe %1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"UninstallString" = "%Program Files% (x86)\File Type Assistant\unins000.exe"
"Inno Setup: User" = "SYSTEM"
"EstimatedSize" = "691"
[HKCR\*\shell\!fta\command]
"(Default)" = "%Program Files% (x86)\File Type Assistant\tsassist.exe /showinfo %1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"DisplayName" = "File Type Assistant"
[HKCR\*\shell\!fta]
"(Default)" = "Show how to open this file"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"MajorVersion" = "2013"
"Inno Setup: Language" = "default"
"Inno Setup: Icon Group" = "File Type Assistant"
"NoModify" = "1"
"URLInfoAbout" = "http://www.trustedsoftware.com"
[HKCR\Unknown\shell\openas\command]
"DelegateExecute" = ""
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
The Worm deletes the following value(s) in the system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"AutoConfigURL"
"ProxyServer"
The process tsasetup.tmp:1380 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"InstallLocation" = "%Program Files% (x86)\File Type Assistant\"
"InstallDate" = "20141212"
"MinorVersion" = "4"
[HKCR\*\shell\!fta]
"(Default)" = "Show how to open this file"
[HKCR\Unknown\shell\openas\command]
"(Default)" = "%Program Files% (x86)\File Type Assistant\tsassist.exe %1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"Inno Setup: App Path" = "%Program Files% (x86)\File Type Assistant"
[HKCR\Unknown\shell\openas\command]
"tsa_backup" = "%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"Inno Setup: Setup Version" = "5.4.0 (a)"
"QuietUninstallString" = "%Program Files% (x86)\File Type Assistant\unins000.exe /SILENT"
"DisplayVersion" = "2013.4.8.0"
"NoRepair" = "1"
[HKCR\Unknown\shell\opendlg\command]
"(Default)" = "%Program Files% (x86)\File Type Assistant\tsassist.exe %1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"UninstallString" = "%Program Files% (x86)\File Type Assistant\unins000.exe"
"Inno Setup: User" = "%CurrentUserName%"
"EstimatedSize" = "6363"
[HKCR\*\shell\!fta\command]
"(Default)" = "%Program Files% (x86)\File Type Assistant\tsassist.exe /showinfo %1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"DisplayName" = "File Type Assistant"
[HKCR\Unknown\shell\opendlg\command]
"tsa_backup" = "%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
[HKCR\Unknown\shell\openas\command]
"tsa_de_backup" = "{e44e9428-bdbc-4987-a099-40dc8fd255e7}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1]
"MajorVersion" = "2013"
"Inno Setup: Language" = "default"
"Inno Setup: Icon Group" = "File Type Assistant"
"NoModify" = "1"
"URLInfoAbout" = "http://www.trustedsoftware.com"
[HKCR\Unknown\shell\openas\command]
"DelegateExecute" = ""
The process netsh.exe:1256 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E\@%SystemRoot%\system32]
"eapqec.dll,-100" = "EAP Quarantine Enforcement Client"
"eapqec.dll,-101" = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."
"napipsec.dll,-4" = "1.0"
"tsgqec.dll,-103" = "Microsoft Corporation"
"tsgqec.dll,-102" = "1.0"
"tsgqec.dll,-101" = "Provides RD Gateway enforcement for NAP"
"tsgqec.dll,-100" = "RD Gateway Quarantine Enforcement Client"
"eapqec.dll,-102" = "1.0"
"eapqec.dll,-103" = "Microsoft Corporation"
"napipsec.dll,-1" = "IPsec Relying Party"
"napipsec.dll,-2" = "Provides IPsec based enforcement for Network Access Protection"
"napipsec.dll,-3" = "Microsoft Corporation"
"dhcpqec.dll,-101" = "Provides DHCP based enforcement for NAP"
"dhcpqec.dll,-100" = "DHCP Quarantine Enforcement Client"
"dhcpqec.dll,-103" = "1.0"
"dhcpqec.dll,-102" = "Microsoft Corporation"
The process prepare.exe:1480 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Worm deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process singleZenSearchUpdater.exe:3040 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\ZenSearch\updater]
"sum" = "0100351876eac0c8f432fd010c8d3356"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\ZenSearch]
"Guid" = "{AC3269D3-A9B6-497F-82DD-345F2637B13C}"
[HKCU\Software\ZenSearch\updater]
"need_update" = "true"
[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\updater]
"SID" = "1010"
"sum" = "0100351876eac0c8f432fd010c8d3356"
"ver" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\ZenSearch\updater]
"InstallDirectory" = "%Program Files% (x86)\ZenSearch Updater"
[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\updater]
"ID" = "1010"
[HKCU\Software\ZenSearch\updater]
"SID" = "1010"
[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\updater]
"InstallDirectory" = "%Program Files% (x86)\ZenSearch Updater"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\ZenSearch\updater\heal]
"aa7906b26bccabcda7a608c600284784" = "%Program Files% (x86)\ZenSearch Updater\updater.exe"
[HKCU\Software\ZenSearch\updater]
"ID" = "1010"
"ver" = "2"
[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\updater]
"need_update" = "true"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process TPAutoConnSvc.exe:1844 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:3]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,Letter¶40,40,2086,2712, 5,2159,3556,Legal¶40,40,2086,3474, 9,2100,2970,A4¶39,39,2032,2890, 7,1842,2667,Executive¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)¶40,40,2086,3220, 11,1480,2100,A5¶39,39,1408,2020, 70,1050,1480,A6¶39,39,975,1399, 13,1820,2570,B5 (JIS)¶39,39,1747,2490, 264,1950,2700,16K 195x270¶39,39,1882,2620, 263,1840,2600,16K 184x260¶39,39,1761,2520, 257,1970,2730,16K 197x273¶39,39,1896,2650, 43,1000,1480,Japanese Postcard¶39,39,921,1399, 82,1480,2000,Double Japan Postcard Rotated¶39,39,1408,1919, 20,1046,2413,Envelope #10¶40,40,975,2331, 37,983,1905,Envelope Monarch¶40,40,907,1823, 34,1760,2500,Envelope B5¶39,39,1693,2420, 28,1620,2290,Envelope C5¶39,39,1544,2209, 27,1100,2200,Envelope DL¶39,39,1029,2120"
"DelAfterCreate" = "1"
[HKU\.DEFAULT\Printers\DevModes2]
"HP LaserJet Professional M1212nf MFP#:3" = "48 00 50 00 20 00 4C 00 61 00 73 00 65 00 72 00"
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:3]
The process 855ff7095b49e99e27b8ff3145da74d5.tmp:2224 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash" = "CC 96 B8 B0 42 CC 11 07 12 DA 74 F5 9F 79 E4 0C"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Free Media Player_is1]
"InstallDate" = "20141212"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFiles0000" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FreeMediaPlayer.exe, %Program Files% (x86)\FreeAllInOneMediaPlayer\SetupFileTypes.exe, %Program Files% (x86)\FreeAllInOneMediaPlayer\avcodec-52.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\avcore-0.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\avdevice-52.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\avfilter-1.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\avformat-52.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\avutil-50.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\SDL.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\swscale-0.dll, %Program Files% (x86)\FreeAllInOneMediaPlayer\myutil.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Free Media Player_is1]
"Inno Setup: App Path" = "%Program Files% (x86)\FreeAllInOneMediaPlayer"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash" = "8F 34 29 2C 98 E5 45 7A 5B 45 8E 79 A8 50 A0 E2"
"Owner" = "B0 08 00 00 E1 45 82 02 21 16 D0 01"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Free Media Player_is1]
"Inno Setup: Deselected Tasks" = ""
"Publisher" = "Free Software Group"
"Inno Setup: Setup Version" = "5.5.3 (a)"
"UninstallString" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.exe"
"NoModify" = "1"
"EstimatedSize" = "11144"
"Inno Setup: User" = "%CurrentUserName%"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files% (x86)\FreeAllInOneMediaPlayer]
"SetupFileTypes.exe" = "WINXPSP2"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Free Media Player_is1]
"InstallLocation" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\"
"Inno Setup: Language" = "default"
"NoRepair" = "1"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Free Media Player_is1]
"Inno Setup: Icon Group" = "Free All-In-One Media Player"
"DisplayIcon" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\FreeMediaPlayer.exe"
"DisplayName" = "Free All-In-One Media Player"
"QuietUninstallString" = "%Program Files% (x86)\FreeAllInOneMediaPlayer\unins000.exe /SILENT"
"Inno Setup: Selected Tasks" = "desktopicon,startmenuicon,quicklaunchicon"
The Worm deletes the following registry key(s):
[HKCU\Software\Microsoft\RestartManager\Session0000]
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash"
"Sequence"
"RegFiles0000"
"SessionHash"
"Owner"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
The process ftacfg.exe:1752 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process TrustedInstaller.exe:3828 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"sf" = "1"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"(Default)" = "10"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90kor.dll" = "4D 46 43 39 30 4B 4F 52 2E 44 4C 4C"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"CT" = "61 00 38 00 30 00 39 00 35 00 65 00 66 00 65 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"sf" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\9.0]
"9.0.30729.1" = "01"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"(Default)" = "6"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"CT" = "63 00 63 00 37 00 30 00 61 00 38 00 36 00 31 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"sf" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide]
"PublisherPolicyChangeTime" = "Type: REG_QWORD, Length: 8"
[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 E0 FD 52 01 D3 04 00 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"S1H" = "E6 CA F0 F6 A2 0D C9 9F 62 27 42 55 D7 B2 1B 34"
"CT" = "66 00 65 00 30 00 66 00 61 00 63 00 34 00 65 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"CT" = "35 00 32 00 32 00 65 00 64 00 34 00 30 00 31 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcm90.dll" = "6D 00 73 00 76 00 63 00 6D 00 39 00 30 00 2E 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"c!policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\ServicingStackVersions]
"6.1.7601.17592 (win7sp1_gdr.110408-1631)" = "2014/12/12:15:34:34.920 6.1.7601.17592 (win7sp1_gdr.110408-1631)"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"S1H" = "64 21 A7 13 7F 81 51 EC C9 C6 32 1F CB 89 4E ED"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"f!vcomp90.dll" = "76 00 63 00 6F 00 6D 00 70 00 39 00 30 00 2E 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"ClosureFlags" = "3"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90esp.dll" = "4D 00 46 00 43 00 39 00 30 00 45 00 53 00 50 00"
[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"CatalogThumbprint" = "a8095efeef7cae736f55a416d69c2b12e250b764bbf39505a3456a6903d27c7dGÃ…â€â€"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"S1H" = "CC E5 48 A1 81 09 83 7C D5 26 1A F8 35 AB 54 9D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\9.0]
"9.0.30729.1" = "01"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"(Default)" = "6"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esp.dll" = "4D 46 43 39 30 45 53 50 2E 44 4C 4C"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"S1H" = "74 EA A7 88 4B 21 D7 1F 33 34 94 89 89 7C 0A F6"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90ita.dll" = "4D 00 46 00 43 00 39 00 30 00 49 00 54 00 41 00"
[HKLM\COMPONENTS\CanonicalData\Catalogs\95ce0638280a2ff1d3cb1be6be97e25e47ff2be6f7c987e85530957c3751bf90]
"c!microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"(Default)" = "6"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90cht.dll" = "4D 00 46 00 43 00 39 00 30 00 43 00 48 00 54 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esn.dll" = "4D 46 43 39 30 45 53 4E 2E 44 4C 4C"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcp90.dll" = "6D 00 73 00 76 00 63 00 70 00 39 00 30 00 2E 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"c!policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"S1H" = "80 93 28 44 A9 44 70 27 55 3E C3 07 5D F5 63 DF"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"(Default)" = "10"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90u.dll" = "Type: REG_BINARY, Length: 0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\9.0]
"9.0.30729.1" = "01"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"(Default)" = "10"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"sf" = "1"
[HKLM\COMPONENTS\CanonicalData\Catalogs\4c41971c13d332f75376e357800f14c8671cabe1762b1395ecb015bdaebe1343]
"c!microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"(Default)" = "10"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"S1H" = "31 95 AA CA BF 6A 85 7B 8A 02 CC 29 B3 F8 BA 35"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 4D B5 52 01 AF 09 00 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"(Default)" = "10"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"S256H" = "08 8C D1 14 A3 5A A0 03 0F 8A C8 09 40 2C 7C 22"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"CT" = "33 00 33 00 33 00 63 00 33 00 63 00 38 00 61 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"(Default)" = "10"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"c!microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90jpn.dll" = "4D 46 43 39 30 4A 50 4E 2E 44 4C 4C"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"S256H" = "8D C0 05 84 25 4A F1 6C 47 CA 9C 96 C9 44 75 51"
[HKLM\COMPONENTS]
"ExecutionState" = "2"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 0A 7F 52 01 6A 05 00 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90.dll" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"ClosureFlags" = "3"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"S256H" = "FE AE 5D B0 21 40 AA 1D 6C CD 8E EF 81 27 94 DF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\9.0]
"9.0.30729.1" = "01"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"S256H" = "EB E1 76 88 C7 DC EA 0B F8 87 58 62 C8 C7 2A 58"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90rus.dll" = "4D 46 43 39 30 52 55 53 2E 44 4C 4C"
[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 41"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90deu.dll" = "4D 46 43 39 30 44 45 55 2E 44 4C 4C"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 43"
[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\9.0]
"9.0.30729.1" = "01"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcr90.dll" = "6D 00 73 00 76 00 63 00 72 00 39 00 30 00 2E 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"S1H" = "9E 2C 9A 79 1D 8E C7 78 4A 73 08 8C 2E 1E AF C1"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"S256H" = "0E DF 78 65 CB 6E 59 40 E6 8D 63 1A FE E7 83 B0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\9.0]
"9.0.21022.8" = "01"
[HKLM\COMPONENTS\CanonicalData\Catalogs\cc70a861e6263ece8ebd924aed1f90031fe1c199ab22cd0f7c7f0a2558cd9322]
"c!policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"S1H" = "E3 17 DA F8 C4 AE B9 52 16 AF B2 EE 85 45 57 D7"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"sf" = "1"
[HKLM\COMPONENTS]
"StoreDirty" = "01"
[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90chs.dll" = "4D 00 46 00 43 00 39 00 30 00 43 00 48 00 53 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfcm90u.dll" = "6D 00 66 00 63 00 6D 00 39 00 30 00 75 00 2E 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90cht.dll" = "4D 46 43 39 30 43 48 54 2E 44 4C 4C"
"mfc90ita.dll" = "4D 46 43 39 30 49 54 41 2E 44 4C 4C"
The Worm deletes the following registry key(s):
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8\UnstagedFiles]
The Worm deletes the following value(s) in system registry:
The process singleZenSearch.exe:928 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Chrome\Prefs]
".session.restore_on_startup_migrated#1" = "true"
[HKCU\Software\ZenSearch\ZenSearch]
"sum" = "temp_hash"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Chrome\Prefs]
".homepage_is_newtabpage#0" = ""
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"QuietUninstallString" = "%Program Files% (x86)\ZenSearch\uninstall000.exe /uninstall"
[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\ZenSearch]
"SID" = "1010"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"DisplayName" = "ZenSearch"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Policies\Microsoft\Internet Explorer\Infodelivery]
"Restrictions|UsePolicySearchProvidersOnly|0" = "Internet Explorer\Infodelivery\Restrictions"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\FFPrefs]
"browser.newtab.url" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"DisplayIcon" = "%Program Files% (x86)\ZenSearch\uninstall000.exe"
"URLUpdateInfo" = "http://zensearch.com/"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483650|SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]
"Ext|IgnoreFrameApprovalCheck|0" = "Ext"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"InstallLocation" = "%Program Files% (x86)\ZenSearch\"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Policies\Microsoft\Internet Explorer]
"SearchScopes|DefaultScope|0" = "Internet Explorer\SearchScopes"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\FFPrefs]
"browser.startup.homepage" = "user_pref(browser.startup.homepage_override.buildID, 20140506152807);"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Chrome\WebData]
"DefSearchEngine" = "UPDATE meta SET value=2 where key='Default Search Provider ID'"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"HelpLink" = "http://zensearch.com/"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
"3|1609|1" = "1"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"MAO Settings|AddonLoadTimeThreshold|0" = ""
[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\ZenSearch]
"Guid" = "{AC3269D3-A9B6-497F-82DD-345F2637B13C}"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\FFPrefs]
"browser.search.defaultenginename" = ""
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Chrome\Prefs]
".session.restore_on_startup#0" = ""
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"ContinuousBrowsing|Enabled|1" = "0"
[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\ZenSearch]
"InstallDirectory" = "%Program Files% (x86)\ZenSearch"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"TabbedBrowsing|Enabled|0" = ""
"Recovery|AutoRecover|0" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionTime" = "4F BA F2 15 21 16 D0 01"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\FFPrefs]
"browser.search.selectedEngine" = ""
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData]
"FFProfilePath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default"
[HKCU\Software\ZenSearch\ZenSearch]
"InstallDirectory" = "%Program Files% (x86)\ZenSearch"
[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\ZenSearch]
"ID" = "1001"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Policies\Microsoft\Internet Explorer\Infodelivery]
"Restrictions|NoChangeDefaultSearchProvider|0" = "Internet Explorer\Infodelivery\Restrictions"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\FFPrefs]
"browser.startup.page" = ""
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"UninstallString" = "%Program Files% (x86)\ZenSearch\uninstall000.exe /uninstall"
[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\ZenSearch]
"ver" = "2"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483650|SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]
"Ext|DisableAddonLoadTimePerformanceNotifications|0" = "Ext"
[HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\ZenSearch\ZenSearch]
"sum" = "temp_hash"
"need_update" = "true"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionReason" = "1"
[HKCU\Software\ZenSearch\ZenSearch]
"HomePageWasInstalledCH" = "1"
"Guid" = "{AC3269D3-A9B6-497F-82DD-345F2637B13C}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"URLInfoAbout" = "http://zensearch.com/"
[HKCU\Software\ZenSearch\ZenSearch]
"ver" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadNetworkName" = "Network"
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\ZenSearch\ZenSearch]
"need_update" = "true"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"Main|Start Page|1" = "about:Tabs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionTime" = "4F BA F2 15 21 16 D0 01"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"MINIE|ShowTabsBelowAddressBar|0" = ""
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Chrome\Prefs]
".homepage#0" = ""
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"TabbedBrowsing|NewTabPageShow|0" = ""
[HKCU\Software\ZenSearch\ZenSearch]
"SID" = "1010"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch]
"Publisher" = "ZenSearch"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483650|Software\Policies\Microsoft\Internet Explorer]
"Restrictions|NoCrashDetection|0" = "Internet Explorer\Restrictions"
[HKCU\Software\ZenSearch\ZenSearch]
"ID" = "1001"
[HKCU\Software\ZenSearch\ZenSearch\SavedSystemData\Registry\2147483649|Software\Microsoft\Internet Explorer]
"SearchScopes|DefaultScope|1" = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process MyPC Backup.exe:3888 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"
The process updater.exe:1952 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process BackupSetup.exe:3224 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\PUPautoinsaller_v1.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsSCM.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayName" = "MyPC Backup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayVersion" = ""
"URLInfoAbout" = "http://www.mypcbackup.com"
"Publisher" = "JDi Backup Ltd"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayIcon" = "%Program Files% (x86)\MyPC Backup\MyPC Backup.exe"
"UninstallString" = "%Program Files% (x86)\MyPC Backup\uninst.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MyPC Backup]
"(Default)" = "%Program Files% (x86)\MyPC Backup\BackupStack.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"HelpLink" = "http://support.mypcbackup.com"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process helper.exe:3476 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\TaskBarIDs\%Program Files% (x86)]
"Mozilla Firefox" = "8A9158DB3763B7C8"
[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe,1"
[HKCU\Software\Classes\https\shell]
"(Default)" = "open"
[HKCU\Software\Classes\https]
"URL Protocol" = ""
[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid" = "FirefoxURL"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "36"
[HKCU\Software\Classes\FirefoxURL\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid" = "FirefoxURL"
[HKCU\Software\Classes\FirefoxHTML\DefaultIcon]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe,1"
[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Classes\FirefoxURL]
"FriendlyTypeName" = "Firefox URL"
"URL Protocol" = ""
[HKCU\Software\Classes\http\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid" = "FirefoxHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid" = "FirefoxHTML"
[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe,1"
[HKCU\Software\Classes\FirefoxURL\DefaultIcon]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe,1"
[HKCU\Software\Classes\FirefoxHTML\shell\open\command]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe -osint -url %1"
[HKCU\Software\Classes\http]
"URL Protocol" = ""
[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe,1"
[HKCU\Software\Classes\FirefoxURL\shell\open\command]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe -osint -url %1"
[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe -osint -url %1"
[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Classes\FirefoxHTML]
"(Default)" = "Firefox HTML Document"
[HKCU\Software\Classes\FirefoxHTML\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid" = "FirefoxURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid" = "FirefoxHTML"
[HKCU\Software\Classes\FirefoxHTML]
"FriendlyTypeName" = "Firefox HTML Document"
[HKCU\Software\Classes\FirefoxURL\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Classes\ftp]
"URL Protocol" = ""
[HKCU\Software\Classes\FirefoxURL]
"(Default)" = "Firefox URL"
[HKCU\Software\Classes\FirefoxHTML\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "FIREFOX.EXE"
[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe -osint -url %1"
[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "c:\program files (x86)\Mozilla Firefox\firefox.exe -osint -url %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid" = "FirefoxHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid" = "FirefoxHTML"
The Worm deletes the following registry key(s):
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
[HKCU\Software\Classes\https\shell\open\ddeexec]
[HKCU\Software\Classes\FirefoxHTML\shell\open\ddeexec]
[HKCU\Software\Classes\http\shell\open\ddeexec]
[HKCU\Software\Classes\FirefoxURL\shell\open\ddeexec]
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid"
The process zensearchsetup.tmp:2652 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZS_cleanup1" = "C:\Windows\system32\cmd.exe /c rmdir /q /s C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process taskeng.exe:2836 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{49A380DA-87FA-49EE-B405-28A5BBFBBBAC}]
"data" = "4D 45 4F 57 01 00 00 00 E4 B7 BD 92 8B F2 A0 46"
Dropped PE files
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
FreeMediaPlayer.exe:720
tsassist.exe:3364
tsassist.exe:2836
_silent_full_bundleZenSearch_prod.exe:3052
SetupFileTypes.exe:3008
tsasetup.exe:1992
tsasetup.exe:3208
tsasetup.tmp:3180
tsasetup.tmp:1380
netsh.exe:1256
prepare.exe:1480
makecab.exe:3856
singleZenSearchUpdater.exe:3040
install.exe:3552
TPAutoConnSvc.exe:1844
%original file name%.exe:1660
855ff7095b49e99e27b8ff3145da74d5.tmp:2224
TrustedInstaller.exe:3828
Cloud_Backup_Setup.exe:2672
singleZenSearch.exe:928
zensearchsetup.exe:720
vcredist_x64.exe:3528
MyPC Backup.exe:3888
updater.exe:1952
BackupSetup.exe:3224
helper.exe:3476
zensearchsetup.tmp:2652
taskeng.exe:2836
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\btn-search2.png (918 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (18978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\input-430.png (480 bytes)
%Program Files% (x86)\ZenSearch\resources.zip (203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\main.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\html\newTab.html (9 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\icons\readme.txt (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\_prsys\testPrsys.js (2 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\sprs.png (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\jquery-1.9.1.min.js (601 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\main.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\html\background.html (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\jquery.min.map (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\browser_util.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\log.js (696 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\html\newTab.html (9 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\jquery-1.9.1.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\css\readme.txt (37 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\css\readme.txt (37 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\_prsys\product.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\sprs.png (56 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\_prsys\testPrsys.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\manifest.json (709 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\_prsys\activity.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\settings\settings.js (502 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\log.js (696 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\jquery.min.map (2392 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\browser_util.js (1 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\input-430.png (480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WDUL1PG1\report[1].htm (2 bytes)
%Program Files% (x86)\ZenSearch\uninstall000.exe (14988 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\html\background.html (509 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\manifest.json (709 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\newtab_icons\zensearch.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\js\_prsys\product.js (1 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\zensearch.png (1 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\js\_prsys\activity.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\lificnbhpecdikcjmcpdinkjbigomafg\1.0_0\images\icons\readme.txt (33 bytes)
%Program Files% (x86)\ZenSearch\ZenSearch\images\newtab_icons\btn-search2.png (918 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-ME10U.tmp\zensearchsetup.tmp (1408 bytes)
C:\29b8fe1277d49fe83693\install.res.1036.dll (1355 bytes)
C:\29b8fe1277d49fe83693\eula.1033.txt (10 bytes)
C:\29b8fe1277d49fe83693\install.res.1040.dll (2110 bytes)
C:\29b8fe1277d49fe83693\install.res.3082.dll (989 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFC.cat (658 bytes)
C:\29b8fe1277d49fe83693\eula.1031.txt (229 bytes)
C:\29b8fe1277d49fe83693\eula.1040.txt (657 bytes)
C:\29b8fe1277d49fe83693\install.res.2052.dll (1632 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugMFC.cat (9 bytes)
C:\29b8fe1277d49fe83693\eula.1042.txt (650 bytes)
C:\29b8fe1277d49fe83693\eula.1028.txt (3 bytes)
C:\29b8fe1277d49fe83693\install.res.1041.dll (1126 bytes)
C:\29b8fe1277d49fe83693\eula.1041.txt (5 bytes)
C:\29b8fe1277d49fe83693\eula.1049.txt (13 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\29b8fe1277d49fe83693\eula.3082.txt (12 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.OpenMP.cat (297 bytes)
C:\29b8fe1277d49fe83693\globdata.ini (1 bytes)
C:\29b8fe1277d49fe83693\install.exe (13918 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugMFC.cat (236 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFC.cat (9 bytes)
C:\29b8fe1277d49fe83693\$shtdwn$.req (788 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.ATL.cat (155 bytes)
C:\29b8fe1277d49fe83693\vc_red.cab (65618 bytes)
C:\29b8fe1277d49fe83693\install.res.1042.dll (1988 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\29b8fe1277d49fe83693\eula.1036.txt (12 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.CRT.cat (630 bytes)
C:\29b8fe1277d49fe83693\install.res.1049.dll (1720 bytes)
C:\29b8fe1277d49fe83693\install.res.1031.dll (1160 bytes)
C:\29b8fe1277d49fe83693\eula.2052.txt (3 bytes)
C:\29b8fe1277d49fe83693\install.ini (844 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\29b8fe1277d49fe83693\install.res.1028.dll (1130 bytes)
C:\29b8fe1277d49fe83693\vc_red.msi (3176 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.CRT.cat (9 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.ATL.cat (9 bytes)
C:\29b8fe1277d49fe83693\vcredist.bmp (5 bytes)
C:\29b8fe1277d49fe83693\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.OpenMP.cat (9 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Sync Folder.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab5F7E.tmp (56 bytes)
%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (282 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db-journal (39970 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (471 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (370 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (471 bytes)
%Program Files% (x86)\MyPC Backup\log\WAIT_HANDLES.log (540 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar5F7F.tmp (2784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USU4CORO\UpdaterTimeOut[1] (81 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\Uninstall.lnk (840 bytes)
%Program Files% (x86)\MyPC Backup\x86\SQLite.Interop.dll (5056 bytes)
%Program Files% (x86)\MyPC Backup\Service Start.exe (14 bytes)
%Program Files% (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll (1696 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuC03.tmp (16365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\AccessControl.dll (20 bytes)
%Program Files% (x86)\MyPC Backup\Newtonsoft.Json.dll (2559 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x64.dll (2096 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x86.dll (644 bytes)
%Program Files% (x86)\MyPC Backup\SignupWizard.dll (4674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\de_DE.mo (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mpbtrk.log (8 bytes)
%Program Files% (x86)\MyPC Backup\PipeDiff.dll (1414 bytes)
%Program Files% (x86)\MyPC Backup\ObjectListView.dll (3014 bytes)
%Program Files% (x86)\MyPC Backup\BackupStack.exe (53 bytes)
%Program Files% (x86)\MyPC Backup\GetText.dll (12 bytes)
%Program Files% (x86)\MyPC Backup\Configuration Updater.exe (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsis7z.dll (6536 bytes)
%Program Files% (x86)\MyPC Backup\NativeHashWrapper.dll (7 bytes)
%Program Files% (x86)\MyPC Backup\InstMgr.dll (10 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x86.dll (1882 bytes)
%Program Files% (x86)\MyPC Backup\uninst.exe (2301 bytes)
%Program Files% (x86)\MyPC Backup\Updater.exe (1695 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\System.dll (23 bytes)
%Program Files% (x86)\MyPC Backup\MyPC Backup.exe (4808 bytes)
%Program Files% (x86)\MyPC Backup\BackupStackUI.dll (3584 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe (20 bytes)
%Program Files% (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll (1918 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe (9 bytes)
%Program Files% (x86)\MyPC Backup\pt_PT.mo (59 bytes)
%Program Files% (x86)\MyPC Backup\mypcbackup.ico (381 bytes)
%Program Files% (x86)\MyPC Backup\AlphaFS.dll (1631 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x64.dll (1303 bytes)
%Program Files% (x86)\MyPC Backup\fr_FR.mo (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\MyPC Backup\Updater_.dll (1325 bytes)
%Program Files% (x86)\MyPC Backup\Ionic.Zip.dll (3317 bytes)
%Program Files% (x86)\MyPC Backup\syncicon.ico (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\NSISdl.dll (30 bytes)
%Program Files% (x86)\MyPC Backup\es_ES.mo (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsSCM.dll (13 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.Common.dll (502 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.51.x86.dll (643 bytes)
%Program Files% (x86)\MyPC Backup\MPCBContextMenu.dll (16984 bytes)
%Program Files% (x86)\MyPC Backup\MPCBClient.dll (1596 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe (1856 bytes)
%Program Files% (x86)\MyPC Backup\BplusDotNet.dll (1198 bytes)
%Program Files% (x86)\MyPC Backup\it_IT.mo (57 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist_x64.exe (385701 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MyPC Backup.7z (320115 bytes)
%Program Files% (x86)\MyPC Backup\UnRegisterExtensions.exe (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjC13.tmp\nsRandom.dll (808 bytes)
%Program Files% (x86)\MyPC Backup\websocket-sharp.dll (1031 bytes)
%Program Files% (x86)\MyPC Backup\x64\SQLite.Interop.dll (6686 bytes)
%Program Files% (x86)\MyPC Backup\LinqBridge.dll (916 bytes)
%Program Files% (x86)\MyPC Backup\Signup Wizard.exe (4132 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\AppAssocReg.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\ShellLink.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\CityHash.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj1758.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_silent_full_bundleZenSearch_prod.exe (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\prepare.dat (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\prepare.exe (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\InstallerScreen2d.bmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\is-FLUOA.tmp (18934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp\_isetup\_RegDLL.tmp (4 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZS_cleanup1" = "C:\Windows\system32\cmd.exe /c rmdir /q /s C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GU8FI.tmp"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Free Software Group
Product Name: Free All-In-One Media Player
Product Version: 2012
Legal Copyright: Copyright 2011-2012 Free Software Group
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2012
File Description: Free All-In-One Media Player Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 40240 | 40448 | 4.59679 | c3bd95c4b1a8e5199981e0d9b45fd18c |
DATA | 45056 | 592 | 1024 | 1.90742 | 1ee71d84f1c77af85f1f5c278f880572 |
BSS | 49152 | 3724 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
.tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
.reloc | 65536 | 2244 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 69632 | 11264 | 11264 | 3.13561 | 3ac8fba529cc16ce83dd89c6fafb567c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3
e7f868919bbaceb5e34a6738ea345461
cf6ccc9ab044360a34a424e26c72baae
170d5cdf182b20775eff4cbc0e86edc4
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /updatecheck/ftaupdcheck.php?v=20130408&i=16696878&g=9600c9de-ba93f2b5-bddd7810-69819463 HTTP/1.0
Host: file.org
User-Agent: InnoTools_Downloader
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:36:01 GMT
Server: Apache/2.2.29
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
GET /_searchbar/api/product/UpdaterTimeOut?product=1010&cb=12817 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: zensearch.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:11 GMT
Server: Apache/2.2.29
Content-Length: 81
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: json
{"start_at_login":true,"period_day_in_time":"1;13:00:00","period_second":"43200"}
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=568740, public, no-transform, must-revalidate
Last-Modified: Fri, 12 Dec 2014 05:33:31 GMT
Expires: Fri, 19 Dec 2014 05:33:31 GMT
Date: Fri, 12 Dec 2014 15:37:58 GMT
Connection: keep-alive
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?10c977ff9b187534 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Fri, 12 Dec 2014 15:34:35 GMT
Connection: keep-alive
<<< skipped >>>
GET /js/functions.js HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Last-Modified: Tue, 01 Apr 2014 13:40:12 GMT
Accept-Ranges: bytes
Content-Length: 3102
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/javascript
$(document).ready(function() {. . if ($.browser.msie && $.browser.version < 7) return; // Don't execute code if it's IE6 or below cause it doesn't support it.. . $(".fade").fadeTo(1, 1);. $(".fade").hover(. function () {. $(this).fadeTo("fast", 0.6);. },. function () {. $(this).fadeTo("slow", 1);. }. ); . . /* initialize prettyphoto */. $("a[rel^='prettyPhoto']").prettyPhoto({. ..theme: 'dark_square'. });. .. $(".tabs_container").each(function(){. .$("ul.tabs",this).tabs("div.panes > div", {tabs:'li',effect: 'fade', fadeOutSpeed: -400});. });. $(".mini_tabs_container").each(function(){. .$("ul.mini_tabs",this).tabs("div.panes > div", {tabs:'li',effect: 'fade', fadeOutSpeed: -400});. });. $.tools.tabs.addEffect("slide", function(i, done) {. .this.getPanes().slideUp();. .this.getPanes().eq(i).slideDown(function() {. ..done.call();. .});. });. . $('.toggle .toggle_content:first').show();. $(".toggle_title").toggle(. .function(){. ..$(this).addClass('toggle_active');. ..$(this).siblings('.toggle_content').slideDown("fast");. .},. .function(){. ..$(this).removeClass('toggle_active');. ..$(this).siblings('.toggle_content').slideUp("fast");. .}. );. . . $('#buttonsend').click( function() {.....var name = $('#contactname').val();...var subject = $('#contactsubject').val();...var email = $('#contactemail').val();...var message = $('#contactmessag
<<< skipped >>>
GET /js/fonts/TitilliumText14L_400.font.js HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Last-Modified: Thu, 04 Aug 2011 16:53:44 GMT
Accept-Ranges: bytes
Content-Length: 33704
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/javascript
<<< skipped >>>
GET /images/free-media-player.png HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:17 GMT
Server: Apache/2.2.29
Last-Modified: Sat, 07 Apr 2012 03:52:14 GMT
Accept-Ranges: bytes
Content-Length: 15157
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: image/png
<<< skipped >>>
POST /updatecheck/updcheck.php?v=20130408&p=pmoiafgsf HTTP/1.0
Host: file.org
User-Agent: InnoTools_Downloader
Content-Type: Application/octet-stream
Content-Length: 51
NEWPC2|6.1.7601|48|1|0|1|0409|0409|1|64|pmoiafgsf
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:08 GMT
Server: Apache/2.2.29
Vary: Accept-Encoding
Content-Length: 63
Connection: close
Content-Type: text/html; charset=utf-8
PCID|16696878|9600c9de-ba93f2b5-bddd7810-69819463|.TIMERS|4|2|...
GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSOJaE2H4hHYQzP74hlLuO41NG+EAQUHsWxLH2H2gJofCW8DAeEP7bP3vECEQDEU71+eIGhmN3szB/EMtPt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:38:00 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Fri, 12 Dec 2014 05:42:16 GMT
Expires: Tue, 16 Dec 2014 05:42:16 GMT
ETag: 172BF0EFB9C25DF0E168ED0B822B8CFB7897A204
Cache-Control: max-age=309255,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: h6edcaocsp4
Content-Length: 472
Connection: close
Content-Type: application/ocsp-response
GET /_searchbar/api/report?r=api/report&action=4&pid=1010&ver=2&guid={AC3269D3-A9B6-497F-82DD-345F2637B13C}&sid=1010&agent=iexplore&isUpdate=0 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: zensearch.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:10 GMT
Server: Apache/2.2.29
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 22
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
GET /_searchbar/api/report?r=api/report&action=7&pid=1010&ver=2&guid={AC3269D3-A9B6-497F-82DD-345F2637B13C}&sid=1010&agent=iexplore&isUpdate=0 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: zensearch.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:10 GMT
Server: Apache/2.2.29
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 22
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html
GET /_searchbar/api/report?action=4&pid=1001&ver=2&guid={AC3269D3-A9B6-497F-82DD-345F2637B13C}&sid=1010&agent=iexplore&isUpdate=0 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: zensearch.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:12 GMT
Server: Apache/2.2.29
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 22
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
GET /installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419 HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1341
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
<<< skipped >>>
GET /css/style.css HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Last-Modified: Thu, 20 Feb 2014 14:38:46 GMT
Accept-Ranges: bytes
Content-Length: 32990
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/css
/*.Title:..AVANIX CSS File .Author:..imediapixel@gmail.com.*/../* ----------------------- SUMMARY -----------------------..- GENERAL LAYOUT. - BODY..- HEADINGS..- PARAGRAPH,BLOCKQUOTE,CODE, . - ORDER LIST. - ARROW LIST. - CHECK LIST. - BULLET LIST. - DROPCAPS, PULLQUOTE..- CLEAR FLOAT ELEMENTS..- IMAGE ALIGNMENT & STYLING;. - CUSTOM MESSAGE STYLING. - BUTTON..- WRAPPER. - TOP WRAPPER. - MAIN WRAPPER. - BOTTOM WRAPPER . - CENTER . .- HEADER. - HEADER WRAPPER..- LOGO. - SEARCH BOX....- SLIDESHOW..- FEATURES BOX...- HOMEPAGE CONTENT..- PAGE HEADING ..- PRODUCTS PAGE / TABLE PRICING..- PORTFOLIO PAGE. - PORTFOLIO LIST. - FILTER PORTFOLIO. .- BLOG PAGE. - BLOG LIST ITEMS. - POST META BOX. - AUTHOR BOX. - COMMENTS LIST. - COMMENT FORM . .- CONTACT PAGE. - CONTACT FORM. - CONTACT ADDRESS..- FAQ PAGE..- SIDEBAR. - NEWS LIST. - ITEM LIST. - TWITTER WIDGET. .- FOOTER..- FOOTER BOX. - ADDRESS LIST. - COPYRIGHT. .*/../* Import CSS Reset File */.@import url("reset.css");./* Import Drop down Menu Styling File */.@import url("jqueryslidemenu.css"); ../* ----------------------- GENERAL LAYOUT -----------------------*/.body {. background-color: #cccccc;./* background-image: url(../images/pattern/minimalist11.png);. background-repeat: repeat;*/. font-family: "Helvetica Neue",Helvetica,Arial,sans-serif;. font-size: 12px;. line-height: 21px;. color: #787878;.}../* Heading */.h1, h2, h3, h4, h5, h6{..font-weight: 400;..color:#555555;..font-family: "Helvetica Neue", Helvetica, Arial, sa
<<< skipped >>>
GET /css/reset.css HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/css/style.css
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Last-Modified: Mon, 13 Dec 2010 22:22:20 GMT
Accept-Ranges: bytes
Content-Length: 1014
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/css
/* hXXp://meyerweb.com/eric/tools/css/reset/ */./* v1.0 | 20080212 */..html, body, div, span, applet, object, iframe,.h1, h2, h3, h4, h5, h6, p, blockquote, pre,.a, abbr, acronym, address, big, cite, code,.del, dfn, em, font, img, ins, kbd, q, s, samp,.small, strike, strong, sub, sup, tt, var,.b, u, i, center,.dl, dt, dd, ol, ul, li,.fieldset, form, label, legend,.table, caption, tbody, tfoot, thead, tr, th, td {..margin: 0;..padding: 0;..border: 0;..outline: 0;..font-size: 100%;..vertical-align: baseline;..background: transparent;.}.body {..line-height: 1;.}.ol, ul {..list-style: none;.}.blockquote, q {..quotes: none;.}.blockquote:before, blockquote:after,.q:before, q:after {..content: '';..content: none;.}../* remember to define focus styles! */.:focus {..outline: 0;.}../* remember to highlight inserts somehow! */.ins {..text-decoration: none;.}.del {..text-decoration: line-through;.}../* tables still need 'cellspacing="0"' in the markup */.table {..border-collapse: collapse;..border-spacing: 0;.}
<<< skipped >>>
GET /images/mainwrapper.png HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/css/style.css
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:17 GMT
Server: Apache/2.2.29
Last-Modified: Fri, 18 Nov 2011 19:14:58 GMT
Accept-Ranges: bytes
Content-Length: 209
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: image/png
GET /js/jquery.tools.tabs.min.js HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Last-Modified: Tue, 20 Sep 2011 19:44:58 GMT
Accept-Ranges: bytes
Content-Length: 2968
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/javascript
<<< skipped >>>
GET /images/favicon.ico HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 404 Not Found
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 188
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
GET /images/favicon.ico HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 404 Not Found
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 188
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
GET /images/bottomwrapper.png HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/css/style.css
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:17 GMT
Server: Apache/2.2.29
Last-Modified: Fri, 02 Dec 2011 23:33:04 GMT
Accept-Ranges: bytes
Content-Length: 5170
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: image/png
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?32c8ac288c5b764f HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
Accept-Ranges: bytes
ETag: "0b2464b1797cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6408
Date: Fri, 12 Dec 2014 15:34:22 GMT
Connection: keep-alive
<<< skipped >>>
GET /aadebc4830c51c2794a960fe5a9e11df.php HTTP/1.0
Host: track.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:15 GMT
Server: Apache
Set-Cookie: SESSID=ensl8htsj8k8l0miv5mhn2f063; path=/; domain=.mypcbackup.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LC_CURRENCY=US; expires=Mon, 22-Dec-2014 15:34:15 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Mon, 22-Dec-2014 15:34:15 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: LC_CURRENCY=US; expires=Mon, 22-Dec-2014 15:34:15 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Mon, 22-Dec-2014 15:34:15 GMT; path=/; domain=.mypcbackup.com
Content-Length: 8
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: MPBWWW=3171957029.1.1047620528.117384224; path=/
Complete..
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT
Accept-Ranges: bytes
ETag: "58cddbea90dfcf1:0"
Server: Microsoft-IIS/8.5
VTag: 279619316300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Fri, 12 Dec 2014 15:34:54 GMT
Connection: keep-alive
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT
Accept-Ranges: bytes
ETag: "a2f3ff97eeecf1:0"
Server: Microsoft-IIS/8.5
VTag: 791939326400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Fri, 12 Dec 2014 15:34:54 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT
Accept-Ranges: bytes
ETag: "3e1c83923e1cf1:0"
Server: Microsoft-IIS/8.0
VTag: 438466244800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Fri, 12 Dec 2014 15:34:54 GMT
Connection: keep-alive
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT
If-None-Match: "924558f3e994cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.5
VTag: 791936916300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Fri, 12 Dec 2014 15:34:54 GMT
Connection: keep-alive
<<< skipped >>>
GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com
HTTP/1.1 200 OK
Server: Apache
ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"
Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT
Date: Fri, 12 Dec 2014 15:37:52 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /MyPCBackup_Setup.exe HTTP/1.0
Host: cdn.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:14 GMT
Content-Type: application/octet-stream
Content-Length: 297672
Connection: close
x-amz-id-2: ITSfTeTXt7nuSaLoUJg24XmzZcO6StHVwLM5wJapi75duw8Sx8YDdBsZh0xfQyneSKJD7WgytLk=
x-amz-request-id: 3805B55A5D27E049
Last-Modified: Mon, 24 Nov 2014 22:28:10 GMT
ETag: "bcba8747ab53932f8613c006444078e9"
Server: NetDNA-cache/2.2
X-Cache: HIT
<<< skipped >>>
GET /mypcbackup.1.5.0.2.101.7z HTTP/1.0
Host: cdn.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:21 GMT
Content-Type: application/octet-stream
Content-Length: 4072385
Connection: close
x-amz-id-2: HzXvZ4/bLHecjygMyom4QXZKoRhUh gVTkEqw5S6J oE4njKp9Y6eyveAzc2F5Ay
x-amz-request-id: A1B26A84E547586F
Last-Modified: Tue, 25 Nov 2014 19:49:29 GMT
ETag: "dea41132628ea08c816693a67102fd48"
Server: NetDNA-cache/2.2
X-Cache: HIT
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=576514, public, no-transform, must-revalidate
Last-Modified: Fri, 12 Dec 2014 07:43:05 GMT
Expires: Fri, 19 Dec 2014 07:43:05 GMT
Date: Fri, 12 Dec 2014 15:37:52 GMT
Connection: keep-alive
<<< skipped >>>
GET /download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe HTTP/1.0
Host: download.microsoft.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.0 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 08 Aug 2008 21:48:10 GMT
Accept-Ranges: bytes
ETag: "df115773a0f9c81:0"
Server: Microsoft-IIS/8.0
Content-Disposition: attachment
Content-Length: 4961800
Date: Fri, 12 Dec 2014 15:34:15 GMT
Connection: close
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir/SSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW+VUAg= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=513594
Content-Type: application/ocsp-response
Date: Fri, 12 Dec 2014 15:34:36 GMT
Etag: "548ae9a7-1d7"
Expires: Fri, 19 Dec 2014 03:34:36 GMT
Last-Modified: Fri, 12 Dec 2014 13:12:07 GMT
Server: ECS (ams/D1BF)
X-Cache: HIT
Content-Length: 471
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt+lGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAyvGbEyaFTw/abLEQ3zC1w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=515208
Content-Type: application/ocsp-response
Date: Fri, 12 Dec 2014 15:34:36 GMT
Etag: "548af15f-1d7"
Expires: Fri, 19 Dec 2014 03:34:36 GMT
Last-Modified: Fri, 12 Dec 2014 13:45:03 GMT
Server: ECS (ams/D1C4)
X-Cache: HIT
Content-Length: 471
<<< skipped >>>
GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1
Host: download.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=0-299999
Connection: keep-alive
HTTP/1.1 206 Partial Content
Server: Apache
X-Backend-Server: ftp3.dmz.scl3.mozilla.com
Content-Type: application/octet-stream
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
ETag: "4b1e700-2dc5623-508c5f506dac8"
Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT
X-Cache-Info: cached
Cache-Control: max-age=298443
Expires: Tue, 16 Dec 2014 02:28:20 GMT
Date: Fri, 12 Dec 2014 15:34:17 GMT
Content-Range: bytes 0-299999/47994403
Content-Length: 300000
Connection: keep-alive
<<< skipped >>>
GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1
Host: download.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=300000-599999
If-Range: "4b1e700-2dc5623-508c5f506dac8"
Connection: keep-alive
HTTP/1.1 206 Partial Content
Server: Apache
X-Backend-Server: ftp3.dmz.scl3.mozilla.com
Content-Type: application/octet-stream
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
ETag: "4b1e700-2dc5623-508c5f506dac8"
Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT
X-Cache-Info: cached
Cache-Control: max-age=298381
Expires: Tue, 16 Dec 2014 02:28:20 GMT
Date: Fri, 12 Dec 2014 15:35:19 GMT
Content-Range: bytes 300000-599999/47994403
Content-Length: 300000
Connection: keep-alive
<<< skipped >>>
GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1
Host: download.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=600000-899999
If-Range: "4b1e700-2dc5623-508c5f506dac8"
Connection: keep-alive
HTTP/1.1 206 Partial Content
Server: Apache
X-Backend-Server: ftp3.dmz.scl3.mozilla.com
Content-Type: application/octet-stream
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
ETag: "4b1e700-2dc5623-508c5f506dac8"
Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT
X-Cache-Info: cached
Cache-Control: max-age=298321
Expires: Tue, 16 Dec 2014 02:28:20 GMT
Date: Fri, 12 Dec 2014 15:36:19 GMT
Content-Range: bytes 600000-899999/47994403
Content-Length: 300000
Connection: keep-alive
<<< skipped >>>
GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1
Host: download.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=900000-1199999
If-Range: "4b1e700-2dc5623-508c5f506dac8"
Connection: keep-alive
HTTP/1.1 206 Partial Content
Server: Apache
X-Backend-Server: ftp3.dmz.scl3.mozilla.com
Content-Type: application/octet-stream
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
ETag: "4b1e700-2dc5623-508c5f506dac8"
Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT
X-Cache-Info: cached
Cache-Control: max-age=298260
Expires: Tue, 16 Dec 2014 02:28:20 GMT
Date: Fri, 12 Dec 2014 15:37:20 GMT
Content-Range: bytes 900000-1199999/47994403
Content-Length: 300000
Connection: keep-alive
<<< skipped >>>
GET /js/jqueryslidemenu.js HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Last-Modified: Wed, 23 Feb 2011 06:28:48 GMT
Accept-Ranges: bytes
Content-Length: 2511
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/javascript
/*********************.//* jQuery Multi Level CSS Menu #2- By Dynamic Drive: hXXp://VVV.dynamicdrive.com/.//* Last update: Nov 7th, 08': Limit # of queued animations to minmize animation stuttering.//* Menu avaiable at DD CSS Library: hXXp://VVV.dynamicdrive.com/style/.*********************/..//Update: April 12th, 10: Fixed compat issue with jquery 1.4x..//Specify full URL to down and right arrow images (23 is padding-right to add to top level LIs with drop downs):.var arrowimages={down:['downarrowclass', '', 23], right:['rightarrowclass', '']}..var jqueryslidemenu={..animateduration: {over: 200, out: 100}, //duration of slide in/ out animation, in milliseconds..buildmenu:function(menuid, arrowsvar){..jQuery(document).ready(function($){...var $mainmenu=$("#" menuid ">ul")...var $headers=$mainmenu.find("ul").parent()...$headers.each(function(i){....var $curobj=$(this)....var $subul=$(this).find('ul:eq(0)')....this._dimensions={w:this.offsetWidth, h:this.offsetHeight, subulw:$subul.outerWidth(), subulh:$subul.outerHeight()}....this.istopheader=$curobj.parents("ul").length==1? true : false....$subul.css({top:this.istopheader? this._dimensions.h "px" : 0})....$curobj.children("a:eq(0)").css(this.istopheader? {paddingRight: arrowsvar.down[2]} : {}).append(.....'<img src="' (this.istopheader? arrowsvar.down[1] : arrowsvar.right[1])..... '" class="' (this.istopheader? arrowsvar.down[0] : arrowsvar.right[0])..... '" style="border:0;" />'....)....$curobj.hover(.....function(e){......var $targetul=$(this).ch
<<< skipped >>>
GET /js/cufon-yui.js HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Last-Modified: Sun, 04 Dec 2011 00:11:18 GMT
Accept-Ranges: bytes
Content-Length: 18258
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/javascript
/*. * Copyright (c) 2009 Simo Kinnunen.. * Licensed under the MIT license.. *. * @version 1.09i. */.var Cufon=(function(){var m=function(){return m.replace.apply(null,arguments)};var x=m.DOM={ready:(function(){var C=false,E={loaded:1,complete:1};var B=[],D=function(){if(C){return}C=true;for(var F;F=B.shift();F()){}};if(document.addEventListener){document.addEventListener("DOMContentLoaded",D,false);window.addEventListener("pageshow",D,false)}if(!window.opera&&document.readyState){(function(){E[document.readyState]?D():setTimeout(arguments.callee,10)})()}if(document.readyState&&document.createStyleSheet){(function(){try{document.body.doScroll("left");D()}catch(F){setTimeout(arguments.callee,1)}})()}q(window,"load",D);return function(F){if(!arguments.length){D()}else{C?F():B.push(F)}}})(),root:function(){return document.documentElement||document.body}};var n=m.CSS={Size:function(C,B){this.value=parseFloat(C);this.unit=String(C).match(/[a-z%]*$/)[0]||"px";this.convert=function(D){return D/B*this.value};this.convertFrom=function(D){return D/this.value*B};this.toString=function(){return this.value this.unit}},addClass:function(C,B){var D=C.className;C.className=D (D&&" ") B;return C},color:j(function(C){var B={};B.color=C.replace(/^rgba\((.*?),\s*([\d.] )\)/,function(E,D,F){B.opacity=parseFloat(F);return"rgb(" D ")"});return B}),fontStretch:j(function(B){if(typeof B=="number"){return B}if(/%$/.test(B)){return parseFloat(B)/100}return{"ultra-condensed":0.5,"extra-condensed":0.625,condensed:0.75,"semi-condensed":0.875
<<< skipped >>>
GET /css/jqueryslidemenu.css HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/css/style.css
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Last-Modified: Mon, 05 Dec 2011 01:41:00 GMT
Accept-Ranges: bytes
Content-Length: 2387
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/css
#myslidemenu {. width: 100%;.}..jqueryslidemenu{.}...jqueryslidemenu ul{. margin: 0 ;. padding: 0;. list-style-type: none;.}../*Top level list items*/..jqueryslidemenu ul li {. position: relative;. display: inline;. float: left;. z-index:999;. margin: 0 15px 5px 0;. padding-right: 10px;. /*background: url(../images/menudivider.png) top right no-repeat;*/.}./*Top level menu link items style*/..jqueryslidemenu ul li a {. font-size: 15px;. color: #2a92bd;. text-shadow: #ffffff 1px 1px;. font-family: "Lucida Grande", "Lucida Sans Unicode", Arial, Verdana, sans-serif;.}..jqueryslidemenu ul li.last {. margin-right: 0;. padding-right: 15px; . background: none;.}.* html .jqueryslidemenu ul li a{ /*IE6 hack to get sub menu links to behave correctly*/.display: inline-block;.}...jqueryslidemenu ul li a:link, .jqueryslidemenu ul li a:visited{ . color: #2a92bd;.}..jqueryslidemenu ul li a.selected {. color: #555555;.}..jqueryslidemenu ul li a:hover{. color: #555555;. text-decoration: none;.}.../*1st sub level menu*/..jqueryslidemenu ul li ul{. position: absolute;. left: 0;. display: block;. visibility: hidden;. padding-top: 13px;. z-index: 99999;. background: url(../images/topmenu.png) top left no-repeat;.}../*Sub level menu list items (undo style from Top level List Items)*/..jqueryslidemenu ul li ul li{. margin: 0;. padding: 0;. border: none;. z-index: 99999;. background-color: #fafafa;.}../*All subsequent sub menu levels vertical offset after 1st level sub menu */..jqueryslidemenu ul li
<<< skipped >>>
GET /images/sidebar-line.jpg HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/css/style.css
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:17 GMT
Server: Apache/2.2.29
Last-Modified: Tue, 02 Sep 2014 20:07:00 GMT
Accept-Ranges: bytes
Content-Length: 531
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: image/jpeg
<<< skipped >>>
GET /js/jquery.prettyPhoto.js HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Last-Modified: Thu, 25 Nov 2010 09:19:24 GMT
Accept-Ranges: bytes
Content-Length: 21810
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/javascript
/* ------------------------------------------------------------------------. * Class: prettyPhoto. * Use: Lightbox clone for jQuery. * Author: Stephane Caron (hXXp://VVV.no-margin-for-errors.com). * Version: 3.0.1. * ------------------------------------------------------------------------- */..(function($){$.prettyPhoto={version:'3.0'};$.fn.prettyPhoto=function(pp_settings){pp_settings=jQuery.extend({animation_speed:'fast',slideshow:false,autoplay_slideshow:false,opacity:0.80,show_title:true,allow_resize:true,default_width:500,default_height:344,counter_separator_label:'/',theme:'facebook',hideflash:false,wmode:'opaque',autoplay:true,modal:false,overlay_gallery:true,keyboard_shortcuts:true,changepicturecallback:function(){},callback:function(){},markup:'<div class="pp_pic_holder"> \. <div class="ppt"> </div> \. <div class="pp_top"> \. <div class="pp_left"></div> \. <div class="pp_middle"></div> \. <div class="pp_right"></div> \. </div> \. <div class="pp_content_container"> \. <div class="pp_left"> \. <div class="pp_right"> \. <div class="pp_content"> \. <div class="pp_loaderIcon"></div> \. <div class="pp_fade"> \. <a href="#" class="pp_expand" title="Expand the image">Expand</a> \. <div class="pp_hoverContainer"> \. <a class="pp_next" href="#">next</a> \. <a
<<< skipped >>>
GET /images/bg-header.png HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/css/style.css
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:17 GMT
Server: Apache/2.2.29
Last-Modified: Thu, 01 Dec 2011 09:34:00 GMT
Accept-Ranges: bytes
Content-Length: 2818
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/png
<<< skipped >>>
GET /js/jquery.js HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/installed.html?adm=1&fta=on&zs=on&mypc=on&v=20120419
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:16 GMT
Server: Apache/2.2.29
Last-Modified: Thu, 25 Nov 2010 09:17:04 GMT
Accept-Ranges: bytes
Content-Length: 78600
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/javascript
<<< skipped >>>
GET /images/topwrapper.png HTTP/1.1
Host: VVV.freemediaplayer.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: hXXp://VVV.freemediaplayer.net/css/style.css
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:34:17 GMT
Server: Apache/2.2.29
Last-Modified: Thu, 01 Dec 2011 09:34:34 GMT
Accept-Ranges: bytes
Content-Length: 5057
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/png
<<< skipped >>>
GET /?product=firefox-34.0.5-complete&os=win&lang=en-US HTTP/1.1
Host: download.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=0-299999
Cookie: optimizelySegments={"245617832":"none","245875585":"direct","245677587":"ff","246048108":"false","869421433":"true"}; optimizelyEndUserId=oeu1401956287616r0.2603029596469415; optimizelyBuckets={}; __utma=150903082.1617578787.1401956289.1401956289.1401956289.1
Connection: keep-alive
HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: bouncer2.webapp.phx1.mozilla.com
Cache-Control: max-age=60
Content-Type: text/html; charset=UTF-8
Date: Fri, 12 Dec 2014 15:34:16 GMT
Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar
Keep-Alive: timeout=3, max=500
Content-Length: 0
Connection: Keep-Alive
X-Cache-Info: cached
GET /install/win/1/live/net2 HTTP/1.0
Host: ep.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 302 Found
Date: Fri, 12 Dec 2014 15:34:21 GMT
Server: Apache
Set-Cookie: SESSID=5o7r34ot62bc5ipac9our9i7g7; path=/; domain=.backupgrid.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: hXXp://cdn.backupgrid.net/mypcbackup.1.5.0.2.101.7z
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BGWWW=3171957029.1.1047655536.117394240; path=/
GET /0ebf8ab7/D0wnloads/MyPCBackup_Setup.exe HTTP/1.0
Host: track.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 301 Moved Permanently
Date: Fri, 12 Dec 2014 15:34:13 GMT
Server: Apache
Set-Cookie: SESSID=u3vvf9pcicbte3vpudglsa67u0; path=/; domain=.mypcbackup.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LC_CURRENCY=US; expires=Mon, 22-Dec-2014 15:34:13 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Mon, 22-Dec-2014 15:34:13 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: LC_CURRENCY=US; expires=Mon, 22-Dec-2014 15:34:13 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Mon, 22-Dec-2014 15:34:13 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: 748a7624422584634822bd3a2bf604ae=6ed4d5c319bd2bb2f73b6f2aadac5196; expires=Sat, 11-Apr-2015 15:34:13 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: intc=1; expires=Sat, 13-Dec-2014 15:34:13 GMT; path=/; domain=.mypcbackup.com
P3P: CP="We do not have a P3P policy"
location: hXXp://cdn.mypcbackup.com/MyPCBackup_Setup.exe
Set-Cookie: aff_id=62639; expires=Tue, 13-Jan-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hop_name=62639; expires=Tue, 13-Jan-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hop_id=88621; expires=Tue, 13-Jan-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hash=8bc87423cceb4e406cf46fbe94f33f2c; expires=Tue, 13-Jan-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: tid=D0wnloads; expires=Tue, 13-Jan-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: 0ebf8ab7unique=true; expires=Thu, 12-Mar-2015 15:34:13 GMT; path=/; domain=mypcbackup.com
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: MPBWWW=3171957029.1.1047620528.117384224; path=/
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRtl6lMY2+iPob4twryIF+FfgUdvwQUK8NGq7oOyWUqRtF5R8Ri4uHa/LgCEBBwnU/1VAjXMGAB2OqRdbs= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2014 15:38:00 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Fri, 12 Dec 2014 03:13:37 GMT
Expires: Tue, 16 Dec 2014 03:13:37 GMT
ETag: 88AA22A36C9E9428A79B665B930D01ADC1CB423E
Cache-Control: max-age=300336,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: h6edcaocsp4
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=445778, public, no-transform, must-revalidate
Last-Modified: Wed, 10 Dec 2014 19:23:09 GMT
Expires: Wed, 17 Dec 2014 19:23:09 GMT
Date: Fri, 12 Dec 2014 15:37:51 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=405531, public, no-transform, must-revalidate
Last-Modified: Wed, 10 Dec 2014 08:12:45 GMT
Expires: Wed, 17 Dec 2014 08:12:45 GMT
Date: Fri, 12 Dec 2014 15:37:51 GMT
Connection: keep-alive
<<< skipped >>>
POST /ocsp HTTP/1.1
Host: clients1.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 107
Content-Type: application/ocsp-request
Connection: keep-alive
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Fri, 12 Dec 2014 15:36:39 GMT
Expires: Tue, 16 Dec 2014 15:36:39 GMT
Cache-Control: public, max-age=345600
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=450202, public, no-transform, must-revalidate
Last-Modified: Wed, 10 Dec 2014 20:37:53 GMT
Expires: Wed, 17 Dec 2014 20:37:53 GMT
Date: Fri, 12 Dec 2014 15:37:54 GMT
Connection: keep-alive
<<< skipped >>>
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
singleZenSearch.exe_928:
.text
`.rdata
@.data
.rsrc
@.reloc
D$@j.Xf
j.Xf9
<:>
t8Ht.HHt#
#t.Ht
.RRhH
2 34 567
SSShe
u.WWS
[j.XPV
j.Yf;
t>j.Xf9
_tcPVj@
.PjRW
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
' or keyword='
delete from keywords where short_name='
insert into keywords (short_name, keyword, favicon_url, url, show_in_default_list, safe_for_autoreplace, input_encodings) values("
insert into meta(key,value) values('Default Search Provider ID',
SELECT id FROM keywords where short_name='
delete from keywords where id=
SELECT min(id) id FROM keywords
where key='Default Search Provider ID'
chrome_url_overrides
SELECT k.id, k.short_name, k.keyword, k.url, k.favicon_url FROM keywords k INNER JOIN meta m ON m.value=k.id WHERE m.key='Default Search Provider ID' LIMIT 1
webRequest
webRequestInternal
extensions.known_disabled
from_webstore
insert into locale(name,description,creator,homepageURL) values('
select seq from SQLITE_SEQUENCE where name='locale'
insert into addon (pendingUninstall,type,visible,active,userDisabled,appDisabled,installDate,updateDate,applyBackgroundUpdates,softDisabled,id,location,descriptor,defaultLocale) values ('0','extension','1','1','0','0',strftime('%s'), strftime('%s'),'1','0','
{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
.addons
extensions.installCache
updateURL
updateKey
optionsURL
aboutURL
iconURL
icon64URL
homepageURL
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
user_pref("browser.search.selectedEngine", "
Line %d, Column %d
-echo print commands before execution
-version show SQLite version
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
3.7.8
CREATE TEMP TABLE sqlite_temp_master(
inflate 1.1.3 Copyright 1995-1998 Mark Adler
sqlite_sequence
sqlite_stat1
sqlite_
sqlite_master
sqlite_temp_master
iskeyword
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjX
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot %s savepoint - SQL statements in progress
cannot rollback transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_parent
%s OR name=%Q
type='trigger' AND (%s)
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl, idx, stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
sqlite_detach
sqlite_attach
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat2
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
DELETE FROM %s.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
indexed columns are not unique
table %s may not be indexed
table %s may not be indexed
views may not be indexed
views may not be indexed
virtual tables may not be indexed
virtual tables may not be indexed
there is already a table named %s
there is already a table named %s
index %s already exists
index %s already exists
sqlite_autoindex_%s_%d
sqlite_autoindex_%s_%d
table %s has no column named %s
table %s has no column named %s
CREATE%s INDEX %.*s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
a JOIN clause is required before %s
unable to identify the object to be reindexed
unable to identify the object to be reindexed
table %s may not be modified
table %s may not be modified
cannot modify %s because it is a view
cannot modify %s because it is a view
sqlite_version
sqlite_version
sqlite_source_id
sqlite_source_id
sqlite_log
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_used
sqlite_compileoption_get
sqlite_compileoption_get
foreign key mismatch
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
PRIMARY KEY must be unique
sqlite3_extension_init
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_keys
foreign_key_list
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s.%s
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_subquery_%p_
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s TABLE %s
%s AS %s
%s USING %s%sINDEX%s%s%s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid>? AND rowid)
%s (rowid>?)
%s (rowid)
%s VIRTUAL TABLE INDEX %d:%s
%s (~%lld rows)
at most %d tables in a join
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
C:\projects\git\git.zensearch\ZenSearch.20131230\installers\_ZenSearch\single_installer\Release\singleZenSearch.pdb
KERNEL32.dll
USER32.dll
RegOpenKeyW
RegDeleteKeyW
RegCloseKey
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
ShellExecuteExW
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHCopyKeyW
SHDeleteKeyW
SHLWAPI.dll
URLDownloadToCacheFileW
urlmon.dll
PSAPI.DLL
GetProcessHeap
GetCPInfo
.?AVCChromeExtension@@
.timer ON|OFF Turn the CPU timer measurement on or off
.backup ?DB? FILE Backup DB (default "main") to FILE
.bail ON|OFF Stop after hitting an error. Default OFF
.databases List names and files of attached databases
.dump ?TABLE? ... Dump the database in an SQL text format
.echo ON|OFF Turn command echo on or off
.exit Exit this program
.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.
.header(s) ON|OFF Turn display of headers on or off
.help Show this message
.import FILE TABLE Import data from FILE into TABLE
.indices ?TABLE? Show names of all indices
.load FILE ?ENTRY? Load an extension library
.log FILE|off Turn logging on or off. FILE can be stderr/stdout
.mode MODE ?TABLE? Set output mode where MODE is one of:
column Left-aligned columns. (See .width)
insert SQL insert statements for TABLE
list Values delimited by .separator string
.nullvalue STRING Print STRING in place of NULL values
.output FILENAME Send output to FILENAME
.output stdout Send output to the screen
.prompt MAIN CONTINUE Replace the standard prompts
.quit Exit this program
.read FILENAME Execute SQL in FILENAME
.restore ?DB? FILE Restore content of DB (default "main") from FILE
.schema ?TABLE? Show the CREATE statements
.separator STRING Change separator used by output mode and .import
.show Show the current values for various settings
.stats ON|OFF Turn stats on or off
.tables ?TABLE? List names of tables
.timeout MS Try opening locked tables for MS milliseconds
.width NUM1 NUM2 ... Set column widths for "column" mode
IEStart.exe
IEStart_x64.exe
IEWrap.dll
IEWrap_x64.dll
IeZenSearch.dll
IeZenSearch_x64.dll
ZenSearch.xml
ZenSearch@ZenSearch.com/PK
ZenSearch@ZenSearch.com/chrome.manifest
ZenSearch@ZenSearch.com/content/PK
ZenSearch@ZenSearch.com/content/browserOverlay.xul
ZenSearch@ZenSearch.com/content/browserUtil.js
ZenSearch@ZenSearch.com/content/jquery-1.9.1.min.js
ZenSearch@ZenSearch.com/content/locale.js
ZenSearch@ZenSearch.com/content/log.js
ZenSearch@ZenSearch.com/content/main.js
ZenSearch@ZenSearch.com/content/newTab/PK
ZenSearch@ZenSearch.com/content/newTab/images/PK
ZenSearch@ZenSearch.com/content/newTab/images/btn-search2.png
ZenSearch@ZenSearch.com/content/newTab/images/input-430.png
ZenSearch@ZenSearch.com/content/newTab/images/sprs.png$
ZenSearch@ZenSearch.com/content/newTab/images/zensearch.png
ZenSearch@ZenSearch.com/content/newTab/newTab.html
ZenSearch@ZenSearch.com/content/newTab/newTab.js
ZenSearch@ZenSearch.com/content/newTab/newTab.xulM
ZenSearch@ZenSearch.com/content/searchControl/PK
ZenSearch@ZenSearch.com/content/searchControl/css/PK
ZenSearch@ZenSearch.com/content/searchControl/css/searchControl.css
ZenSearch@ZenSearch.com/content/searchControl/images/PK
ZenSearch@ZenSearch.com/content/searchControl/images/small_arrow.png
ZenSearch@ZenSearch.com/content/searchControl/images/zenSearch.ico
ZenSearch@ZenSearch.com/content/searchControl/searchControl.js
ZenSearch@ZenSearch.com/content/searchControl/searchControl.xul
ZenSearch@ZenSearch.com/content/settings.js
ZenSearch@ZenSearch.com/content/_prsys/PK
ZenSearch@ZenSearch.com/content/_prsys/activity.js
ZenSearch@ZenSearch.com/content/_prsys/product.js
ZenSearch@ZenSearch.com/content/_prsys/prsys.xulm
ZenSearch@ZenSearch.com/content/_prsys/testPrsys.js
ZenSearch@ZenSearch.com/install.rdfu
ZenSearch@ZenSearch.com/locale/PK
ZenSearch@ZenSearch.com/locale/en-US/PK
ZenSearch@ZenSearch.com/locale/en-US/searchbar.dtd]
ZenSearch@ZenSearch.com/locale/en-US/zensearch.propertiesnewtabLabel=ZenSearchPK
ZenSearch@ZenSearch.com/locale/ru/PK
ZenSearch@ZenSearch.com/locale/ru/searchbar.dtd]
ZenSearch@ZenSearch.com/locale/ru/zensearch.propertiesnewtabLabel=ZenSearchPK
ZenSearch/css/readme.txtDirectory for the extension css filesPK
ZenSearch/html/background.html
ZenSearch/html/newTab.html
ZenSearch/images/icons/readme.txtDirectory for the extension iconsPK
ZenSearch/images/newtab_icons/btn-search2.png
ZenSearch/images/newtab_icons/input-430.png
ZenSearch/images/newtab_icons/sprs.png$
ZenSearch/images/newtab_icons/zensearch.png
ZenSearch/js/browser_util.js
ZenSearch/js/jquery-1.9.1.min.js
ZenSearch/js/jquery.min.map
ZenSearch/js/log.js
ZenSearch/js/main.jsuRMo
ZenSearch/js/_prsys/activity.js
ZenSearch/js/_prsys/product.js
ZenSearch/js/_prsys/testPrsys.js
ZenSearch/manifest.jsoneP]o
ZenSearch/settings/settings.js
ZenSearch@ZenSearch.com/
ZenSearch@ZenSearch.com/content/
ZenSearch@ZenSearch.com/content/newTab/
ZenSearch@ZenSearch.com/content/newTab/images/
ZenSearch@ZenSearch.com/content/newTab/images/sprs.png
ZenSearch@ZenSearch.com/content/newTab/newTab.xul
ZenSearch@ZenSearch.com/content/searchControl/
ZenSearch@ZenSearch.com/content/searchControl/css/
ZenSearch@ZenSearch.com/content/searchControl/images/
ZenSearch@ZenSearch.com/content/_prsys/
ZenSearch@ZenSearch.com/content/_prsys/prsys.xul
ZenSearch@ZenSearch.com/install.rdf
ZenSearch@ZenSearch.com/locale/
ZenSearch@ZenSearch.com/locale/en-US/
ZenSearch@ZenSearch.com/locale/en-US/searchbar.dtd
ZenSearch@ZenSearch.com/locale/en-US/zensearch.properties
ZenSearch@ZenSearch.com/locale/ru/
ZenSearch@ZenSearch.com/locale/ru/searchbar.dtd
ZenSearch@ZenSearch.com/locale/ru/zensearch.properties
ZenSearch/css/readme.txt
ZenSearch/images/icons/readme.txt
ZenSearch/images/newtab_icons/sprs.png
ZenSearch/js/main.js
ZenSearch/manifest.json
mscoree.dll
kernel32.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
portuguese-brazilian
Google\Chrome\User Data\Local State
dchrome://newtab
Web Data
nmanifest.json
Software\Google\Chrome\Extensions
em:homepageURL
install.rdf
extensions.sqlite
extensions.ini
q\extensions.json
sSoftware\Mozilla\Firefox
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
regsvr32.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext
Software\Microsoft\Windows\CurrentVersion\Ext\Settings
Firefox
Mozilla
profiles.ini
prefs.js
%s\%s\%s%s
search.json
%s\%s\%s
user_pref("%s", "%s");
user_pref("%s", %u);
user_pref("%s", %s);
SOFTWARE\Mozilla\Mozilla Firefox
%s\%s
FaviconURLFallback
SuggestionsURLFallback
TopResultURLFallback
777705555443332
5555443332
Chrome
WebData
%s%s%i
http\shell\open\command
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\%s
%s%s%s
{EC740D8D-BAA6-4BAF-9183-2406AB943D3A}
\content\_prsys\product.js
\content\settings.js
browser.newtab.url
browser.startup.page
browser.startup.homepage
\js\_prsys\product.js
chrome://newtab/
.extensions.chrome_url_overrides.newtab
ZenSearch@ZenSearch.com
browser.search.selectedEngine
browser.search.defaultenginename
firefox.exe
chrome.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZenSearch
hXXp://zensearch.com/
URLInfoAbout
URLUpdateInfo
uninstall000.exe
firefox
chrome
{0001612C-7A4C-413E-AE24-A0533160057F}
hXXp://VVV.zensearch.com/?q={searchTerms}
{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
hXXp://VVV.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR
hXXp://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}
hXXp://VVV.bing.com/favicon.ico
hXXp://VVV.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
hXXp://zensearch.com/_searchbar/api/report?
iexplore.exe
{E34DF4AF-06FF-46E9-9183-865A9B4466E9}
\resources.zip
resources.zip
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
singleZenSearchUpdater.exe
singleZenSearch.exe
ZenSearch.bat
ping 1.1.1.1 -n 1 -w 1500 > nul
del "%s"
rmdir "%s"
%s_%i
%u|%s|%s|%u
.homepage
.homepage_is_newtabpage
.session.restore_on_startup
.session.restore_on_startup_migrated
UPDATE meta SET value=%s where key='Default Search Provider ID'
%s%s\%s\%s
%u|%[^|]|%[^|]|%u
\uninstall.exe
npapi.dll
Uninstall requires closing all browser windows.
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ZenSearch\singleZenSearch.exe
firefox.exe_1752:
.text
`.rdata
@.data
.rsrc
@.reloc
hXXps://crash-reports.mozilla.com/submit?id={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&version=29.0.1&buildid=20140506152807
{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
20140506152807
29.0.1
Firefox
Mozilla
Couldn't read application.ini
Couldn't set %s.
XUL_APP_FILE=%s
application.ini path not recognized: '%s'
Incorrect number of arguments passed to -app
Invalid path found: '%s'
Could not find the Mozilla runtime.
xul.dll
.gtest
dependentlibs.list
\dependentlibs.list
c:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\obj-firefox\browser\app\firefox.pdb
KERNEL32.dll
_amsg_exit
MSVCR100.dll
mozglue.dll
_crt_debugger_hook
version="1.0.0.0"
name="Firefox"
Firefox
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Wuser32.dll
kernel32.dll
Firefox and Mozilla Developers; available under the MPL 2 license.
Mozilla Corporation
Firefox is a Trademark of The Mozilla Foundation.
firefox.exe
firefox.exe_1752_rwx_24090000_00010000:
cRtL