Skip to main content

Win32.Viking.AX_45db9e92ad


Win32.Viking.AX (BitDefender), Exploit:Win32/ShellCode.gen!B (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Worm.Win32.Qvod.ank (v) (VIPRE), Trojan.AVKill.11573 (DrWeb), Win32.Viking.AX (B) (Emsisoft), Artemis!45DB9E92ADF0 (McAfee), W32.Wapomi!gen1 (Symantec), Virus.Win32.Qvod (Ikarus), Win32.Viking.AX (FSecure), Worm/AutoRun.LY (AVG), Win32:Malware-gen (Avast), PE_JADTRE.A-O (TrendMicro), Win32.Viking.AX (AdAware)Behaviour: Trojan, Worm, Virus

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 45db9e92adf00b8de9b733b52a306a40

SHA1: 40657201a984412125d32ac3a9d7dc33155e6942

SHA256: d3ed8896b7cfc812d61e0342705084247976725e0972f21ede4c8d3addc4e858

SSDeep: 6144:mwtKDxiswkBYK5Tz77uCYXilJbg5O5/9Wy:0TYK5/7 XST5lX

Size: 242688 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: ASPackv212, PolyEnE001byLennartHedlund, UPolyXv05_v6

Company: no certificate found

Created at: 2010-09-08 22:16:40

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

57124ba2.exe:2896
%original file name%.exe:320
reg.exe:1652
reg.exe:2044
reg.exe:844
reg.exe:520

The Trojan injects its code into the following process(es):

svchost.exe:1136

File activity

The process 57124ba2.exe:2896 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\Infotmp.txt (456 bytes)

The process %original file name%.exe:320 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\Infotmp.txt (456 bytes)
%System%\appmgmts.dll (242688 bytes)

The process reg.exe:1652 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\r663215ff.txt (3806 bytes)

Registry activity

The process %original file name%.exe:320 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 9B B4 79 90 5D 20 51 64 56 78 93 40 E6 7C E8"

The process reg.exe:2044 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\5163053E]
"Type" = "1"

The process reg.exe:844 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\5163053E]
"ImagePath" = "system32\5163053E.sys"

The process reg.exe:520 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:


Automatic startup of the following service is disabled:

[HKLM\System\CurrentControlSet\Services\5163053E]
"Start" = "3"

Dropped PE files

MD5 File path
8ccbd9aba7ff4f6190d151b6ccb38efcc:\WINDOWS\system32\dmutilio.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following kernel-mode hooks:

KeInsertQueueApc

Using the driver "%System%\5163053E.sys" the Trojan substitutes IRP handlers in a file system driver (FastFAT) to control operations with files:

MJ_CREATE
MJ_DIRECTORY_CONTROL

Using the driver "%System%\5163053E.sys" the Trojan substitutes IRP handlers to control devices of tcpip.sys driver:

MJ_INTERNAL_DEVICE_CONTROL

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    57124ba2.exe:2896
    %original file name%.exe:320
    reg.exe:1652
    reg.exe:2044
    reg.exe:844
    reg.exe:520

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\Infotmp.txt (456 bytes)
    %System%\appmgmts.dll (242688 bytes)
    %WinDir%\Temp\r663215ff.txt (3806 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Shenzhen QVOD Technology Co.,Ltd
Product Name: QvodInstall Module
Product Version: 3, 0, 0, 0
Legal Copyright: Copyright(C) 2006-2009 QVOD
Legal Trademarks:
Original Filename: QvodInstall.exe
Internal Name: QvodInstall.exe
File Version: 3, 0, 0, 0
File Description: QvodInstall Module
Comments:
Language: English (United States)

Company Name: Shenzhen QVOD Technology Co.,LtdProduct Name: QvodInstall ModuleProduct Version: 3, 0, 0, 0Legal Copyright: Copyright(C) 2006-2009 QVODLegal Trademarks: Original Filename: QvodInstall.exeInternal Name: QvodInstall.exeFile Version: 3, 0, 0, 0File Description: QvodInstall ModuleComments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409649152215045.52493f6eb240322cd78af0c93c914983b29da
.rdata532481228846085.433456663c344ae9ba3fe17ebe78212b5ff76
.data6553620480117765.48192b6507624347c807f729c29635c24cd28
.rsrc860161597441489925.542536a78028585bf2331daa1896503d00ce3
.UPX0245760819230725.32369aa12a6555e17c14067054b55c6c38038
.UPX125395236864332805.53866444aa4cc3c7a0483c6cf2183239ff3df
.reloc290816409630725.1419296b72e1cc79e921e22de659fb82c2b8e
.aspack29491216384153604.04081db344d172c9ef14bacec0dba4f892bb1
.adata311296409600d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 1
287a5a75e19cdb58d00f9763e2a69218

Network Activity

URLs

URL IP
hxxp://52.nsvhn987.com/msdownload/update/v5/redir/wuredirt.rar195.22.26.231
hxxp://w2.mvps.org/resources/tools/getpublicip.shtml
hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl
hxxp://a26.ms.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://e6845.ce.akamaiedge.net/CSC3-2004.crl
csc3-2004-crl.verisign.com23.42.21.163
csc3-2009-2-crl.verisign.com23.42.21.163
www.baidu.com180.76.3.151
crl.verisign.com23.42.21.163
vbnet.mvps.org216.155.126.44
www.download.windowsupdate.com92.123.155.25
csc3-2009-crl.verisign.com23.42.21.163
52.nsvjn987.com192.155.89.148
52.ns2275ab.com
52.ns768.com
1.nsb927.com
wpad
52.nsb927.com
52.ns792.com
52.ns529.com
52.ns098.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /CSC3-2004.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: CSC3-2004-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "5068635391784c74dc0a5a7140856f08:1395911413"

Last-Modified: Thu, 27 Mar 2014 09:10:13 GMT

Accept-Ranges: bytes

Content-Length: 96264

Date: Thu, 27 Mar 2014 20:44:47 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0..x.0..v.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA..140327090000Z..140406090000Z0..v.0!.....'...._.=.t.{...060411095352Z0!........]...n.d.^...041210180734Z0!....B.38..I....Z.Z..060522202503Z0!.....V..=.&..p.K_...041223173514Z0!...$fd{........ZKI..050727182105Z0!...'..P..Tk....i ...081114114704Z0!...*m.......$.e.iw..050113162826Z0!...4..&.....(.V.bD..060717184318Z0!...>.h`a.nZM.VIP....061027222850Z0!...?..!.....Z..%....080514074106Z0!...A.*T-.NB>Ro.S.~..070627153307Z0!...Wf....0?.1.<G4...080827011731Z0!...[.}7.8.t.........070607081209Z0!...^.@.....1..v..`..061207041025Z0!...ol4....{.........080520210256Z0!.....oP...._. .a....061205224400Z0!.....}...../5.=.....041018225848Z0!.....B.w5$.h..,."...060707142917Z0!....]....d..........041217144015Z0!.........1.9.fwI.a..050926191715Z0!............*.>W....041221185802Z0!...."....J..l.......050712133504Z0!....X.r..'7hK._.....080804054612Z0!....Q)..6.....4.[...051018015040Z0!.........Y.=.U=y....060308034429Z0!....:..I.. ......Y..060912161745Z0!......t..Au...e `...060406020106Z0!........&.zR.....J..080220163354Z0!...%.&.f./....>.H...070216105424Z0!...8....n..#b.dM....090505134237Z0!...E..1..>..........070621145128Z0!...L.k'.W..!.;w0....060711202546Z0!...U.......Te.c.....080829025216Z0!...qo..b..>...C.....081214140650Z0!.......?....War.y...061019142712Z0!.......^i7.6_m..W...070122210641Z0!....&.G.E.

<<

<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "8e6524f62f3a114ec765d2f97962a2e2:1391212212"

Last-Modified: Fri, 31 Jan 2014 23:50:12 GMT

Accept-Ranges: bytes

Content-Length: 1415

Date: Thu, 27 Mar 2014 20:44:17 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network..140129000000Z..140331235959Z0...0!...=...X.FL...3..I..080403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...140129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....080403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t...070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:..080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d..9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s...........080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f......7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3... F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~...7G@...070412171752Z0!..r.q.I-Ln./........080403173458Z0!..t8....D...........080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw..W.g...140129192921Z0...*.H...............8`u...j.....]....zz..~.7g!.(.h*1T..iC.X..TlS{.....n...lo....%xZ...Y?.F..-;....xE[s@.[.o.)ay...5.`.PWP......onZ.t ....GIuTV.XY....

<<

<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "8e6524f62f3a114ec765d2f97962a2e2:1391212212"

Last-Modified: Fri, 31 Jan 2014 23:50:12 GMT

Accept-Ranges: bytes

Content-Length: 1415

Date: Thu, 27 Mar 2014 20:44:17 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network..140129000000Z..140331235959Z0...0!...=...X.FL...3..I..080403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...140129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....080403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t...070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:..080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d..9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s...........080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f......7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3... F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~...7G@...070412171752Z0!..r.q.I-Ln./........080403173458Z0!..t8....D...........080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw..W.g...140129192921Z0...*.H...............8`u...j.....]....zz..~.7g!.(.h*1T..iC.X..TlS{.....n...lo....%xZ...Y?.F..-;....xE[s@.[.o.)ay...5.`.PWP......onZ.t ....GIuTV.XY....

<<

<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "8e6524f62f3a114ec765d2f97962a2e2:1391212212"

Last-Modified: Fri, 31 Jan 2014 23:50:12 GMT

Accept-Ranges: bytes

Content-Length: 1415

Date: Thu, 27 Mar 2014 20:44:18 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network..140129000000Z..140331235959Z0...0!...=...X.FL...3..I..080403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...140129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....080403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t...070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:..080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d..9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s...........080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f......7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3... F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~...7G@...070412171752Z0!..r.q.I-Ln./........080403173458Z0!..t8....D...........080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw..W.g...140129192921Z0...*.H...............8`u...j.....]....zz..~.7g!.(.h*1T..iC.X..TlS{.....n...lo....%xZ...Y?.F..-;....xE[s@.[.o.)ay...5.`.PWP......onZ.t ....GIuTV.XY....

<<

<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "8e6524f62f3a114ec765d2f97962a2e2:1391212212"

Last-Modified: Fri, 31 Jan 2014 23:50:12 GMT

Accept-Ranges: bytes

Content-Length: 1415

Date: Thu, 27 Mar 2014 20:44:19 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network..140129000000Z..140331235959Z0...0!...=...X.FL...3..I..080403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...140129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....080403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t...070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:..080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d..9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s...........080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f......7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3... F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~...7G@...070412171752Z0!..r.q.I-Ln./........080403173458Z0!..t8....D...........080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw..W.g...140129192921Z0...*.H...............8`u...j.....]....zz..~.7g!.(.h*1T..iC.X..TlS{.....n...lo....%xZ...Y?.F..-;....xE[s@.[.o.)ay...5.`.PWP......onZ.t ....GIuTV.XY....

<<

<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "8e6524f62f3a114ec765d2f97962a2e2:1391212212"

Last-Modified: Fri, 31 Jan 2014 23:50:12 GMT

Accept-Ranges: bytes

Content-Length: 1415

Date: Thu, 27 Mar 2014 20:44:20 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network..140129000000Z..140331235959Z0...0!...=...X.FL...3..I..080403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...140129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....080403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t...070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:..080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d..9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s...........080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f......7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3... F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~...7G@...070412171752Z0!..r.q.I-Ln./........080403173458Z0!..t8....D...........080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw..W.g...140129192921Z0...*.H...............8`u...j.....]....zz..~.7g!.(.h*1T..iC.X..TlS{.....n...lo....%xZ...Y?.F..-;....xE[s@.[.o.)ay...5.`.PWP......onZ.t ....GIuTV.XY....

<<

<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "8e6524f62f3a114ec765d2f97962a2e2:1391212212"

Last-Modified: Fri, 31 Jan 2014 23:50:12 GMT

Accept-Ranges: bytes

Content-Length: 1415

Date: Thu, 27 Mar 2014 20:44:21 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network..140129000000Z..140331235959Z0...0!...=...X.FL...3..I..080403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...140129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....080403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t...070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:..080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d..9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s...........080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f......7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3... F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~...7G@...070412171752Z0!..r.q.I-Ln./........080403173458Z0!..t8....D...........080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw..W.g...140129192921Z0...*.H...............8`u...j.....]....zz..~.7g!.(.h*1T..iC.X..TlS{.....n...lo....%xZ...Y?.F..-;....xE[s@.[.o.)ay...5.`.PWP......onZ.t ....GIuTV.XY....

<<

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"

Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT

Accept-Ranges: bytes

Content-Length: 933

Date: Thu, 27 Mar 2014 20:44:27 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140129000000Z..140331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H..............#v..<.a....-a..,/.<...5%...X..@r%..$G*..9/...>.Y..~.$.|dG.j...XS..U.m.4z....7K..nG.*...}..........R........z?..x....;.Ik...VOEHTTP/1.1 200 OK..Server: Apache..ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"..Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT..Accept-Ranges: bytes..Content-Length: 933..Date: Thu, 27 Mar 2014 20:44:27 GMT..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140129000000Z..140331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A...

<<

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"

Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT

Accept-Ranges: bytes

Content-Length: 933

Date: Thu, 27 Mar 2014 20:44:28 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140129000000Z..140331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H..............#v..<.a....-a..,/.<...5%...X..@r%..$G*..9/...>.Y..~.$.|dG.j...XS..U.m.4z....7K..nG.*...}..........R........z?..x....;.Ik...VOEHTTP/1.1 200 OK..Server: Apache..ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"..Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT..Accept-Ranges: bytes..Content-Length: 933..Date: Thu, 27 Mar 2014 20:44:28 GMT..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140129000000Z..140331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A...

<<

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"

Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT

Accept-Ranges: bytes

Content-Length: 933

Date: Thu, 27 Mar 2014 20:44:29 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140129000000Z..140331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H..............#v..<.a....-a..,/.<...5%...X..@r%..$G*..9/...>.Y..~.$.|dG.j...XS..U.m.4z....7K..nG.*...}..........R........z?..x....;.Ik...VOEHTTP/1.1 200 OK..Server: Apache..ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"..Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT..Accept-Ranges: bytes..Content-Length: 933..Date: Thu, 27 Mar 2014 20:44:29 GMT..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140129000000Z..140331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A...

<<

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"

Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT

Accept-Ranges: bytes

Content-Length: 933

Date: Thu, 27 Mar 2014 20:44:30 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140129000000Z..140331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H..............#v..<.a....-a..,/.<...5%...X..@r%..$G*..9/...>.Y..~.$.|dG.j...XS..U.m.4z....7K..nG.*...}..........R........z?..x....;.Ik...VOEHTTP/1.1 200 OK..Server: Apache..ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"..Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT..Accept-Ranges: bytes..Content-Length: 933..Date: Thu, 27 Mar 2014 20:44:30 GMT..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140129000000Z..140331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A...

<<

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"

Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT

Accept-Ranges: bytes

Content-Length: 933

Date: Thu, 27 Mar 2014 20:44:31 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140129000000Z..140331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H..............#v..<.a....-a..,/.<...5%...X..@r%..$G*..9/...>.Y..~.$.|dG.j...XS..U.m.4z....7K..nG.*...}..........R........z?..x....;.Ik...VOEHTTP/1.1 200 OK..Server: Apache..ETag: "117874d748d93730ac0fcde495f3f5b7:1391215510"..Last-Modified: Sat, 01 Feb 2014 00:45:10 GMT..Accept-Ranges: bytes..Content-Length: 933..Date: Thu, 27 Mar 2014 20:44:31 GMT..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140129000000Z..140331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A...

<<

<<< skipped >>>

GET /msdownload/update/v5/redir/wuredirt.rar HTTP/1.1

Accept: */*

Accept-Language: zh-cn

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: 195.22.26.231

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Thu, 27 Mar 2014 20:44:14 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: btst=15c5f01238e31651dcad6fae2af483a3|193.138.244.231|1395953054|1395953054|0|1|0

Set-Cookie: snkz=193.138.244.231

Content-Encoding: gzip

14........................0..

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=5041

Date: Thu, 27 Mar 2014 20:44:38 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=5041..Date: Thu, 27 Mar 2014 20:44:38 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B609892....

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=5041

Date: Thu, 27 Mar 2014 20:44:38 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=5041..Date: Thu, 27 Mar 2014 20:44:38 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B609892....

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=5040

Date: Thu, 27 Mar 2014 20:44:39 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=5040..Date: Thu, 27 Mar 2014 20:44:39 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B609892....

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=5039

Date: Thu, 27 Mar 2014 20:44:40 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=5039..Date: Thu, 27 Mar 2014 20:44:40 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B609892....

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=5038

Date: Thu, 27 Mar 2014 20:44:41 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=5038..Date: Thu, 27 Mar 2014 20:44:41 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B609892....

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=5037

Date: Thu, 27 Mar 2014 20:44:42 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=5037..Date: Thu, 27 Mar 2014 20:44:42 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B609892....

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=5036

Date: Thu, 27 Mar 2014 20:44:43 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=5036..Date: Thu, 27 Mar 2014 20:44:43 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B609892....

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=5035

Date: Thu, 27 Mar 2014 20:44:44 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=5035..Date: Thu, 27 Mar 2014 20:44:44 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B609892....

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=5034

Date: Thu, 27 Mar 2014 20:44:45 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=5034..Date: Thu, 27 Mar 2014 20:44:45 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B609892....

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=5032

Date: Thu, 27 Mar 2014 20:44:47 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=5032..Date: Thu, 27 Mar 2014 20:44:47 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B609892....

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=5031

Date: Thu, 27 Mar 2014 20:44:48 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=5031..Date: Thu, 27 Mar 2014 20:44:48 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..1401CF3DB40B609892..

GET /CSC3-2009.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "d74bed59c9729847e0d56742c9d14f3d:1395911418"

Last-Modified: Thu, 27 Mar 2014 09:10:18 GMT

Accept-Ranges: bytes

Content-Length: 2249

Date: Thu, 27 Mar 2014 20:44:22 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA..140327090002Z..140410090002Z0...0!.....zOR.D...,oMa...090525061903Z0!......t.o=(..(..G...090520231844Z0!... ....M...m.Q.&...090517075442Z0!...T.Ay(..U...:_|...090608072333Z0!... .(.....F..9.....090805090059Z0!.......P..._}..;.x..090714150126Z0!.....5=.qOV[.cyg.&..090528172131Z0!...K...=$.6.........090521015930Z0!...-H...D...tDXUN...090527062050Z0!.......-.'@..<B{....090525110212Z0!......x..m*[.7.h#"..090702070220Z0!.....%.o.....kT.....090527062152Z0!..!.*;....)..Ef..k..090529084018Z0!..#.}h..."..........090527050204Z0!..$.I^./@.:7.p.,v...090521201736Z0!..&.5{.....Q;D......090521184343Z0!..&...T[.~y.........090903081104Z0!...q..m...G..i^.....090521025017Z0!../a.nS..[lA.lCB....090527045238Z0!..0.....R..iX.px....090605052910Z0!..2.h..).n......p;..090713144756Z0!..:.............. ..090605052934Z0!..;.0.*.v..*....P...090601001940Z0!..?..}p 2I..o.\..u..090527061825Z0!..?....@.Z`......l..090527022214Z0!..B..h~a..]..L.2....100512125735Z0!..B.U..ZF...........090527041620Z0!..F'....?xxnx.6Q....090528003453Z0!..F|A..r....#.@.&...090527062259Z0!..L.r....F..^..i.t..090608130549Z0!..Q...Y...Exm.._7...090520225737Z0!..TH..~.. ..({......090723115618Z0!..U.59Z..[.G.RmyR1..090527071534Z0!..V ].h.../".V<8-...090611075746Z0!..gHT...j5zdG....K..090521205535Z0!..mje.......;.......090521012215Z0!..p^..E.{.>.........09

<<

<<< skipped >>>

GET /CSC3-2009.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "d74bed59c9729847e0d56742c9d14f3d:1395911418"

Last-Modified: Thu, 27 Mar 2014 09:10:18 GMT

Accept-Ranges: bytes

Content-Length: 2249

Date: Thu, 27 Mar 2014 20:44:23 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA..140327090002Z..140410090002Z0...0!.....zOR.D...,oMa...090525061903Z0!......t.o=(..(..G...090520231844Z0!... ....M...m.Q.&...090517075442Z0!...T.Ay(..U...:_|...090608072333Z0!... .(.....F..9.....090805090059Z0!.......P..._}..;.x..090714150126Z0!.....5=.qOV[.cyg.&..090528172131Z0!...K...=$.6.........090521015930Z0!...-H...D...tDXUN...090527062050Z0!.......-.'@..<B{....090525110212Z0!......x..m*[.7.h#"..090702070220Z0!.....%.o.....kT.....090527062152Z0!..!.*;....)..Ef..k..090529084018Z0!..#.}h..."..........090527050204Z0!..$.I^./@.:7.p.,v...090521201736Z0!..&.5{.....Q;D......090521184343Z0!..&...T[.~y.........090903081104Z0!...q..m...G..i^.....090521025017Z0!../a.nS..[lA.lCB....090527045238Z0!..0.....R..iX.px....090605052910Z0!..2.h..).n......p;..090713144756Z0!..:.............. ..090605052934Z0!..;.0.*.v..*....P...090601001940Z0!..?..}p 2I..o.\..u..090527061825Z0!..?....@.Z`......l..090527022214Z0!..B..h~a..]..L.2....100512125735Z0!..B.U..ZF...........090527041620Z0!..F'....?xxnx.6Q....090528003453Z0!..F|A..r....#.@.&...090527062259Z0!..L.r....F..^..i.t..090608130549Z0!..Q...Y...Exm.._7...090520225737Z0!..TH..~.. ..({......090723115618Z0!..U.59Z..[.G.RmyR1..090527071534Z0!..V ].h.../".V<8-...090611075746Z0!..gHT...j5zdG....K..090521205535Z0!..mje.......;.......090521012215Z0!..p^..E.{.>.........09

<<

<<< skipped >>>

GET /CSC3-2009.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "d74bed59c9729847e0d56742c9d14f3d:1395911418"

Last-Modified: Thu, 27 Mar 2014 09:10:18 GMT

Accept-Ranges: bytes

Content-Length: 2249

Date: Thu, 27 Mar 2014 20:44:24 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA..140327090002Z..140410090002Z0...0!.....zOR.D...,oMa...090525061903Z0!......t.o=(..(..G...090520231844Z0!... ....M...m.Q.&...090517075442Z0!...T.Ay(..U...:_|...090608072333Z0!... .(.....F..9.....090805090059Z0!.......P..._}..;.x..090714150126Z0!.....5=.qOV[.cyg.&..090528172131Z0!...K...=$.6.........090521015930Z0!...-H...D...tDXUN...090527062050Z0!.......-.'@..<B{....090525110212Z0!......x..m*[.7.h#"..090702070220Z0!.....%.o.....kT.....090527062152Z0!..!.*;....)..Ef..k..090529084018Z0!..#.}h..."..........090527050204Z0!..$.I^./@.:7.p.,v...090521201736Z0!..&.5{.....Q;D......090521184343Z0!..&...T[.~y.........090903081104Z0!...q..m...G..i^.....090521025017Z0!../a.nS..[lA.lCB....090527045238Z0!..0.....R..iX.px....090605052910Z0!..2.h..).n......p;..090713144756Z0!..:.............. ..090605052934Z0!..;.0.*.v..*....P...090601001940Z0!..?..}p 2I..o.\..u..090527061825Z0!..?....@.Z`......l..090527022214Z0!..B..h~a..]..L.2....100512125735Z0!..B.U..ZF...........090527041620Z0!..F'....?xxnx.6Q....090528003453Z0!..F|A..r....#.@.&...090527062259Z0!..L.r....F..^..i.t..090608130549Z0!..Q...Y...Exm.._7...090520225737Z0!..TH..~.. ..({......090723115618Z0!..U.59Z..[.G.RmyR1..090527071534Z0!..V ].h.../".V<8-...090611075746Z0!..gHT...j5zdG....K..090521205535Z0!..mje.......;.......090521012215Z0!..p^..E.{.>.........09

<<

<<< skipped >>>

GET /CSC3-2009.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "d74bed59c9729847e0d56742c9d14f3d:1395911418"

Last-Modified: Thu, 27 Mar 2014 09:10:18 GMT

Accept-Ranges: bytes

Content-Length: 2249

Date: Thu, 27 Mar 2014 20:44:25 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA..140327090002Z..140410090002Z0...0!.....zOR.D...,oMa...090525061903Z0!......t.o=(..(..G...090520231844Z0!... ....M...m.Q.&...090517075442Z0!...T.Ay(..U...:_|...090608072333Z0!... .(.....F..9.....090805090059Z0!.......P..._}..;.x..090714150126Z0!.....5=.qOV[.cyg.&..090528172131Z0!...K...=$.6.........090521015930Z0!...-H...D...tDXUN...090527062050Z0!.......-.'@..<B{....090525110212Z0!......x..m*[.7.h#"..090702070220Z0!.....%.o.....kT.....090527062152Z0!..!.*;....)..Ef..k..090529084018Z0!..#.}h..."..........090527050204Z0!..$.I^./@.:7.p.,v...090521201736Z0!..&.5{.....Q;D......090521184343Z0!..&...T[.~y.........090903081104Z0!...q..m...G..i^.....090521025017Z0!../a.nS..[lA.lCB....090527045238Z0!..0.....R..iX.px....090605052910Z0!..2.h..).n......p;..090713144756Z0!..:.............. ..090605052934Z0!..;.0.*.v..*....P...090601001940Z0!..?..}p 2I..o.\..u..090527061825Z0!..?....@.Z`......l..090527022214Z0!..B..h~a..]..L.2....100512125735Z0!..B.U..ZF...........090527041620Z0!..F'....?xxnx.6Q....090528003453Z0!..F|A..r....#.@.&...090527062259Z0!..L.r....F..^..i.t..090608130549Z0!..Q...Y...Exm.._7...090520225737Z0!..TH..~.. ..({......090723115618Z0!..U.59Z..[.G.RmyR1..090527071534Z0!..V ].h.../".V<8-...090611075746Z0!..gHT...j5zdG....K..090521205535Z0!..mje.......;.......090521012215Z0!..p^..E.{.>.........09

<<

<<< skipped >>>

GET /CSC3-2009.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "d74bed59c9729847e0d56742c9d14f3d:1395911418"

Last-Modified: Thu, 27 Mar 2014 09:10:18 GMT

Accept-Ranges: bytes

Content-Length: 2249

Date: Thu, 27 Mar 2014 20:44:26 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA..140327090002Z..140410090002Z0...0!.....zOR.D...,oMa...090525061903Z0!......t.o=(..(..G...090520231844Z0!... ....M...m.Q.&...090517075442Z0!...T.Ay(..U...:_|...090608072333Z0!... .(.....F..9.....090805090059Z0!.......P..._}..;.x..090714150126Z0!.....5=.qOV[.cyg.&..090528172131Z0!...K...=$.6.........090521015930Z0!...-H...D...tDXUN...090527062050Z0!.......-.'@..<B{....090525110212Z0!......x..m*[.7.h#"..090702070220Z0!.....%.o.....kT.....090527062152Z0!..!.*;....)..Ef..k..090529084018Z0!..#.}h..."..........090527050204Z0!..$.I^./@.:7.p.,v...090521201736Z0!..&.5{.....Q;D......090521184343Z0!..&...T[.~y.........090903081104Z0!...q..m...G..i^.....090521025017Z0!../a.nS..[lA.lCB....090527045238Z0!..0.....R..iX.px....090605052910Z0!..2.h..).n......p;..090713144756Z0!..:.............. ..090605052934Z0!..;.0.*.v..*....P...090601001940Z0!..?..}p 2I..o.\..u..090527061825Z0!..?....@.Z`......l..090527022214Z0!..B..h~a..]..L.2....100512125735Z0!..B.U..ZF...........090527041620Z0!..F'....?xxnx.6Q....090528003453Z0!..F|A..r....#.@.&...090527062259Z0!..L.r....F..^..i.t..090608130549Z0!..Q...Y...Exm.._7...090520225737Z0!..TH..~.. ..({......090723115618Z0!..U.59Z..[.G.RmyR1..090527071534Z0!..V ].h.../".V<8-...090611075746Z0!..gHT...j5zdG....K..090521205535Z0!..mje.......;.......090521012215Z0!..p^..E.{.>.........09

<<

<<< skipped >>>

GET /resources/tools/getpublicip.shtml HTTP/1.1

Accept: */*

Accept-Language: zh-cn

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: vbnet.mvps.org

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Content-Type: text/html

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

MicrosoftOfficeWebServer: 5.0_Pub

MS-Author-Via: MS-FP/4.0

Date: Thu, 27 Mar 2014 20:44:13 GMT

Content-Length: 1245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>....

<<

<<< skipped >>>

GET /msdownload/update/v5/redir/wuredirt.rar HTTP/1.1

Accept: */*

Accept-Language: zh-cn

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: 195.22.26.231

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Thu, 27 Mar 2014 20:44:35 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: btst=2e6f8266357cd74177ef7252541d58f6|193.138.244.231|1395953075|1395953075|0|1|0

Set-Cookie: snkz=193.138.244.231

Content-Encoding: gzip

14........................0..

GET /CSC3-2009-2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-2-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "b07199373ff075d5e5ac5f584892eb4b:1395911418"

Last-Modified: Thu, 27 Mar 2014 09:10:18 GMT

Accept-Ranges: bytes

Content-Length: 37283

Date: Thu, 27 Mar 2014 20:44:32 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA..140327090001Z..140410090001Z0..h0!.....V..t..'.F(z....121202220203Z0!.... .;...9.7.......090826054212Z0!...\.)../F..^p..s...100722072726Z0!......P....A.x......100708154305Z0!.......O#.`n.5j.9...100930040708Z0!..../..8~p...h......091006052837Z0!.....(../L....--aK..091029040207Z0!...aW.....B.!.0..t..090909121104Z0!...g,..4(vv....mJ_..100514054218Z0!.....V.....(..-..p..090826162211Z0!....O..,J.N.n...Ly..091028032204Z0!....42r...I.Y@...3..100526162150Z0!.........}..Dt...!..090922192227Z0!.......2l....7i..?..101109030426Z0!.....p%...l,AogP....100523060224Z0!...,.P.C......*.....100303082219Z0!...NRPL.............100413090225Z0!....1w....d.&..8....091026111702Z0!......F....e........090608081352Z0!.....6..d6.7..4.....100924123027Z0!....$..*...s..&s....100219210742Z0!......Q_.G..|.......091009145530Z0!........>..O...=72..100616160934Z0!....Xlm$|".su.......090619194406Z0!......J)..E......C..100922142243Z0!...D......u.y.Iy{k..101026130323Z0!...El...)>..W..<K...101004225456Z0!...p..wy.i.zc...X...091117001921Z0!.....,{..^..........091203194409Z0!....B....d...*.P.@..100705023431Z0!.......m. .V.....~..101111134216Z0!...2.R.i.{..........091029071123Z0!...`F..q2..O.:......100602074221Z0!...a{.-...@...'.....100723194022Z0!........fW.y.,s.....101011182226Z0!....Um..}.8)........100324085953Z0!....,u.boxr....Z....

<<

<<< skipped >>>

GET /CSC3-2009-2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-2-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "b07199373ff075d5e5ac5f584892eb4b:1395911418"

Last-Modified: Thu, 27 Mar 2014 09:10:18 GMT

Accept-Ranges: bytes

Content-Length: 37283

Date: Thu, 27 Mar 2014 20:44:33 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA..140327090001Z..140410090001Z0..h0!.....V..t..'.F(z....121202220203Z0!.... .;...9.7.......090826054212Z0!...\.)../F..^p..s...100722072726Z0!......P....A.x......100708154305Z0!.......O#.`n.5j.9...100930040708Z0!..../..8~p...h......091006052837Z0!.....(../L....--aK..091029040207Z0!...aW.....B.!.0..t..090909121104Z0!...g,..4(vv....mJ_..100514054218Z0!.....V.....(..-..p..090826162211Z0!....O..,J.N.n...Ly..091028032204Z0!....42r...I.Y@...3..100526162150Z0!.........}..Dt...!..090922192227Z0!.......2l....7i..?..101109030426Z0!.....p%...l,AogP....100523060224Z0!...,.P.C......*.....100303082219Z0!...NRPL.............100413090225Z0!....1w....d.&..8....091026111702Z0!......F....e........090608081352Z0!.....6..d6.7..4.....100924123027Z0!....$..*...s..&s....100219210742Z0!......Q_.G..|.......091009145530Z0!........>..O...=72..100616160934Z0!....Xlm$|".su.......090619194406Z0!......J)..E......C..100922142243Z0!...D......u.y.Iy{k..101026130323Z0!...El...)>..W..<K...101004225456Z0!...p..wy.i.zc...X...091117001921Z0!.....,{..^..........091203194409Z0!....B....d...*.P.@..100705023431Z0!.......m. .V.....~..101111134216Z0!...2.R.i.{..........091029071123Z0!...`F..q2..O.:......100602074221Z0!...a{.-...@...'.....100723194022Z0!........fW.y.,s.....101011182226Z0!....Um..}.8)........100324085953Z0!....,u.boxr....Z....

<<

<<< skipped >>>

GET /CSC3-2009-2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-2-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "b07199373ff075d5e5ac5f584892eb4b:1395911418"

Last-Modified: Thu, 27 Mar 2014 09:10:18 GMT

Accept-Ranges: bytes

Content-Length: 37283

Date: Thu, 27 Mar 2014 20:44:34 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA..140327090001Z..140410090001Z0..h0!.....V..t..'.F(z....121202220203Z0!.... .;...9.7.......090826054212Z0!...\.)../F..^p..s...100722072726Z0!......P....A.x......100708154305Z0!.......O#.`n.5j.9...100930040708Z0!..../..8~p...h......091006052837Z0!.....(../L....--aK..091029040207Z0!...aW.....B.!.0..t..090909121104Z0!...g,..4(vv....mJ_..100514054218Z0!.....V.....(..-..p..090826162211Z0!....O..,J.N.n...Ly..091028032204Z0!....42r...I.Y@...3..100526162150Z0!.........}..Dt...!..090922192227Z0!.......2l....7i..?..101109030426Z0!.....p%...l,AogP....100523060224Z0!...,.P.C......*.....100303082219Z0!...NRPL.............100413090225Z0!....1w....d.&..8....091026111702Z0!......F....e........090608081352Z0!.....6..d6.7..4.....100924123027Z0!....$..*...s..&s....100219210742Z0!......Q_.G..|.......091009145530Z0!........>..O...=72..100616160934Z0!....Xlm$|".su.......090619194406Z0!......J)..E......C..100922142243Z0!...D......u.y.Iy{k..101026130323Z0!...El...)>..W..<K...101004225456Z0!...p..wy.i.zc...X...091117001921Z0!.....,{..^..........091203194409Z0!....B....d...*.P.@..100705023431Z0!.......m. .V.....~..101111134216Z0!...2.R.i.{..........091029071123Z0!...`F..q2..O.:......100602074221Z0!...a{.-...@...'.....100723194022Z0!........fW.y.,s.....101011182226Z0!....Um..}.8)........100324085953Z0!....,u.boxr....Z....

<<

<<< skipped >>>

GET /CSC3-2009-2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-2-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "b07199373ff075d5e5ac5f584892eb4b:1395911418"

Last-Modified: Thu, 27 Mar 2014 09:10:18 GMT

Accept-Ranges: bytes

Content-Length: 37283

Date: Thu, 27 Mar 2014 20:44:35 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA..140327090001Z..140410090001Z0..h0!.....V..t..'.F(z....121202220203Z0!.... .;...9.7.......090826054212Z0!...\.)../F..^p..s...100722072726Z0!......P....A.x......100708154305Z0!.......O#.`n.5j.9...100930040708Z0!..../..8~p...h......091006052837Z0!.....(../L....--aK..091029040207Z0!...aW.....B.!.0..t..090909121104Z0!...g,..4(vv....mJ_..100514054218Z0!.....V.....(..-..p..090826162211Z0!....O..,J.N.n...Ly..091028032204Z0!....42r...I.Y@...3..100526162150Z0!.........}..Dt...!..090922192227Z0!.......2l....7i..?..101109030426Z0!.....p%...l,AogP....100523060224Z0!...,.P.C......*.....100303082219Z0!...NRPL.............100413090225Z0!....1w....d.&..8....091026111702Z0!......F....e........090608081352Z0!.....6..d6.7..4.....100924123027Z0!....$..*...s..&s....100219210742Z0!......Q_.G..|.......091009145530Z0!........>..O...=72..100616160934Z0!....Xlm$|".su.......090619194406Z0!......J)..E......C..100922142243Z0!...D......u.y.Iy{k..101026130323Z0!...El...)>..W..<K...101004225456Z0!...p..wy.i.zc...X...091117001921Z0!.....,{..^..........091203194409Z0!....B....d...*.P.@..100705023431Z0!.......m. .V.....~..101111134216Z0!...2.R.i.{..........091029071123Z0!...`F..q2..O.:......100602074221Z0!...a{.-...@...'.....100723194022Z0!........fW.y.,s.....101011182226Z0!....Um..}.8)........100324085953Z0!....,u.boxr....Z....

<<

<<< skipped >>>

GET /CSC3-2009-2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-2-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "b07199373ff075d5e5ac5f584892eb4b:1395911418"

Last-Modified: Thu, 27 Mar 2014 09:10:18 GMT

Accept-Ranges: bytes

Content-Length: 37283

Date: Thu, 27 Mar 2014 20:44:36 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA..140327090001Z..140410090001Z0..h0!.....V..t..'.F(z....121202220203Z0!.... .;...9.7.......090826054212Z0!...\.)../F..^p..s...100722072726Z0!......P....A.x......100708154305Z0!.......O#.`n.5j.9...100930040708Z0!..../..8~p...h......091006052837Z0!.....(../L....--aK..091029040207Z0!...aW.....B.!.0..t..090909121104Z0!...g,..4(vv....mJ_..100514054218Z0!.....V.....(..-..p..090826162211Z0!....O..,J.N.n...Ly..091028032204Z0!....42r...I.Y@...3..100526162150Z0!.........}..Dt...!..090922192227Z0!.......2l....7i..?..101109030426Z0!.....p%...l,AogP....100523060224Z0!...,.P.C......*.....100303082219Z0!...NRPL.............100413090225Z0!....1w....d.&..8....091026111702Z0!......F....e........090608081352Z0!.....6..d6.7..4.....100924123027Z0!....$..*...s..&s....100219210742Z0!......Q_.G..|.......091009145530Z0!........>..O...=72..100616160934Z0!....Xlm$|".su.......090619194406Z0!......J)..E......C..100922142243Z0!...D......u.y.Iy{k..101026130323Z0!...El...)>..W..<K...101004225456Z0!...p..wy.i.zc...X...091117001921Z0!.....,{..^..........091203194409Z0!....B....d...*.P.@..100705023431Z0!.......m. .V.....~..101111134216Z0!...2.R.i.{..........091029071123Z0!...`F..q2..O.:......100602074221Z0!...a{.-...@...'.....100723194022Z0!........fW.y.,s.....101011182226Z0!....Um..}.8)........100324085953Z0!....,u.boxr....Z....

<<

<<< skipped >>>

Map

Strings from Dumps

svchost.exe_1136_rwx_0505C000_0000B000:

D$<%d

D$<%d

svchost.exe_1136_rwx_05068000_00002000:

kernel32.dll

kernel32.dll

user32.dll

user32.dll

The procedure entry point %s could not be located in the dynamic link library %s

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

msvcrt.dll

msvcrt.dll

shlwapi.dll

shlwapi.dll

ws2_32.dll

ws2_32.dll

iphlpapi.dll

iphlpapi.dll

wintrust.dll

wintrust.dll

mpr.dll

mpr.dll

advapi32.dll

advapi32.dll

shell32.dll

shell32.dll

3, 0, 0, 0

3, 0, 0, 0

QvodInstall.exe

QvodInstall.exe

svchost.exe_1136_rwx_10001000_00057000:

t.SVW

t.SVW

.tgPV

.tgPV

FTPjK

FTPjK

FtPj;

FtPj;

C.PjRVj

C.PjRVj

u.VV3

u.VV3

imagehlp.dll

imagehlp.dll

drivers\tcpip.sys

drivers\tcpip.sys

\drivers\tcpip.sys

\drivers\tcpip.sys

65.6.163.4

65.6.163.4

89.123.188.11

89.123.188.11

90.52.108.231

90.52.108.231

85.11.66.73

85.11.66.73

72.192.20.73

72.192.20.73

219.77.13.11

219.77.13.11

90.201.190.208

90.201.190.208

58.63.39.204

58.63.39.204

77.66.224.30

77.66.224.30

62.65.208.112

62.65.208.112

router.bitcomet.net

router.bitcomet.net

router.bitcomet.com

router.bitcomet.com

router.utorrent.com

router.utorrent.com

router.bittorrent.com

router.bittorrent.com

UDP Port

UDP Port

TCP Port

TCP Port

key not found:

key not found:

unsupported message type:

unsupported message type:

unsupported request:

unsupported request:

port

port

dht.log

dht.log

log.log

log.log

name.utf-8

name.utf-8

controlURL

controlURL

http://

http://

URLBase

URLBase

HTTP/1.1

HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)

User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"></s:Envelope>

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"></s:Envelope>

AddPortMapping

AddPortMapping

NewPortMappingDescription

NewPortMappingDescription

NewInternalPort

NewInternalPort

NewExternalPort

NewExternalPort

DeletePortMapping

DeletePortMapping

M-SEARCH * HTTP/1.1

M-SEARCH * HTTP/1.1

HOST: 239.255.255.250:1900

HOST: 239.255.255.250:1900

External NAT port in use

External NAT port in use

External NAT port in use: Too many retries

External NAT port in use: Too many retries

Port mapping not owned by this class

Port mapping not owned by this class

Error getting StaticPortMappingCollection

Error getting StaticPortMappingCollection

port=

port=

mscoree.dll

mscoree.dll

kernel32.dll

kernel32.dll

- This application cannot run using the active version of the Microsoft .NET Runtime

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

Please contact the application's support team for more information.

internal state. The program cannot safely continue execution and must

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

continue execution and must now be terminated.

GetProcessWindowStation

GetProcessWindowStation

user32.dll

user32.dll

portuguese-brazilian

portuguese-brazilian

d:\Work\Order\Dlft2\trunk\Dlft\Release\DLFT.pdb

d:\Work\Order\Dlft2\trunk\Dlft\Release\DLFT.pdb

USER32.dll

USER32.dll

.?AV?$bind_t@XV?$mf1@XUdht_tracker@dht@@ABUmsg@2@@_mfi@boost@@V?$list2@V?$value@PAUdht_tracker@dht@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@

.?AV?$bind_t@XV?$mf1@XUdht_tracker@dht@@ABUmsg@2@@_mfi@boost@@V?$list2@V?$value@PAUdht_tracker@dht@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@

.?AV?$bind_t@XV?$mf1@XVnode_impl@dht@@ABUmsg@2@@_mfi@boost@@V?$list2@V?$value@PAVnode_impl@dht@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@

.?AV?$bind_t@XV?$mf1@XVnode_impl@dht@@ABUmsg@2@@_mfi@boost@@V?$list2@V?$value@PAVnode_impl@dht@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@

zcÁ

zcÁ

|%System%\svchost.exe

|%System%\svchost.exe

GetCPInfo

GetCPInfo

HttpQueryInfoA

HttpQueryInfoA

InternetOpenUrlA

InternetOpenUrlA

\=.LO

\=.LO

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc