Trojan.GenericKD.1949042_89e0913ade – Adaware

Trojan-Downloader.Win32.Genome.kfmh (Kaspersky), Trojan.GenericKD.1949042 (AdAware), Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 89e0913adeecdd75df30124d88706ccb

SHA1: 572e09f091ae7efa88bb97b336ec5c8a5da0901f

SHA256: c211a115953e9f04de6b412bcd852a1af0399699d3c62682b9f44782f58f7545

SSDeep: 768:H24gVhXXOHDYCoaBXcrhTnmI0tSda/qA/Nx/MgyxCc PnW/HC2dNze0JjJ2uUSsh:HcgjYCnXsALqoP/k0PnW/HC22YJGTjYU

Size: 61499 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Popeler

Created at: 2014-07-27 00:58:31

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

PCSpeedUp.exe:1792
taskkill.exe:1044
taskkill.exe:1772
taskkill.exe:1628
taskkill.exe:456
taskkill.exe:228
taskkill.exe:1888
taskkill.exe:1032
taskkill.exe:1656
taskkill.exe:424
MSI87.tmp:444
install.exe:664
PCSUService.exe:340
PCSUService.exe:532
PCSpeedUp.tmp:1508
Silverlight.exe:1476
coregen.exe:832
coregen.exe:204
coregen.exe:1060
coregen.exe:1156
coregen.exe:1064
coregen.exe:1276
coregen.exe:588
coregen.exe:1352
coregen.exe:1464
coregen.exe:240
PCSULauncher.exe:1664
MsiExec.exe:1788
sllauncher.exe:336
regsvr32.exe:1744
regsvr32.exe:536
PCSUSD.exe:752
PCSUSD.exe:640
%original file name%.exe:468
mscorsvw.exe:1912
PCSUNotifier.exe:1164
PCSUNotifier.exe:1772
PCSUNotifier.exe:1060
PCSUNotifier.exe:864
PCSUNotifier.exe:736
PCSUNotifier.exe:1756

The Trojan injects its code into the following process(es):

sllauncher.exe:632
PCSUQuickScan.exe:2668

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process PCSpeedUp.exe:1792 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-0VNA0.tmp\PCSpeedUp.tmp (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-0VNA0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0VNA0.tmp\PCSpeedUp.tmp (0 bytes)

The process install.exe:664 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\c575b8170f28869a833ee80321b1\Silverlight.msp (149529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Silverlight0.log (6424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SilverlightMSI.log (94845 bytes)

The Trojan deletes the following file(s):

C:\c575b8170f28869a833ee80321b1\Silverlight.msp (0 bytes)

The process PCSUService.exe:340 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\PC Speed Up\PCSUService-Timer.log (58 bytes)
%Program Files%\PC Speed Up\PCSUService.log (708958 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db (1040924 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (2213480 bytes)

The Trojan deletes the following file(s):

%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (0 bytes)

The process PCSUService.exe:532 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\PC Speed Up\PCSpeedUp.s3db (13272 bytes)
%Program Files%\PC Speed Up\PCSUService.log (523 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (27928 bytes)

The Trojan deletes the following file(s):

%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (0 bytes)

The process PCSpeedUp.tmp:1508 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-MT0V4.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-V0L2Q.tmp (4 bytes)
%Program Files%\PC Speed Up\unins000.msg (864 bytes)
%Program Files%\PC Speed Up\is-TASLC.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PCSUNotifier.exe (2105 bytes)
%Program Files%\PC Speed Up\is-8N8LB.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PopupNotification.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-NE98B.tmp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-L177B.tmp (7 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Speed Up\Uninstall PC Speed Up.lnk (715 bytes)
%Program Files%\PC Speed Up\is-VM1SV.tmp (1425 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Speed Up\PC Speed Up.lnk (735 bytes)
%Documents and Settings%\%current user%\Desktop\PC Speed Up.lnk (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\itdownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp (4 bytes)
%Program Files%\PC Speed Up\is-LIRCS.tmp (601 bytes)
%Program Files%\PC Speed Up\is-E9A56.tmp (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Silverlight.exe (1526144 bytes)
%Program Files%\PC Speed Up\is-EQ1MK.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-8F289.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Sqlite3.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_link.txt (13 bytes)
%Program Files%\PC Speed Up\is-2JPPF.tmp (2105 bytes)
%Program Files%\PC Speed Up\unins000.dat (50325 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-BU0HK.tmp (5 bytes)
%Program Files%\PC Speed Up\is-JOC2L.tmp (4185 bytes)
%Program Files%\PC Speed Up\is-LIUB1.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_reportInstall.txt (8 bytes)
%Program Files%\PC Speed Up\is-QQIDO.tmp (31891 bytes)
%Program Files%\PC Speed Up\is-SFCGG.tmp (2321 bytes)
%Program Files%\PC Speed Up\is-V6O7K.tmp (2321 bytes)
%Program Files%\PC Speed Up\App.config (4199 bytes)
%Program Files%\PC Speed Up\is-D44GU.tmp (3361 bytes)
%Program Files%\PC Speed Up\PCSUService.conf (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-2LMEU.tmp (53142 bytes)
%Program Files%\PC Speed Up\is-P9DQG.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\WebBrowser.dll (2321 bytes)
%Program Files%\PC Speed Up\is-GE08A.tmp (601 bytes)
%Program Files%\PC Speed Up\uninstaller.dat (673 bytes)
%Program Files%\PC Speed Up\is-7RHIK.tmp (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup Log 2014-10-30 #001.txt (477286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-5HERK.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\PC Speed Up\is-G763Q.tmp (40 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_installOffer.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_link.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Sqlite3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\WebBrowser.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_reportInstall.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PopupNotification.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PCSUNotifier.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Silverlight.exe (0 bytes)

The process Silverlight.exe:1476 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\c575b8170f28869a833ee80321b1 (4 bytes)
C:\c575b8170f28869a833ee80321b1\install.exe (2961 bytes)
C:\c575b8170f28869a833ee80321b1\$shtdwn$.req (788 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.msi (973 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.7z (92550 bytes)
C:\c575b8170f28869a833ee80321b1\install.res.dll (5848 bytes)

The Trojan deletes the following file(s):

C:\c575b8170f28869a833ee80321b1\install.exe (0 bytes)
C:\_665281_ (0 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.msi (0 bytes)
C:\c575b8170f28869a833ee80321b1 (0 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.7z (0 bytes)
C:\c575b8170f28869a833ee80321b1\install.res.dll (0 bytes)

The process coregen.exe:832 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\mscorlib.ni.dll (656923 bytes)

The process coregen.exe:204 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ni.dll (77425 bytes)

The process coregen.exe:1060 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Xml.ni.dll (100641 bytes)

The process coregen.exe:1156 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Windows.ni.dll (425332 bytes)

The process coregen.exe:1064 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.Web.ni.dll (16757 bytes)

The process coregen.exe:1276 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Net.ni.dll (75293 bytes)

The process coregen.exe:588 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Core.ni.dll (244582 bytes)

The process coregen.exe:1352 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.ni.dll (141274 bytes)

The process coregen.exe:1464 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Windows.Browser.ni.dll (45897 bytes)

The process coregen.exe:240 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Runtime.Serialization.ni.dll (112277 bytes)

The process sllauncher.exe:632 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\PCSpeedUp\App.log (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qs_limit[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)

The process PCSUSD.exe:752 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\PC Speed Up\PCSpeedUp.s3db (14350 bytes)
%WinDir%\Tasks\PC SpeedUp Service Deactivator.job (312 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (6982 bytes)

The Trojan deletes the following file(s):

%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (0 bytes)

The process %original file name%.exe:468 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc7F.tmp (2100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pcspeedup[1].exe (354400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc80.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PCSpeedUp\PCSpeedUp.exe (354400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PCSpeedUp\PCSpeedUp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc80.tmp\inetc.dll (0 bytes)

Registry activity

The process PCSpeedUp.exe:1792 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E A4 1D 05 82 E3 23 BE 9C EB 4A 90 A5 97 E5 5B"

The process taskkill.exe:1044 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 36 29 23 17 1A 20 06 60 D7 1A 06 25 AA 1A DA"

The process taskkill.exe:1772 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 AB 7B 47 1C AC 8B 7B E9 81 E1 25 11 6A 25 E7"

The process taskkill.exe:1628 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 DF 46 80 B3 E3 EB 61 FC 7B D7 89 19 DE C1 F5"

The process taskkill.exe:456 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 C0 1D 65 0C BB 7B 58 6E CA 62 A2 D6 F2 03 A8"

The process taskkill.exe:228 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 B1 0A A7 A7 1E 57 9D 67 16 55 0E 06 76 71 3D"

The process taskkill.exe:1888 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 BB C4 FB 98 FA FD 24 D9 D3 3A 28 70 09 49 AE"

The process taskkill.exe:1032 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 4C FC BF 0E C0 F7 74 33 90 8B D2 FB 6D AD C1"

The process taskkill.exe:1656 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 41 6D E8 85 54 8D 6E 63 61 42 D5 72 47 48 7B"

The process taskkill.exe:424 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B CA D9 76 1B 50 99 AE D2 FB 55 90 FF 2E 87 74"

The process MSI87.tmp:444 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 0F 51 0E 8C 32 78 39 F2 C0 62 B5 6F 0D 70 E4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Microsoft Silverlight\4.0.60310.0]
"coregen.exe" = "Microsoft Common Language Runtime native compiler"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process install.exe:664 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 F4 3E 43 B9 FA A2 16 2E 2A 20 AA 94 38 72 07"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPRemoveSignedDataMsg"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPVerifyIndirectData"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPGetSignedDataMsg"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPPutSignedDataMsg"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_IsFileSupportedName"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPCreateIndirectData"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process PCSUService.exe:340 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 4E 07 8B 36 18 83 45 5D 6A 03 0E 83 AB BD E0"

The process PCSUService.exe:532 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 BE B7 05 67 99 21 02 56 6A 92 31 6F 13 DF 61"

The process PCSpeedUp.tmp:1508 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: Icon Group" = "PC Speed Up"
"MajorVersion" = "3"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"RequestID" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"QuietUninstallString" = "%Program Files%\PC Speed Up\unins000.exe /SILENT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"ApplicationPath" = "%Program Files%\PC Speed Up"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayName" = "PC Speed Up"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayIcon" = "%Program Files%\PC Speed Up\Icon.ico"
"Inno Setup: App Path" = "%Program Files%\PC Speed Up"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"UniqueID" = "08C4552D-D8DB-4386-8CE7-723FB995F06A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: User" = "%CurrentUserName%"
"InstallLocation" = "%Program Files%\PC Speed Up\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: Language" = "uk"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\i8042prt\Parameters]
"CrashOnCtrlScroll" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Speedchecker Limited\PC Speed Up]
"UniqueID" = "08C4552D-D8DB-4386-8CE7-723FB995F06A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"InstallDate" = "20141030"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"InstallDate" = "20141030"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"UninstallString" = "%Program Files%\PC Speed Up\unins000.exe"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"CountryCode" = "uk"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"Uninstaller" = "%Program Files%\PC Speed Up\unins000.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"MinorVersion" = "7"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"AVList" = "&av=300"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"NoModify" = "1"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"keyword" = ""
"CampaignID" = "ppi_2712_installer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Publisher" = "Speedchecker Limited"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 B8 10 07 48 BB 4A 78 75 F9 4B 0B CF C5 FC F6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayVersion" = "3.7.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"NoRepair" = "1"

[HKLM\System\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"CrashDumpEnabled" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"Installer" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\PCSpeedUp\pcsu_ppi_2712_installer_.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"URLInfoAbout" = "http://www.pcspeedup.com"
"Inno Setup: Setup Version" = "5.4.3 (u)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\System\CurrentControlSet\Services\PCSUService]
"Group" = "UIGroup"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"affid" = "2712"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"PCSpeedUp" = "%Program Files%\PC Speed Up\PCSUNotifier.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Silverlight.exe:1476 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 AC D0 88 CC 4D D8 80 03 3A 71 B8 D6 D5 DF B8"

The process coregen.exe:832 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 EC 19 65 81 2B 01 19 D0 95 85 B3 41 50 8E F4"

The process coregen.exe:204 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 10 47 D6 83 78 A1 DE 2B BE 55 E2 8A 80 28 B2"

The process coregen.exe:1060 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 9E 0B 38 CB 2B 92 A0 DE CA E2 EA 84 CB ED EE"

The process coregen.exe:1156 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 BC 44 03 3E 66 B4 30 0C 03 8A EB 72 3B 85 1D"

The process coregen.exe:1064 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 F0 A4 D1 6C 6E 13 EE 4D 46 76 C9 DF 46 56 86"

The process coregen.exe:1276 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 63 46 8E F3 36 58 04 BE 9F 25 71 9C 94 29 54"

The process coregen.exe:588 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 DF F7 13 6E 9D 98 44 66 4C 99 AA 7A 6B D3 19"

The process coregen.exe:1352 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF BD F9 9B 99 CC E0 FF 3C 15 15 E2 7D FB 63 E0"

The process coregen.exe:1464 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 D7 15 86 FA F4 FE 97 FC F7 9C D8 33 90 32 AA"

The process coregen.exe:240 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 F3 7C 62 3D 0E CA B4 78 2C EF 2C BD D4 00 6D"

The process PCSULauncher.exe:1664 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 E9 73 37 F3 D4 1C 14 9C 0A 4B AF 83 8B BB 70"

The process MsiExec.exe:1788 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B B9 13 54 82 AC F6 25 E2 3E 95 48 31 68 36 FB"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPRemoveSignedDataMsg"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPVerifyIndirectData"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPGetSignedDataMsg"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\PlayReady]
"DataPath" = "%Documents and Settings%\All Users\Application Data\Microsoft\PlayReady"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPPutSignedDataMsg"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_IsFileSupportedName"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPCreateIndirectData"

The process sllauncher.exe:632 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014103020141031]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Type" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Count" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014103020141031]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Type" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Time" = "DE 07 0A 00 04 00 1E 00 0B 00 21 00 2B 00 E7 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Time" = "DE 07 0A 00 04 00 1E 00 0B 00 21 00 2B 00 B8 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Count" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014103020141031]
"CachePrefix" = ":2014103020141031:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216" = "My Computer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DFEAF541-F3E1-4C24-ACAC-99C30715084A}\iexplore]
"Type" = "1"
"Time" = "DE 07 0A 00 04 00 1E 00 0B 00 22 00 22 00 58 03"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 A3 9C 31 6E 0E F8 4B 9F EA AB 8F 19 C2 89 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014103020141031]
"CacheLimit" = "8192"
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014103020141031\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DFEAF541-F3E1-4C24-ACAC-99C30715084A}\iexplore]
"Count" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sllauncher.exe:336 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 0B AE 10 B9 2B 5D 02 93 A4 3E 35 D3 CD 31 D3"

The process regsvr32.exe:1744 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B D8 E4 36 CE BD 65 39 6F 8A 09 95 F9 A7 BA 14"

The process regsvr32.exe:536 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0]
"(Default)" = "PCSUHelperLib"

[HKCR\PCSU.Registry]
"(Default)" = "RegistryHelper Class"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\ProgID]
"(Default)" = "PCSU.Registry.1"

[HKCR\PCSU.SysUtils.1\CLSID]
"(Default)" = "{B89F5C49-51DB-4974-AB5A-E25901AA339C}"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}]
"(Default)" = "IRegistryHelper"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PC Speed Up"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}]
"(Default)" = "ISysUtils"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\0\win32]
"(Default)" = "%Program Files%\PC Speed Up\PCSUHelper.dll"

[HKCR\PCSU.SysUtils\CurVer]
"(Default)" = "PCSU.SysUtils.1"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}]
"(Default)" = "SysUtils Class"

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\PCSU.SysUtils.1]
"(Default)" = "SysUtils Class"

[HKCR\PCSU.SysUtils]
"(Default)" = "SysUtils Class"

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}]
"(Default)" = "RegistryHelper Class"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\PCSU.Registry\CurVer]
"(Default)" = "PCSU.Registry.1"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\InprocServer32]
"(Default)" = "%Program Files%\PC Speed Up\PCSUHelper.dll"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\ProgID]
"(Default)" = "PCSU.SysUtils.1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 CD 47 0E A1 81 D3 BA 7E D7 5B 07 BB 7B 90 CD"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\InprocServer32]
"(Default)" = "%Program Files%\PC Speed Up\PCSUHelper.dll"

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\VersionIndependentProgID]
"(Default)" = "PCSU.Registry"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PCSU.Registry.1\CLSID]
"(Default)" = "{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}"

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\VersionIndependentProgID]
"(Default)" = "PCSU.SysUtils"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\PCSU.Registry.1]
"(Default)" = "RegistryHelper Class"

The process PCSUSD.exe:752 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB F1 AA 53 39 6E C3 22 82 17 5B 47 C1 7B 34 95"

The process PCSUSD.exe:640 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 5F 22 43 29 C8 2E DA 38 80 DB 70 A5 80 AF D3"

The process %original file name%.exe:468 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 01 40 FE BE EF B1 6E 2F 6F 30 67 72 F6 7F 76"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process mscorsvw.exe:1912 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

The process PCSUNotifier.exe:1164 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 FE 33 A8 C4 5B 0F 90 D2 94 3B E3 0F 6B 03 2D"

The process PCSUNotifier.exe:1772 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED AD F0 5B 9C CD 3A 49 6A 48 62 8A 91 CC 3E 54"

The process PCSUNotifier.exe:1060 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB C7 90 76 AE 64 3D 09 3E 60 58 32 9E 5C FC 51"

The process PCSUNotifier.exe:864 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD BD 30 F5 F3 2D C4 D1 73 33 EA 04 24 14 1F 77"

The process PCSUNotifier.exe:736 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 8F FD 74 05 C9 4B 59 20 DD 54 42 F5 43 D8 E4"

The process PCSUNotifier.exe:1756 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 9D AE DE C0 E4 70 59 75 BE 6F 04 E3 BF 45 48"

Dropped PE files

MD5	File path
13fdc3c91e53f49981e570ca1ae18c50	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\PCSpeedUp\PCSpeedUp.exe
3b7b22df6043964089a2a7ef4eab5ea9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-0VNA0.tmp\PCSpeedUp.tmp
5b98f3dc538562555101a796433ccdad	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-F53P8.tmp\PCSUNotifier.exe
e881e7df65cd92ea25fa6bb9fbb5fb5f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-F53P8.tmp\PopupNotification.dll
9cabb0d216e5502addb80756fa2f046c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-F53P8.tmp\Silverlight.exe
a7e8090522fd160ca308507a651e720c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-F53P8.tmp\Sqlite3.dll
1919e1c9aa2e6a10e897a8b3a56da636	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-F53P8.tmp\WebBrowser.dll
92dc6ef532fbb4a5c3201469a5b5eb63	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-F53P8.tmp\_isetup\_shfoldr.dll
d82a429efd885ca0f324dd92afb6b7b8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-F53P8.tmp\itdownload.dll
1fc1fbb2c7a14b7901fc9abbd6dbef10	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsc80.tmp\inetc.dll
13fdc3c91e53f49981e570ca1ae18c50	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pcspeedup[1].exe
dda7e7403991c4f2a2a2b245ad855319	c:\Program Files\Microsoft Silverlight\4.0.60310.0\Microsoft.VisualBasic.dll
34211a0228cf5287e9524ec51814fac0	c:\Program Files\Microsoft Silverlight\4.0.60310.0\SLMSPRBootstrap.dll
910b8184ee0b6ccce4b4c59b8b2fe9d2	c:\Program Files\Microsoft Silverlight\4.0.60310.0\Silverlight.Configuration.exe
5fb428a045f861ad88625fe90971686a	c:\Program Files\Microsoft Silverlight\4.0.60310.0\Silverlight.ConfigurationUI.dll
a2e98f31109404986e30ec4f80a0b02d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.Core.dll
616354eb318d340f7704fa2fbc51eab8	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.Core.ni.dll
21a8b51dc4585624794804532ea8b770	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.Net.dll
973c5c81d5e4155a32dcfebcadf2c4df	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.Net.ni.dll
1dc8528fc3724d22d8fb9341ddf3a148	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.Runtime.Serialization.dll
15054621291bdc4d93ba0f3541d26298	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.Runtime.Serialization.ni.dll
69cdfcdc4351140c0df9f7431cb02f83	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.Web.dll
e1fcf55ce15e5caf230d59a87e52cbb7	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.Web.ni.dll
338d9e6809841943c7b2f9b0459e3a0f	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.dll
b2b5b10e3dc62cd597425446afbea7be	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.ni.dll
8ddc3792b943fa436080fc3f7ee0a62d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.Windows.Browser.dll
31f70cd2628716c46f96f4aa86a6dc0e	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.Windows.Browser.ni.dll
bf5aa294b6111536dc2f71f9c27d1277	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.Windows.dll
588bbe1fcde2378772280b97012845c4	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.Windows.ni.dll
940b248b6e34436e6461654d15c5da26	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.Xml.dll
8324aca48274f395ee92ed8d609b6e1c	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.Xml.ni.dll
f758831e1249ff575d6049b93288223a	c:\Program Files\Microsoft Silverlight\4.0.60310.0\System.ni.dll
86b931199ba434f8e20cc6ad7535a42d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\agcore.dll
8e9c02b623523e273a195868e879d1d9	c:\Program Files\Microsoft Silverlight\4.0.60310.0\agcp.exe
a98ef87279ab026b7bdfb3ce9df206ae	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ar\Microsoft.VisualBasic.resources.dll
b7d32d5a4468cc2c9c2ae35418a4e3da	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ar\mscorlib.resources.dll
f20da6f9c32dc794cc2d809fa2b7ecc8	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ar\mscorrc.dll
229a568d2d15c52ac3ea8264bc879925	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ar\system.resources.dll
740244ceefa5d4de100a2028435ad1fd	c:\Program Files\Microsoft Silverlight\4.0.60310.0\bg\Microsoft.VisualBasic.resources.dll
f116025a9b96d01f218554889cf7a08d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\bg\mscorlib.resources.dll
82f9479de23f785d3842d1f37de810e8	c:\Program Files\Microsoft Silverlight\4.0.60310.0\bg\mscorrc.dll
78ff9f5d13a6dacd6c6f42f2eb58abe5	c:\Program Files\Microsoft Silverlight\4.0.60310.0\bg\system.resources.dll
64eca3dc309dad3933cd626099ffc614	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ca\Microsoft.VisualBasic.resources.dll
f6e0e42457e70b4085f71e24d71bbd7f	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ca\mscorlib.resources.dll
e4741351290d225ed7f4bf6fca40d782	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ca\mscorrc.dll
146fb5df4aceab2f0b4e1b1f5905f969	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ca\system.resources.dll
0ce088d397fedeb81e737c447c367d90	c:\Program Files\Microsoft Silverlight\4.0.60310.0\coreclr.dll
28b538decd18bbadadfbc87e50e95f1c	c:\Program Files\Microsoft Silverlight\4.0.60310.0\coregen.exe
996b98d2a09e2f05157a0d93ec35c490	c:\Program Files\Microsoft Silverlight\4.0.60310.0\cs\Microsoft.VisualBasic.resources.dll
11899b8883b47e5b7e33c12ee2dad9a3	c:\Program Files\Microsoft Silverlight\4.0.60310.0\cs\mscorlib.resources.dll
a1e2fa516030c59ad5c482e02f7775cf	c:\Program Files\Microsoft Silverlight\4.0.60310.0\cs\mscorrc.dll
779e3d60d53778b850de2c5d4d9bade6	c:\Program Files\Microsoft Silverlight\4.0.60310.0\cs\system.resources.dll
1cc709215725f3dc371f04086dc5f0a7	c:\Program Files\Microsoft Silverlight\4.0.60310.0\da\Microsoft.VisualBasic.resources.dll
d656e02d9827fe0a8b5317e4ce2f25e2	c:\Program Files\Microsoft Silverlight\4.0.60310.0\da\mscorlib.resources.dll
e0b76be64b49b6e3718fdfa3acf2169a	c:\Program Files\Microsoft Silverlight\4.0.60310.0\da\mscorrc.dll
a2c3291ce15b9b771490bddbfda724fd	c:\Program Files\Microsoft Silverlight\4.0.60310.0\da\system.resources.dll
0e5af43c88e68ca9c34b0b4fe8b380ef	c:\Program Files\Microsoft Silverlight\4.0.60310.0\de\Microsoft.VisualBasic.resources.dll
31d278ee11dc82bbbf5d654fbb7ca9f3	c:\Program Files\Microsoft Silverlight\4.0.60310.0\de\mscorlib.resources.dll
8d47e6cd31e31c5dc1bba4fabc842c1c	c:\Program Files\Microsoft Silverlight\4.0.60310.0\de\mscorrc.dll
9f39e54a89333e75c60dcc21a4376abd	c:\Program Files\Microsoft Silverlight\4.0.60310.0\de\system.resources.dll
86c43391198bc5ca923d4d10165a927f	c:\Program Files\Microsoft Silverlight\4.0.60310.0\el\Microsoft.VisualBasic.resources.dll
db198bc15099b854605e2187f2e72d8d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\el\mscorlib.resources.dll
50a625ad344262558c24cdb43757f6b5	c:\Program Files\Microsoft Silverlight\4.0.60310.0\el\mscorrc.dll
3dca4e41c6095a325e963513046aaee3	c:\Program Files\Microsoft Silverlight\4.0.60310.0\el\system.resources.dll
29bc165c51ecd9229637ac75f65cbb2d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\es\Microsoft.VisualBasic.resources.dll
0fab65233b1c1295be3e42b312e182a6	c:\Program Files\Microsoft Silverlight\4.0.60310.0\es\mscorlib.resources.dll
04ee39507f51f0de749d12063771305e	c:\Program Files\Microsoft Silverlight\4.0.60310.0\es\mscorrc.dll
b2b1be442d59b1581c97968c9e1018e6	c:\Program Files\Microsoft Silverlight\4.0.60310.0\es\system.resources.dll
48e113bf08a000e879268b35d7a376ad	c:\Program Files\Microsoft Silverlight\4.0.60310.0\et\Microsoft.VisualBasic.resources.dll
98441ccd86a16b90456f04c3e0a50a7c	c:\Program Files\Microsoft Silverlight\4.0.60310.0\et\mscorlib.resources.dll
29caa35e3209e7e91c5d71e99f3677cc	c:\Program Files\Microsoft Silverlight\4.0.60310.0\et\mscorrc.dll
9b16fae36ca5a335448d2f1d51aa1e06	c:\Program Files\Microsoft Silverlight\4.0.60310.0\et\system.resources.dll
3ba7d079c680fe38673a5ff39ae17015	c:\Program Files\Microsoft Silverlight\4.0.60310.0\eu\Microsoft.VisualBasic.resources.dll
56da59679011e04333b9258b130eb640	c:\Program Files\Microsoft Silverlight\4.0.60310.0\eu\mscorlib.resources.dll
935488a2e147215ada811fbf18014a77	c:\Program Files\Microsoft Silverlight\4.0.60310.0\eu\mscorrc.dll
02040ca2d9ece26e708f9e428fbe4f11	c:\Program Files\Microsoft Silverlight\4.0.60310.0\eu\system.resources.dll
8f6a34997cec539dbdc3705eb236c265	c:\Program Files\Microsoft Silverlight\4.0.60310.0\fi\Microsoft.VisualBasic.resources.dll
9fd5eecf4479aef9d0acf6af59302080	c:\Program Files\Microsoft Silverlight\4.0.60310.0\fi\mscorlib.resources.dll
7455fc891f3942332f4bc3daee50057b	c:\Program Files\Microsoft Silverlight\4.0.60310.0\fi\mscorrc.dll
d59c5a85fe3b8d6cf6f07a80d8684f1d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\fi\system.resources.dll
70344d2df1d7e719d16a7800cda00a05	c:\Program Files\Microsoft Silverlight\4.0.60310.0\fr\Microsoft.VisualBasic.resources.dll
1611ce8f69b3aa0fa4a9488e610ffcbf	c:\Program Files\Microsoft Silverlight\4.0.60310.0\fr\mscorlib.resources.dll
a7ef42c7eeb9c5533f30d40c53763dc3	c:\Program Files\Microsoft Silverlight\4.0.60310.0\fr\mscorrc.dll
6ae68aa30d81fa7dda96f2dff21a6482	c:\Program Files\Microsoft Silverlight\4.0.60310.0\fr\system.resources.dll
ea1fb893fc7555bdb027e0a4c1a131cb	c:\Program Files\Microsoft Silverlight\4.0.60310.0\he\Microsoft.VisualBasic.resources.dll
39e60911fa11c4589f375d56f20f266c	c:\Program Files\Microsoft Silverlight\4.0.60310.0\he\mscorlib.resources.dll
b73b23971c8b85a42b383ec9bf6db954	c:\Program Files\Microsoft Silverlight\4.0.60310.0\he\mscorrc.dll
bf87bcb45046f505751b38c6defb67d6	c:\Program Files\Microsoft Silverlight\4.0.60310.0\he\system.resources.dll
e2ec581055cd46102348b693054a10bc	c:\Program Files\Microsoft Silverlight\4.0.60310.0\hr\Microsoft.VisualBasic.resources.dll
c2d065d89e959fadef82f0dab02b00d1	c:\Program Files\Microsoft Silverlight\4.0.60310.0\hr\mscorlib.resources.dll
f4a04ac6247cfe0ce515f0d6d1c8309c	c:\Program Files\Microsoft Silverlight\4.0.60310.0\hr\mscorrc.dll
2259c8431d62b7fb68255422e8f65851	c:\Program Files\Microsoft Silverlight\4.0.60310.0\hr\system.resources.dll
d7f90ab528f9220efa692462a2b95b61	c:\Program Files\Microsoft Silverlight\4.0.60310.0\hu\Microsoft.VisualBasic.resources.dll
d48c729e913eb6d7218bdd5229474b9b	c:\Program Files\Microsoft Silverlight\4.0.60310.0\hu\mscorlib.resources.dll
6880b7b588d9c4ebcf16207b2627d925	c:\Program Files\Microsoft Silverlight\4.0.60310.0\hu\mscorrc.dll
b49c2621719813f570f9269de647611c	c:\Program Files\Microsoft Silverlight\4.0.60310.0\hu\system.resources.dll
65b390d6c4023c7c28370d06417bf482	c:\Program Files\Microsoft Silverlight\4.0.60310.0\id\Microsoft.VisualBasic.resources.dll
d424f7e1bc879fbe6483657125b942d3	c:\Program Files\Microsoft Silverlight\4.0.60310.0\id\mscorlib.resources.dll
ef77dca5141168f21aa63a6753cc5612	c:\Program Files\Microsoft Silverlight\4.0.60310.0\id\mscorrc.dll
fd4fbfd43dd5f153bc7082be5874e979	c:\Program Files\Microsoft Silverlight\4.0.60310.0\id\system.resources.dll
845f93271629ac3d4702427e7f77a589	c:\Program Files\Microsoft Silverlight\4.0.60310.0\it\Microsoft.VisualBasic.resources.dll
ef4987b69195eba07c8268a0adae6824	c:\Program Files\Microsoft Silverlight\4.0.60310.0\it\mscorlib.resources.dll
8d907050702c0f5a81b83588c0d144dd	c:\Program Files\Microsoft Silverlight\4.0.60310.0\it\mscorrc.dll
e342eb1bf12a567c8b588a7a326a1fbb	c:\Program Files\Microsoft Silverlight\4.0.60310.0\it\system.resources.dll
4e72d0ac32048e49ec71dc883c3a903f	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ja\Microsoft.VisualBasic.resources.dll
099eaf234c43d6e8ce4ec231cd98b3fe	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ja\mscorlib.resources.dll
dadadc469095bb2216bc486fa56a6f22	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ja\mscorrc.dll
de46d973259b68906458725b5c26ed35	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ja\system.resources.dll
57fe6c216e7a94aae4bcbe2afc0455b6	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ko\Microsoft.VisualBasic.resources.dll
51ebb84406cd322e9c69472bc08aec7b	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ko\mscorlib.resources.dll
939dfc462f4b11e2f8a1b665189183f8	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ko\mscorrc.dll
d3f1e8db30cc7bb933fef4a53df75827	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ko\system.resources.dll
01903310b53a139e7dc1550f4bcd2e72	c:\Program Files\Microsoft Silverlight\4.0.60310.0\lt\Microsoft.VisualBasic.resources.dll
5828f61a193f9d8ddfbc09786b6a873c	c:\Program Files\Microsoft Silverlight\4.0.60310.0\lt\mscorlib.resources.dll
ab81de520e190008f97cf6eb0d316792	c:\Program Files\Microsoft Silverlight\4.0.60310.0\lt\mscorrc.dll
0a85bc3e2edf898c17c376b894953ea6	c:\Program Files\Microsoft Silverlight\4.0.60310.0\lt\system.resources.dll
a6663475b1da60b4009347251fcd6541	c:\Program Files\Microsoft Silverlight\4.0.60310.0\lv\Microsoft.VisualBasic.resources.dll
2b4b6d1918af270fd608da24b6b9a6ba	c:\Program Files\Microsoft Silverlight\4.0.60310.0\lv\mscorlib.resources.dll
3d01554ade59bdc03e62a384e0aa7334	c:\Program Files\Microsoft Silverlight\4.0.60310.0\lv\mscorrc.dll
fcea49f81f09920de272e9b0d0b07bfe	c:\Program Files\Microsoft Silverlight\4.0.60310.0\lv\system.resources.dll
80a4dd24a1f2655750f4b459e98997cc	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ms\Microsoft.VisualBasic.resources.dll
f5122a5b59e919c9d738036be6eefce3	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ms\mscorlib.resources.dll
a00b2c33f30e224f11610346188e2b87	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ms\mscorrc.dll
31ff2cb1a7ba9c1290caf486280cd686	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ms\system.resources.dll
81a4cd70d57f64e046bd945a45e2415e	c:\Program Files\Microsoft Silverlight\4.0.60310.0\mscorlib.dll
54a3d027bbb4eb571c7c48d096ee0d4a	c:\Program Files\Microsoft Silverlight\4.0.60310.0\mscorlib.ni.dll
96b6b98a6abbdb7278d6a62b1f9655e6	c:\Program Files\Microsoft Silverlight\4.0.60310.0\mscorrc.dll
fcadce8748f68bde4da4db74962c9ceb	c:\Program Files\Microsoft Silverlight\4.0.60310.0\nl\Microsoft.VisualBasic.resources.dll
da06f47b6657bb741dae5d0ccc956b3e	c:\Program Files\Microsoft Silverlight\4.0.60310.0\nl\mscorlib.resources.dll
0be3e9e1372a1d36b5e7e8ec2fa4baa1	c:\Program Files\Microsoft Silverlight\4.0.60310.0\nl\mscorrc.dll
4ca257510bffc524a7b06f582c04ff1a	c:\Program Files\Microsoft Silverlight\4.0.60310.0\nl\system.resources.dll
6fc0a8266113a062ca6fdc1b452fc049	c:\Program Files\Microsoft Silverlight\4.0.60310.0\no\Microsoft.VisualBasic.resources.dll
f3dac902326bf547e5d230b2ae2215b3	c:\Program Files\Microsoft Silverlight\4.0.60310.0\no\mscorlib.resources.dll
55a0100162047835ecac80c3c9f3487a	c:\Program Files\Microsoft Silverlight\4.0.60310.0\no\mscorrc.dll
98e0dbb05eb4465a61a5547126c5e052	c:\Program Files\Microsoft Silverlight\4.0.60310.0\no\system.resources.dll
8e151a2a185daf9852322028abe55534	c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll
8b93ef56bef58f2eb6b6d92b57715131	c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrlui.dll
d447a36f6d077f7ba4aee7c1c9a6d29a	c:\Program Files\Microsoft Silverlight\4.0.60310.0\pl\Microsoft.VisualBasic.resources.dll
83e0f5720d1fc910d1cc158d06a014d3	c:\Program Files\Microsoft Silverlight\4.0.60310.0\pl\mscorlib.resources.dll
fd6e1c26ec29d85406c8ab878d37e2e0	c:\Program Files\Microsoft Silverlight\4.0.60310.0\pl\mscorrc.dll
ec6e33b7705759ad2ba52e909b09d5b3	c:\Program Files\Microsoft Silverlight\4.0.60310.0\pl\system.resources.dll
2204dd6ed09440638362ee33689b9b98	c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt-BR\Microsoft.VisualBasic.resources.dll
6ea844d42e3d447258cef882d5a3d521	c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt-BR\mscorlib.resources.dll
88fc3794b551ec9efaf43d48f0397192	c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt-BR\mscorrc.dll
768263c8fac574cb43e36e0eb9be9d2b	c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt-BR\system.resources.dll
9da3db7d39cf1094d983d5c9075884b9	c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt\Microsoft.VisualBasic.resources.dll
14670acec0249c1c732868af4eede9c3	c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt\mscorlib.resources.dll
be56e32c3010f2e8cca0f92449e408a7	c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt\mscorrc.dll
c4db4616be190c3f6ec74789d48abcaf	c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt\system.resources.dll
7e0d2a1e6c6d65f8d43ed6f6252d5e89	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ro\Microsoft.VisualBasic.resources.dll
dcce963625d82ba51ea2f42de3e60934	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ro\mscorlib.resources.dll
7e48a4ec1d12272e2f1e25a97b57934f	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ro\mscorrc.dll
b3306b56fb7f2df1648350e961993a65	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ro\system.resources.dll
e4a058d380954604aa0b54159af7ab90	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ru\Microsoft.VisualBasic.resources.dll
a9ee3797880974de764d17d973b5c575	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ru\mscorlib.resources.dll
7fe0fbfeb39d5d120f7d91885ca9a23e	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ru\mscorrc.dll
29ee982522e840ddf6eaf3cfe44815df	c:\Program Files\Microsoft Silverlight\4.0.60310.0\ru\system.resources.dll
958c056d2a335a61ff9b13ce98973ebb	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sk\Microsoft.VisualBasic.resources.dll
cb66600f1268f400c2939ae83a3b2b81	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sk\mscorlib.resources.dll
e062d096cfd16df787b97a2bb564c3b2	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sk\mscorrc.dll
002b68a5e5a135f76be749c9f8c1866d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sk\system.resources.dll
0d0115ecba8c7909817570a492bee664	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sl\Microsoft.VisualBasic.resources.dll
508b76bfe9fbff5755d2d5583bf749ac	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sl\mscorlib.resources.dll
ee7262ab88bd56eb89abf41f61905cbe	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sl\mscorrc.dll
2081988c0c1417fb01e7fbcd211475af	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sl\system.resources.dll
35e0c2177554ebff992743b87a1a476d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Cyrl-CS\Microsoft.VisualBasic.resources.dll
0cb8ac78ae33cfcbb5af4027848ff7a5	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Cyrl-CS\mscorlib.resources.dll
ebe6848f268b5773c3c96ea8485d04d5	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Cyrl-CS\mscorrc.dll
d4d057d4666e28261b0cfbf2c7927bff	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Cyrl-CS\system.resources.dll
3603ac8a2a052e648181cc81c0ac0b8d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Latn-CS\Microsoft.VisualBasic.resources.dll
1a1d3871b5a70867f30e27665f528d8d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Latn-CS\mscorlib.resources.dll
8e50d5dd3583d877af949ea7aa167d80	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Latn-CS\mscorrc.dll
87ccbb06b06a255b17feba7b465629d3	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Latn-CS\system.resources.dll
5f91aa1428aeb3aaf291d4d1908e6c86	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sv\Microsoft.VisualBasic.resources.dll
f451b5e8e79733ed1d2d303475d248a6	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sv\mscorlib.resources.dll
a1b03b93d1c388ced687bd72a4d78734	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sv\mscorrc.dll
8c954e9c495b67114194ec414031ce59	c:\Program Files\Microsoft Silverlight\4.0.60310.0\sv\system.resources.dll
7df6a16f125b59c9a8afd43d5ffe3319	c:\Program Files\Microsoft Silverlight\4.0.60310.0\system.dll
e3384bbeb3a2dd6a5cb73386567a110a	c:\Program Files\Microsoft Silverlight\4.0.60310.0\th\Microsoft.VisualBasic.resources.dll
3e90b48e5d65a4e11307daf70081f6ea	c:\Program Files\Microsoft Silverlight\4.0.60310.0\th\mscorlib.resources.dll
c91de4231db93e6aa43814a8dfd17ece	c:\Program Files\Microsoft Silverlight\4.0.60310.0\th\mscorrc.dll
84add9052724cfd13732e611e79483a3	c:\Program Files\Microsoft Silverlight\4.0.60310.0\th\system.resources.dll
4110e3db953513e7136f0bafd7be216d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\tr\Microsoft.VisualBasic.resources.dll
3b03af2e713e16cd710590b26f745b09	c:\Program Files\Microsoft Silverlight\4.0.60310.0\tr\mscorlib.resources.dll
7cfa6b8bf525c4f3a66bc45300ee8f4b	c:\Program Files\Microsoft Silverlight\4.0.60310.0\tr\mscorrc.dll
18704df881492c8904555f1d4cfce209	c:\Program Files\Microsoft Silverlight\4.0.60310.0\tr\system.resources.dll
9eefc1cf2c36e12a22da5f21d78dd3c9	c:\Program Files\Microsoft Silverlight\4.0.60310.0\uk\Microsoft.VisualBasic.resources.dll
ad26ed8da155ccf4b1675c714832aee5	c:\Program Files\Microsoft Silverlight\4.0.60310.0\uk\mscorlib.resources.dll
4e2a0315efade90257da0efe7bdddbb1	c:\Program Files\Microsoft Silverlight\4.0.60310.0\uk\mscorrc.dll
5efe72d85ffb4473bb5ba1fe40ddc931	c:\Program Files\Microsoft Silverlight\4.0.60310.0\uk\system.resources.dll
f34ce31a44bba8a34193acc34d553269	c:\Program Files\Microsoft Silverlight\4.0.60310.0\vi\Microsoft.VisualBasic.resources.dll
ad1936069c18085bad4f46596e096e6b	c:\Program Files\Microsoft Silverlight\4.0.60310.0\vi\mscorlib.resources.dll
754db3c969035be56dfb73d93ca2ab83	c:\Program Files\Microsoft Silverlight\4.0.60310.0\vi\mscorrc.dll
9de8d1a8d07326122ce0e040356e6280	c:\Program Files\Microsoft Silverlight\4.0.60310.0\vi\system.resources.dll
ea3d1945b622cdac3de3b29021828cfd	c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hans\Microsoft.VisualBasic.resources.dll
3955e856c350473773301f319a40ccb1	c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hans\mscorlib.resources.dll
cadc3a21f9e0f144472da8211bff52cf	c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hans\mscorrc.dll
f9cdd3fe790b0eb9213a9725992787d6	c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hans\system.resources.dll
cfd295d6b8309b206ef9b4e1d8f8e95d	c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hant\Microsoft.VisualBasic.resources.dll
1a9e36ce41c9f44fb08962aab6c8b516	c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hant\mscorlib.resources.dll
79fdff61c75be995c802217bb7d1b3f5	c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hant\mscorrc.dll
42888be4920e4d3988a08c3b46d3c191	c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hant\system.resources.dll
a8751ee4924c8d5165599ef43adf45d5	c:\Program Files\Microsoft Silverlight\sllauncher.exe
afc858e7152f99575c54d6c6418a44ab	c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll
814374e4ab90e30c64eefaacf1da140b	c:\WINDOWS\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
PCSpeedUp.exe:1792
taskkill.exe:1044
taskkill.exe:1772
taskkill.exe:1628
taskkill.exe:456
taskkill.exe:228
taskkill.exe:1888
taskkill.exe:1032
taskkill.exe:1656
taskkill.exe:424
MSI87.tmp:444
install.exe:664
PCSUService.exe:340
PCSUService.exe:532
PCSpeedUp.tmp:1508
Silverlight.exe:1476
coregen.exe:832
coregen.exe:204
coregen.exe:1060
coregen.exe:1156
coregen.exe:1064
coregen.exe:1276
coregen.exe:588
coregen.exe:1352
coregen.exe:1464
coregen.exe:240
PCSULauncher.exe:1664
MsiExec.exe:1788
sllauncher.exe:336
regsvr32.exe:1744
regsvr32.exe:536
PCSUSD.exe:752
PCSUSD.exe:640
%original file name%.exe:468
mscorsvw.exe:1912
PCSUNotifier.exe:1164
PCSUNotifier.exe:1772
PCSUNotifier.exe:1060
PCSUNotifier.exe:864
PCSUNotifier.exe:736
PCSUNotifier.exe:1756
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\is-0VNA0.tmp\PCSpeedUp.tmp (7386 bytes)
C:\c575b8170f28869a833ee80321b1\Silverlight.msp (149529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Silverlight0.log (6424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SilverlightMSI.log (94845 bytes)
%Program Files%\PC Speed Up\PCSUService-Timer.log (58 bytes)
%Program Files%\PC Speed Up\PCSUService.log (708958 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db (1040924 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (2213480 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-MT0V4.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-V0L2Q.tmp (4 bytes)
%Program Files%\PC Speed Up\unins000.msg (864 bytes)
%Program Files%\PC Speed Up\is-TASLC.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PCSUNotifier.exe (2105 bytes)
%Program Files%\PC Speed Up\is-8N8LB.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PopupNotification.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-NE98B.tmp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-L177B.tmp (7 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Speed Up\Uninstall PC Speed Up.lnk (715 bytes)
%Program Files%\PC Speed Up\is-VM1SV.tmp (1425 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Speed Up\PC Speed Up.lnk (735 bytes)
%Documents and Settings%\%current user%\Desktop\PC Speed Up.lnk (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\itdownload.dll (1281 bytes)
%Program Files%\PC Speed Up\is-LIRCS.tmp (601 bytes)
%Program Files%\PC Speed Up\is-E9A56.tmp (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Silverlight.exe (1526144 bytes)
%Program Files%\PC Speed Up\is-EQ1MK.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-8F289.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Sqlite3.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_link.txt (13 bytes)
%Program Files%\PC Speed Up\is-2JPPF.tmp (2105 bytes)
%Program Files%\PC Speed Up\unins000.dat (50325 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-BU0HK.tmp (5 bytes)
%Program Files%\PC Speed Up\is-JOC2L.tmp (4185 bytes)
%Program Files%\PC Speed Up\is-LIUB1.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_reportInstall.txt (8 bytes)
%Program Files%\PC Speed Up\is-QQIDO.tmp (31891 bytes)
%Program Files%\PC Speed Up\is-SFCGG.tmp (2321 bytes)
%Program Files%\PC Speed Up\is-V6O7K.tmp (2321 bytes)
%Program Files%\PC Speed Up\App.config (4199 bytes)
%Program Files%\PC Speed Up\is-D44GU.tmp (3361 bytes)
%Program Files%\PC Speed Up\PCSUService.conf (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-2LMEU.tmp (53142 bytes)
%Program Files%\PC Speed Up\is-P9DQG.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\WebBrowser.dll (2321 bytes)
%Program Files%\PC Speed Up\is-GE08A.tmp (601 bytes)
%Program Files%\PC Speed Up\uninstaller.dat (673 bytes)
%Program Files%\PC Speed Up\is-7RHIK.tmp (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup Log 2014-10-30 #001.txt (477286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-5HERK.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\PC Speed Up\is-G763Q.tmp (40 bytes)
C:\c575b8170f28869a833ee80321b1\install.exe (2961 bytes)
C:\c575b8170f28869a833ee80321b1\$shtdwn$.req (788 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.msi (973 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.7z (92550 bytes)
C:\c575b8170f28869a833ee80321b1\install.res.dll (5848 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\mscorlib.ni.dll (656923 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ni.dll (77425 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Xml.ni.dll (100641 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Windows.ni.dll (425332 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.Web.ni.dll (16757 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Net.ni.dll (75293 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Core.ni.dll (244582 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.ni.dll (141274 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Windows.Browser.ni.dll (45897 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Runtime.Serialization.ni.dll (112277 bytes)
%Documents and Settings%\%current user%\My Documents\PCSpeedUp\App.log (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qs_limit[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%WinDir%\Tasks\PC SpeedUp Service Deactivator.job (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc7F.tmp (2100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pcspeedup[1].exe (354400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc80.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PCSpeedUp\PCSpeedUp.exe (354400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"PCSpeedUp" = "%Program Files%\PC Speed Up\PCSUNotifier.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	26526	26624	4.49045	71f6ed20ad21579b10cb8828a7bb6a5c
.rdata	32768	6438	6656	3.3982	31f148bd55194b44b534fe4099cbde16
.data	40960	419324	512	0.980766	4c7fd8b37c8cd61d9ada11edc15bc3b8
.ndata	462848	606208	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	1069056	2552	2560	3.15581	cc5d86fe1323be31da31079f593a8769
.reloc	1073152	3728	4096	3.65185	0ee460ed01a8153e12813cea2480afd1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://safedownloadapi.cloudapp.net/getinstalleroption.aspx?productID=1&silent=1&version=3.7.0.0&language=uk&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&requestID=&av=300
hxxp://a767.dscms.akamai.net/download/8/C/7/8C74F157-189C-47FD-8A75-AEF21E5D5F06/runtime/Silverlight.exe
hxxp://212.71.248.160/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer
hxxp://li621-160.members.linode.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer
hxxp://li621-160.members.linode.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service
hxxp://safedownloadapi.cloudapp.net/reportInstall.aspx?productID=1&version=3.7.0.0&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&keyword=installer&campaignID=ppi_2712_installer&requestID=
hxxp://pcspeedup.go2cloud.org/SP4C?aff_id=2712&source=installer
hxxp://www.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service
hxxp://www.pcsuapi.net/reportInstall.aspx?productID=1&version=3.7.0.0&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&keyword=installer&campaignID=ppi_2712_installer&requestID=	168.63.102.240
hxxp://www.pcsuservice.com/getinstalleroption.aspx?productID=1&silent=1&version=3.7.0.0&language=uk&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&requestID=&av=300	168.63.102.240
hxxp://download.microsoft.com/download/8/C/7/8C74F157-189C-47FD-8A75-AEF21E5D5F06/runtime/Silverlight.exe	184.84.243.41
hxxp://link.pcspeedup.com/SP4C?aff_id=2712&source=installer	107.23.165.131
hxxp://www.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: WinHttpClient

Host: VVV.pcspeeduplog.com

Content-Length: 104

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","serviceConnected":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:53 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

GET /reportInstall.aspx?productID=1&version=3.7.0.0&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&keyword=installer&campaignID=ppi_2712_installer&requestID= HTTP/1.1

User-Agent: PCSUInstaller

Accept: */*

Host: VVV.pcsuapi.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.0

Set-Cookie: ASP.NET_SessionId=gbph5e1vkpefgmdzcctunse0; path=/; HttpOnly

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Thu, 30 Oct 2014 16:38:52 GMT

Content-Length: 8

ca..SP4C..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: PCSUNotifier

Host: VVV.pcspeeduplog.com

Content-Length: 216

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","Silverlight":"Install","OK":1,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:35 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: WinHttpClient

Host: VVV.pcspeeduplog.com

Content-Length: 100

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","serviceStart":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:53 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: PCSUNotifier

Host: VVV.pcspeeduplog.com

Content-Length: 204

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","installerStart":1,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:37:46 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: PCSUNotifier

Host: VVV.pcspeeduplog.com

Content-Length: 255

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","installerEnd":"WV-5.1.2600-SP3-DNF-4.0.30319-RID--TC0-ca-Silent-AX0","silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:57 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: WinHttpClient

Host: VVV.pcspeeduplog.com

Content-Length: 102

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","serviceRunning":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:53 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

GET /getinstalleroption.aspx?productID=1&silent=1&version=3.7.0.0&language=uk&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&requestID=&av=300 HTTP/1.0

Host: VVV.pcsuservice.com

User-Agent: InnoTools_Downloader

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html

Server: Microsoft-IIS/8.0

Set-Cookie: ASP.NET_SessionId=ya1w5xo4fujobf443cti3g4k; path=/; HttpOnly

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Thu, 30 Oct 2014 16:37:46 GMT

Connection: close

Content-Length: 0

GET /SP4C?aff_id=2712&source=installer HTTP/1.0

Host: link.pcspeedup.com

User-Agent: InnoTools_Downloader

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store, must-revalidate

Content-Type: text/html

Date: Thu, 30 Oct 2014 16:38:54 GMT

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Pragma: no-cache

Server: nginx/1.4.4

tracking_id: 102c8f15e4ba45b7a8266467b35b34

Content-Length: 13

Connection: Close

success=true;..

GET /download/8/C/7/8C74F157-189C-47FD-8A75-AEF21E5D5F06/runtime/Silverlight.exe HTTP/1.1

User-Agent: PCSUInstaller

Accept: */*

Host: download.microsoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Thu, 10 Mar 2011 08:49:12 GMT

Accept-Ranges: bytes

ETag: "3075d70dfcb1:0"

Server: Microsoft-IIS/8.5

Content-Disposition: attachment

Content-Length: 6280056

Date: Thu, 30 Oct 2014 16:37:46 GMT

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........K...K...K.......D...K...!......._.......J.......J...RichK...................PE..L...Hn.@.................x...........X... ........... ..............................k.`.......... .......................... ........................._.x............!............................................... ...............................text...`w... ...x.................. ..`.data................|..............@....rsrc............>_..~..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................n...D...4...................................Z...............|...................................&...2...:...T...n...........................................&...:...P...n...x...........................................>...L...f...~..............................."...<...R...h.......N...\...8...(.......................................b...........>...&...................n...:...H...T...`...................................................................................Hn.@.............&..............

<<< skipped >>>

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: WinHttpClient

Host: VVV.pcspeeduplog.com

Content-Length: 111

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","serviceAction":"--install"

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:52 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: PCSUNotifier

Host: VVV.pcspeeduplog.com

Content-Length: 206

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","Link":"SP4C","OK":1,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:55 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: PCSUNotifier

Host: VVV.pcspeeduplog.com

Content-Length: 326

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","ReportInstall":"affID=2712|keyword=installer|campaignID=ppi_2712_installer|uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A|requestID=","OK":1,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:54 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: PCSUNotifier

Host: VVV.pcspeeduplog.com

Content-Length: 219

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","Silverlight":"Download","OK":200,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:37:50 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

PCSUService.exe_340:

.text

`.rdata

@.data

.rsrc

@.reloc

SSSSSh

xSSSh

FTPjKS

FtPj;S

C.PjRV

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

127.0.0.1

C:\Projects\PCSU-SL\PCSpeedUp\Release\PCSUService.pdb

WS2_32.dll

IPHLPAPI.DLL

sqlite3_exec

sqlite3_free

sqlite3_open16

sqlite3_close

sqlite3_extended_result_codes

sqlite3.dll

CreatePipe

GetProcessHeap

KERNEL32.dll

RegEnumKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegDeleteKeyW

ADVAPI32.dll

SHELL32.dll

OLEAUT32.dll

pdh.dll

WinHttpCloseHandle

WinHttpOpen

WinHttpSetTimeouts

WinHttpCrackUrl

WinHttpConnect

WinHttpOpenRequest

WinHttpSetOption

WinHttpAddRequestHeaders

WinHttpSendRequest

WinHttpGetIEProxyConfigForCurrentUser

WinHttpGetProxyForUrl

WinHttpWriteData

WinHttpReceiveResponse

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpReadData

WINHTTP.dll

Secur32.dll

GetCPInfo

PeekNamedPipe

zcÃ

.PA_W

1&282R2

58W8

55f5

4!4&4,454;4

8"8&8*8.82868

8 8$8(8,808

9 9@9\9`9

>,>4>@>`>

2 2$2(2,20242

srclient.dll

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

PCSUService-Timer.log

Wevtapi.dll

ERROR: GetWindowsBoottimes(): could not load Wevtapi.dll

Subscribing for Microsoft-Windows-Diagnostics-Performance/Operational - Event/System[EventID=100]

Microsoft-Windows-Diagnostics-Performance/Operational

ntdll.dll

ERROR: WaitUntilSystemIdle(): could not load Wevtapi.dll

ERROR: InitializePerformanceCounters(): check the registry keys in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

iexplore.exe

firefox.exe

chrome.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

RemoveExeImageHook(%s)...

DeleteValue failed: %d

DeleteKey failed: %d

registry key is not empty!

HKEY_LOCAL_MACHINE

ERROR: ProcessHelper.Start: hChildProcess != NULL

CreateOutputPipe

CreateInputPipe

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

RegistryHelper::GetValue():RegOpenKeyEx()

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

WinHttpClient

3.7.0.0

dddddd.d000

WindowsBoottimes

|userlogin|

PCSUBootTimes.log

,"LoginToIdle":

INSERT OR REPLACE INTO Boots(Idle, LoginToIdle, WinlogonToIdle, UptimeAtIdle, USBCacheActive) VALUES('

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

/update.aspx?uniqueID=

\PCSpeedUp-Silent-Update.exe

/SP- /VERYSILENT /updateMode=true /LOG=update.log /countryCode=

HKEY_CURRENT_USER\Software\Speedchecker Limited\PC Speed Up

ERROR:RegistryHelper::CreateValue(HKEY_CURRENT_USER\Software\Speedchecker Limited\PC Speed Up, UpdateChecked):

FileUploader.exe

Checking HKEY_CURRENT_USER\Software\Speedchecker Limited\PC Speed Up key for USBCacheFill value...

DELETE FROM UC_STAT WHERE file LIKE '%.sys';

DELETE FROM UC_STAT WHERE file LIKE '%.tmp' AND read_counterDELETE FROM UC_STAT WHERE file NOT LIKE '%.exe%' AND file NOT LIKE '%.dll%' AND read_counter=1;
hXXp://VVV.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service
PCSUService: WinHttpClient.SendHttpRequest():
PCSUService: SendHTTPRequestAsync:
PCSUSD.exe
PCSUUCC.exe
PCSUQuickScan.exe
hXXp://qslimit.pcspeedup.co/qs_limit.aspx?productID=1&uniqueID=
SendHttpRequest
RegistryHelper.SetValue
RegistryHelper.DeleteValue
RegistryHelper.CreateKey
RegistryHelper.DeleteKey
SysUtils.SetRestorePoint
IOHelper.FileCopy
IOHelper.Delete
Process.Start
The Process.Start didn't receive 7 arguments.
Process.HasExited
The Process.HasExited didn't receive 2 arguments.
Process.Stop
The Process.Stop didn't receive 2 arguments.
Process.Terminate
DB.ExecuteNonQuery
The DB.ExecuteNonQueryEx didn't receive the query/sql to execute.
DB.ExecuteScalar
The DB.ExecuteScalarEx didn't receive the query/sql to execute.
DB.ExecuteReader
The DB.ExecuteReader didn't receive the query/sql to execute.
NetworkHelper.GetAllMACAddresses
Service.Start
Service.Stop
Remove.IFEO
PCSUSD.Scan
PCSUSD.Enable
PCSUSD.Disable
Process.CheckBrowsers
PCSUUCC.Scan
PCSUUCC.Refresh
PCSUUCC.Update
PCSUUCC.Clean
PCSUUCC.Fill
PCSUUCC.Install
PCSpeedUp.sys"
PCSUService.exe
PCSUUCC.Uninstall
PCSUUCC.On
PCSUUCC.Off
PCSUUCC.Status
PCSUUCC.Usage
cmd /c PCSUUCC.exe /usage > CacheUsage.txt
HTTP.Send
server_port
PCSUService.conf
service status: PID = %d, state = %s, CheckPoint = %d, WaitHint = %d
EnumDependentServices failed (err=%d)
Stop dependent service "%s"...
OpenService failed (err=%d)
ControlService failed (err=%d)
QueryServiceStatusEx failed (err=%d)
Timeout! (%d sec)
StartService(%s)...
ERROR! OpenSCManager failed! (err=%d)
ERROR! OpenService(%s) failed! (err=%d)
ERROR! StartService failed! (err=%d)
ERROR! QueryServiceStatusEx failed (err=%d)
Current State: %d
Exit Code: %d
Check Point: %d
Wait Hint: %d
StopService(%s)...
Service stop timed out. (%d sec)
ERROR! StopDependentServices failed! (err = %d)
ERROR! ControlService failed (err=%d)
Wait timed out (%d sec)
ExecuteNonQuery: sqlite3_exec:
ExecuteScalar: sqlite3_exec:
ExecuteReader: sqlite3_exec:
LocalExecuteNonQuery: sqlite3_exec:
LocalExecuteScalar: sqlite3_exec:
LocalExecuteReader: sqlite3_exec:
sqlite3_open16:
sqlite3_close:
PRAGMA foreign_keys = ON;
SELECT DISTINCT s.ID, s.ValueName, s.ValueData, l.Path, s.ValueType FROM Startups s, ScanStartupApplications ssa, Locations l WHERE (s.Action = 2) AND (s.ID = ssa.IDStartup) AND (ssa.IDLocation = l.ID) ORDER BY s.ValueType DESC;
hXXp://VVV.pcsuapi.com
hXXp://VVV.pcsuapi.net
hXXp://VVV.pcsuservice.com
hXXp://VVV.pcsuapi.info
hXXp://VVV.pcsuapi.org
hXXp://VVV.sdapi.co
hXXp://VVV.sdltdapi.com
hXXp://VVV.sdservice.co
hXXp://VVV.sdltdapi.net
hXXp://VVV.safedownloadapi.com
ERROR:CheckUpdateURL():ResponseContent:
%Program Files%\PC Speed Up\PCSUService.exe
sllauncher.exe_632:.text
`.data
.rsrc
@.reloc
CWebBrowser2
hhctrl.ocx
CCmdTarget
CNotSupportedException
Client hook allocation failure at file %hs line %d.
Memory allocated at %hs(%d).
Client hook re-allocation failure at file %hs line %d.
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.
CRT detected that the application wrote to memory after end of heap buffer.
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.
CRT detected that the application wrote to memory before start of heap buffer.
CRT detected that the application wrote to a heap buffer that was freed.
crt block at 0x%p, subtype %x, %Iu bytes long.
client block at 0x%p, subtype %x, %Iu bytes long.
%hs(%d) :
#File Error#(%d) :
Data:  %s
mscoree.dll
kernel32.dll
f:\sp\vctools\crt_bld\self_x86\crt\src\stdenvp.c
f:\sp\vctools\crt_bld\self_x86\crt\src\stdargv.c
KERNEL32.DLL
.mixcrt
This is an unsupported way to load Visual C   DLLs. You need to modify your application to build with a manifest.
- Attempt to initialize the CRT more than once.
- CRT not initialized
Please contact the application's support team for more information.
- floating point support not loaded
_CrtDbgReport: String too long or Invalid characters in String
_CrtDbgReport: String too long or IO Error
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s%s
f:\sp\vctools\crt_bld\self_x86\crt\src\output.c
GetProcessWindowStation
USER32.DLL
%s(%d) : %s
convrtcp.c
operator
MSPDB80.DLL
OLEACC.dll
sllauncher.pdb
SSSSh
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegEnumKeyW
RegOpenKeyW
RegCreateKeyExW
ADVAPI32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
GetKeyState
UnhookWindowsHookEx
SetWindowsHookExW
CreateDialogIndirectParamW
USER32.dll
WINSPOOL.DRV
SHLWAPI.dll
SHFileOperationW
SHELL32.dll
ole32.dll
COMDLG32.dll
OLEAUT32.dll
oledlg.dll
VERSION.dll
sllauncher.exe
.?AVCCmdTarget@@
.PAVCException@@
.PAVCMemoryException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCOleException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
.PAVCFileException@@
zcÃ
1411989{989
9SLLauncherPADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
7 7$7(7,7074787
5'535_5{5
;.6&6 6=6}6
6&7 7=7|7
4 4WindowStartupLocation
WindowStyle
npctrl.dll
agcore.dll
CLSID\{DFEAF541-F3E1-4c24-ACAC-99C30715084A}\InprocServer32
Usage: SLLauncher.exe [app_id] [debug] [/install:] [/emulate:] [/overwrite] /origin: /uninstall /shortcut: [/pid]
durlmon.dll
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
accKeyboardShortcut
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
mfcm90u.dll
comctl32.dll
comdlg32.dll
shell32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
user32.dll
F:\SP\vctools\crt_bld\SELF_X86\crt\src\tcscat_s.inl
F:\SP\vctools\crt_bld\SELF_X86\crt\src\tcscpy_s.inl
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
_CrtSetDbgFlag
(fNewBits==_CRTDBG_REPORT_FLAG) || ((fNewBits & 0x0ffff & ~(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_ALWAYS_DF | _CRTDBG_CHECK_CRT_DF | _CRTDBG_LEAK_CHECK_DF) ) == 0)
_CrtIsValidHeapPointer
_CrtMemCheckpoint
F:\SP\vctools\crt_bld\SELF_X86\crt\src\tcsncpy_s.inl
f:\sp\vctools\crt_bld\self_x86\crt\src\vswprint.c
crt0dat.c
f:\sp\vctools\crt_bld\self_x86\crt\src\xtoa.c
strcat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), rterrs[tblindx].rterrtxt)
strcat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), "\n\n")
strcpy_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), "Runtime Error!\n\nProgram: ")
_NMSG_WRITE
crt0msg.c
f:\sp\vctools\crt_bld\self_x86\crt\src\dbgrpt.c
strcpy_s(szaFormat, 4096, "_CrtDbgReport: String too long or Invalid characters in String")
_CrtDbgReportWV
wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
wcsncpy_s(szShortProgName, 260 - (szShortProgName - szExeName), dotdotdot, 3)
wcscpy_s(szExeName, 260, L"")
__crtMessageWindowW
((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[category].wlocale == NULL) && (ptloci->lc_category[category].wrefcount == NULL))
__crtLCMapStringW_stat
strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")
_mbsnbcpy_s(szShortProgName, 260 - (szShortProgName - szExeName), dotdotdot, 3)
strcpy_s(szExeName, 260, "")
__crtMessageWindowA
typname.cpp
__crtInitCritSecAndSpinCount
__crtMessageBoxA
crtmbox.c
wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")
strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")
_VCrtDbgReportA
strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String")
wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
_VCrtDbgReportW
__crtMessageBoxW
f:\sp\vctools\crt_bld\self_x86\crt\src\crtmbox.c
WUSER32.DLL
f:\sp\vctools\crt_bld\self_x86\crt\src\vsprintf.c
_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2
strcpy_s(resultstr, resultsize, autofos.man)
F:\SP\vctools\crt_bld\SELF_X86\crt\src\mbsncpy_s.inl
f:\sp\vctools\crt_bld\self_x86\crt\src\_flsbuf.c
../include\strgtold12.inl
("CRT Logic error during setenv",0)
__crtsetenv
index.html
update.html
update.meta
Microsoft.Silverlight.Offline.
%Program Files%\Microsoft Silverlight\sllauncher.exe
4.0.60310.0
sllauncher.exe_632_rwx_02490000_0000E000:hY0.yd
sllauncher.exe_632_rwx_047B2000_00009000:System.Windows.Browser
sllauncher.exe_632_rwx_047D6000_00001000:Ph.bO
sllauncher.exe_632_rwx_047DC000_00004000:Zh.bO
sllauncher.exe_632_rwx_05130000_00010000:PCSpeedUp.resources
sllauncher.exe_632_rwx_05D30000_00010000:%UBsPj
sllauncher.exe_632_rwx_05DE0000_00010000:%7s;w
sllauncher.exe_632_rwx_05DF0000_00010000:,.TsP
sllauncher.exe_632_rwx_06A30000_00010000:.rrPj
PCSUQuickScan.exe_2668:.text
`.rdata
@.data
.rsrc
@.reloc
xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
C:\Projects\PCSU-SL\PCSpeedUp\Release\PCSUQuickScan.pdb
KERNEL32.dll
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
GetCPInfo
zcÃ
1 131>1|1
?!?'? ?1?5?
:$:,:4:<:>0 0$0(0,00040`0
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
=%% %-60s
pcsuservice.exe
explorer.exe
Adding folder to scan: %s
Adding file to scan: %s
ERROR: ScannerAddFile(): %d
ERROR: FindNextFileW(): %d
ERROR: FindFirstFileW(): %d
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Opening key: %s
qs.dll
Failed to load: %s
PCSUQuickScan.log
PCSUQuickScan.xml
Scanned %d files and %d modules in %d seconds.
Uploaded files: %d
Scan result: %s
Installed AVs: %s
Warnings: %s
Infections: %d
%s: %s
Failed to unload: %s
%Program Files%\PC Speed Up\PCSUQuickScan.exe
PCSUQuickScan.exe_2668_rwx_10001000_00260000:RSSSSSSh
u.VWj
xSSSh
FTPjKS
FtPj;S
C.PjRV
[%s %s %s]
Send failure: %s
Failed writing body (%d != %d)
Internal error removing splay node = %d
Internal error clearing splay node = %d
Pipe broke: handle 0x%x, url = %s
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Access Violation
TFTP: File Not Found
Login denied
Invalid LDAP URL
Unrecognized HTTP Content-Encoding
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with known CA certificates
Problem with the local SSL certificate
SSL peer certificate or SSH md5 fingerprint was not OK
A libcurl function was given a bad argument
Operation was aborted by an application callback
FTP: command REST failed
FTP: command PORT failed
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: weird server reply
URL using bad/illegal format or missing URL
Unsupported protocol
Please call curl_multi_perform() soon
CURLSHcode unknown
Winsock version not supported
Protocol family not supported
Address family not supported
Operation not supported
Socket is unsupported
Protocol is unsupported
Protocol option is unsupported
Unknown error %d (%#x)
%s:%d
WARNING: failed to save cookies in %s
About to connect() to %s%s port %d (#%d)
Connected to %s (%s) port %d (#%d)
 malformed
:]://%[^

[^:]:%[^

Protocol %s not supported or disabled in libcurl

http_proxy

%5[^:]:%5[^@]

%5[^:]:%5[^

User-Agent: %s

Connection #%d seems to be dead!

Connection (#%d) was killed to make room (holds %d)

Couldn't resolve host '%s'

Couldn't resolve proxy '%s'

Re-using existing connection! (#%ld) with host %s

PTF@example.com

Couldn't find host %s in the _netrc file, using defaults

Port number too large: %lu

%s://%s:%d%s

[%*39[0-9a-fA-F:.]%c

:%5[^@]

%5[^:@]:%5[^@]

%s://%s

Connection #%ld to host %s left intact

operation aborted by callback

HTTP/

ioctl callback returned error %d

the ioctl callback returned %d

seek callback returned error %d

Operation timed out after %ld milliseconds with %lld bytes received

Operation timed out after %ld milliseconds with %lld out of %lld bytes received

Received problem %d in the chunky parser

HTTP server doesn't seem to support byte ranges. Cannot resume.

Rewinding stream by : %d bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %d)

Leftovers after chunking. Rewinding %d bytes

HTTP/1.0 connection set to keep alive!

HTTP/1.1 proxy connection set close!

HTTP/1.0 proxy connection set to keep alive!

HTTP 1.0, assume close after body

The requested URL returned error: %d

HTTP =

HTTP/%d.%d =

No URL set!

Violate RFC 2616/10.3.2 and switch from POST to GET

Disables POST, goes with %s

Issue another request to this URL: '%s'

[^?&/:]://%c

Maximum (%d) redirects followed

unspecified error %d

%s cookie %s="%s" for domain %s, path %s, expire %d

I99[^;

skipped cookie with bad tailmatch domain: %s

skipped cookie with illegal dotcount domain: %s

23[^;=]=I99[^;

# Fatal libcurl error

# Netscape HTTP Cookie File

# hXXp://curlm.haxx.se/rfc/cookie_spec.html

# This file was generated by libcurl! Edit at your own risk.

Resolving host timed out: %s

Could not resolve host: %s; %s

Could not resolve proxy: %s; %s

Could not resolve host: %s

gethostbyname(2) failed for %s:%d; %s

init_resolve_thread() failed for %s; %s

--:--:--

-.G

-.M

= %s = %s = %s %s %s %s %s %s %s

?bind failure: %s

Local port: %d

Bind to local port %d failed, trying next

couldn't find my own IP address (%s)

Bind local address to %s

Couldn't bind to '%s'

TCP_NODELAY set

Could not set TCP_NODELAY: %s

Failed to connect to %s: %s

Trying %s...

Failed connect to %s:%d; %s

%sAuthorization: Basic %s

%s:%s

Server auth using %s with user '%s'

Proxy auth using %s with user '%s'

Failed sending HTTP POST request

Content-Type: application/x-www-form-urlencoded

Internal HTTP POST error!

Failed sending HTTP request

If-Unmodified-Since: %s

Last-Modified: %s

If-Modified-Since: %s

%s, d %s M d:d:d GMT

%s%s=%s

%s %s%s HTTP/%s

%s%s%s%s%s%s%s%s%s%s%s

Content-Range: bytes %s/%lld

Content-Range: bytes %s%lld/%lld

Range: bytes=%s

;type=%c

ftps://

PTF://

Host: %s%s%s:%d

Host: %s%s%s

Accept-Encoding: %s

Referer: %s

Received HTTP code %d from proxy after CONNECT

%d bytes of chunk left

HTTP/1.%d %d

Read %d bytes of chunk, continue

CONNECT %s:%d HTTP/1.0

%s%s%s%s

Host: %s

Establish HTTP proxy tunnel to %s:%d

TFTP

set timeouts for state %d; Total %d, retry %d maxtry %d

tftp_rx: giving up waiting for block %d

Received unexpected DATA packet block %d

Timeout waiting for block %d ACK. Retries = %d

tftp_rx: internal error

tftp_tx: giving up waiting for block %d ack

Received ACK for block %d, expecting %d

tftp_tx: internal error

bind() failed; %s

%s%c%s%c

tftp_send_first: internal error

TFTP finished

Can't get the size of %s

Can't open %s for writing

Last-Modified: %s, d %s M d:d:d GMT

Couldn't open file %s

There are more than %d entries

LDAP remote: %s

LDAP local: ldap_simple_bind_s %s

LDAP local: Cannot connect to %s:%d

LDAP local: trying to establish %s connection

LDAP local: %s

LDAP local: LDAP Vendor = %s ; LDAP Version = %d

CLIENT libcurl 7.18.0

MATCH %s %s %s

DEFINE %s %s

insufficient winsock version to support telnet

WSAStartup failed (%d)

%s %d %d

%s %s %d

%s %s %s

%s IAC %d

%s IAC %s

Sending data failed (%d)

%d (unknown)

%s (unsupported)

%s IAC SB

Syntax error in telnet option: %s

Unknown telnet option %s

7[^= ]%*[ =]%5s

USER,%s

%c%c%c%c%s%c%c

%c%s%c%s

7[^,],7s

%c%c%c%c

FreeLibrary(wsock2) failed (%d)

WSACloseEvent failed (%d)

WSACreateEvent failed (%d)

failed to find WSAEnumNetworkEvents function (%d)

failed to find WSAEventSelect function (%d)

failed to find WSACloseEvent function (%d)

failed to find WSACreateEvent function (%d)

failed to load WS2_32.DLL (%d)

WS2_32.DLL

Excessive FTP response line length received, %zd bytes. Stripping

FTP response reading failed

FTP response aborted due to select/poll error: %d

FTP response timeout

Failed FTP upload:

RETR response: d

Connecting to %s (%s) port %d

Uploading to a URL without a file name!

FTPS not supported!

USER %s

socket(2) failed (%s)

PORT %d,%d,%d,%d,%d,%d

Telling server to connect to %d.%d.%d.%d:%d

getsockname() failed: %s

Failed to resolve host name %s

Connect data stream passively

REST %d

SIZE %s

%s%s%s

STOR %s

APPE %s

Bad PASV/EPSV response: d

Can't resolve new host %s:%d

Skips %d.%d.%d.%d for data connection, uses %s instead

%d,%d,%d,%d,%d,%d

%c%c%c%u%c

Failed to do PORT

Got a d response code instead of the assumed 200

RETR %s

ftp server doesn't support SIZE

PBSZ %d

Access denied: d

ACCT %s

PASS %s

ACCT rejected by server: d

QUOT string not accepted: %s

TYPE %c

MDTM %s

ddd d:d:d GMT

dddddd

unsupported MDTM reply format

server did not report OK, got %d

Remembering we are in dir "%s"

CWD %s

Failed to MKD dir: d

MKD %s

QUOT command failed with d

Entry path is '%s'

PROT %c

unsupported parameter to CURLOPT_FTPSSLAUTH: %d

AUTH %s

This doesn't seem like a nice ftp-server response

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.

Failed to resolve "%s" for SOCKS4 connect.

No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)

SOCKS5 GSSAPI per-message authentication is not supported.

Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)

Failed to resolve "%s" for SOCKS5 connect.

User was rejected by the SOCKS5 server (%d %d).

SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%d]

%%X

Operation too slow. Less than %d bytes/sec transfered the last %d seconds

password

login

%s, algorithm="%s"

%s, opaque="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"

%s:%s:x:%s:%s:%s

%s:%s:%s

%5[^=]=23[^

%5[^=]="23[^"]"

d:d:d

%c%c==

%c%c%c=

.html

.jpeg

--%s--

Content-Type: %s

; filename="%s"

Content-Disposition: attachment; filename="%s"

Content-Type: multipart/mixed, boundary=%s

%s; boundary=%s

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

hXXp://download.bitdefender.com/windows/installer/%s/bitdefender_isecurity_qs.exe

aK-a}

B.AC5y

h.hN

Z%DgE

.Ow&9

n3w%F

.agy}

&p-w}

,.hXL.qkk
GetExtendedTcpTable
Bitdefender QuickScan Client v0.9.9.140
%s?auth_version=1&client_id=%u
CryptCATCatalogInfoFromContext
hXXp://8f8fb293be49781da3e3229cd4469a18.da3e3.net/
-utf16.txt
%sautorun.inf
%d.%d.%d.%d
/*ReplaceOpenPorts*/
0, 9, 9, 140
\\.\A:

d-d-d d:d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

http=

user_pref("network.proxy.type", 1);

user_pref("network.proxy.http", "

user_pref("network.proxy.http_port",

\\.\_:

%USERPROFILE%

%COMMONPROGRAMFILES%

%SYSTEMROOT%

zcÃ

%userprofile%\ntuser.dat

%S~a[
"C.kQ
%suHYl
^%u.jey(
 ..EK
.kIE#
`p.Tf
$/{.On
.PA_W
%Program Files%\PC Speed Up\PCSUQuickScan.exe
RDTFTFTP
4.&,.2*.&*.
.BpBH
qs.dll
KERNEL32.DLL
WLDAP32.dll
USER32.dll
ADVAPI32.dll
SHELL32.dll
ShellExecuteW
ole32.dll
OLEAUT32.dll
PSAPI.DLL
SHLWAPI.dll
WS2_32.dll
VERSION.dll
ADVAPI32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
bitdefender_isecurity_[quickscan].exe
hXXp://quickscan.bitdefender.com/qs_lang/qs-%s-utf16.txt
iphlpapi.dll
e%d.%d.%d.%d
%s\Cache\X
%X %X %X %X %X %X %X %X %X %X %X %X %X %X %X %X %X %X
%s\%s
%s (new)
%s (deleted)
wintrust.dll
hidden registry key!
%d seconds
Scanned %d files and modules
communication took %d sec
Authentication key has expired.
listens on ports
connected on port
Warning: Low execution rights. Please run QuickScan/browser as Administrator.
%s %s association
%d uploaded, %d failed
%d file(s)
Using HTTP proxy: %s
Upload: %s - %s %d bytes, hash: %s
Scan failed! %s
Scan failed! Error %d
Scan date: %s
referenced in: %s
Process %s (%d)
Machine ID: %X
is affected by %s
Found %d infected files!
File not found: %s
Failed to upload %d file(s)! Please rescan.
executes %s
kernel32.dll
ntdll.dll
\??\%s
psapi.dll
audiodg.exe
mfpmp.exe
gui.exe
ASP.NET Session State
SQL Analysis Services
SQL over TCP
RPC over HTTPS
HTTPS
FTP control
FTP default data
BackupExec
Webmin
WebDAV
Windows Live
Battle.net
VNC over HTTP
PostgreSQL
mSQL
MySQL
HTTP Proxy
Microsoft SQL
FTP over SSL
rlogin
rexec
SMTP over SSL
HTTP over SSL
SMTP
SSH/SCP
version="%d.%d.%d.%d">
%A, %B %d, %Y %H:%M:%S
%s
%s
%s
%d
%d
%d
%d
%d
%d
%d
%d
%s
%s
%d
%s - %s
%s (%d)
HKLM\%s\"PackedCatalogItem"
HKLM\%s\"LibraryPath"
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKLM\%s\%s
UrlSearchHooks
Software\Microsoft\Internet Explorer\%s
%s\%s\"%s"
HKLM\%s\"Exec"
Applications\iexplore.exe\shell\open\command
Software\MozillaPlugins
%s\%s\"Path"
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Mozilla\Mozilla Firefox\%s\Main
Software\Classes\Applications\firefox.exe\shell\open\command
Applications\firefox.exe\shell\open\command
Google\Chrome\User Data\Default\Extensions
Software\Microsoft\Windows\CurrentVersion\Run
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
Software\Microsoft\Windows\CurrentVersion\RunServices
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Software\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\%s\"AppInit_DLLs"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\%s\"Userinit"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\%s\"DllName"
HKLM\%s\"UIHost"
HKLM\%s\"Taskman"
SCRNSAVE.EXE
HKCU\"SCRNSAVE.EXE"
HKU\%s\"SCRNSAVE.EXE"
HKLM\%s\"AlternateShell"
SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs\"%s"
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\%s\"%s"
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
%s\shell\open\command
HKCR\%s
HKCR\%s\"(default)"
HKLM\%s\"Shell"
HKLM\%s
%s\Parameters
HKLM\%s\"ServiceDll"
HKLM\%s\"ImagePath"
MD5: %s %s
{md5:"%s", path:"%s", tooltip:"%s"}
--> %s
%s --> %s
{path:"%s", tooltip:"%s", virus_name:"%s"}
{path:"%s", tooltip:"%s", virus_name:"%s"},
%-11s %-39s ] %s
{pid:%d, name:"%s", path:"%s", tooltip:"%s", signed:"%s"}
--> %s
{pid:%d, name:"%s", ip:"%s", port:"%d (%s)"}
%s %s:
{pid:%d, name:"%s", ports:"
%-11s %-39s %s
{name:"%s", path:"%s", tooltip:"%s", signed:"%s"}
\Bitdefender_QS_log.html
Report d-d-d d.d.d.html
%a %b %d %Y %X
(%userdomain%\%username%)
uploaded:"%s",
%d KB/s
scan_count:"%s", scan_time:"%s"
Report d-d-d d.d.d.%ws
css\style.css
css\ui.jqgrid.css
js\grid.locale-en.js
js\jquery.jqGrid.min.js
js\jquery.min.js
Bitdefender_QS_log.html
%s\%s:Zone.Identifier
Software%s\Classes\CLSID\%s\InprocServer32
HKLM\%s\"(default)"
%x.tmp
\StringFileInfo\xx\%s
rundll32.exe
Mozilla\Firefox
\profiles.ini
\prefs.js
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion
.DEFAULT
c:\windows\system32\
%System%\rundll32.exe
3a3>