Adware.Linkey.C_f7ef8bf908

by malwarelabrobot on August 27th, 2014 in Malware Descriptions.

Adware.Linkey.C (AdAware)
Behaviour: Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: f7ef8bf908b51f10187f3c858d81dc3a
SHA1: 91a1f512e8641f5ed52eb5977f4f0a2453159297
SHA256: 83e81954f7bef0da85305a81d35c58f738f2a86261c253a1e2e8dcbbeba777cf
SSDeep: 24576:QzZzHMLoUaG/eEmk8IIlkFxVRBDX94BZBuDNoqm8GK:Q DhmEnTSyxzVNMZBuDNolK
Size: 1460592 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Aztec Media Inc
Created at: 2010-04-10 15:19:38
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The Adware creates the following process(es):

ffExtension.exe:1688
helper.exe:1912
regsvr32.exe:296
pack.exe:780
%original file name%.exe:1652

The Adware injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ffExtension.exe:1688 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]\install.rdf (771 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]\skin\logo.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]\content\button.css (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]\content\action.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]\content\overlay.xul (658 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]\chrome.manifest (193 bytes)

The process helper.exe:1912 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\AppAssocReg.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\ShellLink.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\CityHash.dll (1613 bytes)

The process regsvr32.exe:296 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Program Files% (x86)\Linkey\IEExtension\comext.dll (98 bytes)

The process pack.exe:780 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Program Files% (x86)\Linkey\IEExtension\icon.ico (1 bytes)
%Program Files% (x86)\Linkey\ChromeExtension\ChromeExtension.crx (47 bytes)
%Program Files% (x86)\Linkey\IEExtension\comext.dll (1137 bytes)
%Program Files% (x86)\Linkey\IEExtension\hoticon.ico (1 bytes)

The process %original file name%.exe:1652 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsl6866.tmp\pack.exe (6714 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv68F3.tmp (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\MoreInfo.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\Uninstall.exe (8214 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\FindProcDLL.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\modern-header.bmp (2104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsl6866.tmp\ffExtension.exe (3494 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Linkey.lnk (830 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\Helper.dll (31515 bytes)
%Program Files% (x86)\Linkey\Uninstall.exe (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\UAC.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\System.dll (23 bytes)
%Program Files% (x86)\Linkey\Helper.dll (10815 bytes)
%Program Files% (x86)\Linkey\log.log (29266 bytes)

Registry activity

The process helper.exe:1912 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe,1"

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid" = "FirefoxURL"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"

[HKCU\Software\Classes\FirefoxURL\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid" = "FirefoxURL"

[HKCU\Software\Classes\FirefoxHTML\DefaultIcon]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe,1"

[HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\TaskBarIDs\%Program Files% (x86)]
"Mozilla Firefox" = "E7CF176E110C211B"

[HKCU\Software\Classes\FirefoxURL]
"FriendlyTypeName" = "Firefox URL"
"URL Protocol" = ""

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid" = "FirefoxHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid" = "FirefoxHTML"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe,1"

[HKCU\Software\Classes\FirefoxURL\DefaultIcon]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe,1"

[HKCU\Software\Classes\FirefoxHTML\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe -osint -url %1"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe,1"

[HKCU\Software\Classes\FirefoxURL\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe -osint -url %1"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe -osint -url %1"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\FirefoxHTML]
"(Default)" = "Firefox HTML Document"

[HKCU\Software\Classes\FirefoxHTML\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid" = "FirefoxURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid" = "FirefoxHTML"

[HKCU\Software\Classes\FirefoxHTML]
"FriendlyTypeName" = "Firefox HTML Document"

[HKCU\Software\Classes\FirefoxURL\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKCU\Software\Classes\FirefoxURL]
"(Default)" = "Firefox URL"

[HKCU\Software\Classes\FirefoxHTML\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "FIREFOX.EXE"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe -osint -url %1"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe -osint -url %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid" = "FirefoxHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid" = "FirefoxHTML"

The Adware deletes the following registry key(s):

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
[HKCU\Software\Classes\https\shell\open\ddeexec]
[HKCU\Software\Classes\FirefoxHTML\shell\open\ddeexec]
[HKCU\Software\Classes\http\shell\open\ddeexec]
[HKCU\Software\Classes\FirefoxURL\shell\open\ddeexec]

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid"

The process regsvr32.exe:296 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCR\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0]
"(Default)" = "comextLib"

[HKCR\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Linkey\IEExtension\comext.dll"

[HKCR\Wow6432Node\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}\TypeLib]
"(Default)" = "{726E90BE-DC22-4965-B215-E0784DC26F47}"

[HKCR\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}]
"(Default)" = "IButtonExt"

[HKCR\Wow6432Node\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}]
"(Default)" = "IButtonExt"

[HKCR\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}\TypeLib]
"(Default)" = "{726E90BE-DC22-4965-B215-E0784DC26F47}"

[HKCR\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\CLSID\{C9776592-77D0-4C68-8F83-BC65F674B92A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{C9776592-77D0-4C68-8F83-BC65F674B92A}\TypeLib]
"(Default)" = "{726E90BE-DC22-4965-B215-E0784DC26F47}"

[HKCR\Wow6432Node\CLSID\{C9776592-77D0-4C68-8F83-BC65F674B92A}]
"(Default)" = "Linkey ButtonExt Class"

[HKCR\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{C9776592-77D0-4C68-8F83-BC65F674B92A}\Version]
"(Default)" = "1.0"

[HKCR\Wow6432Node\CLSID\{C9776592-77D0-4C68-8F83-BC65F674B92A}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Linkey\IEExtension\comext.dll"

[HKCR\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Linkey\IEExtension"

[HKCR\Interface\{33B0A3CE-0830-4EB8-9769-03470E57D571}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

The process %original file name%.exe:1652 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"DisplayIcon" = "%Program Files% (x86)\Linkey\uninstall.exe"

[HKCU\Software\Linkey]
"home" = "%Program Files% (x86)\Linkey"

[HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fpmeembnagmagppkgghhfjfdfajdfcah]
"Path" = "%Program Files% (x86)\Linkey\ChromeExtension\ChromeExtension.crx"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Linkey]
"LN" = "en"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fpmeembnagmagppkgghhfjfdfajdfcah]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"UninstallString" = "%Program Files% (x86)\Linkey\uninstall.exe"
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Linkey]
"clid" = "{03CB007A-DB84-45C8-A35E-78A28B4A8564}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"InstallLocation" = "%Program Files% (x86)\Linkey"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"Icon" = "%Program Files% (x86)\Linkey\IEExtension\icon.ico"

[HKCR\Applications\%original file name%.exe]
"IsHostApp" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"Default Visible" = "Yes"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"NoRepair" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"ButtonText" = "Linkey"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"DisplayName" = "Linkey"
"Traffic_type" = "n"

[HKCU\Software\Linkey]
"iTime" = "2014-08-27"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"CLSID" = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3B 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Linkey]
"iver" = "0.0.0.90"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"HotIcon" = "%Program Files% (x86)\Linkey\IEExtension\hoticon.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.24.7, , \??\C:\Windows\TEMP\GoogleUpdateSetup.exe1b71e, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\Helper.dll,"

[HKCU\Software\Linkey]
"AppID" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"DisplayVersion" = "0.0.0.90"

[HKCU\Software\Linkey]
"pver" = "0.0.0.90"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{DDF035BF-F2BE-497E-B8DD-3C6575A65BAB}]
"ClsidExtension" = "{C9776592-77D0-4C68-8F83-BC65F674B92A}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey]
"Publisher" = "Aztec Media Inc"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "A9 2D 66 83 CF C1 CF 01"

[HKCU\Software\Linkey]
"sysid" = "300"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "A9 2D 66 83 CF C1 CF 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
4e74897a2b5df1d35c4a42d47339f299 c:\Program Files (x86)\Linkey\Helper.dll
81c6a0ec6deb3c69b32624bd5034332c c:\Program Files (x86)\Linkey\IEExtension\comext.dll
2ca991e44756151dabe682bb9200b06f c:\Program Files (x86)\Linkey\Uninstall.exe
4e74897a2b5df1d35c4a42d47339f299 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\Helper.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Aztec Media Inc
Product Name: Linkey
Product Version: 0.0.0.90
Legal Copyright: Copyright (c) 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 0.0.0.90
File Description: Linkey - Install
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 26396 26624 4.50865 cb807804553819b70f6e16b8a094d327
.rdata 32768 6614 6656 3.48434 161b329b4c70ce4fbd9c1143e738896b
.data 40960 463772 512 1.20331 140876ba314e7bc36379ee5c6db80876
.ndata 507904 2740224 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 3248128 210304 210432 4.16968 3bd1bb0d92e05b6648764d3f75a5ef75

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

POST / HTTP/1.1
Host: ocsp.digicert.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 115
Content-Type: application/ocsp-request
Connection: keep-alive

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=518103
Content-Type: application/ocsp-response
Date: Wed, 27 Aug 2014 08:19:08 GMT
Etag: "53fd7d4b-1d7"
Expires: Tue, 02 Sep 2014 20:19:08 GMT
Last-Modified: Wed, 27 Aug 2014 06:40:11 GMT
Server: ECS (fra/D5BE)
X-Cache: HIT
Content-Length: 471

<<< skipped >>>

GET /statistics/client/install.php?systemid=300&os=6.1&is64=1&ver=0.0.0.90&type=New&appid=0&userHome=No&userToolbar=No HTTP/1.1
User-Agent: Brand HTTPConnection
Host: VVV.mlstat.com


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Aug 2014 08:18:45 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=30
X-Server: wadyn4


GET /?product=firefox-31.0-partial-29.0.1&os=win&lang=en-US HTTP/1.1
Host: download.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=300000-599999
Cookie: optimizelySegments={"245617832":"none","245875585":"direct","245677587":"ff","246048108":"false","869421433":"true"}; optimizelyEndUserId=oeu1401956287616r0.2603029596469415; optimizelyBuckets={}; __utma=150903082.1617578787.1401956289.1401956289.1401956289.1; __utmz=150903082.1401956289.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive


HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: bouncer5.webapp.phx1.mozilla.com
Cache-Control: max-age=60
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Aug 2014 08:19:12 GMT
Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/31.0/update/win32/en-US/firefox-29.0.1-31.0.partial.mar
Keep-Alive: timeout=3, max=500
Content-Length: 0
Connection: Keep-Alive
X-Cache-Info: cached


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Last-Modified: Tue, 26 Aug 2014 12:48:15 GMT
Expires: Tue, 02 Sep 2014 12:48:15 GMT
Content-Type: application/ocsp-response
content-transfer-encoding: binary
Content-Length: 1697
Cache-Control: max-age=534463, public, no-transform, must-revalidate
Date: Wed, 27 Aug 2014 08:23:29 GMT
Connection: keep-alive

<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 01 Jul 2014 05:04:34 GMT
Accept-Ranges: bytes
ETag: "924558f3e994cf1:0"
Server: Microsoft-IIS/8.5
VTag: 279238027700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Wed, 27 Aug 2014 08:23:34 GMT
Connection: keep-alive


GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 08 Aug 2014 05:04:30 GMT
Accept-Ranges: bytes
ETag: "3324a23cc6b2cf1:0"
Server: Microsoft-IIS/8.5
VTag: 791730025700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Wed, 27 Aug 2014 08:22:39 GMT
Connection: keep-alive



GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 22 Jul 2014 05:05:25 GMT
Accept-Ranges: bytes
ETag: "97fdf38b6aa5cf1:0"
Server: Microsoft-IIS/8.5
VTag: 791312957000000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Wed, 27 Aug 2014 08:22:39 GMT
Connection: keep-alive



GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 20 Jul 2014 05:04:43 GMT
Accept-Ranges: bytes
ETag: "dba99d1ed8a3cf1:0"
Server: Microsoft-IIS/8.0
VTag: 279852831300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Wed, 27 Aug 2014 08:22:39 GMT
Connection: keep-alive


GET /pub/firefox/releases/31.0/update/win32/en-US/firefox-29.0.1-31.0.partial.mar HTTP/1.1
Host: download.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=0-299999
Connection: keep-alive


HTTP/1.1 206 Partial Content
Last-Modified: Thu, 17 Jul 2014 05:53:21 GMT
ETag: "4ba84ce-141d0cc-4fe5d42161640"
Server: Apache
X-Backend-Server: ftp4.dmz.scl3.mozilla.com
Content-Type: application/octet-stream
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
X-Cache-Info: cached
Cache-Control: max-age=240615
Expires: Sat, 30 Aug 2014 03:09:22 GMT
Date: Wed, 27 Aug 2014 08:19:07 GMT
Content-Range: bytes 0-299999/21090508
Content-Length: 300000
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Last-Modified: Mon, 25 Aug 2014 06:37:34 GMT
Expires: Mon, 01 Sep 2014 06:37:34 GMT
Content-Type: application/ocsp-response
content-transfer-encoding: binary
Content-Length: 1967
Cache-Control: max-age=425643, public, no-transform, must-revalidate
Date: Wed, 27 Aug 2014 08:23:32 GMT
Connection: keep-alive

<<< skipped >>>

POST / HTTP/1.1
Host: gtssl-ocsp.geotrust.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 102
Content-Type: application/ocsp-request
Connection: keep-alive

0d0b0@0>0<0... ........?.~..`D..AatN.l...)...ByT.a.U >c.<HW...E.J....T..0.0... .....0...
0... .....0..
HTTP/1.0 200 Ok
last-modified: Tue, 26 Aug 2014 01:01:32 GMT
expires: Tue, 02 Sep 2014 01:01:32 GMT
content-type: application/ocsp-response
content-transfer-encoding: binary
content-length: 1359
cache-control: max-age=492144, public, no-transform, must-revalidate
date: Wed, 27 Aug 2014 08:19:08 GMT
connection: close

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?8a65426349699ba9 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Wed, 12 Mar 2014 20:20:10 GMT
ETag: "0b96c77303ecf1:0"
Date: Wed, 27 Aug 2014 08:23:28 GMT
Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Last-Modified: Tue, 26 Aug 2014 17:17:42 GMT
Expires: Tue, 02 Sep 2014 17:17:42 GMT
Content-Type: application/ocsp-response
content-transfer-encoding: binary
Content-Length: 1967
Cache-Control: max-age=550509, public, no-transform, must-revalidate
Date: Wed, 27 Aug 2014 08:23:29 GMT
Connection: keep-alive

<<< skipped >>>

POST / HTTP/1.1
Host: ocsp.thawte.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 115
Content-Type: application/ocsp-request
Connection: keep-alive

0q0o0M0K0I0... ........1....6..2\ch.-...a.I......4E@=..0O..>........j..R..MQ{...!,j..0.0... .....0...
0... .....0..
HTTP/1.0 200 Ok
last-modified: Sun, 24 Aug 2014 08:42:35 GMT
expires: Sun, 31 Aug 2014 08:42:35 GMT
content-type: application/ocsp-response
content-transfer-encoding: binary
content-length: 1417
cache-control: max-age=347009, public, no-transform, must-revalidate
date: Wed, 27 Aug 2014 08:19:06 GMT
connection: close

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?41d4b1b60abaf38a HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
Accept-Ranges: bytes
ETag: "0b2464b1797cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6408
Date: Wed, 27 Aug 2014 08:22:39 GMT
Connection: keep-alive

<<< skipped >>>

POST / HTTP/1.1
Host: gtssl-ocsp.geotrust.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 102
Content-Type: application/ocsp-request
Connection: keep-alive

0d0b0@0>0<0... ........?.~..`D..AatN.l...)...ByT.a.U >c.<HW...E.J.......0.0... .....0...
0... .....0..
HTTP/1.0 200 Ok
last-modified: Mon, 25 Aug 2014 22:26:32 GMT
expires: Mon, 01 Sep 2014 22:26:32 GMT
content-type: application/ocsp-response
content-transfer-encoding: binary
content-length: 1359
cache-control: max-age=482846, public, no-transform, must-revalidate
date: Wed, 27 Aug 2014 08:19:06 GMT
connection: close

<<< skipped >>>

GET /?product=firefox-31.0-partial-29.0.1&os=win&lang=en-US HTTP/1.1
Host: download.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=0-299999
Cookie: optimizelySegments={"245617832":"none","245875585":"direct","245677587":"ff","246048108":"false","869421433":"true"}; optimizelyEndUserId=oeu1401956287616r0.2603029596469415; optimizelyBuckets={}; __utma=150903082.1617578787.1401956289.1401956289.1401956289.1; __utmz=150903082.1401956289.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive


HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: bouncer1.webapp.scl3.mozilla.com
Cache-Control: max-age=60
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Aug 2014 08:18:52 GMT
Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/31.0/update/win32/en-US/firefox-29.0.1-31.0.partial.mar
Keep-Alive: timeout=3, max=495
Content-Length: 0
Connection: Keep-Alive
X-Cache-Info: cached


GET /pub/firefox/releases/31.0/update/win32/en-US/firefox-29.0.1-31.0.partial.mar HTTP/1.1
Host: download.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=300000-599999
Connection: keep-alive


HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Cache-Control: max-age=604800
Content-Range: bytes 300000-599999/21090508
Content-Type: application/octet-stream
Date: Wed, 27 Aug 2014 08:19:16 GMT
Etag: "4ba84ce-141d0cc-4fe5d42161640"
Expires: Wed, 03 Sep 2014 08:19:16 GMT
Last-Modified: Thu, 17 Jul 2014 05:53:21 GMT
Server: ECAcc (fra/D4CA)
X-Backend-Server: ftp8.dmz.scl3.mozilla.com
X-Cache: HIT
X-Cache-Info: caching
Content-Length: 300000

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Last-Modified: Sun, 24 Aug 2014 08:41:30 GMT
Expires: Sun, 31 Aug 2014 08:41:30 GMT
Content-Type: application/ocsp-response
content-transfer-encoding: binary
Content-Length: 1967
Cache-Control: max-age=346875, public, no-transform, must-revalidate
Date: Wed, 27 Aug 2014 08:23:35 GMT
Connection: keep-alive

<<< skipped >>>

The Adware connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ffExtension.exe:1688
    helper.exe:1912
    regsvr32.exe:296
    pack.exe:780
    %original file name%.exe:1652

  2. Delete the original Adware file.
  3. Delete or disinfect the following files created/modified by the Adware:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]\install.rdf (771 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]\skin\logo.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]\content\button.css (77 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]\content\action.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]\content\overlay.xul (658 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]\chrome.manifest (193 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\AppAssocReg.dll (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\ShellLink.dll (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv5DA.tmp\CityHash.dll (1613 bytes)
    %Program Files% (x86)\Linkey\IEExtension\comext.dll (98 bytes)
    %Program Files% (x86)\Linkey\IEExtension\icon.ico (1 bytes)
    %Program Files% (x86)\Linkey\ChromeExtension\ChromeExtension.crx (47 bytes)
    %Program Files% (x86)\Linkey\IEExtension\hoticon.ico (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsl6866.tmp\pack.exe (6714 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsv68F3.tmp (64 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\MoreInfo.dll (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsExec.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsDialogs.dll (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\Uninstall.exe (8214 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\FindProcDLL.dll (56 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\modern-header.bmp (2104 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\nsl6866.tmp\ffExtension.exe (3494 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Linkey.lnk (830 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\Helper.dll (31515 bytes)
    %Program Files% (x86)\Linkey\Uninstall.exe (1425 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\UAC.dll (29 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsa4347.tmp\System.dll (23 bytes)
    %Program Files% (x86)\Linkey\Helper.dll (10815 bytes)
    %Program Files% (x86)\Linkey\log.log (29266 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
