Sample_6645561446 – Adaware

mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 6645561446eeeb98b7ed7df7aabf565c

SHA1: fcf3eb43fa12b23d1c737d72394a2e01b0774de6

SHA256: 1792bab633d27adf10437f285463e9e2e7747aa160864e7b8019a4c6a4ffabb1

SSDeep: 6144:/WmZJDSDDZnXI2i9RXXD3z5E9RBkiqpf8QBtxBS8oA:/duZ42ibz5EReNrdSa

Size: 213072 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: AOL LLC.

Created at: 2009-07-21 17:14:14

Analyzed on: Windows7Ada SP1 64-bit

Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

roadie.exe:804
%original file name%.exe:2340
noneCodesignFilesBundle.exe:2800
flashax.exe:2252
sdclt.exe:2448

The Malware injects its code into the following process(es):

waol-0.4343.2046.1.exe:688

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process roadie.exe:804 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\browser\aolbwsrinst.exe (130170 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\msvcr9\msvc9rt.exe (130583 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\setup.exe (22520 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\gui.dll (61584 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acslaeu.exe (126024 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F8AAE6A916F668584D043F6543292194_D96BA187CDB0BBE4151F3618123F74F2 (1680 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\dnserrordiagoff_webOC[1] (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D285HURO\down[1] (748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7FDB.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (656 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tb\tbsetup.exe (53008 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HDZ3KS6S\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aolswfchk.dll (6797 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\AcsInstC.dll (5576 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5BF987767EE121EB773E3E93D13C2F30_8E045C5CB1F111608338D2D3A7DCEAD9 (1696 bytes)
C:\Windows\nsreg.dat (732 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\instSup.dll (10208 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\sysinfo\SinfInst.exe (91332 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5BF987767EE121EB773E3E93D13C2F30_8E045C5CB1F111608338D2D3A7DCEAD9 (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\ecuinst.exe (34008 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC (1212 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Retry AOL Desktop 9.7 Download.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7FDA.tmp (48 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flashPlayer\aolswfchk.dll (6744 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\instph.dll (12080 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_F9BDF410D651FF0504A529F7A107038D (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\browser\aolbwsrlp.exe (13488 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\instSup.dll (10208 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acsshutd.exe (1928 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpchk.dll (680 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpgc.exe (7776 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acslang.exe (185031 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\AcsInstA.dll (6592 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\noneCodesignFilesBundle.exe (5565160 bytes)
C:\IPH.PH (3670 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\wbsetup.exe (71832 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F8AAE6A916F668584D043F6543292194_D96BA187CDB0BBE4151F3618123F74F2 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HDZ3KS6S\httpErrorPagesScripts[1] (8 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\parcon\AOLParconLink.exe (7336 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~r1F3.tmp (3176 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpinst.exe (518187 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\toolbar\aol_trio.exe (1182424 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flashPlayer\install_flash_player_11_plugin.exe (2272819 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\info_48[1] (4 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\search\aolSearchInstaller.exe (1928 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acsrollb.exe (18800 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acscore.exe (159846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\registry.dat (732 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (1360 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\ecuchk.dll (392 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\waol-0.4343.2046.1.exe (173242 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_F9BDF410D651FF0504A529F7A107038D (1536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D285HURO\errorPageStrings[1] (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\postproc.exe (4712 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\AcsInstA.dll (6592 bytes)

The process %original file name%.exe:2340 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\message.js (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.exe (7392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.bin (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Preparing.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Progress.htm (804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dlgui.dll (25824 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\NoFiles.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscFC88.tmp\CertHelper.dll (1913 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscFC87.tmp (23759 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\NoQualify.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Error.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Cancelled.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dlgui.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\FailedLaunch.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\NoConn.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Grats.htm (792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\DownloadError.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Cancelling.htm (987 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\CancelConfirm.htm (993 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscFC88.tmp\System.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.ini (608 bytes)

The process waol-0.4343.2046.1.exe:688 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flash\flashax.exe (146 bytes)
C:\Users\Public\Desktop\AOL Desktop 9.7 Install.lnk (1 bytes)
C:\IPH.PH (316 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (4432 bytes)

The process noneCodesignFilesBundle.exe:2800 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\progress.xml (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\gui.ini (8 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\txt\CLIENTDETAILS.txt (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\installer.swf (7168 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\rbm.bin (13 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\txt\PRIVACY.txt (12 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\message.xml (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\VMPCache.mtz (8 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\error.xml (361 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\installOmniture.ini (56 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tb\tbinst.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\txt\EULA.txt (26 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\setup.ini (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\muinst\muinst.exe (14600 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\style.xml (953 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\VPPrePop.exe (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\backup.ini (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\Dacldll.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\AOLVPChk.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\tsverchk.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\installOmniture.loc (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\media.ini (128 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\sysinfo\SiNdInst.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flash\flashax.exe (39122 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\Vwpt.exe (61190 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\default.xml (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\marketing.xml (5 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\screens.xml (3 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\AOLTheme.mtx (387 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comp01.000 (563011 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\txt\TOS.txt (27 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps.ini (7 bytes)

The process flashax.exe:2252 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\734B.tmp (626 bytes)
C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx (732 bytes)
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.dll (311 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\734C.tmp (464 bytes)
C:\Windows\SysWOW64\Macromed\Flash\FlashInstall.log (1 bytes)
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe (464 bytes)

Registry activity

The process roadie.exe:804 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\America Online\IPH\waol_0.4343.2046.1]
"DLComplete" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\America Online\VID]
"VID" = "4603272406744064-632422412535335"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\America Online\IPH\waol_0.4343.2046.1]
"SuperAttemptID" = "0EBFFB52-E225-4A71-BF94-6351C1FE6C21"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionTime" = "42 70 C0 A2 F4 78 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2D 85 33 3A 90 73 D0 01"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\%original file name%.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.exe,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKLM\SOFTWARE\Wow6432Node\{31ADB854-D2B8-4bcd-A48B-0284831E89C5}]
"0" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Wow6432Node\America Online\IPH\waol_0.4343.2046.1]
"DLResSessions" = "0"
"DLSessions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadNetworkName" = "Network 4"

[HKLM\SOFTWARE\Wow6432Node\America Online\IPH\waol_0.4343.2046.1]
"CDSessions" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3921C115C15D0ECA5CCB5BC4F07D21D8050B566A]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 B3 1D A1 8F"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 32 7F C4 47"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A1446BCE0C874DF0F2C3F61DA5C9A2BCF9DAB204]
"Blob" = "14 00 00 00 01 00 00 00 14 00 00 00 61 A6 99 6D"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "37"

[HKLM\SOFTWARE\Wow6432Node\America Online\IPH\waol_0.4343.2046.1]
"InstSessions" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\{31ADB854-D2B8-4bcd-A48B-0284831E89C5}]

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"3921C115C15D0ECA5CCB5BC4F07D21D8050B566A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"503006091D97D4F5AE39F7CBE7927D7D652D3431"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates]
"A1446BCE0C874DF0F2C3F61DA5C9A2BCF9DAB204"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process %original file name%.exe:2340 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3921C115C15D0ECA5CCB5BC4F07D21D8050B566A]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 39 21 C1 15"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A1446BCE0C874DF0F2C3F61DA5C9A2BCF9DAB204]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 A1 44 6B CE"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\%original file name%.exe,"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"3921C115C15D0ECA5CCB5BC4F07D21D8050B566A"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates]
"A1446BCE0C874DF0F2C3F61DA5C9A2BCF9DAB204"

The process waol-0.4343.2046.1.exe:688 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "42 70 C0 A2 F4 78 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\America Online\VID]
"VID" = "5533042191867904-114271311508728"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadNetworkName" = "Network 4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionReason" = "1"

"WpadDecisionTime" = "9A 2E E5 BD F4 78 D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The Malware disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AOLRebootNeeded"

The process flashax.exe:2252 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
"(Default)" = "0"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"Policy" = "3"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
"(Default)" = "FlashBroker"

[HKCR\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}]
"(Default)" = "IFlashObject"

[HKCR\MIME\Database\Content Type\application/futuresplash]
"Extension" = ".spl"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer]
"currentVersion" = "10,1,53,64"

[HKCR\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
"LocalizedString" = "@C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe,-101"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper]
"(Default)" = "Macromedia Flash Paper"

[HKCR\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"Version" = "1.0"

[HKCR\ShockwaveFlash.ShockwaveFlash]
"(Default)" = "Shockwave Flash Object"

[HKCR\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"8.0" = "42"

[HKCR\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"VersionMinor" = "1"

[HKCR\ShockwaveFlash.ShockwaveFlash\CurVer]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.10"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
"(Default)" = "IShockwaveFlash"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"URLInfoAbout" = "http://www.adobe.com"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Macromedia Flash Factory Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.1]
"(Default)" = "Shockwave Flash Object"

[HKCR\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"URLUpdateInfo" = "http://www.adobe.com/go/getflashplayer/"

[HKCR\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"VersionMajor" = "10"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
"(Default)" = "_IShockwaveFlashEvents"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
"(Default)" = "IFlashBroker4"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"

[HKCR\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"9.0" = "17235968"

[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
"(Default)" = ""

[HKCR\FlashFactory.FlashFactory.1]
"(Default)" = "Macromedia Flash Factory Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.8]
"(Default)" = "Shockwave Flash Object"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}]
"(Default)" = "IFlashObject"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\FlashFactory.FlashFactory\CurVer]
"(Default)" = "FlashFactory.FlashFactory.1"

[HKCU\Software\Macromedia\FlashPlayer]
"FlashPlayerVersion" = "10.1.53.64~installVector=1"

[HKCR\ShockwaveFlash.ShockwaveFlash.10\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX]
"Version" = "10.1.53.64"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"NoModify" = "1"

[HKCR\ShockwaveFlash.ShockwaveFlash.6]
"(Default)" = "Shockwave Flash Object"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"10.0" = "3473472"

[HKCR\.mfp]
"(Default)" = "MacromediaFlashPaper.MacromediaFlashPaper"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX]
"PlayerPath" = "C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayVersion" = "10.1.53.64"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe,1"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe -osint -url %1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"NoRepair" = "1"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
"(Default)" = "Shockwave Flash"

[HKCR\.spl]
"Content Type" = "application/futuresplash"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx, 1"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx"

[HKCR\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
"(Default)" = "IShockwaveFlash"

[HKCR\.swf]
"Content Type" = "application/x-shockwave-flash"

[HKCR\FlashFactory.FlashFactory.1\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"6.0" = "88"

[HKCR\ShockwaveFlash.ShockwaveFlash.8\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "FlashFactory.FlashFactory.1"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx, 1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"AppPath" = "C:\Windows\SysWOW64\Macromed\Flash"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX]
"UninstallerPath" = "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe"

[HKCR\ShockwaveFlash.ShockwaveFlash.3]
"(Default)" = "Shockwave Flash Object"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"HelpLink" = "http://www.adobe.com/go/flashplayer_support/"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\ShockwaveFlash.ShockwaveFlash.7]
"(Default)" = "Shockwave Flash Object"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"AppName" = "FlashUtil10h_ActiveX.exe"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"RequiresIESysFile" = "4.70.0.1155"

[HKCR\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
"(Default)" = "_IShockwaveFlashEvents"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags" = "65536"

[HKCR\FlashFactory.FlashFactory]
"(Default)" = "Macromedia Flash Factory Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.5]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.7\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
"(Default)" = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKCR\ShockwaveFlash.ShockwaveFlash.9]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.4\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"UninstallString" = "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe -maintain activex"
"DisplayName" = "Adobe Flash Player 10 ActiveX"

[HKCR\ShockwaveFlash.ShockwaveFlash\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\.sol]
"Content Type" = "text/plain"

[HKCR\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"

[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"Extension" = ".swf"

[HKCR\.sor]
"Content Type" = "text/plain"

[HKCR\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
"(Default)" = "FlashBroker"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Shockwave Flash Object"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"7.0" = "73"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"Publisher" = "Adobe Systems Incorporated"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.10"

[HKCR\MIME\Database\Content Type\application/futuresplash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\.swf]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"

[HKCR\.spl]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"

[HKCR\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\ShockwaveFlash.ShockwaveFlash.6\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.4]
"(Default)" = "Shockwave Flash Object"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "FlashFactory.FlashFactory"

[HKCR\.mfp]
"Content Type" = "application/x-shockwave-flash"

[HKCR\ShockwaveFlash.ShockwaveFlash.5\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
"(Default)" = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"EstimatedSize" = "6144"

[HKCR\ShockwaveFlash.ShockwaveFlash.1\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.10]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.3\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\FlashFactory.FlashFactory\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayIcon" = "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe"

[HKCR\ShockwaveFlash.ShockwaveFlash.9\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

The Malware deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]

The process sdclt.exe:2448 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Sysinternals\SigCheck]
"EulaAccepted" = "1"

Dropped PE files

MD5	File path
240c255fc3037379c365f0fd7e0fc1fb	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comp01.000
0f67250e5b0302c3657cd98a88e56992	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\AcsInstA.dll
0f67250e5b0302c3657cd98a88e56992	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\AcsInstA.dll
fb354d49630efb35591ab9dfc0e60ede	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\AcsInstC.dll
6c21eedf06e9d4b4ea9c99bb8f7f6a4d	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acscore.exe
556e48a21a632fb1d99712f3f35f5760	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acslaeu.exe
d3855b39f6ff71b1b86047e6dbd0de47	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acslang.exe
309f11ee6e3cf578a22603e6308a5d6b	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acsrollb.exe
0f6f1c4ba5c132874d6b9eb206975dfd	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acsshutd.exe
fb4b5f9714438220c710360034ead63f	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\instSup.dll
76fea2b136ba4ff3673c02112c084e19	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpchk.dll
4c95c4e949e974cddc01e5d64890a18d	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpgc.exe
ea56b1a21fe2c8727fffa72eae0fb910	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpinst.exe
02d0bc9f8614877ad05be0cd3c62f74b	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\ecuchk.dll
0cc744e640b29003c8e79cad2afc91db	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\ecuinst.exe
85e54f1bf7d72d020ca5ba36446e22f0	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\gui.dll
d6a8a70a95ad1e032899e5549e647f7b	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\instSup.dll
c3c5cdb4aa878d460a9f5e2f6f434695	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\instph.dll
09eae542c81a46d6a1d7bb41be2bc493	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\postproc.exe
8553820decf7e829e4c0504d6160ef98	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\setup.exe
cda935cce35271bbccf4529252e9b0dd	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\browser\aolbwsrinst.exe
48d96d1fc3beca963b227e6f336b2185	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\browser\aolbwsrlp.exe
cfeba46cf26400a4a0db35b262beda17	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flashPlayer\aolswfchk.dll
f920b84836299299aacbde3e195b81c5	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flashPlayer\install_flash_player_11_plugin.exe
9b9089fe6cb9690baa4b8297db004083	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flash\flashax.exe
47ee0aafbf70215e50a439793519ced4	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\msvcr9\msvc9rt.exe
c76786b0ee799df4e93466b6fd26820b	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\muinst\muinst.exe
99cd37721d91b978478ddb06b238ae94	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\parcon\AOLParconLink.exe
e1e04678b26c04f198a3a7124eb84ab2	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\search\aolSearchInstaller.exe
c35e103323c315fb86eea14819c70c96	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\sysinfo\SiNdInst.dll
cb704139af001b0a8bcb3e3079071b4f	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\sysinfo\SinfInst.exe
b577f2f5d53bf29f7ab693d426f9102a	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tb\tbinst.dll
dc89bf1fee901711cef4d23a5885f5ba	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tb\tbsetup.exe
d6bd37e2ca9931f1ac9fcb554f5fd4d9	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\toolbar\aol_trio.exe
dc479e0275eb9fc55a3fa772bcec2e00	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\Dacldll.dll
737715d6b1ed8ce64c9729234000c06a	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\tsverchk.dll
428fd63e4cc5c2cad44db5ad58471b3c	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\wbsetup.exe
1e8056cfb32e0827f4dea4ab80c293a9	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\AOLVPChk.dll
6bc9a79f9257ea150fc64b70059b08e2	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\VPPrePop.exe
fc393cff7bc091c6733a7df192a4d133	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\Vwpt.exe
c47cc6eb9d2fde7ae535c1f16d88c148	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\noneCodesignFilesBundle.exe
615dc56051219e1e6f23ae6c07f406b3	c:\ProgramData\AOL Downloads\waol\0.4343.2046.1\waol-0.4343.2046.1.exe
240c255fc3037379c365f0fd7e0fc1fb	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comp01.000
0f67250e5b0302c3657cd98a88e56992	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\AcsInstA.dll
0f67250e5b0302c3657cd98a88e56992	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\AcsInstA.dll
fb354d49630efb35591ab9dfc0e60ede	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\AcsInstC.dll
6c21eedf06e9d4b4ea9c99bb8f7f6a4d	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acscore.exe
556e48a21a632fb1d99712f3f35f5760	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acslaeu.exe
d3855b39f6ff71b1b86047e6dbd0de47	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acslang.exe
309f11ee6e3cf578a22603e6308a5d6b	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acsrollb.exe
0f6f1c4ba5c132874d6b9eb206975dfd	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acsshutd.exe
fb4b5f9714438220c710360034ead63f	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\instSup.dll
76fea2b136ba4ff3673c02112c084e19	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpchk.dll
4c95c4e949e974cddc01e5d64890a18d	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpgc.exe
ea56b1a21fe2c8727fffa72eae0fb910	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpinst.exe
02d0bc9f8614877ad05be0cd3c62f74b	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\ecuchk.dll
0cc744e640b29003c8e79cad2afc91db	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\ecuinst.exe
85e54f1bf7d72d020ca5ba36446e22f0	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\gui.dll
d6a8a70a95ad1e032899e5549e647f7b	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\instSup.dll
c3c5cdb4aa878d460a9f5e2f6f434695	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\instph.dll
09eae542c81a46d6a1d7bb41be2bc493	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\postproc.exe
8553820decf7e829e4c0504d6160ef98	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\acs\setup.exe
cda935cce35271bbccf4529252e9b0dd	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\browser\aolbwsrinst.exe
48d96d1fc3beca963b227e6f336b2185	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\browser\aolbwsrlp.exe
cfeba46cf26400a4a0db35b262beda17	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\flashPlayer\aolswfchk.dll
f920b84836299299aacbde3e195b81c5	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\flashPlayer\install_flash_player_11_plugin.exe
9b9089fe6cb9690baa4b8297db004083	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\flash\flashax.exe
47ee0aafbf70215e50a439793519ced4	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\msvcr9\msvc9rt.exe
c76786b0ee799df4e93466b6fd26820b	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\muinst\muinst.exe
99cd37721d91b978478ddb06b238ae94	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\parcon\AOLParconLink.exe
e1e04678b26c04f198a3a7124eb84ab2	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\search\aolSearchInstaller.exe
c35e103323c315fb86eea14819c70c96	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\sysinfo\SiNdInst.dll
cb704139af001b0a8bcb3e3079071b4f	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\sysinfo\SinfInst.exe
b577f2f5d53bf29f7ab693d426f9102a	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\tb\tbinst.dll
dc89bf1fee901711cef4d23a5885f5ba	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\tb\tbsetup.exe
d6bd37e2ca9931f1ac9fcb554f5fd4d9	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\toolbar\aol_trio.exe
dc479e0275eb9fc55a3fa772bcec2e00	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\Dacldll.dll
737715d6b1ed8ce64c9729234000c06a	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\tsverchk.dll
428fd63e4cc5c2cad44db5ad58471b3c	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\wbsetup.exe
1e8056cfb32e0827f4dea4ab80c293a9	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\AOLVPChk.dll
6bc9a79f9257ea150fc64b70059b08e2	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\VPPrePop.exe
fc393cff7bc091c6733a7df192a4d133	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\Vwpt.exe
c47cc6eb9d2fde7ae535c1f16d88c148	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\noneCodesignFilesBundle.exe
615dc56051219e1e6f23ae6c07f406b3	c:\Users\All Users\AOL Downloads\waol\0.4343.2046.1\waol-0.4343.2046.1.exe
cfeba46cf26400a4a0db35b262beda17	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\aolswfchk.dll
fbe5bf1a6e1a29d4f376edb921345f48	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\dlgui.dll
8a75325dd2c5a2e888573455cb622e21	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.exe
f366d1694e4d244a73f4e52817c38d5b	c:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx
dc299b13e8f608358cf69fea25ad8b36	c:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.dll
5698b99b81d3692bf9fcdee5a07ea250	c:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe
f366d1694e4d244a73f4e52817c38d5b	c:\Windows\System32\Macromed\Flash\Flash10h.ocx
dc299b13e8f608358cf69fea25ad8b36	c:\Windows\System32\Macromed\Flash\FlashUtil10h_ActiveX.dll
5698b99b81d3692bf9fcdee5a07ea250	c:\Windows\System32\Macromed\Flash\FlashUtil10h_ActiveX.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
roadie.exe:804
%original file name%.exe:2340
noneCodesignFilesBundle.exe:2800
flashax.exe:2252
sdclt.exe:2448
Delete the original Malware file.
Delete or disinfect the following files created/modified by the Malware:
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\browser\aolbwsrinst.exe (130170 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\msvcr9\msvc9rt.exe (130583 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\setup.exe (22520 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\gui.dll (61584 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acslaeu.exe (126024 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F8AAE6A916F668584D043F6543292194_D96BA187CDB0BBE4151F3618123F74F2 (1680 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\dnserrordiagoff_webOC[1] (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D285HURO\down[1] (748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7FDB.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (656 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tb\tbsetup.exe (53008 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HDZ3KS6S\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aolswfchk.dll (6797 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\AcsInstC.dll (5576 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5BF987767EE121EB773E3E93D13C2F30_8E045C5CB1F111608338D2D3A7DCEAD9 (1696 bytes)
C:\Windows\nsreg.dat (732 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\instSup.dll (10208 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\sysinfo\SinfInst.exe (91332 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5BF987767EE121EB773E3E93D13C2F30_8E045C5CB1F111608338D2D3A7DCEAD9 (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\ecuinst.exe (34008 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC (1212 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Retry AOL Desktop 9.7 Download.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7FDA.tmp (48 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flashPlayer\aolswfchk.dll (6744 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\instph.dll (12080 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_F9BDF410D651FF0504A529F7A107038D (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\browser\aolbwsrlp.exe (13488 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\instSup.dll (10208 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acsshutd.exe (1928 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpchk.dll (680 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpgc.exe (7776 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acslang.exe (185031 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\AcsInstA.dll (6592 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\noneCodesignFilesBundle.exe (5565160 bytes)
C:\IPH.PH (3670 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\wbsetup.exe (71832 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F8AAE6A916F668584D043F6543292194_D96BA187CDB0BBE4151F3618123F74F2 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HDZ3KS6S\httpErrorPagesScripts[1] (8 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\parcon\AOLParconLink.exe (7336 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~r1F3.tmp (3176 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpinst.exe (518187 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\toolbar\aol_trio.exe (1182424 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flashPlayer\install_flash_player_11_plugin.exe (2272819 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\info_48[1] (4 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\search\aolSearchInstaller.exe (1928 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acsrollb.exe (18800 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acscore.exe (159846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\registry.dat (732 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (1360 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\ecuchk.dll (392 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\waol-0.4343.2046.1.exe (173242 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_F9BDF410D651FF0504A529F7A107038D (1536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D285HURO\errorPageStrings[1] (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\postproc.exe (4712 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\AcsInstA.dll (6592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\message.js (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.exe (7392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.bin (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Preparing.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Progress.htm (804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dlgui.dll (25824 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\NoFiles.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscFC88.tmp\CertHelper.dll (1913 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscFC87.tmp (23759 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\NoQualify.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Error.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Cancelled.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dlgui.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\FailedLaunch.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\NoConn.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Grats.htm (792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\DownloadError.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Cancelling.htm (987 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\CancelConfirm.htm (993 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscFC88.tmp\System.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.ini (608 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flash\flashax.exe (146 bytes)
C:\Users\Public\Desktop\AOL Desktop 9.7 Install.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (4432 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\progress.xml (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\gui.ini (8 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\txt\CLIENTDETAILS.txt (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\installer.swf (7168 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\rbm.bin (13 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\txt\PRIVACY.txt (12 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\message.xml (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\VMPCache.mtz (8 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\error.xml (361 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\installOmniture.ini (56 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tb\tbinst.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\txt\EULA.txt (26 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\setup.ini (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\muinst\muinst.exe (14600 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\style.xml (953 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\VPPrePop.exe (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\backup.ini (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\Dacldll.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\AOLVPChk.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\tsverchk.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\installOmniture.loc (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\media.ini (128 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\sysinfo\SiNdInst.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\Vwpt.exe (61190 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\default.xml (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\marketing.xml (5 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\screens.xml (3 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\AOLTheme.mtx (387 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comp01.000 (563011 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\txt\TOS.txt (27 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps.ini (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\734B.tmp (626 bytes)
C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx (732 bytes)
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.dll (311 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\734C.tmp (464 bytes)
C:\Windows\SysWOW64\Macromed\Flash\FlashInstall.log (1 bytes)
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe (464 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: AOL LLC.
Product Name: AOL Download Utility
Product Version: 0.4343.2046.1.1
Legal Copyright: Copyright (c) 2004-2008 - AOL LLC. All Rights Reserved.
Legal Trademarks: AOL is a trademark of AOL LLC.
Original Filename: AOL_Desktop_9.7.exe
Internal Name:
File Version: 0.4343.2046.1.1
File Description: AOL Download Utility 0.4343.2046.1.1
Comments:
Language: Language Neutral

Company Name: AOL LLC.Product Name: AOL Download UtilityProduct Version: 0.4343.2046.1.1Legal Copyright: Copyright (c) 2004-2008 - AOL LLC. All Rights Reserved.Legal Trademarks: AOL is a trademark of AOL LLC.Original Filename: AOL_Desktop_9.7.exeInternal Name: File Version: 0.4343.2046.1.1File Description: AOL Download Utility 0.4343.2046.1.1Comments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	26202	26624	4.43171	46cdf25f533c03d5df7c193afea2f2bf
.rdata	32768	7626	7680	3.75093	b295087da0bff5cad3fbd45f13cdeab0
.data	40960	115860	512	0.88764	571756c7ae86f90b12c0c5db51bd04a6
.ndata	159744	32768	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	192512	4096	3072	3.14315	5551988ba25457f34f6b27a26ab56fd5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c811f53d313ecf39
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEA/folAAtu2XY7/sias/UTw=
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/roadie1.8.4.1/roadie.loc
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/flashPlayer/aolswfchk.dll
hxxp://aol.122.2o7.net/b/ss//6
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/noneCodesignFilesBundle.exe
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9bae0654c986f0bb
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/503006091D97D4F5AE39F7CBE7927D7D652D3431.crt?cea8345e4b49256e
hxxp://e6913.dscx.akamaiedge.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTXgePhfsJco9hFmE0qWx1GtVqUPQQUKnCVOp/2k8XzisWoY7s9lCzmygcCBEwOjDo=
hxxp://e6913.dscx.akamaiedge.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBS6T8q7hSNQhIXIQ0oIkBdHhARt9wQUp7GqxLYG7d3Kn4iUloLV50NB0SUCBEwXaMs=
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/waol-0.4343.2046.1.exe
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c47dea64dd07db25
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/ecuinst.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsshutd.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/AcsInstA.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslang.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/instSup.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/search/aolSearchInstaller.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstA.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/setup.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/instph.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/toolbar/aol_trio.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstC.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/postproc.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpchk.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/instSup.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/tb/tbsetup.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpinst.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/sysinfo/SinfInst.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/msvcr9/msvc9rt.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/gui.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslaeu.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrlp.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpgc.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrinst.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/ecuchk.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/tpspd/wbsetup.exe
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsrollb.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/parcon/AOLParconLink.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acscore.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/flashPlayer/install_flash_player_11_plugin.exe
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k=
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/gui.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/instSup.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/waol-0.4343.2046.1.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/ecuinst.exe	149.174.149.63
hxxp://ocsp.entrust.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTXgePhfsJco9hFmE0qWx1GtVqUPQQUKnCVOp/2k8XzisWoY7s9lCzmygcCBEwOjDo=	95.100.77.22
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpinst.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/parcon/AOLParconLink.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrinst.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/tpspd/wbsetup.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/search/aolSearchInstaller.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/instph.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/postproc.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/toolbar/aol_trio.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstA.dll	149.174.149.63
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c811f53d313ecf39	87.245.216.19
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpchk.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslang.exe	149.174.149.63
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	87.245.216.33
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl	87.245.216.33
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrlp.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsshutd.exe	149.174.149.63
hxxp://instlxml1.sa.aol.com/b/ss//6	66.235.153.36
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/ecuchk.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpgc.exe	149.174.149.63
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=	23.51.123.27
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslaeu.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/msvcr9/msvc9rt.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/tb/tbsetup.exe	149.174.149.63
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k=	23.51.123.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	87.245.216.33
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstC.dll	149.174.149.63
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=	23.51.123.27
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	87.245.216.33
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/sysinfo/SinfInst.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acscore.exe	149.174.149.63
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=	23.51.123.27
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/instSup.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/AcsInstA.dll	149.174.149.63
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c47dea64dd07db25	87.245.216.19
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsrollb.exe	149.174.149.63
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=	23.51.123.27
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/noneCodesignFilesBundle.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/flashPlayer/aolswfchk.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/flashPlayer/install_flash_player_11_plugin.exe	149.174.149.63
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEA/folAAtu2XY7/sias/UTw=	23.51.123.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/503006091D97D4F5AE39F7CBE7927D7D652D3431.crt?cea8345e4b49256e	87.245.216.19
hxxp://ocsp.entrust.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBS6T8q7hSNQhIXIQ0oIkBdHhARt9wQUp7GqxLYG7d3Kn4iUloLV50NB0SUCBEwXaMs=	95.100.77.22
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/roadie1.8.4.1/roadie.loc	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/setup.exe	149.174.149.63
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=	23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=	23.51.123.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9bae0654c986f0bb	87.245.216.19

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

HEAD /clients/bush/waol/0.4343.2046.1/comps/search/aolSearchInstaller.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:23 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 24392

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:23 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/flashPlayer/install_flash_player_11_plugin.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:56:01 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 17736296

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:06:01 GMT

Keep-Alive: timeout=2, max=98

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W`.<...o...o...o.y.o...o4..o...o4..o...o...o...o.y.o*..o.y.o...o.y.o...o.S.o...o...o...o.y.o...oRich...o........PE..L......Q.................z..........L.............@.................................j.....@.........................P.......<........@..._..............h.......d...`...................................@............................................text....x.......z.................. ..`.rdata...f.......h...~..............@..@.data....>.......$..................@....rsrc...._...@...`..................@..@.reloc...".......$...j..............@..B..................................................................................................................................................................................................................................................................................................................................................j..V.t$..D6.......P.;k..Y.p..@...@.......^.... ..`......L$......I..H.....t..........t..@. A..3......t..I..DH..3..VW.|$...................;.~.2.. .B........LA..G....DB...NHHf..IIf;.u...u..._^...V.t$...W............w...;.~.2..0.j....J. ........LA..F..DB...O@@f..AAf;.u...u..._^......L$.V..........%...;.^u..t$..8.....t.3.@..3....SV....W..t..@...3. F.@..W..i.......F.Y...TB.......ABBOu._^.....[.....u...P..I.SVW3..tH.2.....vI...f..0s.f..9v.@@Ju...v1;.v.f.x.-u......f..0r.f..9w.k..@...@J.|..u...t....._^[.

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpgc.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:48 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 62248

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:48 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............c...c...c...o...c...o...c...o...c...o...c...k...c..(k...c...c..pc..%t...c...k...c..(k...c..%t...c..Gh...c..%t...c..Rich.c..................PE..L....}.H.................`...p.......g.......p....@.................................~...................................................................(............r..................................@............p...............................text...._.......`.................. ..`.rdata...G...p...P...p..............@..@.data...P...........................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/ecuinst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:13 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 260120

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:13 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

POST /b/ss//6 HTTP/1.1

Host: instlxml1.sa.aol.com

Connection: close

Content-Length: 454

<?xml version="1.0" encoding="UTF-8"?><request><events>event1</events><eVar1>Download | Roadie | waol_0.4343.2046.1 | Application Start</eVar1><prop1>cmp :</prop1><prop2>cmp :</prop2><prop49>xml api</prop49><prop16>Roadie | App Start | waol_0.4343.2046.1</prop16><reportsuiteid>aoljet</reportsuiteid><pagename>cmp : Roadie - App Start</pagename><visitorid>4603272406744064-632422412535335</visitorid><prop3>gmt_5</prop3><prop24>uaid_na</prop24></request>

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:54:39 GMT

Server: Omniture DC/2.0.0

Access-Control-Allow-Origin: *

X-C: ms-4.9.4

Expires: Thu, 16 Apr 2015 09:54:39 GMT

Last-Modified: Sat, 18 Apr 2015 09:54:39 GMT

Cache-Control: no-cache, no-store, max-age=0, no-transform, private

Pragma: no-cache

ETag: "5530D85F-CAEB-7ACCE06F"

Vary: *

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"

xserver: www594

Content-Length: 64

Content-Type: text/xml

Connection: close

<?xml version="1.0" encoding="UTF-8"?>.<status>SUCCESS</status>...

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=338134, public, no-transform, must-revalidate

Last-Modified: Tue, 14 Apr 2015 07:54:56 GMT

Expires: Tue, 21 Apr 2015 07:54:56 GMT

Date: Fri, 17 Apr 2015 09:59:22 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150414075456Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20150414075456Z....20150421075456Z0...*.H..............@..F.V...>5...B.hdp.~..$9...d...Tx\.....<9i..m?...W..!.#.....b...4.e...:..3...6p.L.U...s.y.8.....(e.. ........,....-.C.........).6..qb..E..B.. .aJ....So.^.U...{.z.GD5..}0...z.M..'...i5...m.)L.qT....op....P|'S..7.......U.P..6.{jk..z.J..-.9d.."[...u05.WE}_....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrinst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:53 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1096736

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:53 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L.......M.......M..._...N.......F.......I...L.......I...G.......M...I...M...RichL...........PE..L...<.6D.................|...........;............@.................................<................................................p..................h............................................................................................text...bz.......|.................. ..`.rdata...3.......4..................@..@.data...T...........................@....ndata...................................rsrc........p......................@..@........................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......B..H.P.u..u..u...p.@..B...SV.5..B.W.E.P.u.....@..e...E..E.P.u...t.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@..u....E..9}...w....~X.te.v4..H.@....E.tU.}.j.W.E......E.......L.@..vXW..P.@..u..5X.@.W..h ....E..E.Pj.h..B.W..|.@..u.W...u....E.P.u.....@._^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV.

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/waol-0.4343.2046.1.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:11 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1584744

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:11 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/ecuchk.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:55 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 11080

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:55 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./V.hk7.;k7.;k7.;.(.;i7.;.(.;o7.;...;i7.;.?.;l7.;k7.;d7.;n;.;j7.;. .;j7.;. .;j7.;.<.;j7.;. .;j7.;Richk7.;........PE..L...Z..L...........!......................... ...............................`.......h..............................."..n.... ..x....@..p...............H....P..X...P ............................................... ..H............................text...(........................... ..`.rdata..f.... ......................@..@.data...,....0......................@....rsrc...p....@......................@..@.reloc.......P......................@..B.................................................................................................................................................................................................................................................................................................................................................L$....SW.D$.P3.Q...^........;.......UW... .......;........T$..D$.UWRP.......tk.L$.Q.T$.Rhl ..U.d.....tR.L$...A......F.....A.......^......^...A....~................~...A.............F...U..( .....]_..[...._..[.......................0..3.SV..$.....D$.Ph....j.h. ..h......2.... ....uW.L$.Q.L$..T$.R.D$.Pj.h. ..Q.D$$....... ....u.hp ...T$.R..0 ...D$.P...........L$.Q... ....$....^..[3..7........................0.....0..3...$....h.....D$.PQ.D$..... ..........V.T$.R.t$..)........t}.L$........tp.D$..L$.;..T$..t$.

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslaeu.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:45 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 974344

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:45 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstA.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:24 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 46184

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:24 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b..N...N...N...]...O...!...L.......M...!...J...K...O.......X...]...L.......I...N...........L.......O.......O.......O...RichN...........................PE..L....-.R...........!.....@...........C.......P.......................................................................f..j...l^..x.......................h............Q...............................................P..x............................text....9.......@.................. ..`.rdata..z....P... ...P..............@..@.data....H...p.......p..............@....rsrc...............................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslaeu.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:45 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 974344

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:45 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L.......M.......M..._...N.......F.......I...L.......I...G.......M...I...M...RichL...........PE..L...<.6D.................|...........;............@.....................................................................................................h............................................................................................text...bz.......|.................. ..`.rdata...3.......4..................@..@.data...T...........................@....ndata...................................rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......B..H.P.u..u..u...p.@..B...SV.5..B.W.E.P.u.....@..e...E..E.P.u...t.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....@..M..E..................B...B....B...q....$..1@.Vh..@...L...E.YY.`...3..k...Ph..@..jL..YYV.u...;.........t.B..}........j.....@........}....B. .......Q.NJ.......p.Vh..@...L..YYj.V............t)...t....@..@.@.......@.@....@...@.@......3......Ph..@...K..YYV.u..]:.......3........Vh..@...K.....YY..3.FV....@..e...h..@...K..Y.u...0.@..L...3.A.K....M.... .B.

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/postproc.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:33 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 35432

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:33 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstC.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:33 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 37992

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:33 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\./d..A7..A7..A7..(7..A7w.E7..A7..O7..A7w.K7..A7..!7..A7..!7..A7...7..A7...7..A7..@7f.A7..%7..A7...7..A7...7..A7...7..A7Rich..A7................PE..L....,.R...........!.....0...........0.......@......................................\...............................0J..j....D..d.......................h.......d....A...............................................@...............................text....#.......0.................. ..`.rdata.......@.......@..............@..@.data....D...P.......P..............@....rsrc................`..............@..@.reloc..X............p..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/ecuinst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:13 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 260120

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:13 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Jr..Jr..Jr...z..Kr...Q..Kr..Yz..Hr...z..@r...Q..Or..Jr...r..O~..Cr...y..Kr..O~..Kr..RichJr..........................PE..L....f.B.................f...........:............@..........................0.......,............................................... ..................H............................................................................................text....d.......f.................. ..`.rdata..r............j..............@..@.data...............................@....ndata.......p...........................rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....cB..H.P.u..u..u...`.@..B...SV.5.cB.W.E.P.u...d.@..e...E..E.P.u...h.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...l.@..u....E..9}...w....~X.te.v4..H.@....E.tU.}.j.W.E......E.......L.@..vXW..P.@..u..5X.@.W..h ....E..E.Pj.h.[B.W..p.@..u.W...u....E.P.u...t.@._^3.[.....L$...dB...i......T.....tUVW.q.3.;5.dB.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5.dB.r.[_^...U..QQ.U.SV..i....

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsshutd.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:14 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 21608

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:14 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.thawte.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1396

content-transfer-encoding: binary

Cache-Control: max-age=581692, public, no-transform, must-revalidate

Last-Modified: Fri, 17 Apr 2015 03:30:03 GMT

Expires: Fri, 24 Apr 2015 03:30:03 GMT

Date: Fri, 17 Apr 2015 09:59:19 GMT

Connection: keep-alive

0..p......i0..e.. .....0.....V0..R0......Qw.}`.Z8...JV...r@z...20150417033003Z0s0q0I0... ........l....r.vdv0..*.~Y..X....e?z.4..G.L.......q..%Qq.........w.O.....20150417033003Z....20150424033003Z0...*.H..............<.t.72.....&.Rtn....} ....-G....... ...9...E...M.I.E..:...M.=.8v..*.b.ÃŠk...M=..Bu..S5c.s...i.Q...0......?....@c..T...p....[(j..K.t.d.....!.....j.....(f.C*. I.......N.....rU.x.U..9.9$..L..|(t.w-aR<.0,(..'L$ ...L..[.......v.......w{{.w)s...i.d~.....M...;~....0...0...0..y.......^..........N...)0...*.H........0J1.0...U....US1.0...U....Thawte, Inc.1$0"..U....Thawte Code Signing CA - G20...150303000000Z..150601235959Z0Y1.0...U....US1.0...U....Thawte, Inc.1301..U...*Thawte Code Signing CA - G2 OCSP Responder0.."0...*.H.............0............).Z.......O.~.l...,\.3.".'.'W .ih./..}OA...K...HJd....K^..<.....-.rWJ.j.U.._......W.../.6....J.y.u-.\...2..U.52B.>...=F...RbR.y.zm.......{b.bj....Y..J..m...*=.^......V.}p......rmA......9.L ...{?.g.-Y............8...k.$.:.5..6#4..F.#....t.B.8.O)'F.p).........d0b0...U....0.0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32450...*.H..............C.....8.Aw.{....`...y1N...W4M..M.J.3~..7#}..X..:x..5....$...Z^%.?6..e...}I.)....... .A.w......_...B..j.T..Yu.o.....g....H....q.Ju.SA`K.....~..O_.....S....I>..O.X..E.......]...y..L..F....K......../...._XSk6.:a};.?`...:^.....p....4Z.3L;.......t....>.....j....

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/noneCodesignFilesBundle.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:54:40 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 42987344

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:04:40 GMT

Keep-Alive: timeout=2, max=98

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1552

content-transfer-encoding: binary

Cache-Control: max-age=354558, public, no-transform, must-revalidate

Last-Modified: Tue, 14 Apr 2015 12:25:08 GMT

Expires: Tue, 21 Apr 2015 12:25:08 GMT

Date: Fri, 17 Apr 2015 09:59:31 GMT

Connection: keep-alive

0..........0..... .....0......0...0........C...4N...@..6...v...20150414122508Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.8........c..uU..$.;.....20150414122508Z....20150421122508Z0...*.H.............nr.3...bK.....r.......e....A...tF..uTPG..5.....R.4..........U....>{.p.....g......Qz....G...r.....e.....$..Om.3.r....m...........h..Ra>F..P..z.........j..........U.Y.Cppv..B...V...Z.ka0.w.T.....l..*.....9.=n......p... ..o..../j....9V....J.t*....J.W*..B'.......50..10..-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 30.."0...*.H.............0..........6..]......w';.r........I..c..4.... .........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....e.^-..a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<./.G.....I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I...B.....=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i..Z.r.*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.....f.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=403200, public, no-transform, must-revalidate

Last-Modified: Wed, 15 Apr 2015 01:55:09 GMT

Expires: Wed, 22 Apr 2015 01:55:09 GMT

Date: Fri, 17 Apr 2015 09:59:31 GMT

Connection: keep-alive

0..........0..... .....0......0...0......%bn.$..5.......?'4....20150415015509Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#....M....=....x..":...K.....20150415015509Z....20150422015509Z0...*.H...............ny.*..<biwZX.....V....$`*...Y.Hs.....?./k.7.....i...R.rW.FxvW6D...0}.-.a.......>....~NG.M...T....y.....Q..A3..........)....D.........j..'ox...q@.}.....9;d....6n.."....`#Su1V(.H......).EU%.eO..........h..)G.). .\:......R...T..Ip.=f.h6..]......../.....A.......0...0...0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.ve..

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsrollb.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:57 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 148480

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:57 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L.......M.......M..._...N.......F.......I...L.......I...G.......M...I...M...RichL...........PE..L...<.6D.................|...........;............@................................................................................................../..h............................................................................................text...bz.......|.................. ..`.rdata...3.......4..................@..@.data...T...........................@....ndata...................................rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......B..H.P.u..u..u...p.@..B...SV.5..B.W.E.P.u.....@..e...E..E.P.u...t.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@..u....E..9}...w....~X.te.v4..H.@....E.tU.}.j.W.E......E.......L.@..vXW..P.@..u..5X.@.W..h ....E..E.Pj.h..B.W..|.@..u.W...u....E.P.u.....@._^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpinst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:37 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 4020768

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:37 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/instph.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:26 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 93800

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:26 GMT

Keep-Alive: timeout=2, max=99

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........oSp.<Sp.<Sp.<V|.<Hp.<V|.<2p.<@x.<Qp.<.x.<Up.<.S.<Pp.<Sp.<?p.<V|.<@p.<V|.<Rp.<.{.<Rp.<V|.<Rp.<RichSp.<........................PE..L...'..E...........!................ag...............................................q..............................P....@.. ...x....................Z..h.......l.......................................H............................................text............................... ..`.rdata..0e.......f..................@..@.data...H&...P.......4..............@....rsrc................B..............@..@.reloc..f............F..............@..B................................................................................................................................................................................................................................................................................................................................U........h..........P..l...h..........P.........p.........Ph.\....t.....V.t$......P..:....Yt.F....u.3.@^.3.^.U..QQ.E...M..e..SV3.W.|..C;..E.......s@V.......Yt...t..u.3..E..u...F.>.u.F;.r.f.}..v.h.\..j.j..u...h....u...:..Y_^[..U....$...SV3.W.u..u..E...........u..r;..P.s9..YY..\..S.E.h..........P.u...`.....f................u...d...............;..M.s.....E.V..;..P..9...e...}..Y..Y.}.~..E. ...:..u/.E..M.@9M.|..E..}..t..e...u..u.V..:..f;E

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/postproc.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:33 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 35432

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:33 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`3M..]...]...].J.....].."A...].......].J.....].3"D...]...\...]...9...].%.....].......].Rich..].........................PE..L......E.................T...$......V........p....@..................................!......................................D...........p............v..h............................................................p...............................text...8S.......T.................. ..`.rdata.......p.......X..............@..@.data...............................@....rsrc...p............p..............@..@................................................................................................................................................................................................................................................................................................................................................................................j.h....j.j.j.h.....t$....p@....u.3..P...p@.3.@.U........SV.u.......P...p@..}..t.j\.......OO....Yt..........P...p@.j.[;..E.|=W.=.p@..........<\u.j.......P.......\....u.j.......P..C;].~._^[..U....,j..u..E.P...p@.h.q@....p@...tCh.q@.P...p@...t3.M.Q.M.Q.M.Q.M.Q....t..M.......v.......E............E.P.E.P.E.P.E.P.E.P...p@...t..E...E...E......3...Qj....p@...$...p@.j.P.....P...p@..U........SVW.....V......P...p@.V......P3.S..<p@.3...O..........N...5.q@.h.z@..u.................P......h.z@.P..hq@....9...@.t.....

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/sysinfo/SinfInst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:41 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 716072

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:41 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/noneCodesignFilesBundle.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:54:40 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 42987344

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:04:40 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........,K|..K|..K|...t..J|..._..J|..Xt..I|...t..A|..._..N|..K|...|..Np..A|...w..J|..Np..J|..RichK|..................PE..L...1.eJ.................j..........S9............@..................................k......................................T...........................h............................................................................................text....h.......j.................. ..`.rdata........... ...n..............@..@.data...tq..........................@....ndata....... ...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......C..H.P.u..u..u...`.@..B...SV.5..C.W.E.P.u...d.@..e...E..E.P.u...h.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...l.@..u....E..9}...w....~X.te.v4..H.@....E.tU.}.j.W.E......E.......L.@..vXW..P.@..u..5X.@.W..h ....E..E.Pj.h..C.W..p.@..u.W...u....E.P.u...t.@._^3.[.....L$....C...i......T.....tUVW.q.3.;5..C.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5..C.r.[_^...U..QQ.U.SV..i....

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=448244, public, no-transform, must-revalidate

Last-Modified: Wed, 15 Apr 2015 14:29:54 GMT

Expires: Wed, 22 Apr 2015 14:29:54 GMT

Date: Fri, 17 Apr 2015 09:59:17 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150415142954Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150415142954Z....20150422142954Z0...*.H.............P[.58K.E...V F.?.22.u..p..A..1m...* ..{.k..(......!..k'..^....M...ms%_.o..9.Da....A.......).5..j4M..._3..4........l......p..4.y;....o.2.....:....V#...O.r.\}*M...p.C9....R..7V6....Y5N....X.XQ(@F....F...w.#..s....=..ow._.@.......j.&........^.......r......v.....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H......

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=597895, public, no-transform, must-revalidate

Last-Modified: Fri, 17 Apr 2015 08:00:00 GMT

Expires: Fri, 24 Apr 2015 08:00:00 GMT

Date: Fri, 17 Apr 2015 09:59:31 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150417080000Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5..........^.3@..cL.1.......20150417080000Z....20150424080000Z0...*.H.............A..`.............Q.q..M....mq'.9.*..u..Y....TU..!T..J...i.Apu.q.e,.9.v...D......i...-.;.a.....e..z.)Et....x..4\j..<.....B[.........3......}..@<.6..:B"...^.....%.H.u4........{.B.M..].b....*..Q.8........_....C.fg.....Zs3.r....n|..t'..t..F...o....T.p...*3:..!...#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsshutd.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:14 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 21608

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:14 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........E... ... ... ...B... .../... .v.%... ...!... ...v... .v.v... ...*... ...K... .{.K... ...u... .{.q... .Rich.. .........................PE..L....,.R.................*...........6.......@....@..........................p.......[.......................................F..d....`..x............@..h............@...............................................@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........P.......:..............@....rsrc...x....`.......<..............@..@.......................................................................................................................................................................................................................................................................................................................................................................0P@.3.Vh.A@.j.j.j...$......0@@.....tB..T@@.=....u...$......$....PQ.T$.h....R..h@@.....D$.P..X@@.V..`@@...$....^3...%.......................l....0P@.3.S..$t...U..$|...V..$t...W3.......|$ ...D$..D$.h.B@..L$h.D$.Q.D$(D....D$$.. @@..5.@@.S.T$hR..h.B@..D$hP..U.L$hQ...T$.R.D$$Pj.j.j.j.j.j...$....Qj....@@......T$dRtNh.B@........$.....D$....WP...@@.=....u.WSh.A@.......L$....j.Q...@@...USh.A@.....T@@.PhlA@..c........$x..._..^][3...$....l............W.D$.Ph....3.Wh`B@.h.......@@.........V.t$..L$.QV.T$.RP...

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpchk.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:34 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 15144

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:34 GMT

Keep-Alive: timeout=2, max=99

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!.n.!.n.!.n...3.%.n.!.o.:.n.N.j.".n.N.d.%.n.2...$.n...1.'.n.....#.n...2. .n...0. .n...4. .n.Rich!.n.........................PE..L....}.H...........!......................... ...............................`.......>...............................%......X#..P....@..x............(..(....P..4...p ............................................... ..l............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...x....@......................@..@.reloc..$....P....... ..............@..B...................................................................................................................................................................................................................................................................................................................................................V.t$.W.=` ..V.D$......D$.............s._...^......V.....=....v._.....^.........0..j..D$.Pj.h?...j.j.j.Qh.......0....uf.L$..T$.RV.D$.Pj.VQ...0....t4V...T$....PVj.j.VR...0....t..D$.P... .._.....^.......L$.Q... .._3.^......_.....^..........QVWh............D$.P.D$.......X ..3..?.......f...L$.Qh.!..h....V..\ ....._.........^Y..............UWh....3..Y...........|$.u._]....S.\$.VSh.!..W..H ..h@....)........VW.t$..E....4 ......D$........~,.?.t7...t2h.........WS..h$!..V..H ..V.p...V....L ...t$,

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/msvcr9/msvc9rt.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:42 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1113240

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:42 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/gui.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:44 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 472680

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:44 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m...m...m..4e...m...e...m..4e...m...e...m...a...m...a../m...m...o..MN...m...a.. m...a...m..[f...m...a...m..Rich.m..........................PE..L......E...........!................................................................................................p...j...............(F..........."..h........_......................................H...................`...@....................text............................... ..`.rdata...$.......&..................@..@.data...@f... ...$..................@....rsrc...(F.......H...(..............@..@.reloc..&............p..............@..B..................................................................................................................................................................................................................................................................................................................p..........V.t$..&.W.....W...........P..........t.WP......_3.^...U.......3..V.E.3.......j..M.Qh....P........t..M....E.t.......@.tQ.....u...u..........M...^.......j.X.U..........3...E...h...P..h...............x....u...l.........s..C...Ph. ........... ...M.........D$...........|$.....u...v...t$...............~.%.........P......U...u..u.........u.].VP..........u.3..2.u..u........M......v.;.s.I....tV.u.;.s.f..f....#.^]..D$....@...j.P.t$.........u...t$.P.t$..y........A........J........Q...R..SV...F...t.P.R....

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/instph.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:26 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 93800

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:26 GMT

Keep-Alive: timeout=2, max=99

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/parcon/AOLParconLink.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:58 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 58696

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:58 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........|.../.../.../.../.../.../.../.../.../l../.../.../.../.../.../.../.../.../.../z../.../.../.../Rich.../........................PE..L...4.jL.....................`.......'............@.................................~n..................................................X...............H...........@...................................@...............8............................text...Jr.......................... ..`.rdata........... ..................@..@.data...\ ..........................@....rsrc...X...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsrollb.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:57 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 148480

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:57 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/flashPlayer/aolswfchk.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:40 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 52328

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:40 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

POST /b/ss//6 HTTP/1.1

Host: instlxml1.sa.aol.com

Connection: close

Content-Length: 579

<?xml version="1.0" encoding="UTF-8"?><request><channel>us.roadie</channel><events>purchase,event10,event4</events><prop1>cmp : Downloads</prop1><prop2>cmp : Roadie</prop2><eVar4>Download | Roadie | waol_0.4343.2046.1 | Download Complete</eVar4><prop49>xml api</prop49><reportsuiteid>aoljet,aolcmp,aolsvc</reportsuiteid><pagename>cmp : Roadie Download</pagename><products>;waol_0.4343.2046.1;1;0</products><prop16>Roadie | Download Complete | waol_0.4343.2046.1</prop16><visitorid>5517592235047936-107563412127135</visitorid><prop3>gmt_5</prop3><prop24>uaid_na</prop24></request>

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:56:10 GMT

Server: Omniture DC/2.0.0

Access-Control-Allow-Origin: *

X-C: ms-4.9.4

Expires: Thu, 16 Apr 2015 09:56:10 GMT

Last-Modified: Sat, 18 Apr 2015 09:56:10 GMT

Cache-Control: no-cache, no-store, max-age=0, no-transform, private

Pragma: no-cache

ETag: "5530D8BA-32B0-142B2394"

Vary: *

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"

xserver: www900

Content-Length: 64

Content-Type: text/xml

Connection: close

<?xml version="1.0" encoding="UTF-8"?>.<status>SUCCESS</status>...

GET /clients/bush/waol/0.4343.2046.1/comps/msvcr9/msvc9rt.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:42 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1113240

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:42 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L.......M.......M..._...N.......F.......I...L.......I...G.......M...I...M...RichL...........PE..L...<.6D.................|...........;............@..........................p.......................................................`..............H...P............................................................................................text...bz.......|.................. ..`.rdata...3.......4..................@..@.data...T...........................@....ndata...................................rsrc........`......................@..@........................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......B..H.P.u..u..u...p.@..B...SV.5..B.W.E.P.u.....@..e...E..E.P.u...t.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@..u....E..9}...w....~X.te.v4..H.@....E.tU.}.j.W.E......E.......L.@..vXW..P.@..u..5X.@.W..h ....E..E.Pj.h..B.W..|.@..u.W...u....E.P.u.....@._^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/setup.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:25 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 169064

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:25 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/AcsInstA.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:15 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 46184

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:15 GMT

Keep-Alive: timeout=2, max=99

Connection: Keep-Alive

Content-Type: application/x-msdownload

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslang.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:15 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1655104

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:15 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/toolbar/aol_trio.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:27 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 9359016

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:27 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..................................).......................................t..........(e..........@...h............................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...(e.......f...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpinst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:37 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 4020768

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:37 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L.......M.......M..._...N.......F.......I...L.......I...G.......M...I...M...RichL...........PE..L...<.6D.................|...........;............@..........................`......$o=..................................................p...........D=.H............................................................................................text...bz.......|.................. ..`.rdata...3.......4..................@..@.data...T...........................@....ndata...P...............................rsrc....p.......j..................@..@........................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......B..H.P.u..u..u...p.@..B...SV.5..B.W.E.P.u.....@..e...E..E.P.u...t.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@..u....E..9}...w....~X.te.v4..H.@....E.tU.}.j.W.E......E.......L.@..vXW..P.@..u..5X.@.W..h ....E..E.Pj.h..B.W..|.@..u.W...u....E.P.u.....@._^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/sysinfo/SinfInst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:41 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 716072

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:41 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........,K|..K|..K|...t..J|..._..J|..Xt..I|...t..A|..._..N|..K|...|..Np..A|...w..J|..Np..J|..RichK|..........PE..L...Ei.C.................h...........:............@..........................p.......A......................................l............p..............h............................................................................................text....f.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata.......p...........................rsrc....p.......j..................@..@........................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....cB..H.P.u..u..u...|.@..B...SV.5.cB.W.E.P.u...h.@..e...E..E.P.u...l.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...p.@..u....E..9}...w....~X.te.v4..H.@....E.tU.}.j.W.E......E.......L.@..vXW..P.@..u..5X.@.W..h ....E..E.Pj.h.[B.W..t.@..u.W...u....E.P.u...x.@._^3.[.....L$...dB...i......T.....tUVW.q.3.;5.dB.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5.dB.r.[_^...U..QQ.U.SV..i....

<<< skipped >>>

POST /b/ss//6 HTTP/1.1

Host: instlxml1.sa.aol.com

Connection: close

Content-Length: 634

<?xml version="1.0" encoding="UTF-8"?><request><reportSuiteID>aolinstaller</reportSuiteID><channel>us.clientinstall</channel><language>en-us</language><prop1>9.7</prop1><prop2>4343.2046</prop2><prop4>4343</prop4><prop5>2046</prop5><evar2>ie</evar2><evar3>9.10.9200.16521</evar3><evar7>Windows</evar7><evar8>Windows 7</evar8><evar10>Service Pack 1</evar10><evar11>2047</evar11><evar13>4343.2046</evar13><events>event1</events><evar14>Unknown</evar14><products>;aol_9.7_ins;;</products><pageName>Initialize installer</pageName><visitorid>5533042191867904-114271311508728</visitorid><prop3>gmt_5</prop3><prop24>uaid_na</prop24></request>

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:56:12 GMT

Server: Omniture DC/2.0.0

Access-Control-Allow-Origin: *

X-C: ms-4.9.4

Expires: Thu, 16 Apr 2015 09:56:12 GMT

Last-Modified: Sat, 18 Apr 2015 09:56:12 GMT

Cache-Control: no-cache, no-store, max-age=0, no-transform, private

Pragma: no-cache

ETag: "5530D8BC-28ED-64024922"

Vary: *

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"

xserver: www418

Content-Length: 64

Content-Type: text/xml

Connection: close

<?xml version="1.0" encoding="UTF-8"?>.<status>SUCCESS</status>...

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslang.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:16 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1655104

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:16 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L.......M.......M..._...N.......F.......I...L.......I...G.......M...I...M...RichL...........PE..L...<.6D.................|...........;............@.................................a................................................................,..h............................................................................................text...bz.......|.................. ..`.rdata...3.......4..................@..@.data...T...........................@....ndata...................................rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......B..H.P.u..u..u...p.@..B...SV.5..B.W.E.P.u.....@..e...E..E.P.u...t.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@..u....E..9}...w....~X.te.v4..H.@....E.tU.}.j.W.E......E.......L.@..vXW..P.@..u..5X.@.W..h ....E..E.Pj.h..B.W..|.@..u.W...u....E.P.u.....@._^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/tb/tbsetup.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:36 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 417240

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:36 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L.......M.......M..._...N.......F.......I...L.......I...G.......M...I...M...RichL...........PE..L...<.6D.................|...........;............@.................................#................................................p...............H..H............................................................................................text...bz.......|.................. ..`.rdata...3.......4..................@..@.data...T...........................@....ndata...................................rsrc........p......................@..@........................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......B..H.P.u..u..u...p.@..B...SV.5..B.W.E.P.u.....@..e...E..E.P.u...t.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@..u....E..9}...w....~X.te.v4..H.@....E.tU.}.j.W.E......E.......L.@..vXW..P.@..u..5X.@.W..h ....E..E.Pj.h..B.W..|.@..u.W...u....E.P.u.....@._^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=413995, public, no-transform, must-revalidate

Last-Modified: Wed, 15 Apr 2015 04:50:03 GMT

Expires: Wed, 22 Apr 2015 04:50:03 GMT

Date: Fri, 17 Apr 2015 09:54:37 GMT

Connection: keep-alive

0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150415045003Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150415045003Z....20150422045003Z0...*.H.............{....$....3p.>q......\:U....|q..!.....&.yM._W.[.YM~.v..o.L.K....3..d]..i..?...*...;..P.7J..fn.....uhps.U.3[.....G^V..z<.O..aT..o.r....{1.@.B..U.....y.....\.......(@..v...8.{..>....8..|....IL..$....R..&.;...Z.[.KQl.`zk..%.#.'.c..0......n.......N.AN..6M.. b.....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEA/folAAtu2XY7/sias/UTw= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=465178, public, no-transform, must-revalidate

Last-Modified: Wed, 15 Apr 2015 19:04:53 GMT

Expires: Wed, 22 Apr 2015 19:04:53 GMT

Date: Fri, 17 Apr 2015 09:54:37 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150415190453Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5..........P....c....?Q<....20150415190453Z....20150422190453Z0...*.H.............L......Z..g.D(...:-.U;m......@G~...3........g'..'_...... '.?..a..w(m<....G.*...E..w9....qx.4......m...>f.*\...t....g.......4.....y.<.N.c..-$.....t...;.#}fy^...Z@.................F.^..2. ..:2.G.L.......^.5...9...i>J...E.....o...`...x..1(k..'...u....p.a..0.z...#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........https://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/search/aolSearchInstaller.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:24 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 24392

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:24 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."D..f%..f%..f%...j3.g%..o]0.d%..o]&.s%..o]!.b%..o]6.b%..A...g%..A...a%..f%..7%..o]/.d%..o]1.g%..o]4.g%..Richf%..........................PE..L......O................. ...&......D'.......0....@.................................q(....@.................................`8..x....`...............J..H....p..t...`1..............................82..@............0..<............................text...a........ .................. ..`.rdata.......0.......$..............@..@.data...$....P.......:..............@....rsrc........`.......<..............@..@.reloc.......p.......D..............@..B...........................................................................................................................................................................................................................................................................................................................2@..%.1@.....V.....2@....1@..D$..t.V..........^...............................y$.r..A...A....V...N....2@...\0@......1@..D$..t.V.?........^...V...N....2@...\0@...^.%.1@......j.h.-@.d.....PQVW..P@.3.P.D$.d........t$..|$ W...0@.....D$.....W.N....2@...`0@....L$.d......Y_^.................j.h3/@.d.....P.. .....P@.3...$....SUVW..P@.3.P..$4...d.......$D.....3...$.....D$..\$...$..../.....$ .....$$... .....$(.....X0@.V..$ ...Q....$D.....|0@...x0@...;:......GW..$ ...P......|0@...x0@....|$ ;9t..G.PV..$....R..

<<< skipped >>>

GET /MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTXgePhfsJco9hFmE0qWx1GtVqUPQQUKnCVOp/2k8XzisWoY7s9lCzmygcCBEwOjDo= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.entrust.net

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Content-Transfer-Encoding: Binary

Content-Length: 1947

Last-Modified: Fri, 17 Apr 2015 06:37:09 GMT

ETag: "45F2CE048236D8101ECCB15D7FC186D4DD61BCCD"

Cache-Control: public, no-transform, must-revalidate, max-age=1348

Expires: Fri, 17 Apr 2015 10:17:38 GMT

Date: Fri, 17 Apr 2015 09:55:10 GMT

Connection: keep-alive

0..........0..... .....0.....}0..y0..[...0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limited1301..U...*Entrust.net Certification Authority (2048)1%0#..U....Entrust Validation Authority..20150417063709Z0g0e0=0... ............~.\..E.M*[.F.Z.=..*p.:........c.=.,.....L..:....20150408161654Z....20150424063709Z0...*.H.............5..N.....!....j.D.V./e)..x.....X..p..f;..9.....#......E.@..I.k......PY.B..JFH.......Wy^...Q.\|...i._...Uq...`.HGa..........M.r\.$Y&..K.Ym ..:M..%.Mt...E..Sg.cN....Ps... ..i.QX.......Oi.......&..........'.S...o.,..-.JE..b..`...t.......^..d6"K..k..lyq...%..!....0...0...0..........L...0...*.H........0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limited1301..U...*Entrust.net Certification Authority (2048)0...120710174511Z..150710205031Z0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limited1301..U...*Entrust.net Certification Authority (2048)1%0#..U....Entrust Validation Authority0.."0...*.H.............0...........U....L.^A."@m.i.7.A..%{........?.>......L.../.v.Q.N......Z.g)..A@.u..zoi.8.....L>m.6.h.;[^.k.X\........Uy.q...e...fB_6.T.6......".Y.."..|....D.*..~..|.....Wa.d......o..)Na.S.c..Q.......&E.....y..H......f.......XH`..x.[21.1,.#.Q.g...g......u.....D...^..3........0..0...U........0...U.%..0... .......0... .....0......02..U... 0)0'.%.#.!hXXp://crl.

<<< skipped >>>

GET /MEUwQzBBMD8wPTAJBgUrDgMCGgUABBS6T8q7hSNQhIXIQ0oIkBdHhARt9wQUp7GqxLYG7d3Kn4iUloLV50NB0SUCBEwXaMs= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.entrust.net

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Content-Transfer-Encoding: Binary

Content-Length: 1978

Last-Modified: Fri, 17 Apr 2015 08:53:54 GMT

ETag: "39535E5C45AF92F09F080A8DB315913F5E66EF87"

Cache-Control: public, no-transform, must-revalidate, max-age=401

Expires: Fri, 17 Apr 2015 10:01:51 GMT

Date: Fri, 17 Apr 2015 09:55:10 GMT

Connection: keep-alive

0..........0..... .....0......0...0..e...0..1.0...U....US1.0...U....Entrust, Inc.1907..U...0VVV.entrust.net/rpa is incorporated by reference1.0...U....(c) 2009 Entrust, Inc.1;09..U...2Entrust Code Signing Certification Authority - L1D1%0#..U....Entrust Validation Authority..20150417085354Z0g0e0=0... .........O...#P...CJ...G..m...................CA.%..L.h.....20150417033210Z....20150424085354Z0...*.H................z...'..'..J....KEh.ulCQ r........_. ....W..?kq].._..`6....-....!.>XD..6.3l.?\..}....B..-.......La5.j.v\....4._<LBd.......q.)..%L...Y..,bE......w..l......W. ...~.=.?s.R}...Z.....,..o.w...n......l..7...l.....C..\.<.9Z..g.??.y.v.JSb5..&|[....=.O.J.{..k.a......0...0...0..........L. m0...*.H........0..1.0...U....US1.0...U....Entrust, Inc.1907..U...0VVV.entrust.net/rpa is incorporated by reference1.0...U....(c) 2009 Entrust, Inc.1;09..U...2Entrust Code Signing Certification Authority - L1D0...120710154100Z..150711063201Z0..1.0...U....US1.0...U....Entrust, Inc.1907..U...0VVV.entrust.net/rpa is incorporated by reference1.0...U....(c) 2009 Entrust, Inc.1;09..U...2Entrust Code Signing Certification Authority - L1D1%0#..U....Entrust Validation Authority0.."0...*.H.............0...........U....L.^A."@m.i.7.A..%{........?.>......L.../.v.Q.N......Z.g)..A@.u..zoi.8.....L>m.6.h.;[^.k.X\........Uy.q...e...fB_6.T.6......".Y.."..|....D.*..~..|.....Wa.d......o..)Na.S.c..Q.......&E.....y..H......f.......XH`..x.[21.1,.#.Q.g...g......u.....D...^..3........0..0...U........0...U.%..0... .......0... .....0......

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/instSup.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:35 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 74856

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:35 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

POST /b/ss//6 HTTP/1.1

Host: instlxml1.sa.aol.com

Connection: close

Content-Length: 458

<?xml version="1.0" encoding="UTF-8"?><request><reportsuiteid>aoljet</reportsuiteid><pagename>cmp : Roadie - Install Start</pagename><events>event5</events><prop1>cmp :</prop1><prop2>cmp :</prop2><eVar6>Download | Roadie | waol_0.4343.2046.1 | Install Start</eVar6><prop49>xml api</prop49><prop16>Roadie | Install Start | waol_0.4343.2046.1</prop16><visitorid>5521342234851328-107563412127135</visitorid><prop3>gmt_5</prop3><prop24>uaid_na</prop24></request>

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:56:11 GMT

Server: Omniture DC/2.0.0

Access-Control-Allow-Origin: *

X-C: ms-4.9.4

Expires: Thu, 16 Apr 2015 09:56:11 GMT

Last-Modified: Sat, 18 Apr 2015 09:56:11 GMT

Cache-Control: no-cache, no-store, max-age=0, no-transform, private

Pragma: no-cache

ETag: "5530D8BB-A13C-05581B1A"

Vary: *

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"

xserver: www872

Content-Length: 64

Content-Type: text/xml

Connection: close

<?xml version="1.0" encoding="UTF-8"?>.<status>SUCCESS</status>...

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c811f53d313ecf39 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT

If-None-Match: "804047d4e66d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT

ETag: "804047d4e66d01:0"

Cache-Control: max-age=86400

Date: Fri, 17 Apr 2015 09:54:37 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT..ETag: "804047d4e66d01:0"..Cache-Control: max-age=86400..Date: Fri, 17 Apr 2015 09:54:37 GMT..Connection: keep-alive......

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?9bae0654c986f0bb HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT

If-None-Match: "80b4d90ca4fd01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT

ETag: "80b4d90ca4fd01:0"

Cache-Control: max-age=604800

Date: Fri, 17 Apr 2015 09:55:10 GMT

Connection: keep-alive

....

GET /msdownload/update/v3/static/trustedr/en/503006091D97D4F5AE39F7CBE7927D7D652D3431.crt?cea8345e4b49256e HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Content-Type: application/x-x509-ca-cert

Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT

Accept-Ranges: bytes

ETag: "05934e1494dd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 1070

Date: Fri, 17 Apr 2015 09:55:10 GMT

Connection: keep-alive

0..*0..........8c..0...*.H........0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limited1301..U...*Entrust.net Certification Authority (2048)0...991224175051Z..290724141512Z0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limited1301..U...*Entrust.net Certification Authority (2048)0.."0...*.H.............0.........MK...... ...d* K...JM...v.g.x@.sB.h..S .^.v.5....|.:..[....$......}..kK.......@$..t....).....w.U...~.jd.....[.2Po=..f.....I.v.I.......g/...q.`.-.,..vf{...x.eS]<....)../.P..H..2U...dL....u.....U`.0).{H.i..5?..]zz......"T...&...Ih...G...B..M.o&...!bfCp...........B0@0...U...........0...U.......0....0...U......U...........1..$...p0...*.H.............;..V.0.S.|zy.M.........3|Fc..f$.@.!'..rs.O.1....LhS.........]=..n.......?....../....W,.....D...O...}W./...Z..n..:....ly^y.....L.;e<..=..........^[..#.h....'\.-o0......Z....'..y..y.3W.....Bl..V..m....~....!...<y/^..L...."7..C.......g.oH..V... |^.v.Y..|.5.eQHTTP/1.1 200 OK..Content-Type: application/x-x509-ca-cert..Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT..Accept-Ranges: bytes..ETag: "05934e1494dd01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 1070..Date: Fri, 17 Apr 2015 09:55:10 GMT..Connection: keep-alive..0..*0..........8c..0...*.H........0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limit

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c47dea64dd07db25 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT

If-None-Match: "804047d4e66d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT

ETag: "804047d4e66d01:0"

Cache-Control: max-age=86400

Date: Fri, 17 Apr 2015 09:55:12 GMT

Connection: keep-alive

GET /clients/bush/waol/0.4343.2046.1/comps/acs/setup.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:25 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 169064

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:25 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........m..................................[...L................/......5/......L...........s...5(..............................#...............Rich............................PE..L...B..E.............................-............@..................................{.............................. O..Z....>..........`0..............h............................................................................................text............................... ..`.rdata..zo.......p..................@..@.data....>...P.......<..............@....rsrc...`0.......2...N..............@..@................................................................................................................................................................................................................................................................................................................................V.w...(.B.......g....^.V........D$..t.V.....Y..^...U..QV...F.W..(.B..8;..}.t1.G...t.P.]...Y.....t....t.W.J...Y.U..3....}.;~.u..F...t.P.,....f..Y....*..._^..V.t$.WV...~.....Y.G.t.....u.3.@.D<-t.</t.3..8S...B........-t.HHu)..V...P.....V...P.FSV.........YYu.@[_^...3...V.t$...tD.>.u?W.|$.hx.B.W.......YYt. .PWV.....ht.B.V.]........WV.A...YY3.@_..3.^...U..QVW.....W.M.........u.Y..t.Wj.P...........8.t.3.......}.S.G.h..B.P.(....x.B.SW.E.............u.3.@.UGSW.....;.YYt.;}.t@.?"t..M...W.6.P..0Ghp.B

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/flashPlayer/install_flash_player_11_plugin.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:56:01 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 17736296

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:06:01 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpchk.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:34 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 15144

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:34 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/gui.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:44 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 472680

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:44 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT

If-None-Match: "a1132b8ef65d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT

ETag: "a1132b8ef65d01:0"

Cache-Control: max-age=900

Date: Fri, 17 Apr 2015 09:55:56 GMT

Connection: keep-alive

....

GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 07 Mar 2015 06:01:44 GMT

If-None-Match: "dde36a309c58d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT

ETag: "dde36a309c58d01:0"

Cache-Control: max-age=900

Date: Fri, 17 Apr 2015 09:55:56 GMT

Connection: keep-alive

....

GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 05 Mar 2015 06:01:35 GMT

If-None-Match: "cf2633d6957d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT

ETag: "cf2633d6957d01:0"

Cache-Control: max-age=900

Date: Fri, 17 Apr 2015 09:55:56 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT..ETag: "cf2633d6957d01:0"..Cache-Control: max-age=900..Date: Fri, 17 Apr 2015 09:55:56 GMT..Connection: keep-alive..

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstA.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:24 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 46184

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:24 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrinst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:53 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1096736

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:53 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/tpspd/wbsetup.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:55 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 556240

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:55 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/tpspd/wbsetup.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:56 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 556240

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:56 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L.......M.......M..._...N.......F.......I...L.......I...G.......M...I...M...RichL...........PE..L...2.6D.................~..........b9............@..........................@.......Y......................................p............@..........hh..h............................................................................................text....|.......~.................. ..`.rdata...4.......6..................@..@.data...4r..........................@....ndata.......P...........................rsrc....@.......@..................@..@........................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....AC..H.P.u..u..u...p.@..B...SV.5.AC.W.E.P.u.....@..e...E..E.P.u...t.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@..u....E..9}...w....~X.te.v4..H.@....E.tU.}.j.W.E......E.......L.@..vXW..P.@..u..5X.@.W..h ....E..E.Pj.h.9C.W..|.@..u.W...u....E.P.u.....@._^3.[.....L$...AC...i......T.....tUVW.q.3.;5.AC.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5.AC.r.[_^...U..QQ.U.SV..i....

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrlp.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:47 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 106568

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:47 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L.......M.......M..._...N.......F.......I...L.......I...G.......M...I...M...RichL...........PE..L...<.6D.................|...........;............@..........................p.......................................................`..................h............................................................................................text...bz.......|.................. ..`.rdata...3.......4..................@..@.data...T...........................@....ndata...................................rsrc........`......................@..@........................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......B..H.P.u..u..u...p.@..B...SV.5..B.W.E.P.u.....@..e...E..E.P.u...t.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@..u....E..9}...w....~X.te.v4..H.@....E.tU.}.j.W.E......E.......L.@..vXW..P.@..u..5X.@.W..h ....E..E.Pj.h..B.W..|.@..u.W...u....E.P.u.....@._^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/parcon/AOLParconLink.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:58 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 58696

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:58 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/instSup.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:18 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 74536

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:18 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.........XD..6...6...6.l./...6...k...6...k...6...i...6...V...6..._...6...i...6...7.D.6...2...6...8...6...<...6...V...6...9...6...R...6...j...6.z.h...6...l...6.Rich..6.........................PE..L....}.H...........!.....p..........M@.............................................. ...................................}...@...........P...............(....... ....................................................................................text....d.......p.................. ..`.rdata...G.......P..................@..@.data...x...........................@....rsrc...P...........................@..@.reloc..(........ ..................@..B.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/tb/tbsetup.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:35 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 417240

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:35 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/flashPlayer/aolswfchk.dll HTTP/1.1

Host: download.newaol.com:80

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:54:38 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 52328

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:04:38 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u...u...u...|.g.j...|.v.d...|.`.#...Rf..|...u.......|.i.w...|.q.t...|.r.t...Richu...........PE..L......R...........!.....t...@...... ...............................................:N......................................<...d.......................h.......l...................................H...@............................................text...Or.......t.................. ..`.rdata.."!......."...x..............@..@.data...@...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................U..Q.E.VP.=....}..Y..t..u..:...Y...u.j.X..3.@;.t.3....t.......@@^.......3..U......e..W.}.j.X.E..........'.SV......,..................j........Y...t.hh...V.H...YY..uc.u..i.....tR...}........t4.e...e.....3.u..}......Y..t..u..E......Y.E..3.*......E......u..W...Y.E...j.X^[_..3.@...U.....S3..]..]..].;........E.P.E.P.E........YY..tu.E.Pj.S.u..u.........u^W.=.....E.PS.E.PS.u..]..u.....u4.}..u..u......Y.M.QPSS.u....u.....u..E.....6.....Y...u......._9].t..u......Y9].t..u......Y.E.[..U.....S.E.P.u.3..]......I....E

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acscore.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:59 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1489776

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:59 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L.......M.......M..._...N.......F.......I...L.......I...G.......M...I...M...RichL...........PE..L...<.6D.................|...........;............@..................................b...............................................p..................h............................................................................................text...bz.......|.................. ..`.rdata...3.......4..................@..@.data...T...........................@....ndata...................................rsrc........p......................@..@........................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......B..H.P.u..u..u...p.@..B...SV.5..B.W.E.P.u.....@..e...E..E.P.u...t.@..}..e....@.@........FR..VV..U... M.........3..M.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@..u....E..9}...w....~X.te.v4..H.@....E.tU.}.j.W.E......E.......L.@..vXW..P.@..u..5X.@.W..h ....E..E.Pj.h..B.W..|.@..u.W...u....E.P.u.....@._^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/AcsInstA.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:15 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 46184

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:15 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/flashPlayer/aolswfchk.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:40 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 52328

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:40 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acscore.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:59 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1489776

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:59 GMT

Keep-Alive: timeout=2, max=99

Connection: Keep-Alive

Content-Type: application/x-msdownload

POST /b/ss//6 HTTP/1.1

Host: instlxml1.sa.aol.com

Connection: close

Content-Length: 504

<?xml version="1.0" encoding="UTF-8"?><request><events>prodview</events><prop1>cmp :</prop1><prop2>cmp :</prop2><prop49>xml api</prop49><eVar5>Download | Roadie | waol_0.4343.2046.1 | Download Start</eVar5><prop16>Roadie | Download Start | waol_0.4343.2046.1</prop16><reportsuiteid>aoljet</reportsuiteid><pagename>cmp : Roadie - Download Start</pagename><products>;waol_0.4343.2046.1</products><visitorid>4611232406744064-672205304002741</visitorid><prop3>gmt_5</prop3><prop24>uaid_na</prop24></request>

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:54:40 GMT

Server: Omniture DC/2.0.0

Access-Control-Allow-Origin: *

X-C: ms-4.9.4

Expires: Thu, 16 Apr 2015 09:54:40 GMT

Last-Modified: Sat, 18 Apr 2015 09:54:40 GMT

Cache-Control: no-cache, no-store, max-age=0, no-transform, private

Pragma: no-cache

ETag: "5530D860-6B45-0431F54D"

Vary: *

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"

xserver: www357

Content-Length: 64

Content-Type: text/xml

Connection: close

<?xml version="1.0" encoding="UTF-8"?>.<status>SUCCESS</status>...

HEAD /clients/bush/waol/0.4343.2046.1/comps/toolbar/aol_trio.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:27 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 9359016

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:27 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/instSup.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:18 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 74536

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:18 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpgc.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:47 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 62248

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:47 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/roadie1.8.4.1/roadie.loc HTTP/1.1

Host: download.newaol.com:80

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:54:38 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 31187

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:04:38 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: text/plain

//////////////////////////..// Picker Support Files //..//////////////////////////..[CHECK]..F1=download.newaol.com/clients/bush/waol/0.4343.2046.1/comps/flashPlayer/aolswfchk.dll;52328..[OS]..VISTA=VISTA..XP=XP..XP64=XP64..VISTA64=VISTA64..WIN7_32=WIN7_32..WIN7_64=WIN7_64..[OMS_APPSTART]..reportsuiteid=aoljet..pagename=cmp : Roadie - App Start..events=event1..eVar1=Download | Roadie | %PACKAGEID% | Application Start..prop1=cmp :..prop2=cmp :..prop49=xml api..prop16=Roadie | App Start | %PACKAGEID%..[OMS_NONQUAL]..reportsuiteid=aoljet..pagename=cmp : Roadie - Non Qualification..events=event2..eVar2=Download | Roadie |%PACKAGEID% | Non Qual..prop1=cmp :..prop2=cmp :..prop49=xml api..prop16=Roadie | Non Qualification | %PACKAGEID%..[OMS_DLSTART]..reportsuiteid=aoljet..pagename=cmp : Roadie - Download Start..events=prodview..prop1=cmp :..prop2=cmp :..prop49=xml api..products=;%PACKAGEID%..eVar5=Download | Roadie | %PACKAGEID% | Download Start..prop16=Roadie | Download Start | %PACKAGEID%..[OMS_USERCANCEL]..reportsuiteid=aoljet..pagename=cmp : Roadie - User Cancel..events=event3..eVar3=Download | Roadie | %PACKAGEID% | User Cancel..prop1=cmp :..prop2=cmp :..prop49=xml api..prop16=Roadie | User Cancel | %PACKAGEID%..[OMS_INSTALLSTART]..reportsuiteid=aoljet..pagename=cmp : Roadie - Install Start..events=event5..prop1=cmp :..prop2=cmp :..eVar6=Download | Roadie | %PACKAGEID% | Install Start..prop49=xml api..prop16=Roadie | Install Start | %PACKAGEID%..[OMS_DLCOMPLETE]..reportsuiteid=aoljet,aolcmp,aolsvc..pagename=cmp

<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/waol-0.4343.2046.1.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:11 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1584744

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:11 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................I. ...............#.......5.D...............g.............2.......$.......".......'.....Rich............PE..L....H.R.............................3............@................................. ...........................................@.......x...............h...............................................................H...4...@....................text............................... ..`.rdata...?.......@..................@..@.data............0..................@....rsrc...x...........................@..@.................................................................................................................................................................................................................................................................................................................................................................................|$.....u.......t$........A........J........Q...R...t$..U...Y....D$.V....t..@.P....E.P...H$..^...U...E...t..@..u$.u .u.P.u..u..u..u..q.....E.]. ..t$..q ....E.....D$...|...;B....B..........hW....:....h...../....U..QQSV.1.^.....M.....W.]..P...j..u.........u.......E.;.}...@P.N.QP._.S......E.......G.......E._^..[.....T$.V.......9P...}...~.W.9j.RP.W._..u..b........^...V...L$...u.h.@...}......P........^......P....V.t$.;.~....x..~.V. ....".@.;.}......;.~.......;.}...P.d...^...V....1..P.........^.V....3....A H..@.

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstC.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:32 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 37992

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:32 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/ecuchk.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:55 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 11080

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:55 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT

Accept-Ranges: bytes

ETag: "2711f7277076d01:0"

Server: Microsoft-IIS/8.5

VTag: 791500626200000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Fri, 17 Apr 2015 09:59:22 GMT

Connection: keep-alive

0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Z0... .....7......150712164223Z0...*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w... ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b...

GET /clients/bush/waol/0.4343.2046.1/comps/acs/instSup.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:35 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 74856

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:35 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.........XD..6...6...6.l./...6...k...6...k...6...i...6...V...6..._...6...i...6...7.D.6...2...6...8...6...<...6...V...6...9...6...R...6...j...6.z.h...6...l...6.Rich..6.........................PE..L....}.H...........!.....p..........M@..................................................................................}...@...........P...............h....... ....................................................................................text....d.......p.................. ..`.rdata...G.......P..................@..@.data...x...........................@....rsrc...P...........................@..@.reloc..(........ ..................@..B.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrlp.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:47 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 106568

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:47 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

Map

The Malware connects to the servers at the folowing location(s):

Strings from Dumps

waol-0.4343.2046.1.exe_688:

.text

`.rdata

@.data

.rsrc

t9It.It#It

PSSSSSSh

SSSh@

~,.tM

tGHt.Ht&

AUu.AUuI

%s (%s:%d)

C:\PROGRA~1\MICROS~1.0\VC\ATLMFC\INCLUDE\afxwin1.inl

-v %s

sShortDate

%s\%s

%s\*.*

%d.%d%c

Disk.cpp

KERNEL32.dll

install.ini

comps.ini

media.ini

Update movie file %s

Flash initialized, Version %d.%d

CLSID\%s\InProcServer32

USER32.DLL

iexplore.exe

C:\PROGRA~1\MICROS~1.0\VC\ATLMFC\INCLUDE\afxwin2.inl

--:--:--

%ld.%ld,%s

4343.2046

Unknown ErrorCode:%d ExitCode:%d

Directory path contains waol.exe client

Windows must reboot to complete install

{D27CDB6E-AE6D-11cf-96B8-444553540000}

[ERRORUnsupportedToken]

kernel32.dll

Windows 2000

Windows Server 2003

Windows XP

Windows Home Server

Windows Server 2008

Windows Vista

Windows Server 2008 R2

Windows 7

Windows 8

Older than Windows 2000

installOmniture.loc

installOmniture.ini

%s\idb\SNmaster.idx

%s|%s*%s

%s*%s

Found build = %d.%d%c

Client is %s version -- %s

%s,%d,%d

DBGetClientInfo Path = %s ,szScreenName=%s , Version = %s

successfully wrote %d bytes...

writing %d bytes...

Writing component to %s...

CComponent::Write() - Resource size = %d

CComponent::Write() - Finding resource %d ...

%s%s%s

CScript::Execute() -- CreateProcess() failed for file %s

"%s" %s

CScript:Execute() - CreateProcess() creating script process

install.log

webregError

webregSN

AOL Software.Exe Running Path - %s

"%s\aolsoftware.exe"

progress.dll

%s\%s.lnk

%s.lnk

Install : CreateProcess = Inside %s%

Install : CreateProcess = %s%

GL*.TMP

launcher.dll

instph.dll

install.dll

deleting ProgUpd.dll

Location of client to upgrade '%s'

Upgrading from Client Version '%s' (Codebase '%s')

%s\win.ini

Software\Microsoft\Windows\CurrentVersion

%c:\%s

SystemChecks() : Insufficient HD space. Size of component resources = %d ( 1MB), Available space (%s) = %d

triggering windows restart...

d-d-d d.d.d

Running client -> %s

100%s

Launching client ... %s

waolinstallgui.cpp

%s\AOLFirewallMgr.ini

%s\AOLFirewallMgr.dll

%s\AOLInstallerFW.dll

gScript.Execute returned RESULT_ERROR

gScript.Execute returned RESULT_NOT_NT_ADMIN.

gScript.Execute returned RESULT_FILES_IN_USE

gScript.Execute returned RESULT_MISSINGCOMPS

gScript.Execute returned RESULT_NOMINBROWSER

gScript.Execute returned RESULT_DISKSPACEERROR

gScript.Execute returned RESULT_CANCEL_NOGUI

gScript.Execute returned RESULT_CANCEL

gScript.Execute returned RESULT_INCORRECTOS

gScript.Execute returned RESULT_SUCCESS

ERROR: gScript.Execute returned an unexpected code. Verify processing.

ERROR: gScript.Execute returned RESULT_NOT_NT_ADMIN.

ERROR: gScript.Execute returned RESULT_FILES_IN_USE.

gScript.Execute returned RESULT_NOMINBROWSER.

progupd.dll

\\.\Pipe\AOLINST

Last Error: %ld-%s

ASSERT FAILED in %s line %d -->> '%s'

SUDSUpdate.ini

Software\MyWebSearch\OEHosts

\StringFileInfo\%s\%s

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

shell32.dll

shfolder.dll

%s\appdata.ini

AOLSearchAsDefaultForFireFox

Kernel32.DLL

AOL.EXE

KERNEL32.DLL

StatusKey

Loading advapi32.dll - Service Beginning

advapi32.dll

Advapi32.dll

DeCon.exe

Software\Microsoft\Windows\CurrentVersion\RunOnce

%s\aolreboot

SENSAPI.DLL

\AOL.cfg

UpdateTrustedAdobeClients STarted... %s

\waol.exe

sIni.lpszDestDir = %s

CASADIL.phx

\*.lnk

csafe.vxd

Exit Flash Installation %d

"%s\%s" %s

"%s\%s" %s %s

10.1.53.64

waol.exe

FunWebProuct

-r"%s:%s"

%s\$Recycle.bin

%s\Recycler

%s\Recycled

CLSID\{645FF040-5081-101B-9F08-00AA002F954E}

INSTEXE

DOSETCERT2KEYS

CERTPSWD

CERTNUMBER

Comparing...installer primary language=0x%x, installer sub-language=0x%x

Checking languages : OS primary language=0x%x, sub-language=0x%x

MozillaUIWindowClass

MozillaWindowClass

%s\%s\%s\

netapi32.dll

wtsapi32.dll

\\.\Pipe\AOL

%s - %d%%

%d%s

[Installer] - setWelcomeFocus - %s

GUI: Main - WM_INITPROGRESS, %d

GUI: Main - WM_SHOWPROGRESS, %d

GUI: Stop Timer = %d

GUI: Main - WM_UPDATEPROGRESS, %d

GUI: Secondary - WM_UPDATEPROGRESS, %d

Available Space on Install Drive (%c:): %dK

Required Space on Install Drive (%c:): %dK

Available Space on System Drive (%c:): %dK

Required Space on System Drive (%c:): %dK

1%s

%s,%ld.%ld MB,%ld.%ld MB

%s,%ld.%ld GB,%ld.%ld MB

[Installer] - getClientList - ReturnValue - %s

\gecko\usr\registry.dat

Mozilla\registry.dat

Users/%s

\nsreg.dat

Common/Profiles/%s

\cookies.txt

%s%s>

POST %s HTTP/1.1

Host: %s

Content-Length: %d

hXXp://aol.com

uaid_%s

IPH.PH

%sd

Software\Microsoft\Windows\CurrentVersion\Internet Settings

CNotSupportedException

comctl32.dll

comdlg32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

hhctrl.ocx

commctrl_DragListMsg

CCmdTarget

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

ntdll.dll

%s%s.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp

RICHED20.DLL

mfcm90.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

user32.dll

ole32.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

operator

GetProcessWindowStation

OLEACC.dll

WININET.dll

GetProcessHeap

WinExec

GetWindowsDirectoryA

CreateNamedPipeA

DisconnectNamedPipe

ConnectNamedPipe

WaitNamedPipeA

GetCPInfo

PeekNamedPipe

GetConsoleOutputCP

ExitWindowsEx

UnhookWindowsHookEx

GetKeyState

SetWindowsHookExA

CreateDialogIndirectParamA

USER32.dll

GetViewportExtEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GDI32.dll

MSIMG32.dll

COMDLG32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegOpenKeyA

RegCreateKeyExA

RegDeleteKeyA

RegEnumKeyExA

RegQueryInfoKeyA

RegEnumKeyA

ADVAPI32.dll

ShellExecuteA

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

oledlg.dll

OLEAUT32.dll

VERSION.dll

WS2_32.dll

setup.exe

_NR_RegAddKey@16

_NR_RegAddKeyRaw@16

_NR_RegDeleteKey@12

_NR_RegDeleteKeyRaw@12

_NR_RegEnumSubkeys@24

_NR_RegGetKey@16

_NR_RegGetKeyRaw@16

_VR_UninstallDeleteSharedFilesKey@4

.PAVCException@@

.?AVCCmdTarget@@

.?AVCCmdLineInfo@@

.?AVCAOLInstCmdLine@@

.?AVCMozillaCookie@@

\mozregistry.dat

%s #%d

.PAVCOleException@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCTestCmdUI@@

.?AVCCmdUI@@

.PAVCFileException@@

.PAVCArchiveException@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.PAVCOleDispatchException@@

zcÃ

hXXp://free.aol.com/tryaolfree/

instlxml1.sa.aol.com

C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\installOmniture.ini

C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\installOmniture.loc

%Program Files% (x86)\AOL Desktop 9.7

C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\waol-0.4343.2046.1.exe

C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comp01.000

C:\IPH.PH

7'&&&$($($$

)NaQ.SaI

@.reloc

YYSShh

PSVSSShli

ProgUpd Error: Failed to notify Launcher that progress received for '%s'

UpdateProgress(): Progress value of %d%% received for '%s' is out of valid range of 0% to 100%.

ProgUpd Error: Progress value of %d%% received for '%s' is out of valid range of 0% to 100%.

ProgUpd Error: Invalid progress value received for '%s'.

UpdateProgress(): Invalid progress value of '%d' received for '%s'.

ProgUpd: Repeat of previous progress value received for '%s'.

ProgUpd: First valid progress update received from '%s'

.\AppInfo.cpp

_AOL_INSTEVENT_%s

ProgUpd: Looking for synchronization event named '%s'...

ProgUpd Error: No synchronization event for '%s'.

.\Event.cpp

ProgUpd Error: Could not set event named '%s'.

ProgUpd: Logfile section set to '%s' - Ret Code = %d

ProgUpd Error: Logging Error in '%s' at line %d

%s:d

.\IPH.cpp

%s:%ld

UpdateProgress(): AppID not given with '%d%%' progress update

ProgUpd: AppID truncated to '%s'.

UpdateProgress(): AppID '%s' is too long -- Must be no more than 6 characters.

UpdateProgress(): AppID contains illegal characters. AppID = '%s'.

ProgUpd Error: AppID contains illegal characters. AppID = '%s'.

`~!@#$%^&*()= {}[]\|:;"',./?

.\ProgUpd.cpp

ProgUpd: AppID passed in with '%d%%' progress update is NULL.

ProgUpd: Sending reboot request message for '%s'...

ProgUpd: AppID passed in = '%s'.

SetReboot(): AppID '%s' is too long -- Must be no more than 6 characters.

ProgUpd - SetReboot called with AppID '%s'.

SOFTWARE\America Online\Products\%s\%s

SOFTWARE\America Online\Products\%s\%s\Shortcuts

SOFTWARE\America Online\Products\%s\%s\EmptyFolders

SOFTWARE\America Online\Products\%s\%s\UninstPlugins

Software\America Online\Installs\%s

%s_%s

%s\References

%s_%i

%s_backup

Software\America Online\Products\%s\%s

%s\Components

Software\America Online\Products\%s

%s,%s

SOFTWARE\America Online\Installs\%s

SHDeleteKeyA

RegCreateKeyA

ProgUpd.dll

;-;6;?;`;

3 3@3\3`3|3

0VVV.entrust.net/rpa is incorporated by reference1

2Entrust Code Signing Certification Authority - L1D0

T;B%Sk

"hXXp://crl.entrust.net/level1d.crl03

hXXp://ocsp.entrust.net0A

hXXp://VVV.entrust.net/rpa0

hXXp://ocsp.entrust.net0/

#hXXp://aia.entrust.net/l1d-2048.cer03

"hXXp://crl.entrust.net/level1d.crl0A

Entrust.net1@0>

7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#

*Entrust.net Certification Authority (2048)0

hXXp://ocsp.entrust.net02

!hXXp://crl.entrust.net/2048ca.crl0;

2Entrust Code Signing Certification Authority - L1D

VVV.aol.com 0

accKeyboardShortcut

mscoree.dll

ekernel32.dll

!"#$%&'()*

9.07.000

1, 0, 1, 0

,****** AOL Desktop 9.7 Starts at : %s ****** ****** AOL Desktop 9.7 Ends: at : %s ******

RBM.exe

When you're ready to continue, click OK.RClick the 'Empty Recycle Bin' button to delete these files and free up this space.dYour computer is low on resources.

Please close any running programs and click 'Retry' to continue.JAn error occurred while attempting to install the America Online Software.

7Windows must be restarted to complete the installation.

AOL Desktop 9.7 Install@Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Drive %c:

We recommend that you shut down any open applications before installing AOL.When you're ready to continue, click OK.hAdobe

We cannot install AOL Desktop 9.7 because we did not find a version of AOL installed in the %s directory. Please select another directory.

In order to continue the installation Windows will need to be restarted.

Would you like to restart Windows now?

Please download and reinstall the AOL Desktop software. To Download, visit this link: hXXp://daol.aol.com/software and then click the Download Now button. If this still does not fix the problem please call 1-800-827-6364 for assistance.

explorer.exe

main.idx

SNMaster.idx

%s, last used %s , %s

%s, never used , %s

aol.exe

aoltray.exe

%s, most recently used %s, %s

%s, most recently used , %s

Please download a compatible version of the AOL Desktop software. To Download, visit this link: hXXp://daol.aol.com/software/90vr and then click the Download Now button. If this still does not fix the problem please call 1-800-827-6364 for assistance.

It looks like the AOL Desktop software is already running on user account "%s".

xThe directory path you provided already contains AOL Desktop software. Please select another directory path to continue.XThis copy of AOL cannot be installed because an installation file is missing or damaged.

Page %d

We're sorry, this version of AOL is not compatible with the version of Windows you are running.

Your computer does not have the minimum required operating system. You must be using Windows XP, Windows Vista, or Windows 7 to install this version of AOL

To get the best possible performance with this version of AOL, we recommend using a computer with a %s or better processor.

We were not able to detect a %s or better processor on your computer.

8You currently do not have enough disk space on drive %c.?You currently do not have enough disk space on drive %c and %c.@You now have enough disk space to install AOL. Click 'Continue'.tYour hard drive now has enough free disk space to install the AOL software. Click 'Next' to resume the installation.

AOL Quick Reference Guide.txt.Text Files (*.txt)|*.txt|All Files (*.*)|*.*||

Click OK to finish this installation. You will be able to connect using TCP/IP only.

Location: hXXp://VVV.microsoft.com/windows/ie/downloads/default.mspx.

Your computer does not have the minimum required Service Pack. You must be using Windows 2000 with Service Pack 3 (SP3) or later to install this version of AOL

The current drive selected for installation does not have enough space for the required components. If there is another drive attached to your system that has enough space, please select it from the 'Drive' list below.mPlease wait while we initialize the installation. This may take a few minutes. Thank you for your patience.

Installation for AOL Desktop 9.7 cannot proceed because the executable file (waol.exe) is missing. Please select another directory path to continue.

`You currently have less than 1 MB of temporary files that have not been used in at least 1 week.4You currently have no old temporary files to delete.YYou currently have %.2f MB of temporary files that have not been used in at least 1 week.jClick the 'Delete Temp Files' button to delete these files and free up this space (some files may remain).

00|01|06

Replace%Select the entire document

waol-0.4343.2046.1.exe_688_rwx_03F02000_00010000:

Sj.Whx