Skip to main content

Worm.Win32.AutoItGen_771e4514e4


WormAutoItGen.YR (Lavasoft MAS)Behaviour: Worm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 771e4514e4ac3ac440fa434f44f1d670

SHA1: f7bf8b7358a5ea5f0974b13ab49e66e9708f2389

SHA256: a4850313a2d63693f472fdf012e56b8ed21d2e6a70ed4a927579459f9758ec64

SSDeep: 49152:sf4R vwdRUtbCEm3Ub/MVo2iwKkM/B6EZM14USAyqd29SExFb Bb7tSg24/sr6Jf:sWWDbjmEbEVEwKkwfFFe724 6JcJA

Size: 4214896 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171

Company: Saitek

Created at: 2001-09-05 20:02:57

Analyzed on: Windows7Ada SP1 64-bit

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

%original file name%.exe:1632
setup.exe:2224

The Worm injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1632 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_09.dll (11765 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plf905D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pft907E.tmp\pftw1.pkg (7484 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ext905E.tmp (5 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\Sai3611.inf (2 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Fxxx.dll (1808 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_04.dll (12195 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0A.dll (13271 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Vxxx.dll (1984 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_07.dll (12803 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_10.dll (12930 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0C.dll (12195 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe (23729 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\SAIK3611.SYS (3252 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\sai3611.cat (8 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_12.dll (13172 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\WDFCOINSTALLER01009.DLL (34600 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_19.dll (12887 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_A501.dll (1053 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_11.dll (4230 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_05.dll (11751 bytes)

The process setup.exe:2224 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Fxxx.dll (45 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (3032 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Vxxx.dll (118 bytes)
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (2296 bytes)
C:\$Directory (192 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_A501.dll (53 bytes)

Registry activity

The process setup.exe:2224 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:


To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SaitekInstall" = "C:\Windows\temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe -S0 -R -WEB"

The Worm deletes the following value(s) in system registry:


The Worm disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SaitekInstall"

Dropped PE files

MD5 File path
32f8b989e0ed59a999789355a0fb2167c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\SAIK3611.SYS
4da5da193e0e4f86f6f8fd43ef25329ac:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\WDFCOINSTALLER01009.DLL
41d0bae99ab9d8d57f3c794f1f8c8702c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_A501.dll
af3f53271f502d8c14d49a2063800018c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Fxxx.dll
f95da19233b10bb057336b9d23f4cb0cc:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Vxxx.dll
970d4875dda50c9464a27a26f5423b5cc:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_04.dll
da1c6bb0c680f9a9e5d9559e8fade75fc:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_05.dll
1cd181769d827a8a7df392d0b47a61b7c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_07.dll
2c4aef983519f16c1d1cac6eeb5439e0c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_09.dll
1849d7374aacc5d0b9b09acd56a0b166c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0A.dll
e7cb8c4fe2ca9abbc6f6366e01132d83c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0C.dll
55c84e9b8aa2d04592d0e455da38b24ac:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_10.dll
ae13b83b04de797ec44849cf91459534c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_11.dll
979fddb85bb12fb3e27108b72ba43385c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_12.dll
bed7080125983a291e0d02986d913df9c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_19.dll
4a9b6763b4c428d5e3d62bb385af1404c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1632
    setup.exe:2224

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_09.dll (11765 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plf905D.tmp (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pft907E.tmp\pftw1.pkg (7484 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ext905E.tmp (5 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\Sai3611.inf (2 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Fxxx.dll (1808 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_04.dll (12195 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0A.dll (13271 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Vxxx.dll (1984 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_07.dll (12803 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_10.dll (12930 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0C.dll (12195 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe (23729 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\SAIK3611.SYS (3252 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\sai3611.cat (8 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_12.dll (13172 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\WDFCOINSTALLER01009.DLL (34600 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_19.dll (12887 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_A501.dll (1053 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_11.dll (4230 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_05.dll (11751 bytes)
    C:\Users\"%CurrentUserName%"\NTUSER.DAT (3032 bytes)
    C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (2296 bytes)
    C:\$Directory (192 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "SaitekInstall" = "C:\Windows\temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe -S0 -R -WEB"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Saitek
Product Name: Sims_3_Mood_Mouse_SD7_00000000_64_Drivers
Product Version: 00000000
Legal Copyright: Copyright (c) Saitek 2011
Legal Trademarks:
Original Filename: stub32i.exe
Internal Name: stub32
File Version: 00000000
File Description: Saitek SST (SD7)64bit Drivers webinstall
Comments: Drivers only
Language: English (Australia)

Company Name: Saitek Product Name: Sims_3_Mood_Mouse_SD7_00000000_64_Drivers Product Version: 00000000 Legal Copyright: Copyright (c) Saitek 2011 Legal Trademarks: Original Filename: stub32i.exe Internal Name: stub32 File Version: 00000000 File Description: Saitek SST (SD7)64bit Drivers webinstall Comments: Drivers only Language: English (Australia)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409672470737284.57623e169cd9727498334799ce574858324b5
.rdata77824648081923.314991d22aa58107cdb479897ec936f8bbe61
.data860162002481921.678757e0cfc2e100727b4ae39786ac23b9520
.rsrc1064961829521843204.8681177ee4c2b4732dc70c78518e6c523780b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 30
506b65753779e5a72fee8443f8061a6c
ed811c2ebfc18a5ed42d9ff424e68373
419d2eab32cf44d5c0b096c9dbddc55c
72104f4074122d3b6dd5b9feca6c75f6
f8869decaa3e360267581d087fc9d0be
3964005c77fd15fffb1e0ec679e27b79
06788f55be1d2d0bf495b9ef40369cbe
9322ed5c0cf894ab92f610eb24618dd5
78564eee1b19157985c374ed44297428
327e2a55bb585da4c513baacb0cfdefd
4d801ca1aba96192afa9f22382cd8fb2
55a28ea8a1f39b6a3d21e019ede22bc4
cf84383996bd8d5a0e28a9cc5f7a130c
edae8f0b1aae38ae2a93a2b932650c80
1cf2fe773c8ce76bbedc80085a017e05
77d88fbd54956ce064cf8501b975fc1c
7cb5defa952ca85747df433dbb3ad02d
4d13901448116568bd274d7c6f0ea8ce
4c6296f522092db45b7266cd0ef494dd
a6a8a931443e27d3afc3127d4ff29305
c103d86d8c66b0954216fcfb331a67d7
4c9c89070bb6a18674418d779516964a
ae46af2e5ec110bcbc9007d036388a50
0c296e235d36161769fc3a7a89db7b63
1658bc5ac7936d572ff56ef1a5b1ea1f

Network Activity

URLs

URL IP
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a98b935d26110583
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl88.221.132.175
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=23.43.139.27
hxxp://crl.verisign.com/pca3.crl23.43.133.163
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=23.43.139.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd8388.221.132.207
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl88.221.132.175
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=23.43.139.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a98b935d2611058388.221.132.207
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl88.221.132.175
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl88.221.132.175

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a98b935d26110583 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT

If-None-Match: "0af536cf2ce1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=86400

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT

Accept-Ranges: bytes

ETag: "0b2464b1797cf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6408

Date: Wed, 07 Jan 2015 04:48:56 GMT

Connection: keep-alive

MSCF............,...................O.......'#.........D.z .disallowedcert.stl....2..'#CK...8T...g........g.k..".....mlI."d..m...P$"....e.J........z.....\..........9g.9....~.........Q.Q......Q..DL.8.C.PS.K0.!P.0........#.DY.8.....V.....$.C....a.0...........`......;.S.....0#...m... ..`0...?.!vR?.....d....`......_@..}....$...i..OR'..$....K..'Z....o.g..*.Vc.....[nY e./.EJ...B.Y.......Ag......!....9......u..!..1Yy.......r...Ss^@...M.Dtl\....i.k....3...B.Z.:.p.N....*......x,...ah/..].[....GB..T..$A....SY..t.E5R..R...9!....*.*68V....1... ...Q{...".Op@L.2M...1;xd{.C.u?..e.U.=f.nx.........y.G..0.......\L .'.^....$......N=..m...UjrZs...J.I.C....;......q_..e......?.T..2..bw....E.L.{...S...~.<.........-.Q..|.l. .1..6r....[}!J..,...naPk.U.... ..{@LH..W....>.Sq...8.5.,.z..0.jL.S..........]...yW_...Y.1..h.7...9{.....I......g.Y.,1...i8n.6..........4.]...........=........^..n.K7...c.g).Z. .0..$7.ys.p...B.5.].f...|(3!.|..P...j..^..j....#(...@...As..*.O..i..u....9..S.Y.n..HXW...F ..i...:.......!.] r......D..*ld.b.>>:Pp.....5:1 o=..5.'..4.......hO....{.V.rx..V...%.}..u...6Wv-..".iV.b..B0.Q..,...E.Dy...x..5....?Z.$L..1.....4...=.....g!....%..:..c..j..v~....._R.6.......;.#.Y*p..J.4.#'..Vo...g^K...J....._.^..u...)....&/.....q....o......4.....S...,q.....p.8IIe.....d|.3{)...M.0.X...4.."..P.......Hk.... ]!.!... ..#.x..<..X.........'.E(<b[.......#.. ....XiLl|..=.....&P.@H.J.oo...a...x B....l.....@.P......!8..@...q2..;.......mm....>~............j%..>.X.,V...J...C ....*..Z.8- RKGW...0./Z.__..)7g_'{.......pr......;.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=362894, public, no-transform, must-revalidate

Last-Modified: Sun, 4 Jan 2015 09:34:14 GMT

Expires: Sun, 11 Jan 2015 09:34:14 GMT

Date: Wed, 07 Jan 2015 04:50:21 GMT

Connection: keep-alive

0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150104093414Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150104093414Z....20150111093414Z0...*.H.................P.OK.w3.B.R..9_*..-....][\....5'.A.jL..=.OZ...|.......?..R..#YB.6q|...'.P..G ..h...I.H9.`G.M.}..M...3.......p.."Ug....U...7.3.?.......$.._Q.\_./.....|.L..[......gzO'.C..6.....B.sK.D..H[......iPI.... ...Xp.T.]..LR....R:.m.J..T...lDP..p....J..d./D.F....2....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=411363, public, no-transform, must-revalidate

Last-Modified: Sun, 4 Jan 2015 23:04:05 GMT

Expires: Sun, 11 Jan 2015 23:04:05 GMT

Date: Wed, 07 Jan 2015 04:50:26 GMT

Connection: keep-alive

0..........0..... .....0......0...0........6?s....V....OlL".O..20150104230405Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150104230405Z....20150111230405Z0...*.H................G..z./....,FS?..1..H.b*.!\..U.X)._...\d.V.....a.....). ......;..9.pD.o4.....!...........5.O*....Gt...DM'...a.S../......<{;.Q#....*..~g...p.._WB.:1.....~T....=.1...w'.p#*q..]$.NO..!..e5.`Ic..@.kd. ..v....~......F.....l.........3U..T...^p3.....q..i,RMX%&....#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=482014, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Jan 2015 18:44:32 GMT

Expires: Mon, 12 Jan 2015 18:44:32 GMT

Date: Wed, 07 Jan 2015 04:50:58 GMT

Connection: keep-alive

0..........0..... .....0......0...0........6?s....V....OlL".O..20150105184432Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20150105184432Z....20150112184432Z0...*.H.............P*........D..)..Ex/.......P?)...K...BJ..G..x. \2....6y....\..t..0.1,y..S...{.....:..<... vn....&.$[.3...I...\ ...._.L..1@=cZ;..J....w.o.]s.n.......F.3.....V...P..NA/......\... ..%.`p...AA....W.?..@UI..3pi..E....%w.Z:~.C............`..:...:....UE..x...x.......#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...

<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT

If-None-Match: "924558f3e994cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT

Accept-Ranges: bytes

ETag: "88cab6f7ffcf1:0"

Server: Microsoft-IIS/8.0

VTag: 438246244800000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Wed, 07 Jan 2015 04:49:43 GMT

Connection: keep-alive

0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..141112173206Z..150211055206Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......W0... .....7......150210174206Z0...*.H................].`...D..9.>LO.ey...Qx%.^.P.& ...D.......b}.K..[.....5.m....).....H..6R....G/ju.........:..A.#.9!......D5...|".w.x..=.u..X6.7{..).XN....g......B.8.!&...........<7fS$..........t<X)%.b(0.L@..i..Kn.......fX... ,...K\....U1cp).........y.T..?rm.t..Y.}.E..-@.HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT..Accept-Ranges: bytes..ETag: "88cab6f7ffcf1:0"..Server: Microsoft-IIS/8.0..VTag: 438246244800000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 554..Cache-Control: max-age=900..Date: Wed, 07 Jan 2015 04:49:43 GMT..Connection: keep-alive..0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..141112173206Z..150211055206Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......W0... .....7......150210174206Z0...*.H................].`...D..9.>LO.ey...Qx%.^.P.& ...D.......b}.K..[.....5.m....).....H..6R....G/ju.........:..A.#.9!......D5...|".w.x..=.u..X6.7{..).XN....g......B.8.!&...........<7fS$..........t<X)%.b(0.L@..i..Kn.......fX... ,...K\.

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.verisign.com

HTTP/1.1 200 OK

Server: Apache

ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"

Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT

Date: Wed, 07 Jan 2015 04:50:32 GMT

Content-Length: 933

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..141210000000Z..150331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H............5..v...V.._)....A... ....>.5]....6.(.0uFW.*:T...6$.....R...Y.N.k........%Jn..I.j*.6.3~...r../=l..?...9..V0..@Tk......fn?....0.A.HTTP/1.1 200 OK..Server: Apache..ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"..Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT..Date: Wed, 07 Jan 2015 04:50:32 GMT..Content-Length: 933..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..141210000000Z..150331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=404827, public, no-transform, must-revalidate

Last-Modified: Sun, 4 Jan 2015 21:14:33 GMT

Expires: Sun, 11 Jan 2015 21:14:33 GMT

Date: Wed, 07 Jan 2015 04:50:46 GMT

Connection: keep-alive

0..........0..... .....0......0...0........6?s....V....OlL".O..20150104211433Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......l$.%t...............20150104211433Z....20150111211433Z0...*.H.............P.<...'A.!..?... .T T..0... .K... #.Z..X.@0u@....Q...)`...z.fq........L:T.........7.I....3.}.5&.b.c..DP....O...~....K....N....ny.....`..Z....{...........f..n....j.h..A*...7T._.. .....q....6.5$|..=.....t.)....,..B...8...*.O....SM6....VqP.....e...i7Y....Q-.....#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT

If-None-Match: "96bfbfb1d77cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT

Accept-Ranges: bytes

ETag: "a2f3ff97eeecf1:0"

Server: Microsoft-IIS/8.5

VTag: 791502955900000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 813

Cache-Control: max-age=900

Date: Wed, 07 Jan 2015 04:49:02 GMT

Connection: keep-alive

0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....microsoft1-0 ..U...$Microsoft Root Certificate Authority..141022204822Z..150121090822Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..%..*..S.Y..0... .....7.......0...U......'0... .....7......150120205822Z0...*.H.............4....w.h.Y..L.p.Q... ..?.~.q.......'.a[... ]G........t.....^p..De..0*r.n....G|....$b-{......d/....m...r.xQ...t..XtF...OW~.....@6...*x.h........wi.L.%.,<}.rULPR..T........P..g...._V.\z`..../..^...e.............r.%...:.S..W.....Qy...6.W..Fo.;.~.e9.]...;7..[.$wzD....|.%\.w..o...X.....R.2u.w."J\.&q.f.d<&.p....[31.....il.....dI2.#...h.Y.._e........H.%2.r.w..M.(~...W.{?...@n0.X.v..Wa.^o]...K....f[.oN\.V.../<..&.)@P.A.......p....D.Gj.M}PhUY?s...YX>..e...PC...@.^....v...:._[.l.....z.._(..>.l....O....ReP...M.%.B1..)HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT..Accept-Ranges: bytes..ETag: "a2f3ff97eeecf1:0"..Server: Microsoft-IIS/8.5..VTag: 791502955900000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 813..Cache-Control: max-age=900..Date: Wed, 07 Jan 2015 04:49:02 GMT..Connection: keep-alive..0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....microsoft1-0 ..U...$Microsoft Root Certificate Authority..141022204822Z..150121090822Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..%..*..S.Y..0... .....7.......0...U......'0... ..

<<< skipped >>>

GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT

If-None-Match: "a413fc3b169cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT

Accept-Ranges: bytes

ETag: "d2e35dc7e31cd01:0"

Server: Microsoft-IIS/8.5

VTag: 4389615400000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 561

Cache-Control: max-age=900

Date: Wed, 07 Jan 2015 04:49:07 GMT

Connection: keep-alive

0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..141220223154Z..150321105154Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......30... .....7......150320224154Z0...*.H.............h.~oH#i.J.vh_.....A'B..g...........F....9c.{.m@Q.M.p...g.^ 4.r..Wv.Q.0.w..j....c9..w....I..%.~.l..F.......xo...._...o...7BR.;<..\R/ .....b.(....~..]|.v.u.i.X.B....I......./*...P..A..fi.}& .x.v{TFP[.G......A......L.o...)R.......V.u..V.../.Q..(L.].....uki~..HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT..Accept-Ranges: bytes..ETag: "d2e35dc7e31cd01:0"..Server: Microsoft-IIS/8.5..VTag: 4389615400000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 561..Cache-Control: max-age=900..Date: Wed, 07 Jan 2015 04:49:07 GMT..Connection: keep-alive..0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..141220223154Z..150321105154Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......30... .....7......150320224154Z0...*.H.............h.~oH#i.J.vh_.....A'B..g...........F....9c.{.m@Q.M.p...g.^ 4.r..Wv.Q.0.w..j....c9..w....I..%.~.l..F.......xo...._...o...7BR.;<..\R/ .....b.(....~..]|.v.u.i.X.B....I......./*...P..A..fi.}& .x.v{TFP[.G......A...

<<< skipped >>>

GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT

If-None-Match: "87fbb3811f68cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT

Accept-Ranges: bytes

ETag: "9a9a44d511bd01:0"

Server: Microsoft-IIS/8.0

VTag: 438346843700000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 550

Cache-Control: max-age=900

Date: Wed, 07 Jan 2015 04:49:13 GMT

Connection: keep-alive

0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..141218221600Z..150319103600Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......10... .....7......150318222600Z0...*.H............./..0Q~.r.}.E....&\....F.Z.C..#..F.s........<&\..9G..-....j..N... .C.Fk....;l.....2.K5D.........-.>...(...g.0.S.[?...T4q>.ln...z..L.......5.5s@d.q.('..e...Y..Bo..q..........I....'....i>..y:.eH@h`..\...UA.m#.~.. ;.3..d..;..<..........p..s..J..N `Az......@..l..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1697

content-transfer-encoding: binary

Cache-Control: max-age=426631, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Jan 2015 03:19:06 GMT

Expires: Mon, 12 Jan 2015 03:19:06 GMT

Date: Wed, 07 Jan 2015 04:50:38 GMT

Connection: keep-alive

0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCSP Responder..20150105031906Z0s0q0I0... ........?.@..w.........Y.!......Q...==d6|h.[x....7..`..........cV.!.....20150105031906Z....20150112031906Z0...*.H..............S.X.....3d*L....._.u..M...U...#..kf.?yG$Z...g#..=.R.~..#...S=<.;..K..,.......G..%eUb..'...K.vBd..u8`..H..4..\..2.........1.....J........N.......'|....}.xq...9Y..l.f.[..q)DfS%;.}I......tm>O;.......b.0..(DZ.....x{]..\[...%.D.... ..NM........5..V.;t.l..2........0...0...0..{.........[..I|.....Zm..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140428000000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCSP Responder0.."0...*.H.............0.........Y....h..@..>.....%.-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l.....f..;]s!.\"v...|....].@.....K7m2...N......-S.I......5n...G7. ..W....n..*..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....<..6.....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%..0... .......0...U...........0... .....0......0f..U. ._0]0[..`.H...E....0L0#.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>q..i1o...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..wo......E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|........

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT

If-None-Match: "0b96c77303ecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT

Accept-Ranges: bytes

ETag: "805a83f2b9cecf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 56928

Date: Wed, 07 Jan 2015 04:49:49 GMT

Connection: keep-alive

MSCF....`.......,...................I.................,E.Y .authroot.stl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.....................@.....L.........KNAy8/"...f.......k..Jm7j....R.5q....Rz..!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m..._.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|.@.M.._.....7._6...C.0...A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?...........WE.Or..O>..{.'W2.........3m.O.u..Z8....H4@.w}.o:?~....]<!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!.........`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=...f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..].|......3..y..-./....K..6{...s.<R`.}6....?.......-..@.g..S....

<<< skipped >>>

Map

The Worm connects to the servers at the folowing location(s):

Strings from Dumps