Trojan-Downloader.Win32.Genome.kfmh (Kaspersky), Trojan.GenericKD.1949042 (AdAware), Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 89e0913adeecdd75df30124d88706ccb
SHA1: 572e09f091ae7efa88bb97b336ec5c8a5da0901f
SHA256: c211a115953e9f04de6b412bcd852a1af0399699d3c62682b9f44782f58f7545
SSDeep: 768:H24gVhXXOHDYCoaBXcrhTnmI0tSda/qA/Nx/MgyxCc PnW/HC2dNze0JjJ2uUSsh:HcgjYCnXsALqoP/k0PnW/HC22YJGTjYU
Size: 61499 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Popeler
Created at: 2014-07-27 00:58:31
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
PCSpeedUp.exe:1792
taskkill.exe:1044
taskkill.exe:1772
taskkill.exe:1628
taskkill.exe:456
taskkill.exe:228
taskkill.exe:1888
taskkill.exe:1032
taskkill.exe:1656
taskkill.exe:424
MSI87.tmp:444
install.exe:664
PCSUService.exe:340
PCSUService.exe:532
PCSpeedUp.tmp:1508
Silverlight.exe:1476
coregen.exe:832
coregen.exe:204
coregen.exe:1060
coregen.exe:1156
coregen.exe:1064
coregen.exe:1276
coregen.exe:588
coregen.exe:1352
coregen.exe:1464
coregen.exe:240
PCSULauncher.exe:1664
MsiExec.exe:1788
sllauncher.exe:336
regsvr32.exe:1744
regsvr32.exe:536
PCSUSD.exe:752
PCSUSD.exe:640
%original file name%.exe:468
mscorsvw.exe:1912
PCSUNotifier.exe:1164
PCSUNotifier.exe:1772
PCSUNotifier.exe:1060
PCSUNotifier.exe:864
PCSUNotifier.exe:736
PCSUNotifier.exe:1756
The Trojan injects its code into the following process(es):
sllauncher.exe:632
PCSUQuickScan.exe:2668
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process PCSpeedUp.exe:1792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-0VNA0.tmp\PCSpeedUp.tmp (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-0VNA0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0VNA0.tmp\PCSpeedUp.tmp (0 bytes)
The process install.exe:664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\c575b8170f28869a833ee80321b1\Silverlight.msp (149529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Silverlight0.log (6424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SilverlightMSI.log (94845 bytes)
The Trojan deletes the following file(s):
C:\c575b8170f28869a833ee80321b1\Silverlight.msp (0 bytes)
The process PCSUService.exe:340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\PC Speed Up\PCSUService-Timer.log (58 bytes)
%Program Files%\PC Speed Up\PCSUService.log (708958 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db (1040924 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (2213480 bytes)
The Trojan deletes the following file(s):
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (0 bytes)
The process PCSUService.exe:532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\PC Speed Up\PCSpeedUp.s3db (13272 bytes)
%Program Files%\PC Speed Up\PCSUService.log (523 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (27928 bytes)
The Trojan deletes the following file(s):
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (0 bytes)
The process PCSpeedUp.tmp:1508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-MT0V4.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-V0L2Q.tmp (4 bytes)
%Program Files%\PC Speed Up\unins000.msg (864 bytes)
%Program Files%\PC Speed Up\is-TASLC.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PCSUNotifier.exe (2105 bytes)
%Program Files%\PC Speed Up\is-8N8LB.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PopupNotification.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-NE98B.tmp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-L177B.tmp (7 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Speed Up\Uninstall PC Speed Up.lnk (715 bytes)
%Program Files%\PC Speed Up\is-VM1SV.tmp (1425 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Speed Up\PC Speed Up.lnk (735 bytes)
%Documents and Settings%\%current user%\Desktop\PC Speed Up.lnk (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\itdownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp (4 bytes)
%Program Files%\PC Speed Up\is-LIRCS.tmp (601 bytes)
%Program Files%\PC Speed Up\is-E9A56.tmp (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Silverlight.exe (1526144 bytes)
%Program Files%\PC Speed Up\is-EQ1MK.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-8F289.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Sqlite3.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_link.txt (13 bytes)
%Program Files%\PC Speed Up\is-2JPPF.tmp (2105 bytes)
%Program Files%\PC Speed Up\unins000.dat (50325 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-BU0HK.tmp (5 bytes)
%Program Files%\PC Speed Up\is-JOC2L.tmp (4185 bytes)
%Program Files%\PC Speed Up\is-LIUB1.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_reportInstall.txt (8 bytes)
%Program Files%\PC Speed Up\is-QQIDO.tmp (31891 bytes)
%Program Files%\PC Speed Up\is-SFCGG.tmp (2321 bytes)
%Program Files%\PC Speed Up\is-V6O7K.tmp (2321 bytes)
%Program Files%\PC Speed Up\App.config (4199 bytes)
%Program Files%\PC Speed Up\is-D44GU.tmp (3361 bytes)
%Program Files%\PC Speed Up\PCSUService.conf (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-2LMEU.tmp (53142 bytes)
%Program Files%\PC Speed Up\is-P9DQG.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\WebBrowser.dll (2321 bytes)
%Program Files%\PC Speed Up\is-GE08A.tmp (601 bytes)
%Program Files%\PC Speed Up\uninstaller.dat (673 bytes)
%Program Files%\PC Speed Up\is-7RHIK.tmp (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup Log 2014-10-30 #001.txt (477286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-5HERK.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\PC Speed Up\is-G763Q.tmp (40 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_installOffer.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_link.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Sqlite3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\WebBrowser.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_reportInstall.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PopupNotification.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PCSUNotifier.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Silverlight.exe (0 bytes)
The process Silverlight.exe:1476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\c575b8170f28869a833ee80321b1 (4 bytes)
C:\c575b8170f28869a833ee80321b1\install.exe (2961 bytes)
C:\c575b8170f28869a833ee80321b1\$shtdwn$.req (788 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.msi (973 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.7z (92550 bytes)
C:\c575b8170f28869a833ee80321b1\install.res.dll (5848 bytes)
The Trojan deletes the following file(s):
C:\c575b8170f28869a833ee80321b1\install.exe (0 bytes)
C:\_665281_ (0 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.msi (0 bytes)
C:\c575b8170f28869a833ee80321b1 (0 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.7z (0 bytes)
C:\c575b8170f28869a833ee80321b1\install.res.dll (0 bytes)
The process coregen.exe:832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Microsoft Silverlight\4.0.60310.0\mscorlib.ni.dll (656923 bytes)
The process coregen.exe:204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ni.dll (77425 bytes)
The process coregen.exe:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Xml.ni.dll (100641 bytes)
The process coregen.exe:1156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Windows.ni.dll (425332 bytes)
The process coregen.exe:1064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.Web.ni.dll (16757 bytes)
The process coregen.exe:1276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Net.ni.dll (75293 bytes)
The process coregen.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Core.ni.dll (244582 bytes)
The process coregen.exe:1352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.ni.dll (141274 bytes)
The process coregen.exe:1464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Windows.Browser.ni.dll (45897 bytes)
The process coregen.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Runtime.Serialization.ni.dll (112277 bytes)
The process sllauncher.exe:632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\My Documents\PCSpeedUp\App.log (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qs_limit[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)
The process PCSUSD.exe:752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\PC Speed Up\PCSpeedUp.s3db (14350 bytes)
%WinDir%\Tasks\PC SpeedUp Service Deactivator.job (312 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (6982 bytes)
The Trojan deletes the following file(s):
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (0 bytes)
The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsc7F.tmp (2100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pcspeedup[1].exe (354400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc80.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PCSpeedUp\PCSpeedUp.exe (354400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\PCSpeedUp\PCSpeedUp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc80.tmp\inetc.dll (0 bytes)
Registry activity
The process PCSpeedUp.exe:1792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E A4 1D 05 82 E3 23 BE 9C EB 4A 90 A5 97 E5 5B"
The process taskkill.exe:1044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 36 29 23 17 1A 20 06 60 D7 1A 06 25 AA 1A DA"
The process taskkill.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 AB 7B 47 1C AC 8B 7B E9 81 E1 25 11 6A 25 E7"
The process taskkill.exe:1628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 DF 46 80 B3 E3 EB 61 FC 7B D7 89 19 DE C1 F5"
The process taskkill.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 C0 1D 65 0C BB 7B 58 6E CA 62 A2 D6 F2 03 A8"
The process taskkill.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 B1 0A A7 A7 1E 57 9D 67 16 55 0E 06 76 71 3D"
The process taskkill.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 BB C4 FB 98 FA FD 24 D9 D3 3A 28 70 09 49 AE"
The process taskkill.exe:1032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 4C FC BF 0E C0 F7 74 33 90 8B D2 FB 6D AD C1"
The process taskkill.exe:1656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 41 6D E8 85 54 8D 6E 63 61 42 D5 72 47 48 7B"
The process taskkill.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B CA D9 76 1B 50 99 AE D2 FB 55 90 FF 2E 87 74"
The process MSI87.tmp:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 0F 51 0E 8C 32 78 39 F2 C0 62 B5 6F 0D 70 E4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Microsoft Silverlight\4.0.60310.0]
"coregen.exe" = "Microsoft Common Language Runtime native compiler"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process install.exe:664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 F4 3E 43 B9 FA A2 16 2E 2A 20 AA 94 38 72 07"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPRemoveSignedDataMsg"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPVerifyIndirectData"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPGetSignedDataMsg"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPPutSignedDataMsg"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_IsFileSupportedName"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPCreateIndirectData"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process PCSUService.exe:340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 4E 07 8B 36 18 83 45 5D 6A 03 0E 83 AB BD E0"
The process PCSUService.exe:532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 BE B7 05 67 99 21 02 56 6A 92 31 6F 13 DF 61"
The process PCSpeedUp.tmp:1508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: Icon Group" = "PC Speed Up"
"MajorVersion" = "3"
[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"RequestID" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"QuietUninstallString" = "%Program Files%\PC Speed Up\unins000.exe /SILENT"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"ApplicationPath" = "%Program Files%\PC Speed Up"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayName" = "PC Speed Up"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayIcon" = "%Program Files%\PC Speed Up\Icon.ico"
"Inno Setup: App Path" = "%Program Files%\PC Speed Up"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"UniqueID" = "08C4552D-D8DB-4386-8CE7-723FB995F06A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: User" = "%CurrentUserName%"
"InstallLocation" = "%Program Files%\PC Speed Up\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: Language" = "uk"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\System\CurrentControlSet\Services\i8042prt\Parameters]
"CrashOnCtrlScroll" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Speedchecker Limited\PC Speed Up]
"UniqueID" = "08C4552D-D8DB-4386-8CE7-723FB995F06A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"InstallDate" = "20141030"
[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"InstallDate" = "20141030"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"UninstallString" = "%Program Files%\PC Speed Up\unins000.exe"
[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"CountryCode" = "uk"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"Uninstaller" = "%Program Files%\PC Speed Up\unins000.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"MinorVersion" = "7"
[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"AVList" = "&av=300"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"NoModify" = "1"
[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"keyword" = ""
"CampaignID" = "ppi_2712_installer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Publisher" = "Speedchecker Limited"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 B8 10 07 48 BB 4A 78 75 F9 4B 0B CF C5 FC F6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayVersion" = "3.7.0.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"NoRepair" = "1"
[HKLM\System\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"CrashDumpEnabled" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"Installer" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\PCSpeedUp\pcsu_ppi_2712_installer_.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"URLInfoAbout" = "http://www.pcspeedup.com"
"Inno Setup: Setup Version" = "5.4.3 (u)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\System\CurrentControlSet\Services\PCSUService]
"Group" = "UIGroup"
[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"affid" = "2712"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"PCSpeedUp" = "%Program Files%\PC Speed Up\PCSUNotifier.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Silverlight.exe:1476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 AC D0 88 CC 4D D8 80 03 3A 71 B8 D6 D5 DF B8"
The process coregen.exe:832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 EC 19 65 81 2B 01 19 D0 95 85 B3 41 50 8E F4"
The process coregen.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 10 47 D6 83 78 A1 DE 2B BE 55 E2 8A 80 28 B2"
The process coregen.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 9E 0B 38 CB 2B 92 A0 DE CA E2 EA 84 CB ED EE"
The process coregen.exe:1156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 BC 44 03 3E 66 B4 30 0C 03 8A EB 72 3B 85 1D"
The process coregen.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 F0 A4 D1 6C 6E 13 EE 4D 46 76 C9 DF 46 56 86"
The process coregen.exe:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 63 46 8E F3 36 58 04 BE 9F 25 71 9C 94 29 54"
The process coregen.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 DF F7 13 6E 9D 98 44 66 4C 99 AA 7A 6B D3 19"
The process coregen.exe:1352 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF BD F9 9B 99 CC E0 FF 3C 15 15 E2 7D FB 63 E0"
The process coregen.exe:1464 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 D7 15 86 FA F4 FE 97 FC F7 9C D8 33 90 32 AA"
The process coregen.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 F3 7C 62 3D 0E CA B4 78 2C EF 2C BD D4 00 6D"
The process PCSULauncher.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 E9 73 37 F3 D4 1C 14 9C 0A 4B AF 83 8B BB 70"
The process MsiExec.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B B9 13 54 82 AC F6 25 E2 3E 95 48 31 68 36 FB"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPRemoveSignedDataMsg"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPVerifyIndirectData"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPGetSignedDataMsg"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"
[HKLM\SOFTWARE\Microsoft\PlayReady]
"DataPath" = "%Documents and Settings%\All Users\Application Data\Microsoft\PlayReady"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPPutSignedDataMsg"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_IsFileSupportedName"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPCreateIndirectData"
The process sllauncher.exe:632 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014103020141031]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Type" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Count" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014103020141031]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Type" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Time" = "DE 07 0A 00 04 00 1E 00 0B 00 21 00 2B 00 E7 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Time" = "DE 07 0A 00 04 00 1E 00 0B 00 21 00 2B 00 B8 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Count" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014103020141031]
"CachePrefix" = ":2014103020141031:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216" = "My Computer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DFEAF541-F3E1-4C24-ACAC-99C30715084A}\iexplore]
"Type" = "1"
"Time" = "DE 07 0A 00 04 00 1E 00 0B 00 22 00 22 00 58 03"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 A3 9C 31 6E 0E F8 4B 9F EA AB 8F 19 C2 89 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014103020141031]
"CacheLimit" = "8192"
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014103020141031\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DFEAF541-F3E1-4C24-ACAC-99C30715084A}\iexplore]
"Count" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process sllauncher.exe:336 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 0B AE 10 B9 2B 5D 02 93 A4 3E 35 D3 CD 31 D3"
The process regsvr32.exe:1744 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B D8 E4 36 CE BD 65 39 6F 8A 09 95 F9 A7 BA 14"
The process regsvr32.exe:536 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"
[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0]
"(Default)" = "PCSUHelperLib"
[HKCR\PCSU.Registry]
"(Default)" = "RegistryHelper Class"
[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\ProgID]
"(Default)" = "PCSU.Registry.1"
[HKCR\PCSU.SysUtils.1\CLSID]
"(Default)" = "{B89F5C49-51DB-4974-AB5A-E25901AA339C}"
[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}]
"(Default)" = "IRegistryHelper"
[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PC Speed Up"
[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}]
"(Default)" = "ISysUtils"
[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\0\win32]
"(Default)" = "%Program Files%\PC Speed Up\PCSUHelper.dll"
[HKCR\PCSU.SysUtils\CurVer]
"(Default)" = "PCSU.SysUtils.1"
[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}]
"(Default)" = "SysUtils Class"
[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"
[HKCR\PCSU.SysUtils.1]
"(Default)" = "SysUtils Class"
[HKCR\PCSU.SysUtils]
"(Default)" = "SysUtils Class"
[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}]
"(Default)" = "RegistryHelper Class"
[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"
[HKCR\PCSU.Registry\CurVer]
"(Default)" = "PCSU.Registry.1"
[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\InprocServer32]
"(Default)" = "%Program Files%\PC Speed Up\PCSUHelper.dll"
[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\ProgID]
"(Default)" = "PCSU.SysUtils.1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 CD 47 0E A1 81 D3 BA 7E D7 5B 07 BB 7B 90 CD"
[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\InprocServer32]
"(Default)" = "%Program Files%\PC Speed Up\PCSUHelper.dll"
[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\VersionIndependentProgID]
"(Default)" = "PCSU.Registry"
[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PCSU.Registry.1\CLSID]
"(Default)" = "{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}"
[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\VersionIndependentProgID]
"(Default)" = "PCSU.SysUtils"
[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"
[HKCR\PCSU.Registry.1]
"(Default)" = "RegistryHelper Class"
The process PCSUSD.exe:752 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB F1 AA 53 39 6E C3 22 82 17 5B 47 C1 7B 34 95"
The process PCSUSD.exe:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 5F 22 43 29 C8 2E DA 38 80 DB 70 A5 80 AF D3"
The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 01 40 FE BE EF B1 6E 2F 6F 30 67 72 F6 7F 76"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"
The process PCSUNotifier.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 FE 33 A8 C4 5B 0F 90 D2 94 3B E3 0F 6B 03 2D"
The process PCSUNotifier.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED AD F0 5B 9C CD 3A 49 6A 48 62 8A 91 CC 3E 54"
The process PCSUNotifier.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB C7 90 76 AE 64 3D 09 3E 60 58 32 9E 5C FC 51"
The process PCSUNotifier.exe:864 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD BD 30 F5 F3 2D C4 D1 73 33 EA 04 24 14 1F 77"
The process PCSUNotifier.exe:736 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 8F FD 74 05 C9 4B 59 20 DD 54 42 F5 43 D8 E4"
The process PCSUNotifier.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 9D AE DE C0 E4 70 59 75 BE 6F 04 E3 BF 45 48"
Dropped PE files
MD5 | File path |
---|---|
a00b2c33f30e224f11610346188e2b87 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\ms\mscorrc.dll |
31ff2cb1a7ba9c1290caf486280cd686 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\ms\system.resources.dll |
81a4cd70d57f64e046bd945a45e2415e | c:\Program Files\Microsoft Silverlight\4.0.60310.0\mscorlib.dll |
54a3d027bbb4eb571c7c48d096ee0d4a | c:\Program Files\Microsoft Silverlight\4.0.60310.0\mscorlib.ni.dll |
96b6b98a6abbdb7278d6a62b1f9655e6 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\mscorrc.dll |
fcadce8748f68bde4da4db74962c9ceb | c:\Program Files\Microsoft Silverlight\4.0.60310.0\nl\Microsoft.VisualBasic.resources.dll |
da06f47b6657bb741dae5d0ccc956b3e | c:\Program Files\Microsoft Silverlight\4.0.60310.0\nl\mscorlib.resources.dll |
0be3e9e1372a1d36b5e7e8ec2fa4baa1 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\nl\mscorrc.dll |
4ca257510bffc524a7b06f582c04ff1a | c:\Program Files\Microsoft Silverlight\4.0.60310.0\nl\system.resources.dll |
6fc0a8266113a062ca6fdc1b452fc049 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\no\Microsoft.VisualBasic.resources.dll |
f3dac902326bf547e5d230b2ae2215b3 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\no\mscorlib.resources.dll |
55a0100162047835ecac80c3c9f3487a | c:\Program Files\Microsoft Silverlight\4.0.60310.0\no\mscorrc.dll |
98e0dbb05eb4465a61a5547126c5e052 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\no\system.resources.dll |
8e151a2a185daf9852322028abe55534 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll |
8b93ef56bef58f2eb6b6d92b57715131 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrlui.dll |
d447a36f6d077f7ba4aee7c1c9a6d29a | c:\Program Files\Microsoft Silverlight\4.0.60310.0\pl\Microsoft.VisualBasic.resources.dll |
83e0f5720d1fc910d1cc158d06a014d3 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\pl\mscorlib.resources.dll |
fd6e1c26ec29d85406c8ab878d37e2e0 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\pl\mscorrc.dll |
ec6e33b7705759ad2ba52e909b09d5b3 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\pl\system.resources.dll |
2204dd6ed09440638362ee33689b9b98 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt-BR\Microsoft.VisualBasic.resources.dll |
6ea844d42e3d447258cef882d5a3d521 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt-BR\mscorlib.resources.dll |
88fc3794b551ec9efaf43d48f0397192 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt-BR\mscorrc.dll |
768263c8fac574cb43e36e0eb9be9d2b | c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt-BR\system.resources.dll |
9da3db7d39cf1094d983d5c9075884b9 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt\Microsoft.VisualBasic.resources.dll |
14670acec0249c1c732868af4eede9c3 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt\mscorlib.resources.dll |
be56e32c3010f2e8cca0f92449e408a7 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt\mscorrc.dll |
c4db4616be190c3f6ec74789d48abcaf | c:\Program Files\Microsoft Silverlight\4.0.60310.0\pt\system.resources.dll |
7e0d2a1e6c6d65f8d43ed6f6252d5e89 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\ro\Microsoft.VisualBasic.resources.dll |
dcce963625d82ba51ea2f42de3e60934 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\ro\mscorlib.resources.dll |
7e48a4ec1d12272e2f1e25a97b57934f | c:\Program Files\Microsoft Silverlight\4.0.60310.0\ro\mscorrc.dll |
b3306b56fb7f2df1648350e961993a65 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\ro\system.resources.dll |
e4a058d380954604aa0b54159af7ab90 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\ru\Microsoft.VisualBasic.resources.dll |
a9ee3797880974de764d17d973b5c575 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\ru\mscorlib.resources.dll |
7fe0fbfeb39d5d120f7d91885ca9a23e | c:\Program Files\Microsoft Silverlight\4.0.60310.0\ru\mscorrc.dll |
29ee982522e840ddf6eaf3cfe44815df | c:\Program Files\Microsoft Silverlight\4.0.60310.0\ru\system.resources.dll |
958c056d2a335a61ff9b13ce98973ebb | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sk\Microsoft.VisualBasic.resources.dll |
cb66600f1268f400c2939ae83a3b2b81 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sk\mscorlib.resources.dll |
e062d096cfd16df787b97a2bb564c3b2 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sk\mscorrc.dll |
002b68a5e5a135f76be749c9f8c1866d | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sk\system.resources.dll |
0d0115ecba8c7909817570a492bee664 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sl\Microsoft.VisualBasic.resources.dll |
508b76bfe9fbff5755d2d5583bf749ac | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sl\mscorlib.resources.dll |
ee7262ab88bd56eb89abf41f61905cbe | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sl\mscorrc.dll |
2081988c0c1417fb01e7fbcd211475af | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sl\system.resources.dll |
35e0c2177554ebff992743b87a1a476d | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Cyrl-CS\Microsoft.VisualBasic.resources.dll |
0cb8ac78ae33cfcbb5af4027848ff7a5 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Cyrl-CS\mscorlib.resources.dll |
ebe6848f268b5773c3c96ea8485d04d5 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Cyrl-CS\mscorrc.dll |
d4d057d4666e28261b0cfbf2c7927bff | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Cyrl-CS\system.resources.dll |
3603ac8a2a052e648181cc81c0ac0b8d | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Latn-CS\Microsoft.VisualBasic.resources.dll |
1a1d3871b5a70867f30e27665f528d8d | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Latn-CS\mscorlib.resources.dll |
8e50d5dd3583d877af949ea7aa167d80 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Latn-CS\mscorrc.dll |
87ccbb06b06a255b17feba7b465629d3 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sr-Latn-CS\system.resources.dll |
5f91aa1428aeb3aaf291d4d1908e6c86 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sv\Microsoft.VisualBasic.resources.dll |
f451b5e8e79733ed1d2d303475d248a6 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sv\mscorlib.resources.dll |
a1b03b93d1c388ced687bd72a4d78734 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sv\mscorrc.dll |
8c954e9c495b67114194ec414031ce59 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\sv\system.resources.dll |
7df6a16f125b59c9a8afd43d5ffe3319 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\system.dll |
e3384bbeb3a2dd6a5cb73386567a110a | c:\Program Files\Microsoft Silverlight\4.0.60310.0\th\Microsoft.VisualBasic.resources.dll |
3e90b48e5d65a4e11307daf70081f6ea | c:\Program Files\Microsoft Silverlight\4.0.60310.0\th\mscorlib.resources.dll |
c91de4231db93e6aa43814a8dfd17ece | c:\Program Files\Microsoft Silverlight\4.0.60310.0\th\mscorrc.dll |
84add9052724cfd13732e611e79483a3 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\th\system.resources.dll |
4110e3db953513e7136f0bafd7be216d | c:\Program Files\Microsoft Silverlight\4.0.60310.0\tr\Microsoft.VisualBasic.resources.dll |
3b03af2e713e16cd710590b26f745b09 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\tr\mscorlib.resources.dll |
7cfa6b8bf525c4f3a66bc45300ee8f4b | c:\Program Files\Microsoft Silverlight\4.0.60310.0\tr\mscorrc.dll |
18704df881492c8904555f1d4cfce209 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\tr\system.resources.dll |
9eefc1cf2c36e12a22da5f21d78dd3c9 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\uk\Microsoft.VisualBasic.resources.dll |
ad26ed8da155ccf4b1675c714832aee5 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\uk\mscorlib.resources.dll |
4e2a0315efade90257da0efe7bdddbb1 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\uk\mscorrc.dll |
5efe72d85ffb4473bb5ba1fe40ddc931 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\uk\system.resources.dll |
f34ce31a44bba8a34193acc34d553269 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\vi\Microsoft.VisualBasic.resources.dll |
ad1936069c18085bad4f46596e096e6b | c:\Program Files\Microsoft Silverlight\4.0.60310.0\vi\mscorlib.resources.dll |
754db3c969035be56dfb73d93ca2ab83 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\vi\mscorrc.dll |
9de8d1a8d07326122ce0e040356e6280 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\vi\system.resources.dll |
ea3d1945b622cdac3de3b29021828cfd | c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hans\Microsoft.VisualBasic.resources.dll |
3955e856c350473773301f319a40ccb1 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hans\mscorlib.resources.dll |
cadc3a21f9e0f144472da8211bff52cf | c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hans\mscorrc.dll |
f9cdd3fe790b0eb9213a9725992787d6 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hans\system.resources.dll |
cfd295d6b8309b206ef9b4e1d8f8e95d | c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hant\Microsoft.VisualBasic.resources.dll |
1a9e36ce41c9f44fb08962aab6c8b516 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hant\mscorlib.resources.dll |
79fdff61c75be995c802217bb7d1b3f5 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hant\mscorrc.dll |
42888be4920e4d3988a08c3b46d3c191 | c:\Program Files\Microsoft Silverlight\4.0.60310.0\zh-Hant\system.resources.dll |
a8751ee4924c8d5165599ef43adf45d5 | c:\Program Files\Microsoft Silverlight\sllauncher.exe |
afc858e7152f99575c54d6c6418a44ab | c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll |
814374e4ab90e30c64eefaacf1da140b | c:\WINDOWS\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
PCSpeedUp.exe:1792
taskkill.exe:1044
taskkill.exe:1772
taskkill.exe:1628
taskkill.exe:456
taskkill.exe:228
taskkill.exe:1888
taskkill.exe:1032
taskkill.exe:1656
taskkill.exe:424
MSI87.tmp:444
install.exe:664
PCSUService.exe:340
PCSUService.exe:532
PCSpeedUp.tmp:1508
Silverlight.exe:1476
coregen.exe:832
coregen.exe:204
coregen.exe:1060
coregen.exe:1156
coregen.exe:1064
coregen.exe:1276
coregen.exe:588
coregen.exe:1352
coregen.exe:1464
coregen.exe:240
PCSULauncher.exe:1664
MsiExec.exe:1788
sllauncher.exe:336
regsvr32.exe:1744
regsvr32.exe:536
PCSUSD.exe:752
PCSUSD.exe:640
%original file name%.exe:468
mscorsvw.exe:1912
PCSUNotifier.exe:1164
PCSUNotifier.exe:1772
PCSUNotifier.exe:1060
PCSUNotifier.exe:864
PCSUNotifier.exe:736
PCSUNotifier.exe:1756
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\is-0VNA0.tmp\PCSpeedUp.tmp (7386 bytes)
C:\c575b8170f28869a833ee80321b1\Silverlight.msp (149529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Silverlight0.log (6424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SilverlightMSI.log (94845 bytes)
%Program Files%\PC Speed Up\PCSUService-Timer.log (58 bytes)
%Program Files%\PC Speed Up\PCSUService.log (708958 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db (1040924 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (2213480 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-MT0V4.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-V0L2Q.tmp (4 bytes)
%Program Files%\PC Speed Up\unins000.msg (864 bytes)
%Program Files%\PC Speed Up\is-TASLC.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PCSUNotifier.exe (2105 bytes)
%Program Files%\PC Speed Up\is-8N8LB.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PopupNotification.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-NE98B.tmp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-L177B.tmp (7 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Speed Up\Uninstall PC Speed Up.lnk (715 bytes)
%Program Files%\PC Speed Up\is-VM1SV.tmp (1425 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Speed Up\PC Speed Up.lnk (735 bytes)
%Documents and Settings%\%current user%\Desktop\PC Speed Up.lnk (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\itdownload.dll (1281 bytes)
%Program Files%\PC Speed Up\is-LIRCS.tmp (601 bytes)
%Program Files%\PC Speed Up\is-E9A56.tmp (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Silverlight.exe (1526144 bytes)
%Program Files%\PC Speed Up\is-EQ1MK.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-8F289.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Sqlite3.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_link.txt (13 bytes)
%Program Files%\PC Speed Up\is-2JPPF.tmp (2105 bytes)
%Program Files%\PC Speed Up\unins000.dat (50325 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-BU0HK.tmp (5 bytes)
%Program Files%\PC Speed Up\is-JOC2L.tmp (4185 bytes)
%Program Files%\PC Speed Up\is-LIUB1.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_reportInstall.txt (8 bytes)
%Program Files%\PC Speed Up\is-QQIDO.tmp (31891 bytes)
%Program Files%\PC Speed Up\is-SFCGG.tmp (2321 bytes)
%Program Files%\PC Speed Up\is-V6O7K.tmp (2321 bytes)
%Program Files%\PC Speed Up\App.config (4199 bytes)
%Program Files%\PC Speed Up\is-D44GU.tmp (3361 bytes)
%Program Files%\PC Speed Up\PCSUService.conf (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-2LMEU.tmp (53142 bytes)
%Program Files%\PC Speed Up\is-P9DQG.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\WebBrowser.dll (2321 bytes)
%Program Files%\PC Speed Up\is-GE08A.tmp (601 bytes)
%Program Files%\PC Speed Up\uninstaller.dat (673 bytes)
%Program Files%\PC Speed Up\is-7RHIK.tmp (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup Log 2014-10-30 #001.txt (477286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-5HERK.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\PC Speed Up\is-G763Q.tmp (40 bytes)
C:\c575b8170f28869a833ee80321b1\install.exe (2961 bytes)
C:\c575b8170f28869a833ee80321b1\$shtdwn$.req (788 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.msi (973 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.7z (92550 bytes)
C:\c575b8170f28869a833ee80321b1\install.res.dll (5848 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\mscorlib.ni.dll (656923 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ni.dll (77425 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Xml.ni.dll (100641 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Windows.ni.dll (425332 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.Web.ni.dll (16757 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Net.ni.dll (75293 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Core.ni.dll (244582 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.ni.dll (141274 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Windows.Browser.ni.dll (45897 bytes)
%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Runtime.Serialization.ni.dll (112277 bytes)
%Documents and Settings%\%current user%\My Documents\PCSpeedUp\App.log (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qs_limit[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%WinDir%\Tasks\PC SpeedUp Service Deactivator.job (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc7F.tmp (2100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pcspeedup[1].exe (354400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc80.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PCSpeedUp\PCSpeedUp.exe (354400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"PCSpeedUp" = "%Program Files%\PC Speed Up\PCSUNotifier.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 26526 | 26624 | 4.49045 | 71f6ed20ad21579b10cb8828a7bb6a5c |
.rdata | 32768 | 6438 | 6656 | 3.3982 | 31f148bd55194b44b534fe4099cbde16 |
.data | 40960 | 419324 | 512 | 0.980766 | 4c7fd8b37c8cd61d9ada11edc15bc3b8 |
.ndata | 462848 | 606208 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 1069056 | 2552 | 2560 | 3.15581 | cc5d86fe1323be31da31079f593a8769 |
.reloc | 1073152 | 3728 | 4096 | 3.65185 | 0ee460ed01a8153e12813cea2480afd1 |
Network Activity
URLs
URL | IP |
---|---|
hxxp://safedownloadapi.cloudapp.net/getinstalleroption.aspx?productID=1&silent=1&version=3.7.0.0&language=uk&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&requestID=&av=300 | |
hxxp://a767.dscms.akamai.net/download/8/C/7/8C74F157-189C-47FD-8A75-AEF21E5D5F06/runtime/Silverlight.exe | |
hxxp://212.71.248.160/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer | |
hxxp://li621-160.members.linode.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer | |
hxxp://li621-160.members.linode.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service | |
hxxp://safedownloadapi.cloudapp.net/reportInstall.aspx?productID=1&version=3.7.0.0&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&keyword=installer&campaignID=ppi_2712_installer&requestID= | |
hxxp://pcspeedup.go2cloud.org/SP4C?aff_id=2712&source=installer | |
hxxp://www.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service | |
hxxp://www.pcsuapi.net/reportInstall.aspx?productID=1&version=3.7.0.0&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&keyword=installer&campaignID=ppi_2712_installer&requestID= | 168.63.102.240 |
hxxp://www.pcsuservice.com/getinstalleroption.aspx?productID=1&silent=1&version=3.7.0.0&language=uk&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&requestID=&av=300 | 168.63.102.240 |
hxxp://download.microsoft.com/download/8/C/7/8C74F157-189C-47FD-8A75-AEF21E5D5F06/runtime/Silverlight.exe | 184.84.243.41 |
hxxp://link.pcspeedup.com/SP4C?aff_id=2712&source=installer | 107.23.165.131 |
hxxp://www.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1
Content-Type: text/plain
Connection: close
User-Agent: WinHttpClient
Host: VVV.pcspeeduplog.com
Content-Length: 104
"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","serviceConnected":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Thu, 30 Oct 2014 16:38:53 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..
GET /reportInstall.aspx?productID=1&version=3.7.0.0&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&keyword=installer&campaignID=ppi_2712_installer&requestID= HTTP/1.1
User-Agent: PCSUInstaller
Accept: */*
Host: VVV.pcsuapi.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
Set-Cookie: ASP.NET_SessionId=gbph5e1vkpefgmdzcctunse0; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 30 Oct 2014 16:38:52 GMT
Content-Length: 8
ca..SP4C..
POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1
Content-Type: text/plain
Connection: close
User-Agent: PCSUNotifier
Host: VVV.pcspeeduplog.com
Content-Length: 216
"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","Silverlight":"Install","OK":1,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Thu, 30 Oct 2014 16:38:35 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..
POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1
Content-Type: text/plain
Connection: close
User-Agent: WinHttpClient
Host: VVV.pcspeeduplog.com
Content-Length: 100
"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","serviceStart":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Thu, 30 Oct 2014 16:38:53 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..
POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1
Content-Type: text/plain
Connection: close
User-Agent: PCSUNotifier
Host: VVV.pcspeeduplog.com
Content-Length: 204
"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","installerStart":1,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Thu, 30 Oct 2014 16:37:46 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..
POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1
Content-Type: text/plain
Connection: close
User-Agent: PCSUNotifier
Host: VVV.pcspeeduplog.com
Content-Length: 255
"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","installerEnd":"WV-5.1.2600-SP3-DNF-4.0.30319-RID--TC0-ca-Silent-AX0","silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Thu, 30 Oct 2014 16:38:57 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..
POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1
Content-Type: text/plain
Connection: close
User-Agent: WinHttpClient
Host: VVV.pcspeeduplog.com
Content-Length: 102
"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","serviceRunning":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Thu, 30 Oct 2014 16:38:53 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..
GET /getinstalleroption.aspx?productID=1&silent=1&version=3.7.0.0&language=uk&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&requestID=&av=300 HTTP/1.0
Host: VVV.pcsuservice.com
User-Agent: InnoTools_Downloader
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/8.0
Set-Cookie: ASP.NET_SessionId=ya1w5xo4fujobf443cti3g4k; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 30 Oct 2014 16:37:46 GMT
Connection: close
Content-Length: 0
GET /SP4C?aff_id=2712&source=installer HTTP/1.0
Host: link.pcspeedup.com
User-Agent: InnoTools_Downloader
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html
Date: Thu, 30 Oct 2014 16:38:54 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: nginx/1.4.4
tracking_id: 102c8f15e4ba45b7a8266467b35b34
Content-Length: 13
Connection: Close
success=true;..
GET /download/8/C/7/8C74F157-189C-47FD-8A75-AEF21E5D5F06/runtime/Silverlight.exe HTTP/1.1
User-Agent: PCSUInstaller
Accept: */*
Host: download.microsoft.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 10 Mar 2011 08:49:12 GMT
Accept-Ranges: bytes
ETag: "3075d70dfcb1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6280056
Date: Thu, 30 Oct 2014 16:37:46 GMT
Connection: keep-alive
<<< skipped >>>
POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1
Content-Type: text/plain
Connection: close
User-Agent: WinHttpClient
Host: VVV.pcspeeduplog.com
Content-Length: 111
"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","serviceAction":"--install"
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Thu, 30 Oct 2014 16:38:52 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..
POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1
Content-Type: text/plain
Connection: close
User-Agent: PCSUNotifier
Host: VVV.pcspeeduplog.com
Content-Length: 206
"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","Link":"SP4C","OK":1,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Thu, 30 Oct 2014 16:38:55 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..
POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1
Content-Type: text/plain
Connection: close
User-Agent: PCSUNotifier
Host: VVV.pcspeeduplog.com
Content-Length: 326
"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","ReportInstall":"affID=2712|keyword=installer|campaignID=ppi_2712_installer|uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A|requestID=","OK":1,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Thu, 30 Oct 2014 16:38:54 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..
POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1
Content-Type: text/plain
Connection: close
User-Agent: PCSUNotifier
Host: VVV.pcspeeduplog.com
Content-Length: 219
"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","Silverlight":"Download","OK":200,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Thu, 30 Oct 2014 16:37:50 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
PCSUService.exe_340: