WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 771e4514e4ac3ac440fa434f44f1d670
SHA1: f7bf8b7358a5ea5f0974b13ab49e66e9708f2389
SHA256: a4850313a2d63693f472fdf012e56b8ed21d2e6a70ed4a927579459f9758ec64
SSDeep: 49152:sf4R vwdRUtbCEm3Ub/MVo2iwKkM/B6EZM14USAyqd29SExFb Bb7tSg24/sr6Jf:sWWDbjmEbEVEwKkwfFFe724 6JcJA
Size: 4214896 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Saitek
Created at: 2001-09-05 20:02:57
Analyzed on: Windows7Ada SP1 64-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
%original file name%.exe:1632
setup.exe:2224
The Worm injects its code into the following process(es): No processes have been created.
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:1632 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_09.dll (11765 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plf905D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pft907E.tmp\pftw1.pkg (7484 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ext905E.tmp (5 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\Sai3611.inf (2 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Fxxx.dll (1808 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_04.dll (12195 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0A.dll (13271 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Vxxx.dll (1984 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_07.dll (12803 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_10.dll (12930 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0C.dll (12195 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe (23729 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\SAIK3611.SYS (3252 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\sai3611.cat (8 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_12.dll (13172 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\WDFCOINSTALLER01009.DLL (34600 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_19.dll (12887 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_A501.dll (1053 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_11.dll (4230 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_05.dll (11751 bytes)
The process setup.exe:2224 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Fxxx.dll (45 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (3032 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Vxxx.dll (118 bytes)
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (2296 bytes)
C:\$Directory (192 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_A501.dll (53 bytes)
Registry activity
The process setup.exe:2224 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SaitekInstall" = "C:\Windows\temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe -S0 -R -WEB"
The Worm deletes the following value(s) in system registry:
The Worm disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SaitekInstall"
Dropped PE files
MD5 | File path |
---|---|
32f8b989e0ed59a999789355a0fb2167 | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\SAIK3611.SYS |
4da5da193e0e4f86f6f8fd43ef25329a | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\WDFCOINSTALLER01009.DLL |
41d0bae99ab9d8d57f3c794f1f8c8702 | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_A501.dll |
af3f53271f502d8c14d49a2063800018 | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Fxxx.dll |
f95da19233b10bb057336b9d23f4cb0c | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Vxxx.dll |
970d4875dda50c9464a27a26f5423b5c | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_04.dll |
da1c6bb0c680f9a9e5d9559e8fade75f | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_05.dll |
1cd181769d827a8a7df392d0b47a61b7 | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_07.dll |
2c4aef983519f16c1d1cac6eeb5439e0 | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_09.dll |
1849d7374aacc5d0b9b09acd56a0b166 | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0A.dll |
e7cb8c4fe2ca9abbc6f6366e01132d83 | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0C.dll |
55c84e9b8aa2d04592d0e455da38b24a | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_10.dll |
ae13b83b04de797ec44849cf91459534 | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_11.dll |
979fddb85bb12fb3e27108b72ba43385 | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_12.dll |
bed7080125983a291e0d02986d913df9 | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_19.dll |
4a9b6763b4c428d5e3d62bb385af1404 | c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1632
setup.exe:2224
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_09.dll (11765 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plf905D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pft907E.tmp\pftw1.pkg (7484 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ext905E.tmp (5 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\Sai3611.inf (2 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Fxxx.dll (1808 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_04.dll (12195 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0A.dll (13271 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Vxxx.dll (1984 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_07.dll (12803 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_10.dll (12930 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0C.dll (12195 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe (23729 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\SAIK3611.SYS (3252 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\sai3611.cat (8 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_12.dll (13172 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\WDFCOINSTALLER01009.DLL (34600 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_19.dll (12887 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_A501.dll (1053 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_11.dll (4230 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_05.dll (11751 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (3032 bytes)
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (2296 bytes)
C:\$Directory (192 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SaitekInstall" = "C:\Windows\temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe -S0 -R -WEB"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Saitek
Product Name: Sims_3_Mood_Mouse_SD7_00000000_64_Drivers
Product Version: 00000000
Legal Copyright: Copyright (c) Saitek 2011
Legal Trademarks:
Original Filename: stub32i.exe
Internal Name: stub32
File Version: 00000000
File Description: Saitek SST (SD7)64bit Drivers webinstall
Comments: Drivers only
Language: English (Australia)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 72470 | 73728 | 4.57623 | e169cd9727498334799ce574858324b5 |
.rdata | 77824 | 6480 | 8192 | 3.31499 | 1d22aa58107cdb479897ec936f8bbe61 |
.data | 86016 | 20024 | 8192 | 1.67875 | 7e0cfc2e100727b4ae39786ac23b9520 |
.rsrc | 106496 | 182952 | 184320 | 4.86811 | 77ee4c2b4732dc70c78518e6c523780b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 30
Network Activity
URLs
URL | IP |
---|---|
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a98b935d26110583 | |
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83 | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 88.221.132.175 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | 23.43.139.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.43.139.27 |
hxxp://crl.verisign.com/pca3.crl | 23.43.133.163 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | 23.43.139.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.43.139.27 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83 | 88.221.132.207 |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 88.221.132.175 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | 23.43.139.27 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a98b935d26110583 | 88.221.132.207 |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 88.221.132.175 |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 88.221.132.175 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a98b935d26110583 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
Accept-Ranges: bytes
ETag: "0b2464b1797cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6408
Date: Wed, 07 Jan 2015 04:48:56 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=362894, public, no-transform, must-revalidate
Last-Modified: Sun, 4 Jan 2015 09:34:14 GMT
Expires: Sun, 11 Jan 2015 09:34:14 GMT
Date: Wed, 07 Jan 2015 04:50:21 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=411363, public, no-transform, must-revalidate
Last-Modified: Sun, 4 Jan 2015 23:04:05 GMT
Expires: Sun, 11 Jan 2015 23:04:05 GMT
Date: Wed, 07 Jan 2015 04:50:26 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=482014, public, no-transform, must-revalidate
Last-Modified: Mon, 5 Jan 2015 18:44:32 GMT
Expires: Mon, 12 Jan 2015 18:44:32 GMT
Date: Wed, 07 Jan 2015 04:50:58 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT
If-None-Match: "924558f3e994cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.0
VTag: 438246244800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Wed, 07 Jan 2015 04:49:43 GMT
Connection: keep-alive
<<< skipped >>>
GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com
HTTP/1.1 200 OK
Server: Apache
ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"
Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT
Date: Wed, 07 Jan 2015 04:50:32 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=404827, public, no-transform, must-revalidate
Last-Modified: Sun, 4 Jan 2015 21:14:33 GMT
Expires: Sun, 11 Jan 2015 21:14:33 GMT
Date: Wed, 07 Jan 2015 04:50:46 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT
Accept-Ranges: bytes
ETag: "a2f3ff97eeecf1:0"
Server: Microsoft-IIS/8.5
VTag: 791502955900000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Wed, 07 Jan 2015 04:49:02 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT
Accept-Ranges: bytes
ETag: "d2e35dc7e31cd01:0"
Server: Microsoft-IIS/8.5
VTag: 4389615400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Wed, 07 Jan 2015 04:49:07 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT
Accept-Ranges: bytes
ETag: "9a9a44d511bd01:0"
Server: Microsoft-IIS/8.0
VTag: 438346843700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Wed, 07 Jan 2015 04:49:13 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=426631, public, no-transform, must-revalidate
Last-Modified: Mon, 5 Jan 2015 03:19:06 GMT
Expires: Mon, 12 Jan 2015 03:19:06 GMT
Date: Wed, 07 Jan 2015 04:50:38 GMT
Connection: keep-alive
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Wed, 07 Jan 2015 04:49:49 GMT
Connection: keep-alive
<<< skipped >>>
Map
The Worm connects to the servers at the following location(s):