Adware.Linkey.C (AdAware)
Behaviour: Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f7ef8bf908b51f10187f3c858d81dc3a
SHA1: 91a1f512e8641f5ed52eb5977f4f0a2453159297
SHA256: 83e81954f7bef0da85305a81d35c58f738f2a86261c253a1e2e8dcbbeba777cf
SSDeep: 24576:QzZzHMLoUaG/eEmk8IIlkFxVRBDX94BZBuDNoqm8GK:Q DhmEnTSyxzVNMZBuDNolK
Size: 1460592 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Aztec Media Inc
Created at: 2010-04-10 15:19:38
Analyzed on: Windows7Ada SP1 64-bit
Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Adware creates the following process(es):
ffExtension.exe:1688
helper.exe:1912
regsvr32.exe:296
pack.exe:780
%original file name%.exe:1652
The Adware injects its code into the following process(es):
No code injection into other processes was observed.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process ffExtension.exe:1688 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\extension@linkeyproject.com\install.rdf (771 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\extension@linkeyproject.com\skin\logo.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\extension@linkeyproject.com\content\button.css (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\extension@linkeyproject.com\content\action.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\extension@linkeyproject.com\content\overlay.xul (658 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\extension@linkeyproject.com\chrome.manifest (193 bytes)
The process helper.exe:1912 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\AppAssocReg.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\ShellLink.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\CityHash.dll (1613 bytes)
The process regsvr32.exe:296 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files% (x86)\Linkey\IEExtension\comext.dll (98 bytes)
The process pack.exe:780 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files% (x86)\Linkey\IEExtension\icon.ico (1 bytes)
%Program Files% (x86)\Linkey\ChromeExtension\ChromeExtension.crx (47 bytes)
%Program Files% (x86)\Linkey\IEExtension\comext.dll (1137 bytes)
%Program Files% (x86)\Linkey\IEExtension\hoticon.ico (1 bytes)
The process %original file name%.exe:1652 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsl6866.tmp\pack.exe (6714 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv68F3.tmp (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\MoreInfo.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\Uninstall.exe (8214 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\FindProcDLL.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\modern-header.bmp (2104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsl6866.tmp\ffExtension.exe (3494 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Linkey.lnk (830 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\Helper.dll (31515 bytes)
%Program Files% (x86)\Linkey\Uninstall.exe (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\UAC.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\System.dll (23 bytes)
%Program Files% (x86)\Linkey\Helper.dll (10815 bytes)
%Program Files% (x86)\Linkey\log.log (29266 bytes)
Registry activity
The process helper.exe:1912 makes changes in the system registry. The entries below register Firefox as the handler for the http, https and ftp protocols and for the .htm, .html, .shtml, .xht and .xhtml extensions (per-user UserChoice and Classes keys), which is consistent with the AppAssocReg.dll NSIS plugin this process dropped into its nsv5DA.tmp directory.
The Adware creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe,1"
[HKCU\Software\Classes\https\shell]
"(Default)" = "open"
[HKCU\Software\Classes\https]
"URL Protocol" = ""
[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid" = "FirefoxURL"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"
[HKCU\Software\Classes\FirefoxURL\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid" = "FirefoxURL"
[HKCU\Software\Classes\FirefoxHTML\DefaultIcon]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe,1"
[HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\TaskBarIDs\%Program Files% (x86)]
"Mozilla Firefox" = "E7CF176E110C211B"
[HKCU\Software\Classes\FirefoxURL]
"FriendlyTypeName" = "Firefox URL"
"URL Protocol" = ""
[HKCU\Software\Classes\http\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid" = "FirefoxHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid" = "FirefoxHTML"
[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe,1"
[HKCU\Software\Classes\FirefoxURL\DefaultIcon]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe,1"
[HKCU\Software\Classes\FirefoxHTML\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe -osint -url %1"
[HKCU\Software\Classes\http]
"URL Protocol" = ""
[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe,1"
[HKCU\Software\Classes\FirefoxURL\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe -osint -url %1"
[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe -osint -url %1"
[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Classes\FirefoxHTML]
"(Default)" = "Firefox HTML Document"
[HKCU\Software\Classes\FirefoxHTML\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid" = "FirefoxURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid" = "FirefoxHTML"
[HKCU\Software\Classes\FirefoxHTML]
"FriendlyTypeName" = "Firefox HTML Document"
[HKCU\Software\Classes\FirefoxURL\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Classes\ftp]
"URL Protocol" = ""
[HKCU\Software\Classes\FirefoxURL]
"(Default)" = "Firefox URL"
[HKCU\Software\Classes\FirefoxHTML\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "FIREFOX.EXE"
[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe -osint -url %1"
[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe -osint -url %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid" = "FirefoxHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid" = "FirefoxHTML"
The Adware deletes the following registry key(s):
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
[HKCU\Software\Classes\https\shell\open\ddeexec]
[HKCU\Software\Classes\FirefoxHTML\shell\open\ddeexec]
[HKCU\Software\Classes\http\shell\open\ddeexec]
[HKCU\Software\Classes\FirefoxURL\shell\open\ddeexec]
The Adware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid"
The process regsvr32.exe:296 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCR\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0]
"(Default)" = "comextLib"
[HKCR\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Linkey\IEExtension\comext.dll"
[HKCR\Wow6432Node\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}\TypeLib]
"(Default)" = "{726E90BE-DC22-4965-B215-E0784DC26F47}"
[HKCR\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}]
"(Default)" = "IButtonExt"
[HKCR\Wow6432Node\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}]
"(Default)" = "IButtonExt"
[HKCR\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}\TypeLib]
"(Default)" = "{726E90BE-DC22-4965-B215-E0784DC26F47}"
[HKCR\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Wow6432Node\CLSID\{C9776592-77D0-4C68-8F83-BC65F674B92A}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Wow6432Node\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{C9776592-77D0-4C68-8F83-BC65F674B92A}\TypeLib]
"(Default)" = "{726E90BE-DC22-4965-B215-E0784DC26F47}"
[HKCR\Wow6432Node\CLSID\{C9776592-77D0-4C68-8F83-BC65F674B92A}]
"(Default)" = "Linkey ButtonExt Class"
[HKCR\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\CLSID\{C9776592-77D0-4C68-8F83-BC65F674B92A}\Version]
"(Default)" = "1.0"
[HKCR\Wow6432Node\CLSID\{C9776592-77D0-4C68-8F83-BC65F674B92A}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Linkey\IEExtension\comext.dll"
[HKCR\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Linkey\IEExtension"
[HKCR\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
The process %original file name%.exe:1652 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"DisplayIcon" = "%Program Files% (x86)\Linkey\uninstall.exe"
[HKCU\Software\Linkey]
"home" = "%Program Files% (x86)\Linkey"
[HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fpmeembnagmagppkgghhfjfdfajdfcah]
"Path" = "%Program Files% (x86)\Linkey\ChromeExtension\ChromeExtension.crx"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Linkey]
"LN" = "en"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fpmeembnagmagppkgghhfjfdfajdfcah]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"UninstallString" = "%Program Files% (x86)\Linkey\uninstall.exe"
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\Linkey]
"clid" = "{03CB007A-DB84-45C8-A35E-78A28B4A8564}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"InstallLocation" = "%Program Files% (x86)\Linkey"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"Icon" = "%Program Files% (x86)\Linkey\IEExtension\icon.ico"
[HKCR\Applications\%original file name%.exe]
"IsHostApp" = ""
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"Default Visible" = "Yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"NoRepair" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"ButtonText" = "Linkey"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"DisplayName" = "Linkey"
"Traffic_type" = "n"
[HKCU\Software\Linkey]
"iTime" = "2014-08-27"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"CLSID" = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3B 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Linkey]
"iver" = "0.0.0.90"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"HotIcon" = "%Program Files% (x86)\Linkey\IEExtension\hoticon.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.24.7, , \??\C:\Windows\TEMP\GoogleUpdateSetup.exe1b71e, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\Helper.dll,"
[HKCU\Software\Linkey]
"AppID" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"DisplayVersion" = "0.0.0.90"
[HKCU\Software\Linkey]
"pver" = "0.0.0.90"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"ClsidExtension" = "{C9776592-77D0-4C68-8F83-BC65F674B92A}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"Publisher" = "Aztec Media Inc"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "A9 2D 66 83 CF C1 CF 01"
[HKCU\Software\Linkey]
"sysid" = "300"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "A9 2D 66 83 CF C1 CF 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Adware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
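The registry listings above are the part of this report a responder actually works from, so the following added example (written for this page; it is not Lavasoft's analysis code nor anything from the Linkey installer) parses that listing format into structured records and flags the entries that give Linkey a foothold in the browsers: the Chrome external-extension registration, the Internet Explorer Extensions button, the COM InprocServer32 registration for comext.dll, and the Uninstall entry. The input is a constructed excerpt of the report's own registry lines; the category names and regular expressions are this example's own.

```python
"""Parse the sandbox report's registry-activity listing into structured
records and flag the entries that matter for persistence and removal.

Added example for this page; not Lavasoft's or Linkey's code.  The input
below is a constructed excerpt of the registry lines shown in the report."""
import re
from collections import namedtuple

# Constructed sample: a subset of the registry lines shown in this report.
SAMPLE_REGISTRY_ACTIVITY = r"""
[HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fpmeembnagmagppkgghhfjfdfajdfcah]
"Path" = "%Program Files% (x86)\Linkey\ChromeExtension\ChromeExtension.crx"
"Version" = "1.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"ClsidExtension" = "{C9776592-77D0-4C68-8F83-BC65F674B92A}"
"ButtonText" = "Linkey"
[HKCR\Wow6432Node\CLSID\{C9776592-77D0-4C68-8F83-BC65F674B92A}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Linkey\IEExtension\comext.dll"
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"UninstallString" = "%Program Files% (x86)\Linkey\uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
"""

RegValue = namedtuple("RegValue", "key name data")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')

def parse_registry_activity(text):
    """Return RegValue records; each value belongs to the preceding [key] line."""
    records, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            records.append(RegValue(current_key, m.group(1), m.group(2)))
    return records

# Key shapes (hypothetical category names, this example's own) that register
# code to load inside a browser or that a removal procedure must clean up.
# The hive and any Wow6432Node component are stripped before matching so one
# pattern covers both the 32-bit and 64-bit registry views.
PERSISTENCE_PATTERNS = [
    ("chrome_extension", re.compile(r"^SOFTWARE\\Google\\Chrome\\Extensions\\([a-p]{32})", re.I)),
    ("ie_extension",     re.compile(r"^SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\(\{[0-9A-F-]{36}\})", re.I)),
    ("com_inproc",       re.compile(r"^CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", re.I)),
    ("uninstall_entry",  re.compile(r"^Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\([^\\]+)$", re.I)),
]

def normalize_key(key):
    """Drop the hive (HKLM/HKCU/HKCR) and any Wow6432Node path component."""
    parts = key.split("\\")[1:]
    return "\\".join(p for p in parts if p.lower() != "wow6432node")

def find_persistence(records):
    """Map each flagged record to (category, identifier, value name, data)."""
    hits = []
    for rec in records:
        norm = normalize_key(rec.key)
        for category, pattern in PERSISTENCE_PATTERNS:
            m = pattern.match(norm)
            if m:
                hits.append((category, m.group(1), rec.name, rec.data))
                break
    return hits

def keys_to_remove(records):
    """Distinct registry keys holding flagged values, for a removal checklist."""
    flagged = {rec.key for rec in records
               if any(p.match(normalize_key(rec.key)) for _, p in PERSISTENCE_PATTERNS)}
    return sorted(flagged)
```

Run against the full listing on this page, `find_persistence` returns the Chrome extension ID, the IE Extensions GUID and the comext.dll CLSID as identifiers, which are the values a host check or a removal script needs; the proxy and WPAD noise in the same listing is left alone because it matches none of the patterns.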
Dropped PE files
MD5 | File path |
---|---|
4e74897a2b5df1d35c4a42d47339f299 | c:\Program Files (x86)\Linkey\Helper.dll |
81c6a0ec6deb3c69b32624bd5034332c | c:\Program Files (x86)\Linkey\IEExtension\comext.dll |
2ca991e44756151dabe682bb9200b06f | c:\Program Files (x86)\Linkey\Uninstall.exe |
4e74897a2b5df1d35c4a42d47339f299 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\Helper.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ffExtension.exe:1688
helper.exe:1912
regsvr32.exe:296
pack.exe:780
%original file name%.exe:1652
- Delete the original Adware file.
- Delete or disinfect the following files created/modified by the Adware:
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\extension@linkeyproject.com\install.rdf (771 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\extension@linkeyproject.com\skin\logo.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\extension@linkeyproject.com\content\button.css (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\extension@linkeyproject.com\content\action.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\extension@linkeyproject.com\content\overlay.xul (658 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\extension@linkeyproject.com\chrome.manifest (193 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\AppAssocReg.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\ShellLink.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\CityHash.dll (1613 bytes)
%Program Files% (x86)\Linkey\IEExtension\comext.dll (98 bytes)
%Program Files% (x86)\Linkey\IEExtension\icon.ico (1 bytes)
%Program Files% (x86)\Linkey\ChromeExtension\ChromeExtension.crx (47 bytes)
%Program Files% (x86)\Linkey\IEExtension\hoticon.ico (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsl6866.tmp\pack.exe (6714 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv68F3.tmp (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\MoreInfo.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\Uninstall.exe (8214 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\FindProcDLL.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\modern-header.bmp (2104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsl6866.tmp\ffExtension.exe (3494 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Linkey.lnk (830 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\Helper.dll (31515 bytes)
%Program Files% (x86)\Linkey\Uninstall.exe (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\UAC.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\System.dll (23 bytes)
%Program Files% (x86)\Linkey\Helper.dll (10815 bytes)
%Program Files% (x86)\Linkey\log.log (29266 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: Aztec Media Inc
Product Name: Linkey
Product Version: 0.0.0.90
Legal Copyright: Copyright (c) 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 0.0.0.90
File Description: Linkey - Install
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 26396 | 26624 | 4.50865 | cb807804553819b70f6e16b8a094d327 |
.rdata | 32768 | 6614 | 6656 | 3.48434 | 161b329b4c70ce4fbd9c1143e738896b |
.data | 40960 | 463772 | 512 | 1.20331 | 140876ba314e7bc36379ee5c6db80876 |
.ndata | 507904 | 2740224 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 3248128 | 210304 | 210432 | 4.16968 | 3bd1bb0d92e05b6648764d3f75a5ef75 |
Note: the .ndata section (large virtual size, zero raw size) is the uninitialised-data section characteristic of NSIS (Nullsoft) installers, which agrees with the ns*.tmp staging directories and the nsExec.dll, nsDialogs.dll and System.dll plugins dropped at run time. The "Packed" entropy verdict and the UPolyX PEiD match should therefore be read as generic packer heuristics firing on the NSIS stub and its compressed payload, not as evidence of a separate custom packer.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.mlstat.com/statistics/client/install.php?systemid=300&os=6.1&is64=1&ver=0.0.0.90&type=New&appid=0&userHome=No&userToolbar=No | 94.31.0.52 |
hxxp://download.dynect.mozilla.net/?product=firefox-31.0-partial-29.0.1&os=win&lang=en-US | |
hxxp://a1284.g.akamai.net/pub/firefox/releases/31.0/update/win32/en-US/firefox-29.0.1-31.0.partial.mar | |
hxxp://gp1.wpc.v2cdn.net/pub/firefox/releases/31.0/update/win32/en-US/firefox-29.0.1-31.0.partial.mar | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?41d4b1b60abaf38a | |
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8a65426349699ba9 | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | |
hxxp://a1621.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | 23.38.91.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | 23.38.91.27 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?41d4b1b60abaf38a | 212.30.134.182 |
hxxp://download.cdn.mozilla.net/pub/firefox/releases/31.0/update/win32/en-US/firefox-29.0.1-31.0.partial.mar | 212.30.134.183 |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 212.30.134.167 |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 212.30.134.167 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8a65426349699ba9 | 212.30.134.182 |
hxxp://download.mozilla.org/?product=firefox-31.0-partial-29.0.1&os=win&lang=en-US | 63.245.217.36 |
hxxp://gtssl-ocsp.geotrust.com/ | 199.7.59.72 |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 212.30.134.167 |
hxxp://ocsp.thawte.com/ | 199.7.57.72 |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 212.30.134.167 |
hxxp://ocsp.digicert.com/ | 93.184.220.29 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.38.91.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | 23.38.91.27 |
translate.googleapis.com | 64.233.165.95 |
www.linkeyproject.com | 94.31.0.55 |
themes.googleusercontent.com | 173.194.113.203 |
apis.google.com | 173.194.113.194 |
accounts.google.com | 64.233.165.84 |
www.googleapis.com | 64.233.165.95 |
clients2.google.com | 173.194.113.197 |
clients4.google.com | 173.194.113.195 |
oauth.googleusercontent.com | 173.194.113.202 |
geo.mozilla.org | 63.245.215.82 |
accounts.youtube.com | 173.194.113.196 |
welcome.webmaker.org | 54.239.168.114 |
www.bing.com | 204.79.197.200 |
ssl.gstatic.com | 173.194.39.120 |
fonts.gstatic.com | 173.194.39.111 |
www.google.com | 173.194.113.209 |
clients2.googleusercontent.com | 173.194.113.203 |
www.mozilla.org | 63.245.215.20 |
snippets.mozilla.com | 63.245.217.48 |
aus3.mozilla.org | 63.245.217.44 |
snippets-stats.mozilla.org | 63.245.217.175 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST / HTTP/1.1
Host: ocsp.digicert.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 115
Content-Type: application/ocsp-request
Connection: keep-alive
0q0o0M0K0I0... ........._.z....'.5...C........a..1a./(..F8.,..............}.........0.0... .....0...0... .....0..
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=518103
Content-Type: application/ocsp-response
Date: Wed, 27 Aug 2014 08:19:08 GMT
Etag: "53fd7d4b-1d7"
Expires: Tue, 02 Sep 2014 20:19:08 GMT
Last-Modified: Wed, 27 Aug 2014 06:40:11 GMT
Server: ECS (fra/D5BE)
X-Cache: HIT
Content-Length: 471
0..........0..... .....0......0...0........a..1a./(..F8.,......20140827062500Z0s0q0I0... ........._.z....'.5...C.........a..1a./(..F8.,..............}...........20140827062500Z....20140903064000Z0...*.H.............%.5hM..!..._.%.....Z...o..]{s..v.........U.....&w../D:!u....'....3....].1..;..f<~.._......h..#.k.Dt..gK..Q..y...k..N-.X.......G*. ....F..y...YOI.....\`(...PI.F.`..I...eZ.e( .".%.K....Z........v.)..F]..t.J.-7.eR.G.t,.my.....UX....:......a....*lE.....N..r6.
<<< skipped >>>
GET /statistics/client/install.php?systemid=300&os=6.1&is64=1&ver=0.0.0.90&type=New&appid=0&userHome=No&userToolbar=No HTTP/1.1
User-Agent: Brand HTTPConnection
Host: VVV.mlstat.com
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Aug 2014 08:18:45 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=30
X-Server: wadyn4
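The GET to mlstat.com above is the only traffic in this capture that belongs to Linkey itself (everything else is Firefox updating and Windows CryptoAPI fetching CRLs and OCSP responses), and it carries the installer's fingerprint: a non-browser User-Agent, a fixed path, and a query string reporting the build version and install type. The following added example (written for this page; it is not the report's own detection logic and no Suricata rule is given on the page) parses raw HTTP request text and flags that beacon. Both request texts are constructed: the first reproduces the beacon shown above (the report writes the host as VVV.mlstat.com, its defanged spelling of www), the second is a benign CryptoAPI CRL fetch used as a negative control. The scoring threshold and field names are this example's own choices.

```python
"""Detect the Linkey install beacon in captured HTTP requests.

Added example for this page, not code from the report or from Linkey.
Indicators are lifted from the Traffic section; the sample requests are
constructed."""
from urllib.parse import urlsplit, parse_qs

SAMPLE_REQUESTS = [
    # Constructed copy of the beacon from the Traffic section.
    "GET /statistics/client/install.php?systemid=300&os=6.1&is64=1&ver=0.0.0.90"
    "&type=New&appid=0&userHome=No&userToolbar=No HTTP/1.1\r\n"
    "User-Agent: Brand HTTPConnection\r\n"
    "Host: www.mlstat.com\r\n\r\n",
    # Constructed benign request, modelled on the CryptoAPI CRL fetch on this page.
    "GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "User-Agent: Microsoft-CryptoAPI/6.1\r\n"
    "Host: crl.microsoft.com\r\n\r\n",
]

# Indicators from the report.  Requiring any two of host, path and
# User-Agent (an assumption of this example) means a rotated domain or a
# changed UA string alone does not evade the check.
BEACON_HOST = "www.mlstat.com"
BEACON_PATH = "/statistics/client/install.php"
BEACON_UA = "Brand HTTPConnection"
BEACON_PARAMS = {"systemid", "os", "is64", "ver", "type", "appid",
                 "userHome", "userToolbar"}

def parse_request(raw):
    """Split an HTTP/1.x request head into method, path, query and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": method, "path": parts.path, "query": query, "headers": headers}

def classify(req):
    """Return a finding dict for a Linkey beacon, or None for anything else."""
    host = req["headers"].get("host", "").lower()
    ua = req["headers"].get("user-agent", "")
    score = int(host == BEACON_HOST) + int(req["path"] == BEACON_PATH) + int(ua == BEACON_UA)
    if score < 2:
        return None
    return {
        "host": host,
        "score": score,
        "version": req["query"].get("ver"),        # Linkey build reported home
        "install_type": req["query"].get("type"),  # "New" on first install
        "missing_params": sorted(BEACON_PARAMS - set(req["query"])),
    }

def scan(requests):
    """Run classify() over raw request texts and collect the findings."""
    return [f for f in (classify(parse_request(r)) for r in requests) if f]
```

The `missing_params` field is there for triage: a beacon that matches host and path but drops or renames query parameters indicates a newer build than the one analysed here, and is worth a fresh look rather than being closed as a known sample.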
GET /?product=firefox-31.0-partial-29.0.1&os=win&lang=en-US HTTP/1.1
Host: download.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=300000-599999
Cookie: optimizelySegments={"245617832":"none","245875585":"direct","245677587":"ff","246048108":"false","869421433":"true"}; optimizelyEndUserId=oeu1401956287616r0.2603029596469415; optimizelyBuckets={}; __utma=150903082.1617578787.1401956289.1401956289.1401956289.1; __utmz=150903082.1401956289.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive
HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: bouncer5.webapp.phx1.mozilla.com
Cache-Control: max-age=60
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Aug 2014 08:19:12 GMT
Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/31.0/update/win32/en-US/firefox-29.0.1-31.0.partial.mar
Keep-Alive: timeout=3, max=500
Content-Length: 0
Connection: Keep-Alive
X-Cache-Info: cached
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Last-Modified: Tue, 26 Aug 2014 12:48:15 GMT
Expires: Tue, 02 Sep 2014 12:48:15 GMT
Content-Type: application/ocsp-response
content-transfer-encoding: binary
Content-Length: 1697
Cache-Control: max-age=534463, public, no-transform, must-revalidate
Date: Wed, 27 Aug 2014 08:23:29 GMT
Connection: keep-alive
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 01 Jul 2014 05:04:34 GMT
Accept-Ranges: bytes
ETag: "924558f3e994cf1:0"
Server: Microsoft-IIS/8.5
VTag: 279238027700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Wed, 27 Aug 2014 08:23:34 GMT
Connection: keep-alive
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 08 Aug 2014 05:04:30 GMT
Accept-Ranges: bytes
ETag: "3324a23cc6b2cf1:0"
Server: Microsoft-IIS/8.5
VTag: 791730025700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Wed, 27 Aug 2014 08:22:39 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 22 Jul 2014 05:05:25 GMT
Accept-Ranges: bytes
ETag: "97fdf38b6aa5cf1:0"
Server: Microsoft-IIS/8.5
VTag: 791312957000000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Wed, 27 Aug 2014 08:22:39 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 20 Jul 2014 05:04:43 GMT
Accept-Ranges: bytes
ETag: "dba99d1ed8a3cf1:0"
Server: Microsoft-IIS/8.0
VTag: 279852831300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Wed, 27 Aug 2014 08:22:39 GMT
Connection: keep-alive
GET /pub/firefox/releases/31.0/update/win32/en-US/firefox-29.0.1-31.0.partial.mar HTTP/1.1
Host: download.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=0-299999
Connection: keep-alive
HTTP/1.1 206 Partial Content
Last-Modified: Thu, 17 Jul 2014 05:53:21 GMT
ETag: "4ba84ce-141d0cc-4fe5d42161640"
Server: Apache
X-Backend-Server: ftp4.dmz.scl3.mozilla.com
Content-Type: application/octet-stream
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
X-Cache-Info: cached
Cache-Control: max-age=240615
Expires: Sat, 30 Aug 2014 03:09:22 GMT
Date: Wed, 27 Aug 2014 08:19:07 GMT
Content-Range: bytes 0-299999/21090508
Content-Length: 300000
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Last-Modified: Mon, 25 Aug 2014 06:37:34 GMT
Expires: Mon, 01 Sep 2014 06:37:34 GMT
Content-Type: application/ocsp-response
content-transfer-encoding: binary
Content-Length: 1967
Cache-Control: max-age=425643, public, no-transform, must-revalidate
Date: Wed, 27 Aug 2014 08:23:32 GMT
Connection: keep-alive
POST / HTTP/1.1
Host: gtssl-ocsp.geotrust.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 102
Content-Type: application/ocsp-request
Connection: keep-alive
HTTP/1.0 200 Ok
last-modified: Tue, 26 Aug 2014 01:01:32 GMT
expires: Tue, 02 Sep 2014 01:01:32 GMT
content-type: application/ocsp-response
content-transfer-encoding: binary
content-length: 1359
cache-control: max-age=492144, public, no-transform, must-revalidate
date: Wed, 27 Aug 2014 08:19:08 GMT
connection: close
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?8a65426349699ba9 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Wed, 12 Mar 2014 20:20:10 GMT
ETag: "0b96c77303ecf1:0"
Date: Wed, 27 Aug 2014 08:23:28 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Last-Modified: Tue, 26 Aug 2014 17:17:42 GMT
Expires: Tue, 02 Sep 2014 17:17:42 GMT
Content-Type: application/ocsp-response
content-transfer-encoding: binary
Content-Length: 1967
Cache-Control: max-age=550509, public, no-transform, must-revalidate
Date: Wed, 27 Aug 2014 08:23:29 GMT
Connection: keep-alive
POST / HTTP/1.1
Host: ocsp.thawte.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 115
Content-Type: application/ocsp-request
Connection: keep-alive
HTTP/1.0 200 Ok
last-modified: Sun, 24 Aug 2014 08:42:35 GMT
expires: Sun, 31 Aug 2014 08:42:35 GMT
content-type: application/ocsp-response
content-transfer-encoding: binary
content-length: 1417
cache-control: max-age=347009, public, no-transform, must-revalidate
date: Wed, 27 Aug 2014 08:19:06 GMT
connection: close
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?41d4b1b60abaf38a HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
Accept-Ranges: bytes
ETag: "0b2464b1797cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6408
Date: Wed, 27 Aug 2014 08:22:39 GMT
Connection: keep-alive
POST / HTTP/1.1
Host: gtssl-ocsp.geotrust.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 102
Content-Type: application/ocsp-request
Connection: keep-alive
HTTP/1.0 200 Ok
last-modified: Mon, 25 Aug 2014 22:26:32 GMT
expires: Mon, 01 Sep 2014 22:26:32 GMT
content-type: application/ocsp-response
content-transfer-encoding: binary
content-length: 1359
cache-control: max-age=482846, public, no-transform, must-revalidate
date: Wed, 27 Aug 2014 08:19:06 GMT
connection: close
GET /?product=firefox-31.0-partial-29.0.1&os=win&lang=en-US HTTP/1.1
Host: download.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=0-299999
Cookie: optimizelySegments={"245617832":"none","245875585":"direct","245677587":"ff","246048108":"false","869421433":"true"}; optimizelyEndUserId=oeu1401956287616r0.2603029596469415; optimizelyBuckets={}; __utma=150903082.1617578787.1401956289.1401956289.1401956289.1; __utmz=150903082.1401956289.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive
HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: bouncer1.webapp.scl3.mozilla.com
Cache-Control: max-age=60
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Aug 2014 08:18:52 GMT
Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/31.0/update/win32/en-US/firefox-29.0.1-31.0.partial.mar
Keep-Alive: timeout=3, max=495
Content-Length: 0
Connection: Keep-Alive
X-Cache-Info: cached
GET /pub/firefox/releases/31.0/update/win32/en-US/firefox-29.0.1-31.0.partial.mar HTTP/1.1
Host: download.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=300000-599999
Connection: keep-alive
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Cache-Control: max-age=604800
Content-Range: bytes 300000-599999/21090508
Content-Type: application/octet-stream
Date: Wed, 27 Aug 2014 08:19:16 GMT
Etag: "4ba84ce-141d0cc-4fe5d42161640"
Expires: Wed, 03 Sep 2014 08:19:16 GMT
Last-Modified: Thu, 17 Jul 2014 05:53:21 GMT
Server: ECAcc (fra/D4CA)
X-Backend-Server: ftp8.dmz.scl3.mozilla.com
X-Cache: HIT
X-Cache-Info: caching
Content-Length: 300000
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Last-Modified: Sun, 24 Aug 2014 08:41:30 GMT
Expires: Sun, 31 Aug 2014 08:41:30 GMT
Content-Type: application/ocsp-response
content-transfer-encoding: binary
Content-Length: 1967
Cache-Control: max-age=346875, public, no-transform, must-revalidate
Date: Wed, 27 Aug 2014 08:23:35 GMT
Connection: keep-alive
Map
The Adware connects to the servers at the following location(s):