mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 72d9b93774dbb51033d60dd3520f0da8
SHA1: 07ce8a064a263a63e623d1fdc533580be6690f9e
SHA256: 12e038feb0c102a7c647caaff5cc8249829a506c0251a9110e8bf024bbe2a5e7
SSDeep: 12288:4nvpiGgzRy o/QNvH NUCrvktjkAl/WF /wLY7cBxMtP4YPsI/bGdteuiM:4nvEtE/QNfsUCrctjkqb/wLYXPJl/GL
Size: 790656 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company:
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7Ada SP1 64-bit
Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
17807780_stp.EXE:1440
%original file name%.exe:3896
The Malware injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 17807780_stp.EXE:1440 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files% (x86)\Windows Essentials Codec Pack\ogm.dll (3361 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\LAVAudio.ax (10709 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll (40598 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Essentials Codec Pack\Uninstall.lnk (1 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\cue2xml.js (4 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mp4.dll (5506 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mkzlib.dll (846 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\Windows Essentials Codec Pack.url (52 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\dxr.dll (7391 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax (16187 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avi.dll (2396 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\swscale-lav-2.dll (14370 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avs.dll (1098 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\LAVVideo.ax (22599 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mkunicode.dll (48 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avss.dll (737 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avutil-lav-52.dll (13282 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\gdsmux.exe (7842 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mkx.dll (3906 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\dsmux.exe (2918 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avcodec-lav-55.dll (201783 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\COPYING (18 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\libbluray.dll (10116 bytes)
C:\Windows\System32\drivers\etc\hosts (43 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\IntelQuickSyncDecoder.dll (13115 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\LAVSplitter.ax (15530 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avformat-lav-55.dll (29707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Essentials Codec Pack\Website.lnk (1 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mkv2vfr.exe (4034 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\ts.dll (4404 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avresample-lav-1.dll (3317 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\CHANGELOG.txt (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz513C.tmp\System.dll (23 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\LAVFilters.Dependencies.manifest (482 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\uninst.exe (571 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avfilter-lav-4.dll (6610 bytes)
The process %original file name%.exe:3896 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\locale\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\logo_new[1].png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Rerarapepe_b[1].png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Neyayeneda_TopImg[1].png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\declineBG[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\loader.gif (10 bytes)
%Program Files% (x86)\is665125.log (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\Yes_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\bootstrap_60311.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Close_Hover.png (500 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (1540 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\No_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\logo[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Color_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\main.css (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A26A2.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A68D0.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\No_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\BG.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is898099773\17807780_stp.EXE (9091 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Color_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\ie6_main.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\Yes_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A2432.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Rerarapepe[1].png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\ProgressBar.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\bg2[1].jpg (4704 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Close.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A2480.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Grey_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\Rerarapepe3[1].jpg (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A2664.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Progress.png (740 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\bg1[1].jpg (21280 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Grey_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is898099773\17807780_stp.EXE.part (807 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\wplayer.png (2 bytes)
Registry activity
The process 17807780_stp.EXE:1440 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCR\Wow6432Node\Media Type\Extensions\.mkv]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{69CE757B-E8C0-4B0A-9EA0-CEA284096F98}]
"(Default)" = "DVSMorePPage"
[HKCR\Wow6432Node\CLSID\{ACE4747B-35BD-4E97-9DD7-1D4245B0695C}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Wow6432Node\HaaliMkx\Input]
"mp4.3" = "00000000ffffffff,000000006d646174,{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}"
"mp4.2" = "00000000ffffffff,000000006d6f6f76,{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}"
"mp4.1" = "00000000ffffffff,0000000066747970,{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}"
[HKCR\Wow6432Node\CLSID\{90C7D10E-CE9A-479B-A238-1A0F2396DE43}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{64F2005C-6CF5-4652-B94F-600360B15B27}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{564FD788-86C9-4444-971E-CC4A243DA150}]
"(Default)" = "Haali Media Splitter (AR)"
[HKCR\.ogg]
"Content Type" = "audio/x-ogg"
[HKCR\.mkv]
"Content Type" = "video/x-matroska"
[HKCR\Wow6432Node\CLSID\{60765CF5-01C2-4EE7-A44B-C791CF25FEA0}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}]
"FilterData" = "02 00 00 00 01 00 80 00 01 00 00 00 00 00 00 00"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}]
"FilterData" = "02 00 00 00 00 00 20 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Haali\Matroska Splitter]
"vsfilter.autoload" = "0"
[HKCR\.ts]
"PerceivedType" = "video"
[HKCR\Wow6432Node\CLSID\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{A8B25C0E-0894-4531-B668-AB1599FAF7F6}]
"(Default)" = "DVSMiscPPage"
[HKCR\Wow6432Node\CLSID\{9852A670-F845-491B-9BE6-EBD841B8A613}]
"(Default)" = "DirectVobSub (auto-loading version)"
[HKCR\Wow6432Node\CLSID\{525F116F-04AD-40A2-AE2F-A0C4E1AFEF98}]
"(Default)" = "DVSZoomPPage"
[HKCR\Wow6432Node\CLSID\{B841F346-4835-4de8-AA5E-2E7CD2D4C435}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\mp4.dll"
[HKCR\.m2ts]
"PerceivedType" = "video"
[HKCR\.mkv]
"PerceivedType" = "video"
[HKCR\.mka]
"Content Type" = "video/x-matroska"
[HKCR\Wow6432Node\CLSID\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9852A670-F845-491B-9BE6-EBD841B8A613}]
"FriendlyName" = "DirectVobSub (auto-loading version)"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}]
"CLSID" = "{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}"
[HKCR\Wow6432Node\CLSID\{90C7D10E-CE9A-479B-A238-1A0F2396DE43}]
"(Default)" = "Haali Memory Allocator"
[HKCR\HTTP\Extensions]
".mp4" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}]
"FriendlyName" = "Haali Simple Media Splitter"
[HKCR\Wow6432Node\CLSID\{A8B25C0E-0894-4531-B668-AB1599FAF7F6}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}]
"FilterData" = "02 00 00 00 00 00 20 00 03 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Windows Essentials Codec Pack]
"UninstallString" = "%Program Files% (x86)\Windows Essentials Codec Pack\uninst.exe"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}]
"FriendlyName" = "Haali Video Sink"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}]
"CLSID" = "{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}"
[HKCR\HTTP\Extensions]
".ts" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\Media Type\Extensions\.ogg]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{B841F346-4835-4de8-AA5E-2E7CD2D4C435}]
"(Default)" = "Haali TS Parser"
[HKCR\Wow6432Node\CLSID\{ACE4747B-35BD-4E97-9DD7-1D4245B0695C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"
[HKCR\Wow6432Node\CLSID\{F544E0F5-CA3C-47EA-A64D-35FCF1602396}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"
[HKCR\Wow6432Node\CLSID\{64F2005C-6CF5-4652-B94F-600360B15B27}]
"(Default)" = "Haali Matroska Parser"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Windows Essentials Codec Pack]
"DisplayIcon" = "%Program Files% (x86)\Windows Essentials Codec Pack\uninst.exe"
[HKCR\Wow6432Node\CLSID\{564FD788-86C9-4444-971E-CC4A243DA150}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{90C7D10E-CE9A-479B-A238-1A0F2396DE43}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"
[HKCR\Wow6432Node\CLSID\{7B63A013-DC2C-462E-9292-CAF8C867100F}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\HTTP\Extensions]
".OGG" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}]
"FriendlyName" = "Haali Media Splitter"
[HKCR\Wow6432Node\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\dxr.dll"
[HKCR\HTTP\Extensions]
".ogm" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{DB43B405-43AA-4f01-82D8-D84D47E6019C}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\Media Type\Extensions\.m2ts]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"
[HKCR\Wow6432Node\CLSID\{CE77C59C-CFD2-429F-868C-8B04D23F94CA}]
"(Default)" = "DVSPathsPPage"
[HKCR\Wow6432Node\CLSID\{51A00247-40A8-4845-9F17-7DBFCC9A8783}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{564FD788-86C9-4444-971E-CC4A243DA150}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"
[HKCR\Wow6432Node\CLSID\{525F116F-04AD-40A2-AE2F-A0C4E1AFEF98}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}]
"FilterData" = "02 00 00 00 00 00 20 00 01 00 00 00 00 00 00 00"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}]
"CLSID" = "{F13D3732-96BD-4108-AFEB-E85F68FF64DC}"
[HKCR\Wow6432Node\CLSID\{53D9DE0B-FC61-4650-9773-74D13CC7E582}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\mkx.dll"
[HKCR\.ts]
"Content Type" = "video/x-matroska"
[HKCR\Wow6432Node\CLSID\{BD4FB4BE-809D-487b-ADD6-F7D164247E52}]
"(Default)" = "Haali HTTP Reader"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}]
"FriendlyName" = "Haali Video Renderer"
[HKCU\Software\Haali\Matroska Splitter]
"ui.trayicon" = "1"
[HKCR\HTTP\Extensions]
".m2ts" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{C2D6D98F-09CA-4524-AF64-1049B5665C9C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}]
"FilterData" = "02 00 00 00 00 00 20 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "17807780_stp.EXE"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Windows Essentials Codec Pack]
"DisplayVersion" = "5.0"
"Publisher" = "Windows Essentials Codec Pack"
[HKCR\Wow6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}]
"CLSID" = "{760A8F35-97E7-479D-AAF5-DA9EFF95D751}"
[HKCR\Wow6432Node\Media Type\Extensions\.mks]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{564FD788-86C9-4444-971E-CC4A243DA150}]
"FriendlyName" = "Haali Media Splitter (AR)"
[HKCR\Wow6432Node\CLSID\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}]
"CLSID" = "{93A22E7A-5091-45EF-BA61-6DA26156A5D0}"
[HKCR\Wow6432Node\CLSID\{895322C5-84A1-450C-8478-C57793CAE86F}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{CE77C59C-CFD2-429F-868C-8B04D23F94CA}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Wow6432Node\HaaliMkx\Input]
"avi.1" = "ffffffff00000000ffffffff,524946460000000041564920,{51A00247-40A8-4845-9F17-7DBFCC9A8783}"
[HKCR\Wow6432Node\Media Type\Extensions\.mp4]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\Media Type\Extensions\.ogm]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{49952F4C-3EDC-4A9B-8906-1DE02A3D4BC2}]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"
[HKCR\Wow6432Node\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{BD4FB4BE-809D-487b-ADD6-F7D164247E52}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}]
"FilterData" = "02 00 00 00 00 00 20 00 01 00 00 00 00 00 00 00"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9852A670-F845-491B-9BE6-EBD841B8A613}]
"CLSID" = "{9852A670-F845-491B-9BE6-EBD841B8A613}"
[HKCR\Wow6432Node\CLSID\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}]
"(Default)" = "Haali Video Sink"
[HKCR\Wow6432Node\CLSID\{EB02CC0B-C3BF-4c10-859C-70F42AFCD6B6}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{895322C5-84A1-450C-8478-C57793CAE86F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"
[HKCR\.m2ts]
"Content Type" = "video/x-matroska"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}]
"FriendlyName" = "DirectVobSub"
[HKCR\Wow6432Node\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}]
"(Default)" = "Haali Video Renderer"
[HKCR\Wow6432Node\CLSID\{60765CF5-01C2-4EE7-A44B-C791CF25FEA0}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"
[HKCU\Software\Haali\Matroska Splitter]
"input.fonts" = "1"
[HKCR\Wow6432Node\CLSID\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}]
"(Default)" = "Haali Media Splitter"
[HKCR\Wow6432Node\Media Type\Extensions\.ts]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{A8B25C0E-0894-4531-B668-AB1599FAF7F6}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"
[HKCR\Wow6432Node\CLSID\{7B63A013-DC2C-462E-9292-CAF8C867100F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"
[HKCR\Wow6432Node\CLSID\{51A00247-40A8-4845-9F17-7DBFCC9A8783}]
"(Default)" = "Haali Avi Parser"
[HKCR\Wow6432Node\CLSID\{53D9DE0B-FC61-4650-9773-74D13CC7E582}]
"(Default)" = "Haali Disk File Reader"
[HKCR\Wow6432Node\CLSID\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}\InprocServer32]
"ThreadingModel" = "Both"
[HKCU\Software\Gabest\VSFilter\General]
"EnableZPIcon" = "0"
[HKCR\Wow6432Node\CLSID\{B841F346-4835-4de8-AA5E-2E7CD2D4C435}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\ts.dll"
[HKCR\Wow6432Node\CLSID\{DB43B405-43AA-4f01-82D8-D84D47E6019C}]
"(Default)" = "Haali OGM Parser"
[HKCR\Wow6432Node\CLSID\{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\.ogg]
"PerceivedType" = "audio"
[HKCR\.mka]
"PerceivedType" = "video"
[HKCR\Wow6432Node\CLSID\{60765CF5-01C2-4EE7-A44B-C791CF25FEA0}]
"(Default)" = "DVSMainPPage"
[HKCR\Wow6432Node\CLSID\{7B63A013-DC2C-462E-9292-CAF8C867100F}]
"(Default)" = "Haali Media Splitter about page"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Windows Essentials Codec Pack]
"URLInfoAbout" = "http://www.mediacodec.org/"
[HKCR\.mks]
"Content Type" = "video/x-matroska"
[HKCR\Wow6432Node\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}]
"(Default)" = "Haali Video Renderer Image Properties"
[HKCR\Wow6432Node\CLSID\{0180E49C-13BF-46DB-9AFD-9F52292E1C22}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\Media Type\Extensions\.mka]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}]
"(Default)" = "Haali Video Renderer Properties"
[HKCR\Wow6432Node\CLSID\{EB02CC0B-C3BF-4c10-859C-70F42AFCD6B6}]
"(Default)" = "Haali Avisynth DS Reader"
[HKCR\Wow6432Node\CLSID\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"
[HKLM\SOFTWARE\Wow6432Node\HaaliMkx\Input]
"ts.1" = "ff,47,{B841F346-4835-4de8-AA5E-2E7CD2D4C435}"
[HKCR\Wow6432Node\CLSID\{EB02CC0B-C3BF-4c10-859C-70F42AFCD6B6}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\avs.dll"
[HKCR\Wow6432Node\CLSID\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}]
"(Default)" = "Haali Simple Media Splitter"
[HKCU\Software\Haali\Matroska Splitter]
"input.linking" = "1"
[HKCR\Wow6432Node\CLSID\{C2D6D98F-09CA-4524-AF64-1049B5665C9C}]
"(Default)" = "DVSColorPPage"
[HKCU\Software\Haali]
"(Default)" = ""
[HKCR\Wow6432Node\CLSID\{525F116F-04AD-40A2-AE2F-A0C4E1AFEF98}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"
[HKCR\Wow6432Node\CLSID\{BD4FB4BE-809D-487b-ADD6-F7D164247E52}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\mkx.dll"
[HKCU\Software\Gabest\VSFilter\General]
"SeenDivxWarning" = "0"
[HKCR\HTTP\Extensions]
".mka" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{895322C5-84A1-450C-8478-C57793CAE86F}]
"(Default)" = "Haali Media Splitter properties page"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{564FD788-86C9-4444-971E-CC4A243DA150}]
"FilterData" = "02 00 00 00 00 00 40 00 02 00 00 00 00 00 00 00"
[HKCR\Wow6432Node\CLSID\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"
[HKCR\Wow6432Node\CLSID\{69CE757B-E8C0-4B0A-9EA0-CEA284096F98}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{49952F4C-3EDC-4A9B-8906-1DE02A3D4BC2}]
"0" = "0,4,,1A45DFA3"
"1" = "0,4,,52494646,8,4,,43445841,36,4,,64617461,68,4,,1A45DFA3"
[HKCR\HTTP\Extensions]
".mkv" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\.mks]
"PerceivedType" = "video"
[HKCR\HTTP\Extensions]
".mks" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{0180E49C-13BF-46DB-9AFD-9F52292E1C22}]
"(Default)" = "DVSGeneralPPage"
[HKLM\SOFTWARE\Wow6432Node\Windows Essentials Codec Pack]
"InstallPath" = "%Program Files% (x86)\Windows Essentials Codec Pack"
[HKCR\Wow6432Node\CLSID\{51A00247-40A8-4845-9F17-7DBFCC9A8783}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\avi.dll"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}]
"CLSID" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"
[HKCR\Wow6432Node\CLSID\{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}]
"(Default)" = "Haali MP4 Parser"
[HKCR\Wow6432Node\CLSID\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}]
"(Default)" = "Haali Matroska Muxer"
[HKCR\Wow6432Node\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\dxr.dll"
[HKCR\Wow6432Node\CLSID\{9852A670-F845-491B-9BE6-EBD841B8A613}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"
[HKCR\Wow6432Node\CLSID\{ACE4747B-35BD-4E97-9DD7-1D4245B0695C}]
"(Default)" = "DVSTimingPPage"
[HKCR\Wow6432Node\CLSID\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{69CE757B-E8C0-4B0A-9EA0-CEA284096F98}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{564FD788-86C9-4444-971E-CC4A243DA150}]
"CLSID" = "{564FD788-86C9-4444-971E-CC4A243DA150}"
[HKCR\Wow6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\dxr.dll"
[HKCR\Wow6432Node\CLSID\{9852A670-F845-491B-9BE6-EBD841B8A613}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{DB43B405-43AA-4f01-82D8-D84D47E6019C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\ogm.dll"
[HKCR\Wow6432Node\CLSID\{CE77C59C-CFD2-429F-868C-8B04D23F94CA}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"
[HKCU\Software\Gabest\VSFilter\General]
"VMRZoomEnabled" = "0"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}]
"FriendlyName" = "Haali Matroska Muxer"
[HKCR\Wow6432Node\CLSID\{C2D6D98F-09CA-4524-AF64-1049B5665C9C}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{F544E0F5-CA3C-47EA-A64D-35FCF1602396}]
"(Default)" = "DVSAboutPPage"
[HKCR\Wow6432Node\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Wow6432Node\HaaliMkx\Input]
"ogm.1" = "ffffffff,4f676753,{DB43B405-43AA-4f01-82D8-D84D47E6019C}"
[HKCR\Wow6432Node\CLSID\{F544E0F5-CA3C-47EA-A64D-35FCF1602396}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}]
"(Default)" = "DirectVobSub"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9852A670-F845-491B-9BE6-EBD841B8A613}]
"FilterData" = "02 00 00 00 02 00 80 00 03 00 00 00 00 00 00 00"
[HKCR\Wow6432Node\CLSID\{53D9DE0B-FC61-4650-9773-74D13CC7E582}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{0180E49C-13BF-46DB-9AFD-9F52292E1C22}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Windows Essentials Codec Pack]
"DisplayName" = "Windows Essentials Codec Pack 5.0"
[HKCR\Wow6432Node\CLSID\{64F2005C-6CF5-4652-B94F-600360B15B27}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\mkx.dll"
The Malware deletes the following registry key(s):
[HKCR\Wow6432Node\Media Type\Extensions\.mkv]
[HKCR\Wow6432Node\Media Type\Extensions\.mks]
[HKCR\Wow6432Node\Media Type\Extensions\.mka]
The process %original file name%.exe:3896 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "D7 FF E5 C5 04 3F D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "D7 FF E5 C5 04 3F D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "D7 FF E5 C5 04 3F D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
2ce53dbbd35e72bcf3ef9840a6a4956e | c:\Program Files (x86)\Windows Essentials Codec Pack\IntelQuickSyncDecoder.dll |
0ad12598d9dc200553130f2857436c00 | c:\Program Files (x86)\Windows Essentials Codec Pack\LAVAudio.ax |
1f50c7e254ac7f29b33aa0d07a8167b9 | c:\Program Files (x86)\Windows Essentials Codec Pack\LAVSplitter.ax |
341c2eac7a6ab4b9c50436da1f3b9bae | c:\Program Files (x86)\Windows Essentials Codec Pack\LAVVideo.ax |
fdc16f167090ffd3bb059374ad6fc54c | c:\Program Files (x86)\Windows Essentials Codec Pack\VSFilter.dll |
53bc42fde8522e537079689f700d2eb8 | c:\Program Files (x86)\Windows Essentials Codec Pack\avcodec-lav-55.dll |
d45de93db15ce47942ad2e6e7ef197e6 | c:\Program Files (x86)\Windows Essentials Codec Pack\avfilter-lav-4.dll |
d30df82a338b037c302b460529657144 | c:\Program Files (x86)\Windows Essentials Codec Pack\avformat-lav-55.dll |
5d4021e4dd26f64da49b7221b6962641 | c:\Program Files (x86)\Windows Essentials Codec Pack\avi.dll |
826ce5b9feaf84e17709a6c994581808 | c:\Program Files (x86)\Windows Essentials Codec Pack\avresample-lav-1.dll |
66fc9a44047ee0c88175931b02bd9a4c | c:\Program Files (x86)\Windows Essentials Codec Pack\avs.dll |
74e8dbd9be5794f9d9eaaeda83427875 | c:\Program Files (x86)\Windows Essentials Codec Pack\avss.dll |
52e6e9a3726797ddca400ef983cb8db8 | c:\Program Files (x86)\Windows Essentials Codec Pack\avutil-lav-52.dll |
7ec9cb7352d8291d1c97085727a7c63a | c:\Program Files (x86)\Windows Essentials Codec Pack\dsmux.exe |
31b7af4aa6dddf2cc64088a716eaa68e | c:\Program Files (x86)\Windows Essentials Codec Pack\dxr.dll |
17b90b130716d867fe1892232cb7764f | c:\Program Files (x86)\Windows Essentials Codec Pack\gdsmux.exe |
3c27d03b4f26e2d80962061b4f56e3e1 | c:\Program Files (x86)\Windows Essentials Codec Pack\libbluray.dll |
ce0e6ace567e049bc30668a9bcf5f484 | c:\Program Files (x86)\Windows Essentials Codec Pack\mkunicode.dll |
9b093d85c1742c2b30d4b5a0658144eb | c:\Program Files (x86)\Windows Essentials Codec Pack\mkv2vfr.exe |
3f67ef1705c3464502ed1f69e872a43c | c:\Program Files (x86)\Windows Essentials Codec Pack\mkx.dll |
30180f48e918908306c6e6d94845bace | c:\Program Files (x86)\Windows Essentials Codec Pack\mkzlib.dll |
0ae1991d688d91cdf48a4b631d2cde4d | c:\Program Files (x86)\Windows Essentials Codec Pack\mp4.dll |
4c7c04c0d9e52ee1d578dbab61b8dc44 | c:\Program Files (x86)\Windows Essentials Codec Pack\ogm.dll |
80e491d8d4b750fc58d6877a3e684101 | c:\Program Files (x86)\Windows Essentials Codec Pack\splitter.ax |
134aee5fec65f53d684f72835e48daa8 | c:\Program Files (x86)\Windows Essentials Codec Pack\swscale-lav-2.dll |
b3c3373c55269d61bce61e4501a205db | c:\Program Files (x86)\Windows Essentials Codec Pack\ts.dll |
cce1f00a706e9070b7fac1ae8f8dce13 | c:\Program Files (x86)\Windows Essentials Codec Pack\uninst.exe |
7a23586c77d9b0cdf944ae2f6e004a49 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is898099773\17807780_stp.EXE |
HOSTS file anomalies
The Malware modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses. The modified file is 907 bytes in size. The following entries are added to the hosts file:
127.0.0.1 | validation.sls.microsoft.com |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
17807780_stp.EXE:1440
%original file name%.exe:3896
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%Program Files% (x86)\Windows Essentials Codec Pack\ogm.dll (3361 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\LAVAudio.ax (10709 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll (40598 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Essentials Codec Pack\Uninstall.lnk (1 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\cue2xml.js (4 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mp4.dll (5506 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mkzlib.dll (846 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\Windows Essentials Codec Pack.url (52 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\dxr.dll (7391 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax (16187 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avi.dll (2396 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\swscale-lav-2.dll (14370 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avs.dll (1098 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\LAVVideo.ax (22599 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mkunicode.dll (48 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avss.dll (737 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avutil-lav-52.dll (13282 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\gdsmux.exe (7842 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mkx.dll (3906 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\dsmux.exe (2918 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avcodec-lav-55.dll (201783 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\COPYING (18 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\libbluray.dll (10116 bytes)
C:\Windows\System32\drivers\etc\hosts (43 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\IntelQuickSyncDecoder.dll (13115 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\LAVSplitter.ax (15530 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avformat-lav-55.dll (29707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Essentials Codec Pack\Website.lnk (1 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mkv2vfr.exe (4034 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\ts.dll (4404 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avresample-lav-1.dll (3317 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\CHANGELOG.txt (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz513C.tmp\System.dll (23 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\LAVFilters.Dependencies.manifest (482 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\uninst.exe (571 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avfilter-lav-4.dll (6610 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\locale\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\logo_new[1].png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Rerarapepe_b[1].png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Neyayeneda_TopImg[1].png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\declineBG[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\loader.gif (10 bytes)
%Program Files% (x86)\is665125.log (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\Yes_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\bootstrap_60311.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Close_Hover.png (500 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (1540 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\No_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\logo[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Color_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\main.css (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A26A2.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A68D0.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\No_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\BG.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is898099773\17807780_stp.EXE (9091 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Color_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\ie6_main.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\Yes_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A2432.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Rerarapepe[1].png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\ProgressBar.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\bg2[1].jpg (4704 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Close.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A2480.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Grey_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\Rerarapepe3[1].jpg (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A2664.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Progress.png (740 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\bg1[1].jpg (21280 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Grey_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is898099773\17807780_stp.EXE.part (807 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\wplayer.png (2 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name:
Product Name: Web
Product Version: 5.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: Web Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 37732 | 37888 | 4.63502 | f6a90e4028b4e215ec0a315cb1e50b38 |
DATA | 45056 | 588 | 1024 | 1.8986 | d5ea23d4ecf110fd2591314cbaa84278 |
BSS | 49152 | 3720 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
.tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
.reloc | 65536 | 2228 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 69632 | 113452 | 113664 | 4.1027 | 53683b46659a8f63c5cc39c705578328 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://securefilesetup.com/distribution/?product=wecp&channel=A004 | |
hxxp://os.mediacodeccdn.com/Or-interactive/?v=5.0&c=1932223866 | 54.77.76.227 |
hxxp://rp.mediacodeccdn.com/?pcrc=2010889011&v=2.0 | 54.228.198.117 |
hxxp://d27jwl8eflbzdd.cloudfront.net/CodecSetup.exe | 54.230.203.202 |
hxxp://46.166.187.59/img/Global/Yes_Button.png | |
hxxp://46.166.187.59/img/Global/Yes_Button_Hover.png | |
hxxp://46.166.187.59/img/Global/No_Button_Hover.png | |
hxxp://46.166.187.59/img/Neyayeneda/Neyayeneda_TopImg.png | |
hxxp://46.166.187.59/img/Malaromoro/bg1.jpg | |
hxxp://46.166.187.59/img/Malaromoro/bg2.jpg | |
hxxp://46.166.187.59/img/Rerarapepe/logo.png | |
hxxp://46.166.187.59/img/Rerarapepe/logo_new.png | |
hxxp://46.166.187.59/img/Rerarapepe/Rerarapepe3.jpg | |
hxxp://46.166.187.59/img/Rerarapepe/Rerarapepe.png | |
hxxp://46.166.187.59/img/Rerarapepe/Rerarapepe_b.png | |
hxxp://rp.mediacodeccdn.com/?pcrc=2078491783&v=2.0 | 54.228.198.117 |
hxxp://rp.mediacodeccdn.com/?pcrc=920873456&v=2.0 | 54.228.198.117 |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ff1eb6bf02500eae | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ac721c9ae92b7fe0 | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 87.245.202.16 |
hxxp://img.mediacodeccdn.com/img/Rerarapepe/Rerarapepe.png | |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | 23.43.139.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | 23.43.139.27 |
hxxp://img.mediacodeccdn.com/img/Malaromoro/bg2.jpg | |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | 23.43.139.27 |
hxxp://img.mediacodeccdn.com/img/Neyayeneda/Neyayeneda_TopImg.png | |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ff1eb6bf02500eae | 87.245.202.35 |
hxxp://crl.verisign.com/pca3.crl | 23.43.133.163 |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 87.245.202.16 |
hxxp://img.mediacodeccdn.com/img/Rerarapepe/logo.png | |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 87.245.202.16 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.43.139.27 |
hxxp://img.mediacodeccdn.com/img/Global/No_Button_Hover.png | |
hxxp://img.mediacodeccdn.com/img/Rerarapepe/logo_new.png | |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 87.245.202.16 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.43.139.27 |
hxxp://img.mediacodeccdn.com/img/Malaromoro/bg1.jpg | |
hxxp://img.mediacodeccdn.com/img/Rerarapepe/Rerarapepe_b.png | |
hxxp://img.mediacodeccdn.com/img/Rerarapepe/Rerarapepe3.jpg | |
hxxp://img.mediacodeccdn.com/img/Global/Yes_Button.png | |
hxxp://img.mediacodeccdn.com/img/Global/Yes_Button_Hover.png | |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ac721c9ae92b7fe0 | 87.245.202.35 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=524341, public, no-transform, must-revalidate
Last-Modified: Sun, 1 Feb 2015 18:08:13 GMT
Expires: Sun, 8 Feb 2015 18:08:13 GMT
Date: Mon, 02 Feb 2015 16:29:20 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 812
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT
If-None-Match: "a2f3ff97eeecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT
Accept-Ranges: bytes
ETag: "88c4768d3f2ad01:0"
Server: Microsoft-IIS/8.0
VTag: 791450244700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Mon, 02 Feb 2015 16:28:32 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT
If-None-Match: "3e1c83923e1cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT
Accept-Ranges: bytes
ETag: "d2e35dc7e31cd01:0"
Server: Microsoft-IIS/8.0
VTag: 27948442200000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Mon, 02 Feb 2015 16:28:32 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT
If-None-Match: "58cddbea90dfcf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT
Accept-Ranges: bytes
ETag: "9a9a44d511bd01:0"
Server: Microsoft-IIS/8.0
VTag: 279252244600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Mon, 02 Feb 2015 16:28:32 GMT
Connection: keep-alive
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ff1eb6bf02500eae HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT
If-None-Match: "0b2464b1797cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
ETag: "0b2464b1797cf1:0"
Cache-Control: max-age=86400
Date: Mon, 02 Feb 2015 16:28:32 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=399415, public, no-transform, must-revalidate
Last-Modified: Sat, 31 Jan 2015 07:23:00 GMT
Expires: Sat, 7 Feb 2015 07:23:00 GMT
Date: Mon, 02 Feb 2015 16:29:19 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=479114, public, no-transform, must-revalidate
Last-Modified: Sun, 1 Feb 2015 05:33:16 GMT
Expires: Sun, 8 Feb 2015 05:33:16 GMT
Date: Mon, 02 Feb 2015 16:29:19 GMT
Connection: keep-alive
<<< skipped >>>
HEAD /CodecSetup.exe HTTP/1.1
Accept: */*
Host: d27jwl8eflbzdd.cloudfront.net
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 11516520
Connection: keep-alive
Date: Fri, 09 Jan 2015 01:41:53 GMT
x-amz-meta-cb-modifiedtime: Sat, 21 Jun 2014 12:03:12 GMT
Last-Modified: Sat, 21 Jun 2014 14:17:40 GMT
ETag: "7a23586c77d9b0cdf944ae2f6e004a49"
Accept-Ranges: bytes
Server: AmazonS3
Age: 24583
X-Cache: Hit from cloudfront
Via: 1.1 09052d1a6e392e4f4a3fd97bf34a2b24.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 7liHXh5DJFJjsXwu08YOfWsADWwjoPHqXZVfo7eMaCuvhw0NeHTDEg==
GET /CodecSetup.exe HTTP/1.1
Range: bytes=0-11516519
Accept: */*
Host: d27jwl8eflbzdd.cloudfront.net
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 11516520
Connection: keep-alive
Date: Fri, 09 Jan 2015 01:41:53 GMT
x-amz-meta-cb-modifiedtime: Sat, 21 Jun 2014 12:03:12 GMT
Last-Modified: Sat, 21 Jun 2014 14:17:40 GMT
ETag: "7a23586c77d9b0cdf944ae2f6e004a49"
Accept-Ranges: bytes
Server: AmazonS3
Age: 24583
Content-Range: bytes 0-11516519/11516520
X-Cache: Hit from cloudfront
Via: 1.1 09052d1a6e392e4f4a3fd97bf34a2b24.cloudfront.net (CloudFront)
X-Amz-Cf-Id: aiZnrUFQDMCzhMSV52BdeouBdo9TGLBuFt7uQmKHd6LX5MgI7RN-Qw==
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?ac721c9ae92b7fe0 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Mon, 02 Feb 2015 16:29:03 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT
Accept-Ranges: bytes
ETag: "75565c7ac03ad01:0"
Server: Microsoft-IIS/8.0
VTag: 791666644800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Mon, 02 Feb 2015 16:29:24 GMT
Connection: keep-alive
GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com
HTTP/1.1 200 OK
Server: Apache
ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"
Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT
Date: Mon, 02 Feb 2015 16:29:19 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
POST /?pcrc=2010889011&v=2.0 HTTP/1.1
Accept: */*
Host: rp.mediacodeccdn.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 800
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 02 Feb 2015 16:24:26 GMT
Server: TornadoServer/3.1.1
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=2078491783&v=2.0 HTTP/1.1
Accept: */*
Host: rp.mediacodeccdn.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 2032
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 02 Feb 2015 16:24:36 GMT
Server: TornadoServer/3.1.1
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=920873456&v=2.0 HTTP/1.1
Accept: */*
Host: rp.mediacodeccdn.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 2112
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 02 Feb 2015 16:24:40 GMT
Server: TornadoServer/3.1.1
Content-Length: 4
Connection: keep-alive
DONE
GET /img/Global/Yes_Button_Hover.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.mediacodeccdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 02 Feb 2015 16:24:27 GMT
Content-Type: image/png
Content-Length: 1094
Connection: keep-alive
x-amz-id-2: 35dTmwNj2R5cCAvLf75lFpZrcHjzP9cJbFnn7eiiMZZUPDWD4fDumtgQqHrutKZF
x-amz-request-id: 29EDBC25060129A4
x-amz-meta-s3fox-filesize: 1094
x-amz-meta-s3fox-modifiedtime: 1380713503000
Last-Modified: Wed, 13 Nov 2013 16:12:44 GMT
x-amz-version-id: L9RQqPthtuNtMC55hxM9o_RZqWXqZtid
ETag: "aec475b9d6280598800f3ceafea4af8c"
Accept-Ranges: bytes
<<< skipped >>>
GET /img/Neyayeneda/Neyayeneda_TopImg.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.mediacodeccdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 02 Feb 2015 16:24:27 GMT
Content-Type: image/png
Content-Length: 5294
Connection: keep-alive
x-amz-id-2: hlbwVznLP7FsLEAs2RVpvEXz9MQbWfVUt9fMpbXui3QDEQe74pTlIFca0ggHc8l5
x-amz-request-id: B0949F71324B507F
x-amz-meta-cb-modifiedtime: Mon, 08 Dec 2014 15:35:18 GMT
Last-Modified: Mon, 08 Dec 2014 15:35:58 GMT
x-amz-version-id: FMo4KeFIwAQ6andjQM0juyaehifWTmdO
ETag: "e0b022bf564a4220d87633d0b4563314"
Accept-Ranges: bytes
GET /img/Malaromoro/bg2.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.mediacodeccdn.com
Connection: Keep-Alive
<<< skipped >>>
GET /img/Rerarapepe/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.mediacodeccdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 02 Feb 2015 16:24:28 GMT
Content-Type: image/png
Content-Length: 10944
Connection: keep-alive
x-amz-id-2: 2eUrHSuJHpM9jyFsf9ZJD0eygdMfOT0Sl9qFRbeTYEspfY3epVOaQWmwM7ywa5Rv
x-amz-request-id: 98991A5032697BC1
x-amz-meta-s3fox-filesize: 10944
x-amz-meta-s3fox-modifiedtime: 1384099835051
Last-Modified: Tue, 12 Nov 2013 11:05:48 GMT
x-amz-version-id: bDPFTNRsfueKXbAbmeVgRbPvzBoRvTw2
ETag: "0440e25b659207aaea00512d9a0a9924"
Accept-Ranges: bytes
<<< skipped >>>
GET /img/Rerarapepe/logo_new.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.mediacodeccdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 02 Feb 2015 16:24:28 GMT
Content-Type: image/png
Content-Length: 4569
Connection: keep-alive
x-amz-id-2: wHoH6zbccWJnikMqVq2ipm6CCxue0ptcG00ly2UOr8ijM5TmVaiz0iMEQDEnaGks
x-amz-request-id: BCE7494C294CE790
x-amz-meta-s3fox-filesize: 4569
x-amz-meta-s3fox-modifiedtime: 1388397217065
Last-Modified: Mon, 30 Dec 2013 09:53:59 GMT
x-amz-version-id: FBdIFQNqjG8fAIwxlMklzjPUXqz3Asib
ETag: "3263ff057b8e7380f7579d5aaab2bfdc"
Accept-Ranges: bytes
<<< skipped >>>
GET /img/Rerarapepe/Rerarapepe.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.mediacodeccdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 02 Feb 2015 16:24:28 GMT
Content-Type: image/png
Content-Length: 3657
Connection: keep-alive
x-amz-id-2: v92W2l JYlUtcR/OjOYK5ouFe4SsIP/swlapf3AQ1gp5StisSOpF2D/ZTcQ74e6y
x-amz-request-id: ADA4B13BF06DFF96
x-amz-meta-s3fox-filesize: 3657
x-amz-meta-s3fox-modifiedtime: 1402226184727
Last-Modified: Mon, 09 Jun 2014 14:19:41 GMT
x-amz-version-id: nXvqG1jeKyMVMqgSg3LnBI1CMsSqJwdV
ETag: "e568d92e622a3ac2f573a98d91df1421"
Accept-Ranges: bytes
<<< skipped >>>
HEAD /distribution/?product=wecp&channel=A004 HTTP/1.1
Accept: */*
Host: securefilesetup.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Mon, 02 Feb 2015 16:24:25 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 02 Feb 2015 16:24:25 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Location: hXXp://d27jwl8eflbzdd.cloudfront.net/CodecSetup.exe
POST /Or-interactive/?v=5.0&c=1932223866 HTTP/1.1
Accept: */*
Host: os.mediacodeccdn.com
User-Agent: ICAS
Content-Length: 1252
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html
Date: Mon, 02 Feb 2015 16:24:26 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: nginx
X-ICSCT-CC: UA
X-ICSCT-CITY: Kharkov
X-ICSCT-GICSET: global137ad
X-ICSCT-IP: 193.138.244.231
X-ICSCT-SERVER-NAME: ads.slave-eu-west-1a-f6897811
X-ICSCT-TIMESTAMP: 20150202112426506
X-ICSCT-VERSION: 1.2.5
X-Robots-Tag: none
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
GET /img/Global/Yes_Button.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.mediacodeccdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 02 Feb 2015 16:24:27 GMT
Content-Type: image/png
Content-Length: 1091
Connection: keep-alive
x-amz-id-2: 3 TEOy80OHWW0B3rS5rgyGoW LVBUK5YaH4Xl1hpnw3B3//kKqmgcTDhKr0y8TYH
x-amz-request-id: 340BFC5C75739B3B
x-amz-meta-s3fox-filesize: 1091
x-amz-meta-s3fox-modifiedtime: 1380713503006
Last-Modified: Wed, 13 Nov 2013 16:12:48 GMT
x-amz-version-id: .ffwqW.8iCK2_zdeBNvgWdy.OnUDjeHF
ETag: "3f27a393967d84f83a317f40351c0065"
Accept-Ranges: bytes
<<< skipped >>>
GET /img/Global/No_Button_Hover.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.mediacodeccdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 02 Feb 2015 16:24:27 GMT
Content-Type: image/png
Content-Length: 1091
Connection: keep-alive
x-amz-id-2: GZ07dztd4nGLnaThrCD1qQv1ZS/tRI3r7vMaqmPldQ8ZlqOQVsaJjFJGuAmdXFXE
x-amz-request-id: 2B66C77C4BA084F0
x-amz-meta-s3fox-filesize: 1091
x-amz-meta-s3fox-modifiedtime: 1380713503004
Last-Modified: Wed, 13 Nov 2013 16:12:47 GMT
x-amz-version-id: wNmfJwpUmazhRatL.BZxBG0x.XZldhEV
ETag: "6d55a62314755c1454569b2b098a3a9f"
Accept-Ranges: bytes
<<< skipped >>>
GET /img/Malaromoro/bg1.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.mediacodeccdn.com
Connection: Keep-Alive
<<< skipped >>>
GET /img/Rerarapepe/Rerarapepe3.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.mediacodeccdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 02 Feb 2015 16:24:28 GMT
Content-Type: image/jpeg
Content-Length: 15799
Connection: keep-alive
x-amz-id-2: ZPB qpJApNlHvu1ztM6LNURd25DiRNkfiZzAkJxnsjPtUEe25TSWUgPjXbcjs0cK
x-amz-request-id: 343E1846C2C2B09F
x-amz-meta-s3fox-filesize: 15799
x-amz-meta-s3fox-modifiedtime: 1394538949746
Last-Modified: Tue, 11 Mar 2014 11:56:45 GMT
x-amz-version-id: zPl9IpmeaG3ff3qZpgvUQzMtoydG8QKH
ETag: "3e2809731062d36b6ae81e70aef3b785"
Accept-Ranges: bytes
<<< skipped >>>
GET /img/Rerarapepe/Rerarapepe_b.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.mediacodeccdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 02 Feb 2015 16:24:28 GMT
Content-Type: image/png
Content-Length: 5163
Connection: keep-alive
x-amz-id-2: g4IYg0CHc8Pggb1S08hK3W1RCRywuIWGEcXMJyHbuPQB5EkSjf1lefHlNMq8RuZo
x-amz-request-id: 79ACCBCDEA3F260B
x-amz-meta-s3fox-filesize: 5163
x-amz-meta-s3fox-modifiedtime: 1402217717749
Last-Modified: Mon, 09 Jun 2014 14:41:12 GMT
x-amz-version-id: KNAPX8e2AxH1Bx9jEBmu7jKCGa_97Tvk
ETag: "297eebd38313ee5b5ce0639f28ef2690"
Accept-Ranges: bytes
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=564721, public, no-transform, must-revalidate
Last-Modified: Mon, 2 Feb 2015 05:21:26 GMT
Expires: Mon, 9 Feb 2015 05:21:26 GMT
Date: Mon, 02 Feb 2015 16:29:25 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=479452, public, no-transform, must-revalidate
Last-Modified: Sun, 1 Feb 2015 05:38:09 GMT
Expires: Sun, 8 Feb 2015 05:38:09 GMT
Date: Mon, 02 Feb 2015 16:29:22 GMT
Connection: keep-alive
<<< skipped >>>
Map
The Malware connects to the servers at the following location(s):