MD5: 6645561446eeeb98b7ed7df7aabf565c
SHA1: fcf3eb43fa12b23d1c737d72394a2e01b0774de6
SHA256: 1792bab633d27adf10437f285463e9e2e7747aa160864e7b8019a4c6a4ffabb1
SSDeep: 6144:/WmZJDSDDZnXI2i9RXXD3z5E9RBkiqpf8QBtxBS8oA:/duZ42ibz5EReNrdSa
Size: 213072 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AOL LLC.
Created at: 2009-07-21 17:14:14
Analyzed on: Windows7Ada SP1 64-bit

Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

roadie.exe:804
%original file name%.exe:2340
noneCodesignFilesBundle.exe:2800
flashax.exe:2252
sdclt.exe:2448

The Malware injects its code into the following process(es):

waol-0.4343.2046.1.exe:688

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process roadie.exe:804 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\browser\aolbwsrinst.exe (130170 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\msvcr9\msvc9rt.exe (130583 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\setup.exe (22520 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\gui.dll (61584 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acslaeu.exe (126024 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F8AAE6A916F668584D043F6543292194_D96BA187CDB0BBE4151F3618123F74F2 (1680 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\dnserrordiagoff_webOC[1] (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D285HURO\down[1] (748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7FDB.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (656 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tb\tbsetup.exe (53008 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HDZ3KS6S\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aolswfchk.dll (6797 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\AcsInstC.dll (5576 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5BF987767EE121EB773E3E93D13C2F30_8E045C5CB1F111608338D2D3A7DCEAD9 (1696 bytes)
C:\Windows\nsreg.dat (732 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\instSup.dll (10208 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\sysinfo\SinfInst.exe (91332 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5BF987767EE121EB773E3E93D13C2F30_8E045C5CB1F111608338D2D3A7DCEAD9 (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\ecuinst.exe (34008 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC (1212 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Retry AOL Desktop 9.7 Download.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7FDA.tmp (48 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flashPlayer\aolswfchk.dll (6744 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\instph.dll (12080 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_F9BDF410D651FF0504A529F7A107038D (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\browser\aolbwsrlp.exe (13488 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\instSup.dll (10208 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acsshutd.exe (1928 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpchk.dll (680 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpgc.exe (7776 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acslang.exe (185031 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\AcsInstA.dll (6592 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\noneCodesignFilesBundle.exe (5565160 bytes)
C:\IPH.PH (3670 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\wbsetup.exe (71832 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F8AAE6A916F668584D043F6543292194_D96BA187CDB0BBE4151F3618123F74F2 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HDZ3KS6S\httpErrorPagesScripts[1] (8 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\parcon\AOLParconLink.exe (7336 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~r1F3.tmp (3176 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\ocpinst.exe (518187 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\toolbar\aol_trio.exe (1182424 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flashPlayer\install_flash_player_11_plugin.exe (2272819 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\info_48[1] (4 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\search\aolSearchInstaller.exe (1928 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acsrollb.exe (18800 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\comps\acscore.exe (159846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\registry.dat (732 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (1360 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\ecuchk.dll (392 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\waol-0.4343.2046.1.exe (173242 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_F9BDF410D651FF0504A529F7A107038D (1536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D285HURO\errorPageStrings[1] (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\postproc.exe (4712 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\AcsInstA.dll (6592 bytes)

The process %original file name%.exe:2340 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\message.js (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.exe (7392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.bin (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Preparing.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Progress.htm (804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dlgui.dll (25824 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\NoFiles.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscFC88.tmp\CertHelper.dll (1913 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscFC87.tmp (23759 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\NoQualify.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Error.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Cancelled.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dlgui.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\FailedLaunch.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\NoConn.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Grats.htm (792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\DownloadError.htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\Cancelling.htm (987 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\html\CancelConfirm.htm (993 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscFC88.tmp\System.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.ini (608 bytes)

The process waol-0.4343.2046.1.exe:688 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flash\flashax.exe (146 bytes)
C:\Users\Public\Desktop\AOL Desktop 9.7 Install.lnk (1 bytes)
C:\IPH.PH (316 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (4432 bytes)

The process noneCodesignFilesBundle.exe:2800 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\progress.xml (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\gui.ini (8 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\txt\CLIENTDETAILS.txt (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\installer.swf (7168 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\rbm.bin (13 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\txt\PRIVACY.txt (12 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\message.xml (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\VMPCache.mtz (8 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\error.xml (361 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\installOmniture.ini (56 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tb\tbinst.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\txt\EULA.txt (26 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\setup.ini (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\muinst\muinst.exe (14600 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\style.xml (953 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\VPPrePop.exe (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\acs\backup.ini (2 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\Dacldll.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\AOLVPChk.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\tpspd\tsverchk.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\installOmniture.loc (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\media.ini (128 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\sysinfo\SiNdInst.dll (1568 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\flash\flashax.exe (39122 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\Vwpt.exe (61190 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\default.xml (1 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\marketing.xml (5 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\xml\screens.xml (3 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps\vwpt\AOLTheme.mtx (387 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comp01.000 (563011 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\media\txt\TOS.txt (27 bytes)
C:\ProgramData\AOL Downloads\waol\0.4343.2046.1\comps.ini (7 bytes)

The process flashax.exe:2252 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\734B.tmp (626 bytes)
C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx (732 bytes)
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.dll (311 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\734C.tmp (464 bytes)
C:\Windows\SysWOW64\Macromed\Flash\FlashInstall.log (1 bytes)
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe (464 bytes)

Registry activity

The process roadie.exe:804 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\America Online\IPH\waol_0.4343.2046.1]
"DLComplete" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\America Online\VID]
"VID" = "4603272406744064-632422412535335"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\America Online\IPH\waol_0.4343.2046.1]
"SuperAttemptID" = "0EBFFB52-E225-4A71-BF94-6351C1FE6C21"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionTime" = "42 70 C0 A2 F4 78 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2D 85 33 3A 90 73 D0 01"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\%original file name%.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.exe,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKLM\SOFTWARE\Wow6432Node\{31ADB854-D2B8-4bcd-A48B-0284831E89C5}]
"0" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\roadie.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Wow6432Node\America Online\IPH\waol_0.4343.2046.1]
"DLResSessions" = "0"
"DLSessions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadNetworkName" = "Network 4"

[HKLM\SOFTWARE\Wow6432Node\America Online\IPH\waol_0.4343.2046.1]
"CDSessions" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3921C115C15D0ECA5CCB5BC4F07D21D8050B566A]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 B3 1D A1 8F"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 32 7F C4 47"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A1446BCE0C874DF0F2C3F61DA5C9A2BCF9DAB204]
"Blob" = "14 00 00 00 01 00 00 00 14 00 00 00 61 A6 99 6D"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "37"

[HKLM\SOFTWARE\Wow6432Node\America Online\IPH\waol_0.4343.2046.1]
"InstSessions" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\{31ADB854-D2B8-4bcd-A48B-0284831E89C5}]

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"3921C115C15D0ECA5CCB5BC4F07D21D8050B566A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"503006091D97D4F5AE39F7CBE7927D7D652D3431"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates]
"A1446BCE0C874DF0F2C3F61DA5C9A2BCF9DAB204"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process %original file name%.exe:2340 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3921C115C15D0ECA5CCB5BC4F07D21D8050B566A]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 39 21 C1 15"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A1446BCE0C874DF0F2C3F61DA5C9A2BCF9DAB204]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 A1 44 6B CE"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\%original file name%.exe,"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"3921C115C15D0ECA5CCB5BC4F07D21D8050B566A"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates]
"A1446BCE0C874DF0F2C3F61DA5C9A2BCF9DAB204"

The process waol-0.4343.2046.1.exe:688 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "42 70 C0 A2 F4 78 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\America Online\VID]
"VID" = "5533042191867904-114271311508728"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadNetworkName" = "Network 4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionReason" = "1"

"WpadDecisionTime" = "9A 2E E5 BD F4 78 D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The Malware disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AOLRebootNeeded"

The process flashax.exe:2252 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
"(Default)" = "0"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"Policy" = "3"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
"(Default)" = "FlashBroker"

[HKCR\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}]
"(Default)" = "IFlashObject"

[HKCR\MIME\Database\Content Type\application/futuresplash]
"Extension" = ".spl"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer]
"currentVersion" = "10,1,53,64"

[HKCR\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
"LocalizedString" = "@C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe,-101"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper]
"(Default)" = "Macromedia Flash Paper"

[HKCR\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"Version" = "1.0"

[HKCR\ShockwaveFlash.ShockwaveFlash]
"(Default)" = "Shockwave Flash Object"

[HKCR\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"8.0" = "42"

[HKCR\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"VersionMinor" = "1"

[HKCR\ShockwaveFlash.ShockwaveFlash\CurVer]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.10"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
"(Default)" = "IShockwaveFlash"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"URLInfoAbout" = "http://www.adobe.com"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Macromedia Flash Factory Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.1]
"(Default)" = "Shockwave Flash Object"

[HKCR\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"URLUpdateInfo" = "http://www.adobe.com/go/getflashplayer/"

[HKCR\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"VersionMajor" = "10"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
"(Default)" = "_IShockwaveFlashEvents"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
"(Default)" = "IFlashBroker4"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"

[HKCR\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"9.0" = "17235968"

[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
"(Default)" = ""

[HKCR\FlashFactory.FlashFactory.1]
"(Default)" = "Macromedia Flash Factory Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.8]
"(Default)" = "Shockwave Flash Object"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}]
"(Default)" = "IFlashObject"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\FlashFactory.FlashFactory\CurVer]
"(Default)" = "FlashFactory.FlashFactory.1"

[HKCU\Software\Macromedia\FlashPlayer]
"FlashPlayerVersion" = "10.1.53.64~installVector=1"

[HKCR\ShockwaveFlash.ShockwaveFlash.10\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX]
"Version" = "10.1.53.64"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"NoModify" = "1"

[HKCR\ShockwaveFlash.ShockwaveFlash.6]
"(Default)" = "Shockwave Flash Object"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"10.0" = "3473472"

[HKCR\.mfp]
"(Default)" = "MacromediaFlashPaper.MacromediaFlashPaper"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX]
"PlayerPath" = "C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayVersion" = "10.1.53.64"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe,1"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe -osint -url %1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"NoRepair" = "1"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
"(Default)" = "Shockwave Flash"

[HKCR\.spl]
"Content Type" = "application/futuresplash"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx, 1"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx"

[HKCR\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
"(Default)" = "IShockwaveFlash"

[HKCR\.swf]
"Content Type" = "application/x-shockwave-flash"

[HKCR\FlashFactory.FlashFactory.1\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"6.0" = "88"

[HKCR\ShockwaveFlash.ShockwaveFlash.8\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "FlashFactory.FlashFactory.1"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\SysWOW64\Macromed\Flash\Flash10h.ocx, 1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"AppPath" = "C:\Windows\SysWOW64\Macromed\Flash"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX]
"UninstallerPath" = "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe"

[HKCR\ShockwaveFlash.ShockwaveFlash.3]
"(Default)" = "Shockwave Flash Object"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"HelpLink" = "http://www.adobe.com/go/flashplayer_support/"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\ShockwaveFlash.ShockwaveFlash.7]
"(Default)" = "Shockwave Flash Object"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"AppName" = "FlashUtil10h_ActiveX.exe"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"RequiresIESysFile" = "4.70.0.1155"

[HKCR\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
"(Default)" = "_IShockwaveFlashEvents"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags" = "65536"

[HKCR\FlashFactory.FlashFactory]
"(Default)" = "Macromedia Flash Factory Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.5]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.7\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
"(Default)" = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKCR\ShockwaveFlash.ShockwaveFlash.9]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.4\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"UninstallString" = "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe -maintain activex"
"DisplayName" = "Adobe Flash Player 10 ActiveX"

[HKCR\ShockwaveFlash.ShockwaveFlash\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\.sol]
"Content Type" = "text/plain"

[HKCR\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"

[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"Extension" = ".swf"

[HKCR\.sor]
"Content Type" = "text/plain"

[HKCR\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
"(Default)" = "FlashBroker"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Shockwave Flash Object"

[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"7.0" = "73"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"Publisher" = "Adobe Systems Incorporated"

[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.10"

[HKCR\MIME\Database\Content Type\application/futuresplash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\.swf]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"

[HKCR\.spl]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"

[HKCR\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\ShockwaveFlash.ShockwaveFlash.6\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.4]
"(Default)" = "Shockwave Flash Object"

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "FlashFactory.FlashFactory"

[HKCR\.mfp]
"Content Type" = "application/x-shockwave-flash"

[HKCR\ShockwaveFlash.ShockwaveFlash.5\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
"(Default)" = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"EstimatedSize" = "6144"

[HKCR\ShockwaveFlash.ShockwaveFlash.1\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.10]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.3\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\FlashFactory.FlashFactory\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayIcon" = "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe"

[HKCR\ShockwaveFlash.ShockwaveFlash.9\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

The Malware deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]

The process sdclt.exe:2448 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Sysinternals\SigCheck]
"EulaAccepted" = "1"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: AOL LLC.
Product Name: AOL Download Utility
Product Version: 0.4343.2046.1.1
Legal Copyright: Copyright (c) 2004-2008 - AOL LLC. All Rights Reserved.
Legal Trademarks: AOL is a trademark of AOL LLC.
Original Filename: AOL_Desktop_9.7.exe
Internal Name:
File Version: 0.4343.2046.1.1
File Description: AOL Download Utility 0.4343.2046.1.1
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c811f53d313ecf39
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEA/folAAtu2XY7/sias/UTw=
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/roadie1.8.4.1/roadie.loc
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/flashPlayer/aolswfchk.dll
hxxp://aol.122.2o7.net/b/ss//6
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/noneCodesignFilesBundle.exe
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9bae0654c986f0bb
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/503006091D97D4F5AE39F7CBE7927D7D652D3431.crt?cea8345e4b49256e
hxxp://e6913.dscx.akamaiedge.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTXgePhfsJco9hFmE0qWx1GtVqUPQQUKnCVOp/2k8XzisWoY7s9lCzmygcCBEwOjDo=
hxxp://e6913.dscx.akamaiedge.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBS6T8q7hSNQhIXIQ0oIkBdHhARt9wQUp7GqxLYG7d3Kn4iUloLV50NB0SUCBEwXaMs=
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/waol-0.4343.2046.1.exe
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c47dea64dd07db25
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/ecuinst.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsshutd.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/AcsInstA.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslang.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/instSup.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/search/aolSearchInstaller.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstA.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/setup.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/instph.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/toolbar/aol_trio.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstC.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/postproc.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpchk.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/instSup.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/tb/tbsetup.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpinst.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/sysinfo/SinfInst.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/msvcr9/msvc9rt.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/gui.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslaeu.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrlp.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpgc.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrinst.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/ecuchk.dll
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/tpspd/wbsetup.exe
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsrollb.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/parcon/AOLParconLink.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acscore.exe
hxxp://ftp-newaol.egslb.aol.com/clients/bush/waol/0.4343.2046.1/comps/flashPlayer/install_flash_player_11_plugin.exe
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k=
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/gui.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/instSup.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/waol-0.4343.2046.1.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/ecuinst.exe	149.174.149.63
hxxp://ocsp.entrust.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTXgePhfsJco9hFmE0qWx1GtVqUPQQUKnCVOp/2k8XzisWoY7s9lCzmygcCBEwOjDo=	95.100.77.22
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpinst.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/parcon/AOLParconLink.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrinst.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/tpspd/wbsetup.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/search/aolSearchInstaller.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/instph.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/postproc.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/toolbar/aol_trio.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstA.dll	149.174.149.63
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c811f53d313ecf39	87.245.216.19
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpchk.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslang.exe	149.174.149.63
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	87.245.216.33
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl	87.245.216.33
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrlp.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsshutd.exe	149.174.149.63
hxxp://instlxml1.sa.aol.com/b/ss//6	66.235.153.36
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/ecuchk.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpgc.exe	149.174.149.63
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=	23.51.123.27
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslaeu.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/msvcr9/msvc9rt.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/tb/tbsetup.exe	149.174.149.63
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k=	23.51.123.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	87.245.216.33
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstC.dll	149.174.149.63
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=	23.51.123.27
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	87.245.216.33
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/sysinfo/SinfInst.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acscore.exe	149.174.149.63
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=	23.51.123.27
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/instSup.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/AcsInstA.dll	149.174.149.63
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c47dea64dd07db25	87.245.216.19
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsrollb.exe	149.174.149.63
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=	23.51.123.27
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/noneCodesignFilesBundle.exe	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/flashPlayer/aolswfchk.dll	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/flashPlayer/install_flash_player_11_plugin.exe	149.174.149.63
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEA/folAAtu2XY7/sias/UTw=	23.51.123.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/503006091D97D4F5AE39F7CBE7927D7D652D3431.crt?cea8345e4b49256e	87.245.216.19
hxxp://ocsp.entrust.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBS6T8q7hSNQhIXIQ0oIkBdHhARt9wQUp7GqxLYG7d3Kn4iUloLV50NB0SUCBEwXaMs=	95.100.77.22
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/roadie1.8.4.1/roadie.loc	149.174.149.63
hxxp://download.newaol.com:80/clients/bush/waol/0.4343.2046.1/comps/acs/setup.exe	149.174.149.63
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=	23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=	23.51.123.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9bae0654c986f0bb	87.245.216.19

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

HEAD /clients/bush/waol/0.4343.2046.1/comps/search/aolSearchInstaller.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:23 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 24392

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:23 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/flashPlayer/install_flash_player_11_plugin.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:56:01 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 17736296

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:06:01 GMT

Keep-Alive: timeout=2, max=98

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......W`.<...o.
..o...o.y.o...o4..o...o4..o...o...o...o.y.o*..o.y.o...o.y.o...o.S.o...
o...o...o.y.o...oRich...o........PE..L......Q.................z.......
[email protected].....@............
.............P.......<........@..._..............h.......d...`.....
..............................@.......................................
.....text....x.......z.................. ..`.rdata...f.......h...~....
..........@[email protected]....>[email protected]...._...
@...`..................@[email protected]..."[email protected]...
......................................................................
......................................................................
......................................................................
......................................................................
.......................................................j..V.t$..D6....
...P.;k..Y.p..@...@.......^.... ..`......L$......I..H.....t..........t
..@. A..3......t..I..DH..3..VW.|$...................;.~.2.. .B........
LA..G....DB...NHHf..IIf;.u...u..._^...V.t$...W............w...;.~.2..0
.j....J. ........LA..F..DB...O@@f..AAf;.u...u..._^......L$.V..........
%...;.^[email protected][email protected]. [email protected]
...TB.......ABBOu._^.....[.....u...P..I.SVW3..tH.2.....vI...f..0s.f..9
v.@@Ju...v1;.v.f.x.-u......f..0r.f..9w.k..@...@J.|..u...t....._^[.
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpgc.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:48 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 62248

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:48 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$............c...c..
.c...o...c...o...c...o...c...o...c...k...c..(k...c...c..pc..%t...c...k
...c..(k...c..%t...c..Gh...c..%t...c..Rich.c..................PE..L...
.}.H.................`...p.......g.......p....@.......................
..........~...........................................................
........([email protected]
...............................text...._.......`.................. ..`
.rdata...G...p...P...p..............@[email protected].....................
[email protected]...............................@..@....................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/ecuinst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:13 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 260120

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:13 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

POST /b/ss//6 HTTP/1.1

Host: instlxml1.sa.aol.com

Connection: close

Content-Length: 454

<?xml version="1.0" encoding="UTF-8"?><request><events>event1</events><eVar1>Download | Roadie | waol_0.4343.2046.1 | Application Start</eVar1><prop1>cmp :</prop1><prop2>cmp :</prop2><prop49>xml api</prop49><prop16>Roadie | App Start | waol_0.4343.2046.1</prop16><reportsuiteid>aoljet</reportsuiteid><pagename>cmp : Roadie - App Start</pagename><visitorid>4603272406744064-632422412535335</visitorid><prop3>gmt_5</prop3><prop24>uaid_na</prop24></request>
HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:54:39 GMT

Server: Omniture DC/2.0.0

Access-Control-Allow-Origin: *

X-C: ms-4.9.4

Expires: Thu, 16 Apr 2015 09:54:39 GMT

Last-Modified: Sat, 18 Apr 2015 09:54:39 GMT

Cache-Control: no-cache, no-store, max-age=0, no-transform, private

Pragma: no-cache

ETag: "5530D85F-CAEB-7ACCE06F"

Vary: *

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"

xserver: www594

Content-Length: 64

Content-Type: text/xml

Connection: close
<?xml version="1.0" encoding="UTF-8"?>.<status>SUCCESS<
/status>...

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=338134, public, no-transform, must-revalidate

Last-Modified: Tue, 14 Apr 2015 07:54:56 GMT

Expires: Tue, 21 Apr 2015 07:54:56 GMT

Date: Fri, 17 Apr 2015 09:59:22 GMT

Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015041
4075456Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20150414075456Z....20150421075456Z0...*.H........
[email protected]...>5...B.hdp.~..$9...d...Tx\.....<9i..m?...W..!.#..
...b...4.e...:..3...6p.L.U...s.y.8.....(e.. ........,....-.C.........)
.6..qb..E..B.. .aJ....So.^.U...{.z.GD5..}0...z.M..'...i5...m.)L.qT....
op....P|'S..7.......U.P..6.{jk..z.J..-.9d.."[...u05.WE}_....#0...0...0
..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
......m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...n
z(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*].
..*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...
:.C.Q.i~rl..<..krS..8.B..o][email protected]...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrinst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:53 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1096736

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:53 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........L...L...
L.......M.......M..._...N.......F.......I...L.......I...G.......M...I.
..M...RichL...........PE..L...<.6D.................|...........;...
.........@.................................<.......................
.........................p..................h.........................
...................................................................tex
t...bz.......|.................. ..`.rdata...3.......4................
..@[email protected][email protected]..................
.................rsrc........p......................@..@..............
......................................................................
......................................................................
......................................................................
......................................................................
..................................................U....\.}..t .}.F.E.u
[email protected][email protected]
...t.@..}..e....@[email protected]... M.........3..M.....FQ.....NU..
M..........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...
[email protected]}[email protected].}.j.W.E......E.......L.@.
[email protected][email protected] ....E..E.Pj.h..B.W..|[email protected].....
@._^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....
t.G.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV.
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/waol-0.4343.2046.1.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:11 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1584744

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:11 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/ecuchk.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:55 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 11080

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:55 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$......./V.hk7.;k7.;
k7.;.(.;i7.;.(.;o7.;...;i7.;.?.;l7.;k7.;d7.;n;.;j7.;. .;j7.;. .;j7.;.&
lt;.;j7.;. .;j7.;Richk7.;........PE..L...Z..L...........!.............
............ ...............................`.......h.................
.............."..n.... [email protected] .......
........................................ ..H..........................
..text...(........................... ..`.rdata..f.... ...............
.......@[email protected]...,[email protected]....@.....
.................@[email protected][email protected].........
......................................................................
......................................................................
......................................................................
......................................................................
................................................L$....SW.D$.P3.Q...^..
......;.......UW... .......;........T$..D$.UWRP.......tk.L$.Q.T$.Rhl .
.U.d.....tR.L$...A......F.....A.......^......^...A....~...............
.~...A.............F...U..( .....]_..[...._..[.......................0
..3.SV..$.....D$.Ph....j.h. ..h......2.... ....uW.L$.Q.L$..T$.R.D$.Pj.
h. ..Q.D$$....... ....u.hp ...T$.R..0 ...D$.P...........L$.Q... ....$.
...^..[3..7........................0.....0..3...$....h.....D$.PQ.D$...
.. ..........V.T$.R.t$..)........t}.L$........tp.D$..L$.;..T$..t$.
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslaeu.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:45 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 974344

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:45 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstA.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:24 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 46184

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:24 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........b..N...N...
N...]...O...!...L.......M...!...J...K...O.......X...]...L.......I...N.
..........L.......O.......O.......O...RichN...........................
[email protected]....................
...................................................f..j...l^..x.......
................h............Q........................................
.......P..x............................text....9.......@..............
.... ..`.rdata..z....P... ...P..............@[email protected]
[email protected]...............................@[email protected]...
[email protected]..........................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslaeu.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:45 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 974344

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:45 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........L...L...
L.......M.......M..._...N.......F.......I...L.......I...G.......M...I.
..M...RichL...........PE..L...<.6D.................|...........;...
.........@............................................................
.........................................h............................
................................................................text..
.bz.......|.................. ..`.rdata...3.......4..................@
[email protected][email protected].....................
..............rsrc...............................@..@.................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
t.@..}..e....@[email protected]... [email protected]
[email protected][email protected].`...3..k...
[email protected]...;.........t.B..}........j.....@........}....B. ....
[email protected])...t....@..@.@.......@.@
....@...@[email protected][email protected]..]:[email protected].
[email protected][email protected][email protected].... .B.
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/postproc.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:33 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 35432

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:33 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstC.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:33 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 37992

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:33 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......\./d..A7..A7
..A7..(7..A7w.E7..A7..O7..A7w.K7..A7..!7..A7..!7..A7...7..A7...7..A7..
@7f.A7..%7..A7...7..A7...7..A7...7..A7Rich..A7................PE..L...
.,.R...........!.....0...........0.......@............................
..........\...............................0J..j....D..d...............
........h.......d....A...............................................@
...............................text....#.......0.................. ..`
.rdata.......@.......@..............@[email protected]........
[email protected]................`..............@[email protected]...........
[email protected]..................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/ecuinst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:13 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 260120

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:13 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........Jr..Jr..
[email protected]~..Cr...y..Kr..O~
..Kr..RichJr..........................PE..L....f.B.................f..
.........:[email protected].......,............
................................... ..................H...............
......................................................................
.......text....d.......f.................. ..`.rdata..r............j..
............@[email protected][email protected]
...........................rsrc........ ......................@..@....
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
..cB..H.P.u..u..u...`[email protected][email protected].@
..}..e....@[email protected]... M.........3..M.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...D.@[email protected]
....E..9}[email protected].}[email protected]..
[email protected][email protected] ....E..E.Pj.h.[[email protected].@._^3.
[.....L$...dB...i......T.....tUVW.q.3.;5.dB.sD..i......D..S.....t.G...
..t...O..t .....u...3....3...F.....;5.dB.r.[_^...U..QQ.U.SV..i....
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsshutd.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:14 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 21608

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:14 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.thawte.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1396

content-transfer-encoding: binary

Cache-Control: max-age=581692, public, no-transform, must-revalidate

Last-Modified: Fri, 17 Apr 2015 03:30:03 GMT

Expires: Fri, 24 Apr 2015 03:30:03 GMT

Date: Fri, 17 Apr 2015 09:59:19 GMT

Connection: keep-alive
0..p......i0..e.. .....0.....V0..R0......Qw.}`[email protected]
7033003Z0s0q0I0... ........l....r.vdv0..*.~Y..X....e?z.4..G.L.......q.
.%Qq.........w.O.....20150417033003Z....20150424033003Z0...*.H........
......<.t.72.....&.Rtn....} ....-G....... ...9...E...M.I.E..:...M.=
.8v..*.b.Ê[email protected]....[(j..K.
t.d.....!.....j.....(f.C*. I.......N.....rU.x.U..9.9$..L..|(t.w-aR<
.0,(..'L$ ...L..[.......v.......w{{.w)s...i.d~.....M...;~....0...0...0
..y.......^..........N...)0...*.H........0J1.0...U....US1.0...U....Tha
wte, Inc.1$0"..U....Thawte Code Signing CA - G20...150303000000Z..1506
01235959Z0Y1.0...U....US1.0...U....Thawte, Inc.1301..U...*Thawte Code 
Signing CA - G2 OCSP Responder0.."0...*.H.............0............).Z
.......O.~.l...,\.3.".'.'W .ih./..}OA...K...HJd....K^..<.....-.rWJ.
j.U.._......W.../.6....J.y.u-.\...2..U.52B.>...=F...RbR.y.zm.......
{b.bj....Y..J..m...*=.^......V.}p......rmA......9.L ...{?.g.-Y........
....8...k.$.:.5..6#4..F.#....t.B.8.O)'F.p).........d0b0...U....0.0...U
.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U..
..TGV-B-32450...*.H..............C.....8.Aw.{....`...y1N...W4M..M.J.3~
..7#}..X..:x..5....$...Z^%.?6..e...}I.)....... .A.w......_...B..j.T..Y
u.o.....g....H....q.Ju.SA`K.....~..O_.....S....I>..O.X..E.......]..
.y..L..F....K......../...._XSk6.:a};.?`...:^.....p....4Z.3L;.......t..
..>.....j....
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/noneCodesignFilesBundle.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:54:40 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 42987344

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:04:40 GMT

Keep-Alive: timeout=2, max=98

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1552

content-transfer-encoding: binary

Cache-Control: max-age=354558, public, no-transform, must-revalidate

Last-Modified: Tue, 14 Apr 2015 12:25:08 GMT

Expires: Tue, 21 Apr 2015 12:25:08 GMT

Date: Fri, 17 Apr 2015 09:59:31 GMT

Connection: keep-alive
0..........0..... [email protected]
4122508Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.
8........c..uU..$.;.....20150414122508Z....20150421122508Z0...*.H.....
........nr.3...bK.....r.......e....A...tF..uTPG..5.....R.4..........U.
...>{.p.....g......Qz....G...r.....e.....$..Om.3.r....m...........h
..Ra>F..P..z.........j..........U.Y.Cppv..B...V...Z.ka0.w.T.....l..
*.....9.=n......p... ..o..../j....9V....J.t*....J.W*..B'.......50..10.
.-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Auth
ority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only
1.0...U....VeriSign Trust Network0...141202000000Z..151216235959Z0..1.
0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Ne
twork1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 3
0.."0...*.H.............0..........6..]......w';.r........I..c..4.... 
.........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....e.^-..
a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<./.G..
...I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I...B...
..=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. 
.........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.
com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0..
.0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i..Z.r.
*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.....f.
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=403200, public, no-transform, must-revalidate

Last-Modified: Wed, 15 Apr 2015 01:55:09 GMT

Expires: Wed, 22 Apr 2015 01:55:09 GMT

Date: Fri, 17 Apr 2015 09:59:31 GMT

Connection: keep-alive
0..........0..... .....0......0...0......%bn.$..5.......?'4....2015041
5015509Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#.
...M....=....x..":...K.....20150415015509Z....20150422015509Z0...*.H..
.............ny.*..<biwZX.....V....$`*...Y.Hs.....?./k.7.....i...R.
rW.FxvW6D...0}.-.a.......>....~NG.M...T....y.....Q..A3..........)..
..D.........j..'ox...q@.}.....9;d....6n.."....`#Su1V(.H......).EU%.eO.
.........h..)G.). .\:......R...T..Ip.=f.h6..]......../.....A.......0..
.0...0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0...U
....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of
 use at hXXps://VVV.ve..

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsrollb.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:57 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 148480

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:57 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........L...L...
L.......M.......M..._...N.......F.......I...L.......I...G.......M...I.
..M...RichL...........PE..L...<.6D.................|...........;...
.........@............................................................
....................................../..h............................
................................................................text..
.bz.......|.................. ..`.rdata...3.......4..................@
[email protected][email protected].....................
..............rsrc...............................@..@.................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
t.@..}..e....@[email protected]... M.........3..M.....FQ.....NU..M..
........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@
..u....E..9}[email protected].}[email protected]
[email protected][email protected] ....E..E.Pj.h..B.W..|[email protected].....@._
^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G
.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpinst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:37 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 4020768

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:37 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/instph.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:26 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 93800

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:26 GMT

Keep-Alive: timeout=2, max=99

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..........oSp.<S
p.<Sp.<V|.<Hp.<V|.<2p.<@x.<Qp.<.x.<Up.<.
S.<Pp.<Sp.<?p.<V|.<@p.<V|.<Rp.<.{.<Rp.<V
|.<Rp.<RichSp.<........................PE..L...'..E..........
.!................ag...............................................q..
............................P....@.. ...x....................Z..h.....
..l.......................................H...........................
.................text............................... ..`.rdata..0e....
...f..................@[email protected][email protected]
c................B..............@[email protected]............
[email protected]................................................................
......................................................................
......................................................................
......................................................................
..............................................U........h..........P..l
...h..........P.........p.........Ph.\....t.....V.t$......P..:....Yt.F
....u.3.@^.3.^.U..QQ.E...M..e..SV3.W.|..C;[email protected]..
u.3..E..u...F.>.u.F;.r.f.}..v.h.\..j.j..u...h....u...:..Y_^[..U....
$...SV3.W.u..u..E...........u..r;..P.s9..YY..\..S.E.h..........P.u...`
.....f................u...d...............;..M.s.....E.V..;..P..9...e.
..}..Y..Y.}.~..E. ...:..u/.E..M.@9M.|..E..}..t..e...u..u.V..:..f;E
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/postproc.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:33 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 35432

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:33 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........`3M..]...].
..].J.....].."A...].......].J.....].3"D...]...\...]...9...].%.....]...
....].Rich..].........................PE..L......E.................T..
.$......V........p....@..................................!............
..........................D...........p............v..h...............
.............................................p........................
.......text...8S.......T.................. ..`.rdata.......p.......X..
............@[email protected][email protected].....
.......p..............@..@............................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................j.h....j.j.j.h.....t$....p
@[email protected][email protected]@..}..t.j\.......OO....Y
[email protected].[;..E.|=W.=.p@..........<\u.j.......P.......\..
..u.j.......P..C;].~._^[..U....,[email protected]@[email protected]@.P..
.p@...t3.M.Q.M.Q.M.Q.M.Q....t..M.......v.......E............E.P.E.P.E.
[email protected]@[email protected]
@[email protected]..<[email protected]
[email protected]@[email protected]@[email protected].....
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/sysinfo/SinfInst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:41 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 716072

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:41 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/noneCodesignFilesBundle.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:54:40 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 42987344

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:04:40 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..........,K|..K|..
K|...t..J|..._..J|..Xt..I|...t..A|..._..N|..K|...|..Np..A|...w..J|..Np
..J|..RichK|..................PE..L...1.eJ.................j..........
[email protected]....................
..................T...........................h.......................
.....................................................................t
ext....h.......j.................. ..`.rdata........... ...n..........
....@[email protected][email protected]....... ........
...................rsrc...............................@..@............
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
...C..H.P.u..u..u...`[email protected][email protected].@
..}..e....@[email protected]... M.........3..M.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...D.@[email protected]
....E..9}[email protected].}[email protected]..
[email protected][email protected] [email protected].@._^3.
[.....L$....C...i......T.....tUVW.q.3.;5..C.sD..i......D..S.....t.G...
..t...O..t .....u...3....3...F.....;5..C.r.[_^...U..QQ.U.SV..i....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=448244, public, no-transform, must-revalidate

Last-Modified: Wed, 15 Apr 2015 14:29:54 GMT

Expires: Wed, 22 Apr 2015 14:29:54 GMT

Date: Fri, 17 Apr 2015 09:59:17 GMT

Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015041
5142954Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
..M.s.Q~...@?j.......20150415142954Z....20150422142954Z0...*.H........
.....P[.58K.E...V F.?.22.u..p..A..1m...* ..{.k..(......!..k'..^....M..
.ms%_.o..9.Da....A.......).5..j4M..._3..4........l......p..4.y;....o.2
.....:....V#...O.r.\}*M...p.C9....R..7V6....Y5N....X.XQ(@F....F...w.#.
[email protected].&........^.......r......v.....#0...0...0......
....r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign
, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at http
s://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing
 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....V
eriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use 
at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Co
de Signing 2009-2 OCSP Responder0.."0...*.H.............0.............
m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V
7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*...
.{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.
i~rl..<..krS..8.B..o][email protected]
.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.c
om/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by
 reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........
0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H......
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=597895, public, no-transform, must-revalidate

Last-Modified: Fri, 17 Apr 2015 08:00:00 GMT

Expires: Fri, 24 Apr 2015 08:00:00 GMT

Date: Fri, 17 Apr 2015 09:59:31 GMT

Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015041
7080000Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
....^[email protected]...*.H........
.....A..`.............Q.q..M....mq'.9.*..u..Y....TU..!T..J...i.Apu.q.e
,.9.v...D......i...-.;.a.....e..z.)Et....x..4\j..<.....B[.........3
......}..@<.6..:B"...^.....%.H.u4........{.B.M..].b....*..Q.8......
.._....C.fg.....Zs3.r....n|..t'..t..F...o....T.p...*3:..!...#0...0...0
..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
......m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...n
z(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*].
..*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...
:.C.Q.i~rl..<..krS..8.B..o][email protected]...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsshutd.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:14 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 21608

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:14 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........E... ... .
.. ...B... .../... .v.%... ...!... ...v... .v.v... ...*... ...K... .{.
K... ...u... .{.q... .Rich.. .........................PE..L....,.R....
.............*...........6.......@[email protected]....
...[.......................................F..d....`..x............@..
h............@...............................................@........
.......................text....).......*.................. ..`.rdata..
.....@......................@[email protected].......:..............@.
...rsrc...x....`.......<..............@..@.........................
......................................................................
......................................................................
......................................................................
......................................................................
[email protected]@.j.j.
j...$......0@@.....tB..T@@.=....u...$......$....PQ.T$.h....R..h@@.....
D$.P..X@@.V..`@@...$....^3...%[email protected]..$t.
..U..$|...V..$t...W3.......|$ [email protected]$h.D$.Q.D$(D....D$$.. @
@..5.@@[email protected]$hP..U.L$hQ...T$.R.D$$Pj.j.j.j.j.j...$....Qj...
.@@......T$dRtNh.B@........$.....D$....WP...@@[email protected]$.
...j.Q...@@[email protected]@@[email protected]........$x..._..^][3...$....l....
........W.D$.Ph....3.Wh`[email protected].......@@.........V.t$..L$.QV.T$.RP...
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpchk.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:34 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 15144

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:34 GMT

Keep-Alive: timeout=2, max=99

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......e...!.n.!.n.
!.n...3.%.n.!.o.:.n.N.j.".n.N.d.%.n.2...$.n...1.'.n.....#.n...2. .n...
0. .n...4. .n.Rich!.n.........................PE..L....}.H...........!
......................... ...............................`.......>.
..............................%......X#[email protected]............(..(....
P..4...p ............................................... ..l..........
..................text...$........................... ..`.rdata.......
 ......................@[email protected][email protected]
rc...x....@......................@[email protected]..$....P....... ...........
[email protected]...............................................................
......................................................................
......................................................................
......................................................................
..................................................................V.t$
.W.=` ..V.D$......D$.............s._...^......V.....=....v._.....^....
.....0..j..D$.Pj.h?...j.j.j.Qh.......0....uf.L$..T$.RV.D$.Pj.VQ...0...
.t4V...T$....PVj.j.VR...0....t..D$.P... .._.....^.......L$.Q... .._3.^
......_.....^..........QVWh............D$.P.D$.......X ..3..?.......f.
..L$.Qh.!..h....V..\ ....._.........^Y..............UWh....3..Y.......
....|$.u._]....S.\$.VSh.!..W..H ..h@....)........VW.t$..E....4 ......D
$........~,.?.t7...t2h.........WS..h$!..V..H ..V.p...V....L ...t$,
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/msvcr9/msvc9rt.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:42 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1113240

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:42 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/gui.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:44 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 472680

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:44 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$............m...m..
.m..4e...m...e...m..4e...m...e...m...a...m...a../m...m...o..MN...m...a
.. m...a...m..[f...m...a...m..Rich.m..........................PE..L...
...E...........!......................................................
..........................................p...j...............(F......
....."..h........_......................................H.............
......`[email protected]............................... ..`
.rdata...$.......&..................@[email protected]...@f... ...$............
[email protected]...(F.......H...(..............@[email protected]..&...........
[email protected]..................................................
......................................................................
......................................................................
......................................................................
..............................................p..........V.t$..&.W....
.W...........P..........t.WP......_3.^...U.......3..V.E.3.......j..M.Q
[email protected]...^.......j.
X.U..........3...E...h...P..h...............x....u...l.........s..C...
Ph. ........... ...M.........D$...........|$.....u...v...t$...........
....~.%.........P......U...u..u.........u.].VP..........u.3..2.u..u...
.....M......v.;.s.I....tV.u.;.s.f..f....#.^][email protected]$........
.u...t$.P.t$..y........A........J........Q...R..SV...F...t.P.R....
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/instph.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:26 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 93800

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:26 GMT

Keep-Alive: timeout=2, max=99

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/parcon/AOLParconLink.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:58 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 58696

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:58 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..........|.../.../
.../.../.../.../.../.../.../l../.../.../.../.../.../.../.../.../.../z.
./.../.../.../Rich.../........................PE..L...4.jL............
.........`.......'............@.................................~n....
..............................................X...............H.......
....@[email protected].............
...............text...Jr.......................... ..`.rdata..........
. ..................@[email protected]...\ [email protected].
..X...........................@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acsrollb.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:57 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 148480

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:57 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/flashPlayer/aolswfchk.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:40 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 52328

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:40 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

POST /b/ss//6 HTTP/1.1

Host: instlxml1.sa.aol.com

Connection: close

Content-Length: 579

<?xml version="1.0" encoding="UTF-8"?><request><channel>us.roadie</channel><events>purchase,event10,event4</events><prop1>cmp : Downloads</prop1><prop2>cmp : Roadie</prop2><eVar4>Download | Roadie | waol_0.4343.2046.1 | Download Complete</eVar4><prop49>xml api</prop49><reportsuiteid>aoljet,aolcmp,aolsvc</reportsuiteid><pagename>cmp : Roadie Download</pagename><products>;waol_0.4343.2046.1;1;0</products><prop16>Roadie | Download Complete | waol_0.4343.2046.1</prop16><visitorid>5517592235047936-107563412127135</visitorid><prop3>gmt_5</prop3><prop24>uaid_na</prop24></request>
HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:56:10 GMT

Server: Omniture DC/2.0.0

Access-Control-Allow-Origin: *

X-C: ms-4.9.4

Expires: Thu, 16 Apr 2015 09:56:10 GMT

Last-Modified: Sat, 18 Apr 2015 09:56:10 GMT

Cache-Control: no-cache, no-store, max-age=0, no-transform, private

Pragma: no-cache

ETag: "5530D8BA-32B0-142B2394"

Vary: *

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"

xserver: www900

Content-Length: 64

Content-Type: text/xml

Connection: close
<?xml version="1.0" encoding="UTF-8"?>.<status>SUCCESS<
/status>...

GET /clients/bush/waol/0.4343.2046.1/comps/msvcr9/msvc9rt.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:42 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1113240

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:42 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........L...L...
L.......M.......M..._...N.......F.......I...L.......I...G.......M...I.
..M...RichL...........PE..L...<.6D.................|...........;...
[email protected].................................
......................`..............H...P............................
................................................................text..
.bz.......|.................. ..`.rdata...3.......4..................@
[email protected][email protected].....................
..............rsrc........`......................@..@.................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
t.@..}..e....@[email protected]... M.........3..M.....FQ.....NU..M..
........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@
..u....E..9}[email protected].}[email protected]
[email protected][email protected] ....E..E.Pj.h..B.W..|[email protected].....@._
^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G
.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/setup.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:25 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 169064

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:25 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/AcsInstA.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:15 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 46184

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:15 GMT

Keep-Alive: timeout=2, max=99

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........b..N...N...
N...]...O...!...L.......M...!...J...K...O.......X...]...L.......I...N.
..........L.......O.......O.......O...RichN...........................
[email protected]....................
...................................................f..j...l^..x.......
................h............Q........................................
.......P..x............................text....9.......@..............
.... ..`.rdata..z....P... ...P..............@[email protected]
[email protected]...............................@[email protected]...
[email protected]..........................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslang.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:15 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1655104

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:15 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/toolbar/aol_trio.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:27 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 9359016

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:27 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.........................).......................................t....
......([email protected]...............................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
..(e.......f...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpinst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:37 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 4020768

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:37 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........L...L...
L.......M.......M..._...N.......F.......I...L.......I...G.......M...I.
..M...RichL...........PE..L...<.6D.................|...........;...
.........@..........................`......$o=........................
..........................p...........D=.H............................
................................................................text..
.bz.......|.................. ..`.rdata...3.......4..................@
[email protected][email protected].................
..............rsrc....p.......j..................@..@.................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
t.@..}..e....@[email protected]... M.........3..M.....FQ.....NU..M..
........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@
..u....E..9}[email protected].}[email protected]
[email protected][email protected] ....E..E.Pj.h..B.W..|[email protected].....@._
^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G
.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/sysinfo/SinfInst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:41 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 716072

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:41 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..........,K|..K|..
K|...t..J|..._..J|..Xt..I|...t..A|..._..N|..K|...|..Np..A|...w..J|..Np
..J|..RichK|..........PE..L...Ei.C.................h...........:......
[email protected]............................
..........l............p..............h...............................
.............................................................text....f
.......h.................. ..`.rdata...............l..............@..@
[email protected]................
...........rsrc....p.......j..................@..@....................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
..cB..H.P.u..u..u...|[email protected][email protected].@
..}..e....@[email protected]... M.........3..M.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...D.@[email protected]
....E..9}[email protected].}[email protected]..
[email protected][email protected] ....E..E.Pj.h.[[email protected].@._^3.
[.....L$...dB...i......T.....tUVW.q.3.;5.dB.sD..i......D..S.....t.G...
..t...O..t .....u...3....3...F.....;5.dB.r.[_^...U..QQ.U.SV..i....
<<< skipped >>>

POST /b/ss//6 HTTP/1.1

Host: instlxml1.sa.aol.com

Connection: close

Content-Length: 634

<?xml version="1.0" encoding="UTF-8"?><request><reportSuiteID>aolinstaller</reportSuiteID><channel>us.clientinstall</channel><language>en-us</language><prop1>9.7</prop1><prop2>4343.2046</prop2><prop4>4343</prop4><prop5>2046</prop5><evar2>ie</evar2><evar3>9.10.9200.16521</evar3><evar7>Windows</evar7><evar8>Windows 7</evar8><evar10>Service Pack 1</evar10><evar11>2047</evar11><evar13>4343.2046</evar13><events>event1</events><evar14>Unknown</evar14><products>;aol_9.7_ins;;</products><pageName>Initialize installer</pageName><visitorid>5533042191867904-114271311508728</visitorid><prop3>gmt_5</prop3><prop24>uaid_na</prop24></request>
HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:56:12 GMT

Server: Omniture DC/2.0.0

Access-Control-Allow-Origin: *

X-C: ms-4.9.4

Expires: Thu, 16 Apr 2015 09:56:12 GMT

Last-Modified: Sat, 18 Apr 2015 09:56:12 GMT

Cache-Control: no-cache, no-store, max-age=0, no-transform, private

Pragma: no-cache

ETag: "5530D8BC-28ED-64024922"

Vary: *

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"

xserver: www418

Content-Length: 64

Content-Type: text/xml

Connection: close
<?xml version="1.0" encoding="UTF-8"?>.<status>SUCCESS<
/status>...

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acslang.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:16 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1655104

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:16 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........L...L...
L.......M.......M..._...N.......F.......I...L.......I...G.......M...I.
..M...RichL...........PE..L...<.6D.................|...........;...
[email protected]..........................
......................................,..h............................
................................................................text..
.bz.......|.................. ..`.rdata...3.......4..................@
[email protected][email protected].....................
..............rsrc...............................@..@.................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
t.@..}..e....@[email protected]... M.........3..M.....FQ.....NU..M..
........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@
..u....E..9}[email protected].}[email protected]
[email protected][email protected] ....E..E.Pj.h..B.W..|[email protected].....@._
^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G
.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/tb/tbsetup.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:36 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 417240

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:36 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........L...L...
L.......M.......M..._...N.......F.......I...L.......I...G.......M...I.
..M...RichL...........PE..L...<.6D.................|...........;...
.........@.................................#..........................
......................p...............H..H............................
................................................................text..
.bz.......|.................. ..`.rdata...3.......4..................@
[email protected][email protected].....................
..............rsrc........p......................@..@.................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
t.@..}..e....@[email protected]... M.........3..M.....FQ.....NU..M..
........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@
..u....E..9}[email protected].}[email protected]
[email protected][email protected] ....E..E.Pj.h..B.W..|[email protected].....@._
^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G
.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=413995, public, no-transform, must-revalidate

Last-Modified: Wed, 15 Apr 2015 04:50:03 GMT

Expires: Wed, 22 Apr 2015 04:50:03 GMT

Date: Fri, 17 Apr 2015 09:54:37 GMT

Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....2015041
5045003Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.eR&.....Y.)..".\....20150415045003Z....20150422045003Z0...*.H........
.....{....$....3p.>q......\:U....|q..!.....&.yM._W.[.YM~.v..o.L.K..
..3..d]..i..?...*...;..P.7J..fn.....uhps.U.3[.....G^V..z<.O..aT..o.
r....{[email protected].....\.......(@..v...8.{..>....8..|....IL..$...
.R..&.;...Z.[.KQl.`zk..%.#.'.c..0......n.......N.AN..6M.. b.....0...0.
..0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....
VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authorit
y0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec C
orporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3
 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0.......
...'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..
3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T.
.pS.p..^|o....S..v.).)[email protected]#qh...u1T.].G0.]E..
.=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0
l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.
. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U.....
...0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H........
.....$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......
a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,font>....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEA/folAAtu2XY7/sias/UTw= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=465178, public, no-transform, must-revalidate

Last-Modified: Wed, 15 Apr 2015 19:04:53 GMT

Expires: Wed, 22 Apr 2015 19:04:53 GMT

Date: Fri, 17 Apr 2015 09:54:37 GMT

Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015041
5190453Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
....P....c....?Q<....20150415190453Z....20150422190453Z0...*.H.....
........L......Z..g.D(...:-.U;m......@G~...3........g'..'_...... '.?..
a..w(m<....G.*...E..w9....qx.4......m...>f.*\...t....g.......4..
...y.<.N.c..-$.....t...;.#}fy^[email protected].^..2. ..:2.G.
L.......^.5...9...i>J...E.....o...`...x..1(k..'...u....p.a..0.z...#
0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0.
..U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms
 of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class
 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U...
.US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U..
.2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3Veri
Sign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H............
.0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.
....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:
..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s..
...&."...:.C.Q.i~rl..<..krS..8.B..o][email protected]........
.0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........https:/
/VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's
 CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .....
..0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/search/aolSearchInstaller.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:24 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 24392

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:24 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$......."D..f%..f%..
f%...j3.g%..o]0.d%..o]&.s%..o]!.b%..o]6.b%..A...g%..A...a%..f%..7%..o]
/.d%..o]1.g%..o]4.g%..Richf%..........................PE..L......O....
............. ...&......D'.......0....@...............................
..q(....@.................................`8..x....`...............J..
H....p..t...`[email protected]..<..
..........................text...a........ .................. ..`.rdat
a.......0.......$..............@[email protected]...$....P.......:.............
[email protected]........`.......<..............@[email protected]
[email protected]....................................................
......................................................................
......................................................................
......................................................................
.....................................................2@..%[email protected]...
[email protected]@..D$..t.V..........^...............................y$.r..A..
.A....V...N....2@...\[email protected]@..D$..t.V.?........^...V...N....2@...\0
@...^.%[email protected]@[email protected]$.d........t$..|$ W...0@...
..D$.....W.N....2@...`[email protected]$.d......Y_^.................j.h3/@.d....
.P.. [email protected][email protected]..$4...d.......$D.....3...$.....D$..
\$...$..../.....$ .....$$... .....$([email protected]..$ ...Q....$D.....|0@..
.x0@...;:......GW..$ ...P......|[email protected]@....|$ ;9t..G.PV..$....R..
<<< skipped >>>

GET /MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTXgePhfsJco9hFmE0qWx1GtVqUPQQUKnCVOp/2k8XzisWoY7s9lCzmygcCBEwOjDo= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.entrust.net

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Content-Transfer-Encoding: Binary

Content-Length: 1947

Last-Modified: Fri, 17 Apr 2015 06:37:09 GMT

ETag: "45F2CE048236D8101ECCB15D7FC186D4DD61BCCD"

Cache-Control: public, no-transform, must-revalidate, max-age=1348

Expires: Fri, 17 Apr 2015 10:17:38 GMT

Date: Fri, 17 Apr 2015 09:55:10 GMT

Connection: keep-alive
0..........0..... .....0.....}0..y0..[...0..1.0...U....Entrust.net1@0&
gt;..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#.
.U....(c) 1999 Entrust.net Limited1301..U...*Entrust.net Certification
 Authority (2048)1%0#..U....Entrust Validation Authority..201504170637
09Z0g0e0=0... ............~.\..E.M*[.F.Z.=..*p.:........c.=.,.....L..:
....20150408161654Z....20150424063709Z0...*.H.............5..N.....!..
..j.D.V./e)..x.....X..p..f;..9.....#[email protected].....
..Wy^...Q.\|...i._...Uq...`.HGa..........M.r\.$Y&..K.Ym ..:M..%.Mt...E
..Sg.cN....Ps... ..i.QX.......Oi.......&..........'.S...o.,..-.JE..b..
`...t.......^..d6"K..k..lyq...%..!....0...0...0..........L...0...*.H..
......0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 
incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limited1
301..U...*Entrust.net Certification Authority (2048)0...120710174511Z.
.150710205031Z0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/C
PS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net 
Limited1301..U...*Entrust.net Certification Authority (2048)1%0#..U...
.Entrust Validation Authority0.."0...*.H.............0...........U....
L.^A."@m.i.7.A..%{........?.>......L.../.v.Q.N......Z.g)[email protected]
.8.....L>m.6.h.;[^.k.X\........Uy.q...e...fB_6.T.6......".Y.."..|..
..D.*..~..|.....Wa.d......o..)Na.S.c..Q.......&E.....y..H......f......
.XH`..x.[21.1,.#.Q.g...g......u.....D...^..3........0..0...U........0.
..U.%..0... .......0... .....0......02..U... 0)0'.%.#.!hXXp://crl.
<<< skipped >>>

GET /MEUwQzBBMD8wPTAJBgUrDgMCGgUABBS6T8q7hSNQhIXIQ0oIkBdHhARt9wQUp7GqxLYG7d3Kn4iUloLV50NB0SUCBEwXaMs= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.entrust.net

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Content-Transfer-Encoding: Binary

Content-Length: 1978

Last-Modified: Fri, 17 Apr 2015 08:53:54 GMT

ETag: "39535E5C45AF92F09F080A8DB315913F5E66EF87"

Cache-Control: public, no-transform, must-revalidate, max-age=401

Expires: Fri, 17 Apr 2015 10:01:51 GMT

Date: Fri, 17 Apr 2015 09:55:10 GMT

Connection: keep-alive
0..........0..... .....0......0...0..e...0..1.0...U....US1.0...U....En
trust, Inc.1907..U...0VVV.entrust.net/rpa is incorporated by reference
1.0...U....(c) 2009 Entrust, Inc.1;09..U...2Entrust Code Signing Certi
fication Authority - L1D1%0#..U....Entrust Validation Authority..20150
417085354Z0g0e0=0... .........O...#P...CJ...G..m...................CA.
%..L.h.....20150417033210Z....20150424085354Z0...*.H................z.
..'..'..J....KEh.ulCQ r........_. ....W..?kq].._..`6....-....!.>XD.
.6.3l.?\..}....B..-.......La5.j.v\....4._<LBd.......q.)..%L...Y..,b
E......w..l......W. ...~.=.?s.R}...Z.....,..o.w...n......l..7...l.....
C..\.<.9Z..g.??.y.v.JSb5..&|[....=.O.J.{..k.a......0...0...0.......
...L. m0...*.H........0..1.0...U....US1.0...U....Entrust, Inc.1907..U.
..0VVV.entrust.net/rpa is incorporated by reference1.0...U....(c) 2009
 Entrust, Inc.1;09..U...2Entrust Code Signing Certification Authority 
- L1D0...120710154100Z..150711063201Z0..1.0...U....US1.0...U....Entrus
t, Inc.1907..U...0VVV.entrust.net/rpa is incorporated by reference1.0.
..U....(c) 2009 Entrust, Inc.1;09..U...2Entrust Code Signing Certifica
tion Authority - L1D1%0#..U....Entrust Validation Authority0.."0...*.H
.............0...........U....L.^A."@m.i.7.A..%{........?.>......L.
../.v.Q.N......Z.g)[email protected]>m.6.h.;[^.k.X\........Uy.q..
.e...fB_6.T.6......".Y.."..|....D.*..~..|.....Wa.d......o..)Na.S.c..Q.
......&E.....y..H......f.......XH`..x.[21.1,.#.Q.g...g......u.....D...
^..3........0..0...U........0...U.%..0... .......0... .....0......
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/instSup.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:35 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 74856

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:35 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

POST /b/ss//6 HTTP/1.1

Host: instlxml1.sa.aol.com

Connection: close

Content-Length: 458

<?xml version="1.0" encoding="UTF-8"?><request><reportsuiteid>aoljet</reportsuiteid><pagename>cmp : Roadie - Install Start</pagename><events>event5</events><prop1>cmp :</prop1><prop2>cmp :</prop2><eVar6>Download | Roadie | waol_0.4343.2046.1 | Install Start</eVar6><prop49>xml api</prop49><prop16>Roadie | Install Start | waol_0.4343.2046.1</prop16><visitorid>5521342234851328-107563412127135</visitorid><prop3>gmt_5</prop3><prop24>uaid_na</prop24></request>
HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:56:11 GMT

Server: Omniture DC/2.0.0

Access-Control-Allow-Origin: *

X-C: ms-4.9.4

Expires: Thu, 16 Apr 2015 09:56:11 GMT

Last-Modified: Sat, 18 Apr 2015 09:56:11 GMT

Cache-Control: no-cache, no-store, max-age=0, no-transform, private

Pragma: no-cache

ETag: "5530D8BB-A13C-05581B1A"

Vary: *

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"

xserver: www872

Content-Length: 64

Content-Type: text/xml

Connection: close
<?xml version="1.0" encoding="UTF-8"?>.<status>SUCCESS<
/status>...

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c811f53d313ecf39 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT

If-None-Match: "804047d4e66d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT

ETag: "804047d4e66d01:0"

Cache-Control: max-age=86400

Date: Fri, 17 Apr 2015 09:54:37 GMT

Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Las
t-Modified: Tue, 24 Mar 2015 16:17:41 GMT..ETag: "804047d4e66d01:0"..C
ache-Control: max-age=86400..Date: Fri, 17 Apr 2015 09:54:37 GMT..Conn
ection: keep-alive......


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?9bae0654c986f0bb HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT

If-None-Match: "80b4d90ca4fd01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT

ETag: "80b4d90ca4fd01:0"

Cache-Control: max-age=604800

Date: Fri, 17 Apr 2015 09:55:10 GMT

Connection: keep-alive
....


GET /msdownload/update/v3/static/trustedr/en/503006091D97D4F5AE39F7CBE7927D7D652D3431.crt?cea8345e4b49256e HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Content-Type: application/x-x509-ca-cert

Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT

Accept-Ranges: bytes

ETag: "05934e1494dd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 1070

Date: Fri, 17 Apr 2015 09:55:10 GMT

Connection: keep-alive
0..*0..........8c..0...*.H........0..1.0...U....Entrust.net1@0>..U.
..7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(
c) 1999 Entrust.net Limited1301..U...*Entrust.net Certification Author
ity (2048)0...991224175051Z..290724141512Z0..1.0...U....Entrust.net1@0
>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#
..U....(c) 1999 Entrust.net Limited1301..U...*Entrust.net Certificatio
n Authority (2048)0.."0...*.H.............0.........MK...... ...d* K..
[email protected] .^.v.5....|.:..[....$......}..kK.......@$..t....)
.....w.U...~.jd.....[.2Po=..f.....I.v.I.......g/...q.`.-.,..vf{...x.eS
]<....)../.P..H..2U...dL....u.....U`.0).{H.i..5?..]zz......"T...&..
.Ih...G...B..M.o&...!bfCp...........B0@0...U...........0...U.......0..
..0...U......U...........1..$...p0...*.H.............;..V.0.S.|zy.M...
......3|Fc..f$.@.!'..rs.O.1....LhS.........]=..n.......?....../....W,.
....D...O...}W./...Z..n..:....ly^y.....L.;e<..=..........^[..#.h...
.'\.-o0......Z....'..y..y.3W.....Bl..V..m....~....!...<y/^..L...."7
..C.......g.oH..V... |^.v.Y..|.5.eQHTTP/1.1 200 OK..Content-Type: appl
ication/x-x509-ca-cert..Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT..
Accept-Ranges: bytes..ETag: "05934e1494dd01:0"..Server: Microsoft-IIS/
7.5..X-Powered-By: ASP.NET..Content-Length: 1070..Date: Fri, 17 Apr 20
15 09:55:10 GMT..Connection: keep-alive..0..*0..........8c..0...*.H...
.....0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 i
ncorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limit
<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c47dea64dd07db25 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT

If-None-Match: "804047d4e66d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT

ETag: "804047d4e66d01:0"

Cache-Control: max-age=86400

Date: Fri, 17 Apr 2015 09:55:12 GMT

Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Las
t-Modified: Tue, 24 Mar 2015 16:17:41 GMT..ETag: "804047d4e66d01:0"..C
ache-Control: max-age=86400..Date: Fri, 17 Apr 2015 09:55:12 GMT..Conn
ection: keep-alive..

GET /clients/bush/waol/0.4343.2046.1/comps/acs/setup.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:25 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 169064

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:25 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@...................................(.........
..!..L.!This program cannot be run in DOS mode....$........m..........
........................[...L................/......5/......L.........
..s...5(..............................#...............Rich............
................PE..L...B..E.............................-............
@..................................{.............................. O..
Z....>..........`0..............h..................................
..........................................................text........
....................... ..`.rdata..zo.......p..................@[email protected]
ta....>...P.......<[email protected]...`0.......2...N.....
.........@..@.........................................................
......................................................................
......................................................................
......................................................................
.....................................................V.w...(.B.......g
....^.V........D$..t.V.....Y..^...U..QV...F.W..(.B..8;..}.t1.G...t.P.]
...Y.....t....t.W.J...Y.U..3....}.;~.u..F...t.P.,....f..Y....*..._^..V
[email protected]<-t.</t.3..8S...B........-t.HHu)
..V...P.....V...P.FSV.........YYu.@[_^...3...V.t$...tD.>.u?W.|$.hx.
B.W.......YYt. .PWV.....ht.B.V.]........WV.A...YY3.@_..3.^...U..QVW...
..W.M.........u.Y..t.Wj.P...........8.t.3.......}.S.G.h..B.P.(....x.B.
[email protected].....;.YYt.;}.t@.?"t..M...W.6.P..0Ghp.B
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/flashPlayer/install_flash_player_11_plugin.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:56:01 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 17736296

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:06:01 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpchk.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:34 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 15144

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:34 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/gui.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:44 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 472680

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:44 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT

If-None-Match: "a1132b8ef65d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT

ETag: "a1132b8ef65d01:0"

Cache-Control: max-age=900

Date: Fri, 17 Apr 2015 09:55:56 GMT

Connection: keep-alive
....


GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 07 Mar 2015 06:01:44 GMT

If-None-Match: "dde36a309c58d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT

ETag: "dde36a309c58d01:0"

Cache-Control: max-age=900

Date: Fri, 17 Apr 2015 09:55:56 GMT

Connection: keep-alive
....


GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 05 Mar 2015 06:01:35 GMT

If-None-Match: "cf2633d6957d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT

ETag: "cf2633d6957d01:0"

Cache-Control: max-age=900

Date: Fri, 17 Apr 2015 09:55:56 GMT

Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Mo
dified: Thu, 05 Mar 2015 06:01:35 GMT..ETag: "cf2633d6957d01:0"..Cache
-Control: max-age=900..Date: Fri, 17 Apr 2015 09:55:56 GMT..Connection
: keep-alive..

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstA.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:24 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 46184

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:24 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrinst.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:53 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1096736

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:53 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/tpspd/wbsetup.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:55 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 556240

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:55 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/tpspd/wbsetup.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:56 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 556240

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:56 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........L...L...
L.......M.......M..._...N.......F.......I...L.......I...G.......M...I.
..M...RichL...........PE..L...2.6D.................~..........b9......
......@[email protected]............................
[email protected]...............................
.............................................................text....|
.......~.................. ..`.rdata...4.......6..................@..@
[email protected]................
...........rsrc....@.......@..................@..@....................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected][email protected].@
..}..e....@[email protected]... M.........3..M.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...D.@[email protected]
....E..9}[email protected].}[email protected]..
[email protected][email protected] ....E..E.Pj.h.9C.W..|[email protected].....@._^3.
[.....L$...AC...i......T.....tUVW.q.3.;5.AC.sD..i......D..S.....t.G...
..t...O..t .....u...3....3...F.....;5.AC.r.[_^...U..QQ.U.SV..i....
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrlp.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:47 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 106568

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:47 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........L...L...
L.......M.......M..._...N.......F.......I...L.......I...G.......M...I.
..M...RichL...........PE..L...<.6D.................|...........;...
[email protected].................................
......................`..................h............................
................................................................text..
.bz.......|.................. ..`.rdata...3.......4..................@
[email protected][email protected].....................
..............rsrc........`......................@..@.................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
t.@..}..e....@[email protected]... M.........3..M.....FQ.....NU..M..
........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@
..u....E..9}[email protected].}[email protected]
[email protected][email protected] ....E..E.Pj.h..B.W..|[email protected].....@._
^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G
.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/parcon/AOLParconLink.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:58 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 58696

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:58 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/instSup.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:18 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 74536

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:18 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
[email protected].........
..!..L.!This program cannot be run in DOS mode....$.........XD..6...6.
..6.l./...6...k...6...k...6...i...6...V...6..._...6...i...6...7.D.6...
2...6...8...6...<...6...V...6...9...6...R...6...j...6.z.h...6...l..
.6.Rich..6.........................PE..L....}.H...........!.....p.....
.....M@.............................................. ................
...................}[email protected]...............(....... ..........
......................................................................
....text....d.......p.................. ..`.rdata...G.......P.........
.........@[email protected][email protected]........
...................@[email protected]..(........ [email protected].......
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/tb/tbsetup.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:35 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 417240

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:35 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/flashPlayer/aolswfchk.dll HTTP/1.1

Host: download.newaol.com:80

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:54:38 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 52328

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:04:38 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1...u...u...
u...|.g.j...|.v.d...|.`.#...Rf..|...u.......|.i.w...|.q.t...|.r.t...Ri
chu...........PE..L......R...........!.....t...@...... ...............
................................:N....................................
..<...d.......................h.......l............................
.......H...@............................................text...Or.....
..t.................. ..`.rdata.."!......."...x..............@[email protected]
...@[email protected]..............................
.@[email protected][email protected].........................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U..Q.E.VP.=....}..Y..t.
.u..:...Y...u.j.X..3.@;.t.3....t.......@@^.......3..U......e..W.}.j.X.
E..........'.SV......,..................j........Y...t.hh...V.H...YY..
uc.u..i.....tR...}........t4.e...e.....3.u..}......Y..t..u..E......Y.E
..3.*......E......u..W...Y.E...j.X^[[email protected]..]..]..].;......
..E.P.E.P.E........YY..tu.E.Pj.S.u..u.........u^W.=.....E.PS.E.PS.u..]
..u.....u4.}..u..u......Y.M.QPSS.u....u.....u..E.....6.....Y...u......
._9].t..u......Y9].t..u......Y.E.[..U.....S.E.P.u.3..]......I....E
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acscore.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:59 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1489776

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:59 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........L...L...
L.......M.......M..._...N.......F.......I...L.......I...G.......M...I.
..M...RichL...........PE..L...<.6D.................|...........;...
[email protected].........................
......................p..................h............................
................................................................text..
.bz.......|.................. ..`.rdata...3.......4..................@
[email protected][email protected].....................
..............rsrc........p......................@..@.................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
t.@..}..e....@[email protected]... M.........3..M.....FQ.....NU..M..
........VT..U.....FP..E...............E.P.M...D.@..E..P.E..E.P.u...x.@
..u....E..9}[email protected].}[email protected]
[email protected][email protected] ....E..E.Pj.h..B.W..|[email protected].....@._
^3.[.....L$....B...i......T.....tUVW.q.3.;5..B.sD..i......D..S.....t.G
.....t...O..t .....u...3....3...F.....;5..B.r.[_^...U..QQ.U.SV..i.
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/AcsInstA.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:15 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 46184

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:15 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/comps/flashPlayer/aolswfchk.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:40 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 52328

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:40 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1...u...u...
u...|.g.j...|.v.d...|.`.#...Rf..|...u.......|.i.w...|.q.t...|.r.t...Ri
chu...........PE..L......R...........!.....t...@...... ...............
................................:N....................................
..<...d.......................h.......l............................
.......H...@............................................text...Or.....
..t.................. ..`.rdata.."!......."...x..............@[email protected]
...@[email protected]..............................
.@[email protected][email protected].........................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U..Q.E.VP.=....}..Y..t.
.u..:...Y...u.j.X..3.@;.t.3....t.......@@^.......3..U......e..W.}.j.X.
E..........'.SV......,..................j........Y...t.hh...V.H...YY..
uc.u..i.....tR...}........t4.e...e.....3.u..}......Y..t..u..E......Y.E
..3.*......E......u..W...Y.E...j.X^[[email protected]..]..]..].;......
..E.P.E.P.E........YY..tu.E.Pj.S.u..u.........u^W.=.....E.PS.E.PS.u..]
..u.....u4.}..u..u......Y.M.QPSS.u....u.....u..E.....6.....Y...u......
._9].t..u......Y9].t..u......Y.E.[..U.....S.E.P.u.3..]......I....E
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/acscore.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:59 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1489776

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:59 GMT

Keep-Alive: timeout=2, max=99

Connection: Keep-Alive

Content-Type: application/x-msdownload

POST /b/ss//6 HTTP/1.1

Host: instlxml1.sa.aol.com

Connection: close

Content-Length: 504

<?xml version="1.0" encoding="UTF-8"?><request><events>prodview</events><prop1>cmp :</prop1><prop2>cmp :</prop2><prop49>xml api</prop49><eVar5>Download | Roadie  | waol_0.4343.2046.1 | Download Start</eVar5><prop16>Roadie | Download Start | waol_0.4343.2046.1</prop16><reportsuiteid>aoljet</reportsuiteid><pagename>cmp : Roadie - Download Start</pagename><products>;waol_0.4343.2046.1</products><visitorid>4611232406744064-672205304002741</visitorid><prop3>gmt_5</prop3><prop24>uaid_na</prop24></request>
HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:54:40 GMT

Server: Omniture DC/2.0.0

Access-Control-Allow-Origin: *

X-C: ms-4.9.4

Expires: Thu, 16 Apr 2015 09:54:40 GMT

Last-Modified: Sat, 18 Apr 2015 09:54:40 GMT

Cache-Control: no-cache, no-store, max-age=0, no-transform, private

Pragma: no-cache

ETag: "5530D860-6B45-0431F54D"

Vary: *

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"

xserver: www357

Content-Length: 64

Content-Type: text/xml

Connection: close
<?xml version="1.0" encoding="UTF-8"?>.<status>SUCCESS<
/status>...

HEAD /clients/bush/waol/0.4343.2046.1/comps/toolbar/aol_trio.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:27 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 9359016

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:27 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/instSup.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:18 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 74536

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:18 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/ocpgc.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:47 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 62248

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:47 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /clients/bush/waol/0.4343.2046.1/roadie1.8.4.1/roadie.loc HTTP/1.1

Host: download.newaol.com:80

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:54:38 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 31187

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:04:38 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: text/plain
//////////////////////////..// Picker Support Files //..//////////////
////////////..[CHECK]..F1=download.newaol.com/clients/bush/waol/0.4343
.2046.1/comps/flashPlayer/aolswfchk.dll;52328..[OS]..VISTA=VISTA..XP=X
P..XP64=XP64..VISTA64=VISTA64..WIN7_32=WIN7_32..WIN7_64=WIN7_64..[OMS_
APPSTART]..reportsuiteid=aoljet..pagename=cmp : Roadie - App Start..ev
ents=event1..eVar1=Download | Roadie | %PACKAGEID% | Application Start
..prop1=cmp :..prop2=cmp :..prop49=xml api..prop16=Roadie | App Start 
| %PACKAGEID%..[OMS_NONQUAL]..reportsuiteid=aoljet..pagename=cmp : Roa
die - Non Qualification..events=event2..eVar2=Download | Roadie |%PACK
AGEID% | Non Qual..prop1=cmp :..prop2=cmp :..prop49=xml api..prop16=Ro
adie | Non Qualification | %PACKAGEID%..[OMS_DLSTART]..reportsuiteid=a
oljet..pagename=cmp : Roadie - Download Start..events=prodview..prop1=
cmp :..prop2=cmp :..prop49=xml api..products=;%PACKAGEID%..eVar5=Downl
oad | Roadie  | %PACKAGEID% | Download Start..prop16=Roadie | Download
 Start | %PACKAGEID%..[OMS_USERCANCEL]..reportsuiteid=aoljet..pagename
=cmp : Roadie - User Cancel..events=event3..eVar3=Download | Roadie | 
%PACKAGEID% | User Cancel..prop1=cmp :..prop2=cmp :..prop49=xml api..p
rop16=Roadie | User Cancel | %PACKAGEID%..[OMS_INSTALLSTART]..reportsu
iteid=aoljet..pagename=cmp : Roadie - Install Start..events=event5..pr
op1=cmp :..prop2=cmp :..eVar6=Download | Roadie | %PACKAGEID% | Instal
l Start..prop49=xml api..prop16=Roadie | Install Start | %PACKAGEID%..
[OMS_DLCOMPLETE]..reportsuiteid=aoljet,aolcmp,aolsvc..pagename=cmp
<<< skipped >>>

GET /clients/bush/waol/0.4343.2046.1/waol-0.4343.2046.1.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:11 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1584744

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:11 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...................
....I. ...............#.......5.D...............g.............2.......
$.......".......'.....Rich............PE..L....H.R....................
.........3............@................................. .............
[email protected]...............
................................................H...4...@.............
.......text............................... ..`.rdata...?.......@......
............@[email protected][email protected].....
......................@..@............................................
......................................................................
......................................................................
......................................................................
......................................................................
.............................................|$.....u.......t$........
[email protected]$..^..
[email protected]$.u .u.P.u..u..u..u..q.....E.]. ..t$..q ....E.....D$..
.|...;B....B..........hW....:....h...../....U..QQSV.1.^.....M.....W.].
.P...j..u.........u.......E.;.}[email protected]._.S......E.......G.......E._
^..[.....T$.V.......9P...}...~.W.9j.RP.W._..u..b........^...V...L$...u
.h.@...}......P........^......P....V.t$.;.~....x..~.V. ....".@.;.}....
..;.~.......;.}...P.d...^...V....1..P.........^.V....3....A H..@. 
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/comps/AcsInstC.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:32 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 37992

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:32 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

HEAD /clients/bush/waol/0.4343.2046.1/comps/acs/ecuchk.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:55 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 11080

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:55 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT

Accept-Ranges: bytes

ETag: "2711f7277076d01:0"

Server: Microsoft-IIS/8.5

VTag: 791500626200000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Fri, 17 Apr 2015 09:59:22 GMT

Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......Z0... .....7......150712164223Z0.
..*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w...
 ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..
Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2
.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b...

GET /clients/bush/waol/0.4343.2046.1/comps/acs/instSup.dll HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:35 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 74856

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:35 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload
[email protected].........
..!..L.!This program cannot be run in DOS mode....$.........XD..6...6.
..6.l./...6...k...6...k...6...i...6...V...6..._...6...i...6...7.D.6...
2...6...8...6...<...6...V...6...9...6...R...6...j...6.z.h...6...l..
.6.Rich..6.........................PE..L....}.H...........!.....p.....
.....M@...............................................................
...................}[email protected]....... ..........
......................................................................
....text....d.......p.................. ..`.rdata...G.......P.........
.........@[email protected][email protected]........
...................@[email protected]..(........ [email protected].......
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

HEAD /clients/bush/waol/0.4343.2046.1/comps/browser/aolbwsrlp.exe HTTP/1.1

Host: download.newaol.com:80

User-Agent: Roadie

Connection: close

HTTP/1.1 200 OK

Date: Fri, 17 Apr 2015 09:55:47 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 106568

Cache-Control: max-age=600

Expires: Fri, 17 Apr 2015 10:05:47 GMT

Keep-Alive: timeout=2, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

The Malware connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t9It.It#It

PSSSSSSh

SSSh@

~,.tM

tGHt.Ht&

AUu.AUuI

%s (%s:%d)

C:\PROGRA~1\MICROS~1.0\VC\ATLMFC\INCLUDE\afxwin1.inl

-v %s

sShortDate

%s\%s

%s\*.*

%d.%d%c

Disk.cpp

KERNEL32.dll

install.ini

comps.ini

media.ini

Update movie file %s

Flash initialized, Version %d.%d

CLSID\%s\InProcServer32

USER32.DLL

iexplore.exe

C:\PROGRA~1\MICROS~1.0\VC\ATLMFC\INCLUDE\afxwin2.inl

--:--:--

%ld.%ld,%s

4343.2046

Unknown ErrorCode:%d ExitCode:%d

Directory path contains waol.exe client

Windows must reboot to complete install

{D27CDB6E-AE6D-11cf-96B8-444553540000}

[ERRORUnsupportedToken]

kernel32.dll

Windows 2000

Windows Server 2003

Windows XP

Windows Home Server

Windows Server 2008

Windows Vista

Windows Server 2008 R2

Windows 7

Windows 8

Older than Windows 2000

installOmniture.loc

installOmniture.ini

%s\idb\SNmaster.idx

%s|%s*%s

%s*%s

Found build = %d.%d%c

Client is %s version -- %s

%s,%d,%d

DBGetClientInfo Path = %s ,szScreenName=%s , Version = %s

successfully wrote %d bytes...

writing %d bytes...

Writing component to %s...

CComponent::Write() - Resource size = %d

CComponent::Write() - Finding resource %d ...

%s%s%s

CScript::Execute() -- CreateProcess() failed for file %s

"%s" %s

CScript:Execute() - CreateProcess() creating script process

install.log

webregError

webregSN

AOL Software.Exe Running Path - %s

"%s\aolsoftware.exe"

progress.dll

%s\%s.lnk

%s.lnk

Install : CreateProcess = Inside %s%

Install : CreateProcess = %s%

GL*.TMP

launcher.dll

instph.dll

install.dll

deleting ProgUpd.dll

Location of client to upgrade '%s'

Upgrading from Client Version '%s' (Codebase '%s')

%s\win.ini

Software\Microsoft\Windows\CurrentVersion

%c:\%s

SystemChecks() : Insufficient HD space. Size of component resources = %d ( 1MB), Available space (%s) = %d

triggering windows restart...

d-d-d d.d.d

Running client -> %s

<invoke name="setInstallProgress" returntype="xml"><arguments><string>100</string><string>%s</string></arguments></invoke>

Launching client ... %s

waolinstallgui.cpp

%s\AOLFirewallMgr.ini

%s\AOLFirewallMgr.dll

%s\AOLInstallerFW.dll

gScript.Execute returned RESULT_ERROR

gScript.Execute returned RESULT_NOT_NT_ADMIN.

gScript.Execute returned RESULT_FILES_IN_USE

gScript.Execute returned RESULT_MISSINGCOMPS

gScript.Execute returned RESULT_NOMINBROWSER

gScript.Execute returned RESULT_DISKSPACEERROR

gScript.Execute returned RESULT_CANCEL_NOGUI

gScript.Execute returned RESULT_CANCEL

gScript.Execute returned RESULT_INCORRECTOS

gScript.Execute returned RESULT_SUCCESS

ERROR: gScript.Execute returned an unexpected code. Verify processing.

ERROR: gScript.Execute returned RESULT_NOT_NT_ADMIN.

ERROR: gScript.Execute returned RESULT_FILES_IN_USE.

gScript.Execute returned RESULT_NOMINBROWSER.

progupd.dll

\\.\Pipe\AOLINST

<invoke name="setInstallDirectory" returntype="xml"><arguments><string>%s</string></arguments></invoke>

Last Error: %ld-%s

ASSERT FAILED in %s line %d -->> '%s'

SUDSUpdate.ini

Software\MyWebSearch\OEHosts

\StringFileInfo\%s\%s

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

shell32.dll

shfolder.dll

%s\appdata.ini

AOLSearchAsDefaultForFireFox

Kernel32.DLL

AOL.EXE

KERNEL32.DLL

StatusKey

Loading advapi32.dll - Service Beginning

advapi32.dll

Advapi32.dll

DeCon.exe

Software\Microsoft\Windows\CurrentVersion\RunOnce

%s\aolreboot

SENSAPI.DLL

\AOL.cfg

UpdateTrustedAdobeClients STarted... %s

\waol.exe

sIni.lpszDestDir = %s

CASADIL.phx

\*.lnk

csafe.vxd

Exit Flash Installation %d

"%s\%s" %s

"%s\%s" %s %s

10.1.53.64

waol.exe

FunWebProuct

-r"%s:%s"

%s\$Recycle.bin

%s\Recycler

%s\Recycled

CLSID\{645FF040-5081-101B-9F08-00AA002F954E}

INSTEXE

DOSETCERT2KEYS

CERTPSWD

CERTNUMBER

Comparing...installer primary language=0x%x, installer sub-language=0x%x

Checking languages : OS primary language=0x%x, sub-language=0x%x

MozillaUIWindowClass

MozillaWindowClass

%s\%s\%s\

netapi32.dll

wtsapi32.dll

\\.\Pipe\AOL

%s - %d%%

<invoke name="setInstallProgress" returntype="xml"><arguments><string>%d</string><string>%s</string></arguments></invoke>

[Installer] - setWelcomeFocus - %s

<invoke name="setEnterKey" returntype="xml"></invoke>

GUI: Main - WM_INITPROGRESS, %d

GUI: Main - WM_SHOWPROGRESS, %d

GUI: Stop Timer = %d

GUI: Main - WM_UPDATEPROGRESS, %d

GUI: Secondary - WM_UPDATEPROGRESS, %d

<invoke name="setCompsInstallProgress" returntype="xml"><arguments><string>%d</string></arguments></invoke>

Available Space on Install Drive (%c:): %dK

Required Space on Install Drive (%c:): %dK

Available Space on System Drive (%c:): %dK