MD5: 72d9b93774dbb51033d60dd3520f0da8
SHA1: 07ce8a064a263a63e623d1fdc533580be6690f9e
SHA256: 12e038feb0c102a7c647caaff5cc8249829a506c0251a9110e8bf024bbe2a5e7
SSDeep: 12288:4nvpiGgzRy o/QNvH NUCrvktjkAl/WF /wLY7cBxMtP4YPsI/bGdteuiM:4nvEtE/QNfsUCrctjkqb/wLYXPJl/GL
Size: 790656 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company:
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7Ada SP1 64-bit

Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

17807780_stp.EXE:1440
%original file name%.exe:3896

The Malware injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 17807780_stp.EXE:1440 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\Windows Essentials Codec Pack\ogm.dll (3361 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\LAVAudio.ax (10709 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll (40598 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Essentials Codec Pack\Uninstall.lnk (1 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\cue2xml.js (4 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mp4.dll (5506 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mkzlib.dll (846 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\Windows Essentials Codec Pack.url (52 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\dxr.dll (7391 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax (16187 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avi.dll (2396 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\swscale-lav-2.dll (14370 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avs.dll (1098 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\LAVVideo.ax (22599 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mkunicode.dll (48 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avss.dll (737 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avutil-lav-52.dll (13282 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\gdsmux.exe (7842 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mkx.dll (3906 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\dsmux.exe (2918 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avcodec-lav-55.dll (201783 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\COPYING (18 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\libbluray.dll (10116 bytes)
C:\Windows\System32\drivers\etc\hosts (43 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\IntelQuickSyncDecoder.dll (13115 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\LAVSplitter.ax (15530 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avformat-lav-55.dll (29707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Essentials Codec Pack\Website.lnk (1 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\mkv2vfr.exe (4034 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\ts.dll (4404 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avresample-lav-1.dll (3317 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\CHANGELOG.txt (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz513C.tmp\System.dll (23 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\LAVFilters.Dependencies.manifest (482 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\uninst.exe (571 bytes)
%Program Files% (x86)\Windows Essentials Codec Pack\avfilter-lav-4.dll (6610 bytes)

The process %original file name%.exe:3896 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\locale\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\logo_new[1].png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Rerarapepe_b[1].png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Neyayeneda_TopImg[1].png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\declineBG[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\loader.gif (10 bytes)
%Program Files% (x86)\is665125.log (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\Yes_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\bootstrap_60311.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Close_Hover.png (500 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (1540 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\No_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\logo[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Color_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\main.css (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A26A2.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A68D0.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\No_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\BG.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is898099773\17807780_stp.EXE (9091 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Color_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\ie6_main.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\Yes_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A2432.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Rerarapepe[1].png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\ProgressBar.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\bg2[1].jpg (4704 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Close.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A2480.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Grey_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\Rerarapepe3[1].jpg (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A2664.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Progress.png (740 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\bg1[1].jpg (21280 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Grey_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is898099773\17807780_stp.EXE.part (807 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\wplayer.png (2 bytes)

Registry activity

The process 17807780_stp.EXE:1440 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\Media Type\Extensions\.mkv]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{69CE757B-E8C0-4B0A-9EA0-CEA284096F98}]
"(Default)" = "DVSMorePPage"

[HKCR\Wow6432Node\CLSID\{ACE4747B-35BD-4E97-9DD7-1D4245B0695C}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Wow6432Node\HaaliMkx\Input]
"mp4.3" = "00000000ffffffff,000000006d646174,{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}"
"mp4.2" = "00000000ffffffff,000000006d6f6f76,{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}"
"mp4.1" = "00000000ffffffff,0000000066747970,{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}"

[HKCR\Wow6432Node\CLSID\{90C7D10E-CE9A-479B-A238-1A0F2396DE43}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{64F2005C-6CF5-4652-B94F-600360B15B27}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{564FD788-86C9-4444-971E-CC4A243DA150}]
"(Default)" = "Haali Media Splitter (AR)"

[HKCR\.ogg]
"Content Type" = "audio/x-ogg"

[HKCR\.mkv]
"Content Type" = "video/x-matroska"

[HKCR\Wow6432Node\CLSID\{60765CF5-01C2-4EE7-A44B-C791CF25FEA0}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}]
"FilterData" = "02 00 00 00 01 00 80 00 01 00 00 00 00 00 00 00"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}]
"FilterData" = "02 00 00 00 00 00 20 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Haali\Matroska Splitter]
"vsfilter.autoload" = "0"

[HKCR\.ts]
"PerceivedType" = "video"

[HKCR\Wow6432Node\CLSID\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{A8B25C0E-0894-4531-B668-AB1599FAF7F6}]
"(Default)" = "DVSMiscPPage"

[HKCR\Wow6432Node\CLSID\{9852A670-F845-491B-9BE6-EBD841B8A613}]
"(Default)" = "DirectVobSub (auto-loading version)"

[HKCR\Wow6432Node\CLSID\{525F116F-04AD-40A2-AE2F-A0C4E1AFEF98}]
"(Default)" = "DVSZoomPPage"

[HKCR\Wow6432Node\CLSID\{B841F346-4835-4de8-AA5E-2E7CD2D4C435}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\mp4.dll"

[HKCR\.m2ts]
"PerceivedType" = "video"

[HKCR\.mkv]
"PerceivedType" = "video"

[HKCR\.mka]
"Content Type" = "video/x-matroska"

[HKCR\Wow6432Node\CLSID\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9852A670-F845-491B-9BE6-EBD841B8A613}]
"FriendlyName" = "DirectVobSub (auto-loading version)"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}]
"CLSID" = "{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}"

[HKCR\Wow6432Node\CLSID\{90C7D10E-CE9A-479B-A238-1A0F2396DE43}]
"(Default)" = "Haali Memory Allocator"

[HKCR\HTTP\Extensions]
".mp4" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}]
"FriendlyName" = "Haali Simple Media Splitter"

[HKCR\Wow6432Node\CLSID\{A8B25C0E-0894-4531-B668-AB1599FAF7F6}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}]
"FilterData" = "02 00 00 00 00 00 20 00 03 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Windows Essentials Codec Pack]
"UninstallString" = "%Program Files% (x86)\Windows Essentials Codec Pack\uninst.exe"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}]
"FriendlyName" = "Haali Video Sink"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}]
"CLSID" = "{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}"

[HKCR\HTTP\Extensions]
".ts" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\Media Type\Extensions\.ogg]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{B841F346-4835-4de8-AA5E-2E7CD2D4C435}]
"(Default)" = "Haali TS Parser"

[HKCR\Wow6432Node\CLSID\{ACE4747B-35BD-4E97-9DD7-1D4245B0695C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"

[HKCR\Wow6432Node\CLSID\{F544E0F5-CA3C-47EA-A64D-35FCF1602396}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"

[HKCR\Wow6432Node\CLSID\{64F2005C-6CF5-4652-B94F-600360B15B27}]
"(Default)" = "Haali Matroska Parser"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Windows Essentials Codec Pack]
"DisplayIcon" = "%Program Files% (x86)\Windows Essentials Codec Pack\uninst.exe"

[HKCR\Wow6432Node\CLSID\{564FD788-86C9-4444-971E-CC4A243DA150}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{90C7D10E-CE9A-479B-A238-1A0F2396DE43}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"

[HKCR\Wow6432Node\CLSID\{7B63A013-DC2C-462E-9292-CAF8C867100F}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\HTTP\Extensions]
".OGG" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}]
"FriendlyName" = "Haali Media Splitter"

[HKCR\Wow6432Node\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\dxr.dll"

[HKCR\HTTP\Extensions]
".ogm" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{DB43B405-43AA-4f01-82D8-D84D47E6019C}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\Media Type\Extensions\.m2ts]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"

[HKCR\Wow6432Node\CLSID\{CE77C59C-CFD2-429F-868C-8B04D23F94CA}]
"(Default)" = "DVSPathsPPage"

[HKCR\Wow6432Node\CLSID\{51A00247-40A8-4845-9F17-7DBFCC9A8783}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{564FD788-86C9-4444-971E-CC4A243DA150}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"

[HKCR\Wow6432Node\CLSID\{525F116F-04AD-40A2-AE2F-A0C4E1AFEF98}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}]
"FilterData" = "02 00 00 00 00 00 20 00 01 00 00 00 00 00 00 00"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}]
"CLSID" = "{F13D3732-96BD-4108-AFEB-E85F68FF64DC}"

[HKCR\Wow6432Node\CLSID\{53D9DE0B-FC61-4650-9773-74D13CC7E582}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\mkx.dll"

[HKCR\.ts]
"Content Type" = "video/x-matroska"

[HKCR\Wow6432Node\CLSID\{BD4FB4BE-809D-487b-ADD6-F7D164247E52}]
"(Default)" = "Haali HTTP Reader"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}]
"FriendlyName" = "Haali Video Renderer"

[HKCU\Software\Haali\Matroska Splitter]
"ui.trayicon" = "1"

[HKCR\HTTP\Extensions]
".m2ts" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{C2D6D98F-09CA-4524-AF64-1049B5665C9C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}]
"FilterData" = "02 00 00 00 00 00 20 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "17807780_stp.EXE"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Windows Essentials Codec Pack]
"DisplayVersion" = "5.0"
"Publisher" = "Windows Essentials Codec Pack"

[HKCR\Wow6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}]
"CLSID" = "{760A8F35-97E7-479D-AAF5-DA9EFF95D751}"

[HKCR\Wow6432Node\Media Type\Extensions\.mks]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{564FD788-86C9-4444-971E-CC4A243DA150}]
"FriendlyName" = "Haali Media Splitter (AR)"

[HKCR\Wow6432Node\CLSID\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}]
"CLSID" = "{93A22E7A-5091-45EF-BA61-6DA26156A5D0}"

[HKCR\Wow6432Node\CLSID\{895322C5-84A1-450C-8478-C57793CAE86F}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{CE77C59C-CFD2-429F-868C-8B04D23F94CA}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Wow6432Node\HaaliMkx\Input]
"avi.1" = "ffffffff00000000ffffffff,524946460000000041564920,{51A00247-40A8-4845-9F17-7DBFCC9A8783}"

[HKCR\Wow6432Node\Media Type\Extensions\.mp4]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\Media Type\Extensions\.ogm]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{49952F4C-3EDC-4A9B-8906-1DE02A3D4BC2}]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"

[HKCR\Wow6432Node\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{BD4FB4BE-809D-487b-ADD6-F7D164247E52}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}]
"FilterData" = "02 00 00 00 00 00 20 00 01 00 00 00 00 00 00 00"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9852A670-F845-491B-9BE6-EBD841B8A613}]
"CLSID" = "{9852A670-F845-491B-9BE6-EBD841B8A613}"

[HKCR\Wow6432Node\CLSID\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}]
"(Default)" = "Haali Video Sink"

[HKCR\Wow6432Node\CLSID\{EB02CC0B-C3BF-4c10-859C-70F42AFCD6B6}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{895322C5-84A1-450C-8478-C57793CAE86F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"

[HKCR\.m2ts]
"Content Type" = "video/x-matroska"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}]
"FriendlyName" = "DirectVobSub"

[HKCR\Wow6432Node\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}]
"(Default)" = "Haali Video Renderer"

[HKCR\Wow6432Node\CLSID\{60765CF5-01C2-4EE7-A44B-C791CF25FEA0}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"

[HKCU\Software\Haali\Matroska Splitter]
"input.fonts" = "1"

[HKCR\Wow6432Node\CLSID\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}]
"(Default)" = "Haali Media Splitter"

[HKCR\Wow6432Node\Media Type\Extensions\.ts]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{A8B25C0E-0894-4531-B668-AB1599FAF7F6}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"

[HKCR\Wow6432Node\CLSID\{7B63A013-DC2C-462E-9292-CAF8C867100F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"

[HKCR\Wow6432Node\CLSID\{51A00247-40A8-4845-9F17-7DBFCC9A8783}]
"(Default)" = "Haali Avi Parser"

[HKCR\Wow6432Node\CLSID\{53D9DE0B-FC61-4650-9773-74D13CC7E582}]
"(Default)" = "Haali Disk File Reader"

[HKCR\Wow6432Node\CLSID\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}\InprocServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Gabest\VSFilter\General]
"EnableZPIcon" = "0"

[HKCR\Wow6432Node\CLSID\{B841F346-4835-4de8-AA5E-2E7CD2D4C435}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\ts.dll"

[HKCR\Wow6432Node\CLSID\{DB43B405-43AA-4f01-82D8-D84D47E6019C}]
"(Default)" = "Haali OGM Parser"

[HKCR\Wow6432Node\CLSID\{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\.ogg]
"PerceivedType" = "audio"

[HKCR\.mka]
"PerceivedType" = "video"

[HKCR\Wow6432Node\CLSID\{60765CF5-01C2-4EE7-A44B-C791CF25FEA0}]
"(Default)" = "DVSMainPPage"

[HKCR\Wow6432Node\CLSID\{7B63A013-DC2C-462E-9292-CAF8C867100F}]
"(Default)" = "Haali Media Splitter about page"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Windows Essentials Codec Pack]
"URLInfoAbout" = "http://www.mediacodec.org/"

[HKCR\.mks]
"Content Type" = "video/x-matroska"

[HKCR\Wow6432Node\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}]
"(Default)" = "Haali Video Renderer Image Properties"

[HKCR\Wow6432Node\CLSID\{0180E49C-13BF-46DB-9AFD-9F52292E1C22}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\Media Type\Extensions\.mka]
"Source Filter" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}]
"(Default)" = "Haali Video Renderer Properties"

[HKCR\Wow6432Node\CLSID\{EB02CC0B-C3BF-4c10-859C-70F42AFCD6B6}]
"(Default)" = "Haali Avisynth DS Reader"

[HKCR\Wow6432Node\CLSID\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"

[HKLM\SOFTWARE\Wow6432Node\HaaliMkx\Input]
"ts.1" = "ff,47,{B841F346-4835-4de8-AA5E-2E7CD2D4C435}"

[HKCR\Wow6432Node\CLSID\{EB02CC0B-C3BF-4c10-859C-70F42AFCD6B6}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\avs.dll"

[HKCR\Wow6432Node\CLSID\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}]
"(Default)" = "Haali Simple Media Splitter"

[HKCU\Software\Haali\Matroska Splitter]
"input.linking" = "1"

[HKCR\Wow6432Node\CLSID\{C2D6D98F-09CA-4524-AF64-1049B5665C9C}]
"(Default)" = "DVSColorPPage"

[HKCU\Software\Haali]
"(Default)" = ""

[HKCR\Wow6432Node\CLSID\{525F116F-04AD-40A2-AE2F-A0C4E1AFEF98}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"

[HKCR\Wow6432Node\CLSID\{BD4FB4BE-809D-487b-ADD6-F7D164247E52}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\mkx.dll"

[HKCU\Software\Gabest\VSFilter\General]
"SeenDivxWarning" = "0"

[HKCR\HTTP\Extensions]
".mka" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{895322C5-84A1-450C-8478-C57793CAE86F}]
"(Default)" = "Haali Media Splitter properties page"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{564FD788-86C9-4444-971E-CC4A243DA150}]
"FilterData" = "02 00 00 00 00 00 40 00 02 00 00 00 00 00 00 00"

[HKCR\Wow6432Node\CLSID\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax"

[HKCR\Wow6432Node\CLSID\{69CE757B-E8C0-4B0A-9EA0-CEA284096F98}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{49952F4C-3EDC-4A9B-8906-1DE02A3D4BC2}]
"0" = "0,4,,1A45DFA3"
"1" = "0,4,,52494646,8,4,,43445841,36,4,,64617461,68,4,,1A45DFA3"

[HKCR\HTTP\Extensions]
".mkv" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\.mks]
"PerceivedType" = "video"

[HKCR\HTTP\Extensions]
".mks" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{0180E49C-13BF-46DB-9AFD-9F52292E1C22}]
"(Default)" = "DVSGeneralPPage"

[HKLM\SOFTWARE\Wow6432Node\Windows Essentials Codec Pack]
"InstallPath" = "%Program Files% (x86)\Windows Essentials Codec Pack"

[HKCR\Wow6432Node\CLSID\{51A00247-40A8-4845-9F17-7DBFCC9A8783}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\avi.dll"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}]
"CLSID" = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"

[HKCR\Wow6432Node\CLSID\{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}]
"(Default)" = "Haali MP4 Parser"

[HKCR\Wow6432Node\CLSID\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}]
"(Default)" = "Haali Matroska Muxer"

[HKCR\Wow6432Node\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\dxr.dll"

[HKCR\Wow6432Node\CLSID\{9852A670-F845-491B-9BE6-EBD841B8A613}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"

[HKCR\Wow6432Node\CLSID\{ACE4747B-35BD-4E97-9DD7-1D4245B0695C}]
"(Default)" = "DVSTimingPPage"

[HKCR\Wow6432Node\CLSID\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{69CE757B-E8C0-4B0A-9EA0-CEA284096F98}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{564FD788-86C9-4444-971E-CC4A243DA150}]
"CLSID" = "{564FD788-86C9-4444-971E-CC4A243DA150}"

[HKCR\Wow6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\dxr.dll"

[HKCR\Wow6432Node\CLSID\{9852A670-F845-491B-9BE6-EBD841B8A613}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{DB43B405-43AA-4f01-82D8-D84D47E6019C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\ogm.dll"

[HKCR\Wow6432Node\CLSID\{CE77C59C-CFD2-429F-868C-8B04D23F94CA}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"

[HKCU\Software\Gabest\VSFilter\General]
"VMRZoomEnabled" = "0"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}]
"FriendlyName" = "Haali Matroska Muxer"

[HKCR\Wow6432Node\CLSID\{C2D6D98F-09CA-4524-AF64-1049B5665C9C}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{F544E0F5-CA3C-47EA-A64D-35FCF1602396}]
"(Default)" = "DVSAboutPPage"

[HKCR\Wow6432Node\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Wow6432Node\HaaliMkx\Input]
"ogm.1" = "ffffffff,4f676753,{DB43B405-43AA-4f01-82D8-D84D47E6019C}"

[HKCR\Wow6432Node\CLSID\{F544E0F5-CA3C-47EA-A64D-35FCF1602396}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}]
"(Default)" = "DirectVobSub"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9852A670-F845-491B-9BE6-EBD841B8A613}]
"FilterData" = "02 00 00 00 02 00 80 00 03 00 00 00 00 00 00 00"

[HKCR\Wow6432Node\CLSID\{53D9DE0B-FC61-4650-9773-74D13CC7E582}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{0180E49C-13BF-46DB-9AFD-9F52292E1C22}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Windows Essentials Codec Pack]
"DisplayName" = "Windows Essentials Codec Pack 5.0"

[HKCR\Wow6432Node\CLSID\{64F2005C-6CF5-4652-B94F-600360B15B27}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Windows Essentials Codec Pack\mkx.dll"

The Malware deletes the following registry key(s):

[HKCR\Wow6432Node\Media Type\Extensions\.mkv]
[HKCR\Wow6432Node\Media Type\Extensions\.mks]
[HKCR\Wow6432Node\Media Type\Extensions\.mka]

The process %original file name%.exe:3896 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "D7 FF E5 C5 04 3F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

"WpadDecisionTime" = "D7 FF E5 C5 04 3F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "D7 FF E5 C5 04 3F D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

The Malware modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 907 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Web
Product Version: 5.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: Web Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://securefilesetup.com/distribution/?product=wecp&channel=A004
hxxp://os.mediacodeccdn.com/Or-interactive/?v=5.0&c=1932223866	54.77.76.227
hxxp://rp.mediacodeccdn.com/?pcrc=2010889011&v=2.0	54.228.198.117
hxxp://d27jwl8eflbzdd.cloudfront.net/CodecSetup.exe	54.230.203.202
hxxp://46.166.187.59/img/Global/Yes_Button.png
hxxp://46.166.187.59/img/Global/Yes_Button_Hover.png
hxxp://46.166.187.59/img/Global/No_Button_Hover.png
hxxp://46.166.187.59/img/Neyayeneda/Neyayeneda_TopImg.png
hxxp://46.166.187.59/img/Malaromoro/bg1.jpg
hxxp://46.166.187.59/img/Malaromoro/bg2.jpg
hxxp://46.166.187.59/img/Rerarapepe/logo.png
hxxp://46.166.187.59/img/Rerarapepe/logo_new.png
hxxp://46.166.187.59/img/Rerarapepe/Rerarapepe3.jpg
hxxp://46.166.187.59/img/Rerarapepe/Rerarapepe.png
hxxp://46.166.187.59/img/Rerarapepe/Rerarapepe_b.png
hxxp://rp.mediacodeccdn.com/?pcrc=2078491783&v=2.0	54.228.198.117
hxxp://rp.mediacodeccdn.com/?pcrc=920873456&v=2.0	54.228.198.117
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ff1eb6bf02500eae
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ac721c9ae92b7fe0
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	87.245.202.16
hxxp://img.mediacodeccdn.com/img/Rerarapepe/Rerarapepe.png
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=	23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=	23.43.139.27
hxxp://img.mediacodeccdn.com/img/Malaromoro/bg2.jpg
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=	23.43.139.27
hxxp://img.mediacodeccdn.com/img/Neyayeneda/Neyayeneda_TopImg.png
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ff1eb6bf02500eae	87.245.202.35
hxxp://crl.verisign.com/pca3.crl	23.43.133.163
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl	87.245.202.16
hxxp://img.mediacodeccdn.com/img/Rerarapepe/logo.png
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	87.245.202.16
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=	23.43.139.27
hxxp://img.mediacodeccdn.com/img/Global/No_Button_Hover.png
hxxp://img.mediacodeccdn.com/img/Rerarapepe/logo_new.png
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	87.245.202.16
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=	23.43.139.27
hxxp://img.mediacodeccdn.com/img/Malaromoro/bg1.jpg
hxxp://img.mediacodeccdn.com/img/Rerarapepe/Rerarapepe_b.png
hxxp://img.mediacodeccdn.com/img/Rerarapepe/Rerarapepe3.jpg
hxxp://img.mediacodeccdn.com/img/Global/Yes_Button.png
hxxp://img.mediacodeccdn.com/img/Global/Yes_Button_Hover.png
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ac721c9ae92b7fe0	87.245.202.35

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET POLICY Executable served from Amazon S3

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1697

content-transfer-encoding: binary

Cache-Control: max-age=524341, public, no-transform, must-revalidate

Last-Modified: Sun, 1 Feb 2015 18:08:13 GMT

Expires: Sun, 8 Feb 2015 18:08:13 GMT

Date: Mon, 02 Feb 2015 16:29:20 GMT

Connection: keep-alive
0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 C
ode Signing 2004 CA OCSP Responder..20150201180813Z0s0q0I0... ........
[email protected].!......Q...==d6|h.[x....7..`..........cV.!.....201502
01180813Z....20150208180813Z0...*[email protected]....#...q)
D....C"BZ..o.gI....1.!.6.vl..o.....6mD(/a'H..fA^..|0WW...b?w?.1.K.<
.-....4s..^y.oY.....s/.W.o...tg(8eQ..1>ZVv."...&i.>b.w...s.....Q
@.X..$...z]8W....?.Y\.V[...q.ou.&H:..F.....i.K<.G_..VA5-.Hg.i.....3
(6. .........U....Gw...0....*..X..v.....0...0...0..{.........[..I|....
.Zm..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U..
..VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisig
n.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140
428000000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 20
04 CA OCSP Responder0.."0...*.H.............0.........Y....h..@..>.
....%.-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l
.....f..;]s!.\"v...|....][email protected]. ..W..
..n..*..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....&l
t;..6.....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%.
.0... .......0...U...........0... .....0......0f..U. ._0]0[..`.H...E..
..0L0#.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.sym
cb.com/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>
q..i1o...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..w
o......E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|..
<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 812

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT

If-None-Match: "a2f3ff97eeecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT

Accept-Ranges: bytes

ETag: "88c4768d3f2ad01:0"

Server: Microsoft-IIS/8.0

VTag: 791450244700000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 813

Cache-Control: max-age=900

Date: Mon, 02 Feb 2015 16:28:32 GMT

Connection: keep-alive
0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....mic
rosoft1-0 ..U...$Microsoft Root Certificate Authority..150106214825Z..
150407100825Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..
%..*..S.Y..0... .....7.......0...U......(0... .....7......150406215825
Z0...*.H..............vQ..r..L.Q.N..=#.......V;..r../\.m..<.."...F/
U....(:.....xm.....P.e.F..BE8......=...G....6t:...?...L..B.v..p.M.....
...z..Q.%J.6..I.......8...U. .g..=T=K....L..$w...^....y~..-a.'...*s#N.
o..Qs.$h..:duV'~....8.6..w..b3.... .~)...|.I.y".>R.nJq.ws...3.....f
}.E)\......EB.d\.2.....h...lMjT.7..lj.'lj.b....".L.Os6{[email protected].|7z
.. ......>..Q...([email protected]\]#..Y.*.......T. .C.....A'..
5FW.ETDvX..tE.....g5.....&..&.....x.^H;...../7..'9.t.I&<[.HX.j....Q
w......}...qy3..q`<.....LB.9w|....;..Qw..a ..=.C.:.........


GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT

If-None-Match: "3e1c83923e1cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT

Accept-Ranges: bytes

ETag: "d2e35dc7e31cd01:0"

Server: Microsoft-IIS/8.0

VTag: 27948442200000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 561

Cache-Control: max-age=900

Date: Mon, 02 Feb 2015 16:28:32 GMT

Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Window
s Verification PCA..141220223154Z..150321105154Z._0]0...U.#..0.......p
............<.J0... .....7.......0...U......30... .....7......15032
0224154Z0...*.H.............h.~oH#i.J.vh_.....A'B..g...........F....9c
.{[email protected].^ 4.r..Wv.Q.0.w..j....c9..w....I..%.~.l..F.......xo....
_...o...7BR.;<..\R/ .....b.(....~..]|.v.u.i.X.B....I......./*...P..
A..fi.}& .x.v{TFP[.G......A......L.o...)R.......V.u..V.../.Q..(L.]....
.uki~......


GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT

If-None-Match: "58cddbea90dfcf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT

Accept-Ranges: bytes

ETag: "9a9a44d511bd01:0"

Server: Microsoft-IIS/8.0

VTag: 279252244600000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 550

Cache-Control: max-age=900

Date: Mon, 02 Feb 2015 16:28:32 GMT

Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-St
amp PCA..141218221600Z..150319103600Z._0]0...U.#..0...#[email protected].. .
.5..0... .....7.......0...U......10... .....7......150318222600Z0...*.
H............./..0Q~.r.}.E....&\....F.Z.C..#..F.s........<&\..9G..-
....j..N... .C.Fk....;l.....2.K5D.........-.>...(...g.0.S.[?...T4q&
gt;[email protected].('..e...Y..Bo..q..........I....'....i>
..y:.eH@h`..\...UA.m#.~.. ;.3..d..;..<..........p..s..J..N `Az.....
[email protected]..

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ff1eb6bf02500eae HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT

If-None-Match: "0b2464b1797cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT

ETag: "0b2464b1797cf1:0"

Cache-Control: max-age=86400

Date: Mon, 02 Feb 2015 16:28:32 GMT

Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Las
t-Modified: Thu, 03 Jul 2014 23:34:12 GMT..ETag: "0b2464b1797cf1:0"..C
ache-Control: max-age=86400..Date: Mon, 02 Feb 2015 16:28:32 GMT..Conn
ection: keep-alive..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=399415, public, no-transform, must-revalidate

Last-Modified: Sat, 31 Jan 2015 07:23:00 GMT

Expires: Sat, 7 Feb 2015 07:23:00 GMT

Date: Mon, 02 Feb 2015 16:29:19 GMT

Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....2015013
1072300Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.eR&.....Y.)..".\....20150131072300Z....20150207072300Z0...*.H........
.....KX.GuA..j...RU...6.1......?J:D....- J./.]....A(L..H(.. ...V..^.d.
x..W..........7Z)]..{.V}{..1l.1...7.*.?.....\2V.....h/........7_7,|.2.
.\....L..|[email protected]........</..F-.v..y...E.c..L..b%.Uy...b.X.
.|`.....6%U..r#.L........w.p.qd^.....Z.8t".........9.M....0...0...0..3
......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSi
gn, Inc.1705..U....Class 3 Public Primary Certification Authority0...1
41202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corpora
tion1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA -
 G1 OCSP Responder Certificate 30.."0...*.H.............0..........'..
....Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).
....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p.
.^|o....S..v.).)[email protected]#qh...u1T.].G0.]E...=._..
.... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. 
.e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. ....
...0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0..
. .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$
..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D..
.........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,.
...
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=479114, public, no-transform, must-revalidate

Last-Modified: Sun, 1 Feb 2015 05:33:16 GMT

Expires: Sun, 8 Feb 2015 05:33:16 GMT

Date: Mon, 02 Feb 2015 16:29:19 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015020
1053316Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
..M.s.Q~...@?j.......20150201053316Z....20150208053316Z0...*.H........
.....|eBd.................(R.4...g..z8...!....I..%(Fkn...l.Ua.4.....U.
...$.d7..Ft........((.......W........[....P................p...W.jpP.d
l..%CqW...\..X.._.D[W..7..1...v.6..........x.]kH..mt.1..5..&0...O(...x
y.xU....nP[........]P..^Tx...S)J<..E'..D...i0:...h-...#0...0...0...
.......<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
..{(..t....2.Vf.....&;6).i*[email protected]._p.E.6.|.mk....(....
......p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.
}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....
(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
 by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...
<<< skipped >>>

HEAD /CodecSetup.exe HTTP/1.1

Accept: */*

Host: d27jwl8eflbzdd.cloudfront.net

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 11516520

Connection: keep-alive

Date: Fri, 09 Jan 2015 01:41:53 GMT

x-amz-meta-cb-modifiedtime: Sat, 21 Jun 2014 12:03:12 GMT

Last-Modified: Sat, 21 Jun 2014 14:17:40 GMT

ETag: "7a23586c77d9b0cdf944ae2f6e004a49"

Accept-Ranges: bytes

Server: AmazonS3

Age: 24583

X-Cache: Hit from cloudfront

Via: 1.1 09052d1a6e392e4f4a3fd97bf34a2b24.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 7liHXh5DJFJjsXwu08YOfWsADWwjoPHqXZVfo7eMaCuvhw0NeHTDEg==
....


GET /CodecSetup.exe HTTP/1.1

Range: bytes=0-11516519

Accept: */*

Host: d27jwl8eflbzdd.cloudfront.net

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 11516520

Connection: keep-alive

Date: Fri, 09 Jan 2015 01:41:53 GMT

x-amz-meta-cb-modifiedtime: Sat, 21 Jun 2014 12:03:12 GMT

Last-Modified: Sat, 21 Jun 2014 14:17:40 GMT

ETag: "7a23586c77d9b0cdf944ae2f6e004a49"

Accept-Ranges: bytes

Server: AmazonS3

Age: 24583

Content-Range: bytes 0-11516519/11516520

X-Cache: Hit from cloudfront

Via: 1.1 09052d1a6e392e4f4a3fd97bf34a2b24.cloudfront.net (CloudFront)

X-Amz-Cf-Id: aiZnrUFQDMCzhMSV52BdeouBdo9TGLBuFt7uQmKHd6LX5MgI7RN-Qw==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................Z...........0.......p....@.........
.................0......&........................................s....
..................(...@...............................................
.............p...............................text....X.......Z........
.......... ..`.rdata.......p.......^..............@[email protected].......
[email protected]...@[email protected].
...............t..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
..>[email protected].>[email protected]
...Pr@..}[email protected]... M.......M....3.....FQ.....NU..
M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...
[email protected]}[email protected].}.j.W.E......E.......Pp@.
[email protected]@.W...E..E.h [email protected]...\r
@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.
......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[...U.
<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?ac721c9ae92b7fe0 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT

If-None-Match: "0b96c77303ecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT

Accept-Ranges: bytes

ETag: "805a83f2b9cecf1:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

X-Powered-By: ARR/2.5

X-Powered-By: ASP.NET

Content-Length: 56928

Date: Mon, 02 Feb 2015 16:29:03 GMT

Connection: keep-alive
MSCF....`.......,...................I.................,E.Y .authroot.s
tl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......
_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q
.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2
.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\
YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x
%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,
....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.......
[email protected]/"...f.......k..Jm7j....R.5q....Rz.
.!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%
T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m...
_.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..
*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<
;.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|[email protected].._.....7._6...C.0...
A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?.
..........WE.Or..O>..{.'[email protected]}.o:?~....]&l
t;!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..
{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......
q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!........
.`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=..
.f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..
].|......3..y..-./....K..6{...s.<R`.}[email protected]....
<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT

Accept-Ranges: bytes

ETag: "75565c7ac03ad01:0"

Server: Microsoft-IIS/8.0

VTag: 791666644800000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Mon, 02 Feb 2015 16:29:24 GMT

Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..150127173215Z..150428055215Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......Y0... .....7......150427174215Z0.
..*.H......................YIw.. ..(..y..O.G].B.."?.@...[1.}.X...]...e
.J....pP.I....!6...%.D.k...>c.|R.?.i..yt.z..B.........b....n..m5...
0....2..I!)v....z....y.#pXz.DO.....mF...e.'e...@.%...6./.bPZ...=....bp
[email protected]..@.. ...M....z....Q...{u. .W....

GET /pca3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.verisign.com

HTTP/1.1 200 OK

Server: Apache

ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"

Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT

Date: Mon, 02 Feb 2015 16:29:19 GMT

Content-Length: 933

Connection: keep-alive

Content-Type: application/pkix-crl
0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..141210000000Z..150
331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* [email protected]!..Y......w
`G........070411175657Z0!..Z`[email protected].*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H............5..v...V.._)....A... ..
..>.5]....6.(.0uFW.*:T...6$.....R...Y.N.k........%Jn..I.j*.6.3~...r
../[email protected]?....0.A.HTTP/1.1 200 OK..Server: Apache.
.ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"..Last-Modified: F
ri, 19 Dec 2014 01:00:19 GMT..Date: Mon, 02 Feb 2015 16:29:19 GMT..Con
tent-Length: 933..Connection: keep-alive..Content-Type: application/pk
ix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc
.1705..U....Class 3 Public Primary Certification Authority..1412100000
00Z..150331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A..
...{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y
..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!.
<<< skipped >>>

POST /?pcrc=2010889011&v=2.0 HTTP/1.1

Accept: */*

Host: rp.mediacodeccdn.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 800

Cache-Control: no-cache

...3E.Q)_l.y...K.......5g*.....M....Lj9r...l...........5.VkjG...J..B.L.$Y.sr'Z..P..!..5S6..I.c......8&.g.b./=.....T.`....={...~...._.....EGs...>K...?Mt..3.`..Og.g...!.sm1Z.....

.!.m.... ...E..R6.M..(.i.4.NJ..?R;..zi.........,A^`G.vdC^1A,tHB.5-IH.YaQ.q<-j#$.E..E..i3.X.d^...(...!9O;...M..K1b,%W.
.M.%.k....Yz..h.L}v...q.,.&Yh\..|............4.~2......SY.....l...X.J._<.....^r......'..[X.z..D.b4...S%.'...7e.j.]..U...0.......Pw%
~..g..p
.....-.%j...%.6Z.x.B..........l...W.......K..I.V....h.=....$..*|(,......;.....
.m.6 ~9...[..2.._...Lr^.

..Jp..f..)...0.5R$....x;.|s..x..`........jV.B.#H..R.se....^.E....5...J..@j(M.,".5..a.%..v..'..m..bj.....$z...ay...:)..Z,|".S...R.
..........".zl.....~\..5..B.......:.1.ZU...;0..
..9ANg...7..m0#a..._w.....5...G...?......HH.a...$.....S..e.}.Q..b.."\.......j.q.
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Mon, 02 Feb 2015 16:24:26 GMT

Server: TornadoServer/3.1.1

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Mon
, 02 Feb 2015 16:24:26 GMT..Server: TornadoServer/3.1.1..Content-Lengt
h: 4..Connection: keep-alive..DONE....


POST /?pcrc=2078491783&v=2.0 HTTP/1.1

Accept: */*

Host: rp.mediacodeccdn.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 2032

Cache-Control: no-cache

.^.S...N)Tw?.G{&..^.N7..0..t..`..lA.r.}AH..sO?.....Q).9-.X.'..4U..u ........P..7..z3...!....#u...@~P..{..0.UD.U.}.i....................,~A.....g:..!...?.......W...!...sZ...}m...

N...0^L....M...-..)...[}.;.W..nO.l...n.0.o3.'.?9: ..n}j...P.D..<STB\._.".C.?.....^.4...sF^).....(..N....! .uM..P.Epl.8

Jk.=...gR.6..~............[(.S..'.))>......>...E...y.....l.........^]>...i`[(H.<...k.|Z.X.Nu.1...`..c.a3....B....-...DA(\/..R.....BD.hc...4.^<.o...zEr....D...d6h.....S..<3...S...d.D..#.......kc..d.g.......2.AU.2.......U..t..
I....."}...:..V.~dE..9......F..Oj....m.$E.]lIo<..{.OWJ..m#...\.'.....Z.......K......\6Nh..l..:[email protected].*Cg5^.BB.....l..... .VF.k.[..A.~^Z.._.7dk.....kPEz..Eh..3P.p....."..D.}.m..nN{.x..%.n.....\... ........S.5..8...."[email protected].,.0..[........0.\..m.C.S-;.G.6\[email protected].}..._...nL.d{.R......EnR.o}..3.... ..H........j........Y..U&..o....M.v~..'...#.u.E.......G....0m..H ..L@...".D..H~ .\~v9......,...#.....j........;W.{..b...>..2.G.w..B.k.>t.5cj.%U../"....:W.
.....U.8../CUR..x.;r.y.q..$..1nS..)[email protected]....$c......P.,Z....I..Ss..<.G.F:[email protected]...}...O......n.s,8.8.a.8....._.s....r.....\.f....,....I.v..(>.,[email protected].........
.f`.w.P=YVh..3`,2...`G.q>k..p.8zz4.3t2x.U..Va..*8.......g.,/...\..1.>\
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Mon, 02 Feb 2015 16:24:36 GMT

Server: TornadoServer/3.1.1

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Mon
, 02 Feb 2015 16:24:36 GMT..Server: TornadoServer/3.1.1..Content-Lengt
h: 4..Connection: keep-alive..DONE....


POST /?pcrc=920873456&v=2.0 HTTP/1.1

Accept: */*

Host: rp.mediacodeccdn.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 2112

Cache-Control: no-cache

.I..~...$$.......
a"...h.W`c(X..d..>..'.....o*.lL..>..|N.=..'..t;)0p..p1...F.#.Z

X..7.}..u....._RWp...K......K5...yI6....~ ........4..>.P.`DZr...b0f.$.V..m.o....s..p....7..rk.U....([email protected]$.jJ.yL.0....=...x.L.7.C.....L...5.:..o..j.i8..T_.e*cs!.>/.7.......F7.^.....Ho.....d..K..........\5*.C#P]Sj.....F.,.......m...h@#o.d.`...w..k.....Kv..X.

5G..m..:.. ........E.....x...]......b.....Jjb?...I<.l...Y.hR.........?......4 6...G....B......v &e.k.f..Es$.-...........>....O`.b..n... .`R}........"......!v...fh.......cPc..?........\../Z............eRD..u.K.Q..."i>A....o. ..V=.......YEW:.9.I*.#...5b..4!.".....5~..V.|..$..6]....(^..t...F!...2...........2..i...V.o3~....9...$......R../.[H...E.v.8.*p.~q..-..

,...:..r.oj,&..7J<..b..\0. S..6:..h/.lf.~6.x.j..........?........U...I....}...J..G..d...2..C..u..
.'.......|...5.M8.o.R......X......p.4...]u.^.y..h...z]....VP.h .m..A.Z.]H[.5........&s:.......=._.%...b...4L..={....6bvD.c.p..;..G..}..C....i......Hp.}..K#l54|.........~..-...O..E

.d...?...h....f.~.......,..N.&.....a..1dm..x.#?...P.....[.L......|.....z..w.E.8...X..R..b.|J.....yF..C..U#.g.i..5..i..1..x.).........?1.#V.N......'9W...K.d......{'..f......"...c...C../...\.9f.&(..)VL...$O...w...U..S(Cc.........B..,Dw/.."........g..,...DYP[..[.G..#S...
....d...W#[email protected]!{.....M.Q\K.U....
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Mon, 02 Feb 2015 16:24:40 GMT

Server: TornadoServer/3.1.1

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Mon
, 02 Feb 2015 16:24:40 GMT..Server: TornadoServer/3.1.1..Content-Lengt
h: 4..Connection: keep-alive..DONE..

GET /img/Global/Yes_Button_Hover.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Mon, 02 Feb 2015 16:24:27 GMT

Content-Type: image/png

Content-Length: 1094

Connection: keep-alive

x-amz-id-2: 35dTmwNj2R5cCAvLf75lFpZrcHjzP9cJbFnn7eiiMZZUPDWD4fDumtgQqHrutKZF

x-amz-request-id: 29EDBC25060129A4

x-amz-meta-s3fox-filesize: 1094

x-amz-meta-s3fox-modifiedtime: 1380713503000

Last-Modified: Wed, 13 Nov 2013 16:12:44 GMT

x-amz-version-id: L9RQqPthtuNtMC55hxM9o_RZqWXqZtid

ETag: "aec475b9d6280598800f3ceafea4af8c"

Accept-Ranges: bytes
.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:30B2AE2724EA11E392EFCCF1
BDECC388" xmpMM:DocumentID="xmp.did:30B2AE2824EA11E392EFCCF1BDECC388"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:30B2AE2524EA11E392
EFCCF1BDECC388" stRef:documentID="xmp.did:30B2AE2624EA11E392EFCCF1BDEC
C388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>. ,.....IDATx......0.E..D....@L.^L...!...2.
..........=.....vq?.H.l4[.v..d.S.l......x..W{=..k...L(..3.....k.s..3..
.K....B..P..B..P@(B...E(B..u.f4.3..)e..l9z.i.?o..7.7M.....%...y..$.:.t
A..K........S..^/......IEND.B`.....
<<< skipped >>>

GET /img/Neyayeneda/Neyayeneda_TopImg.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Mon, 02 Feb 2015 16:24:27 GMT

Content-Type: image/png

Content-Length: 5294

Connection: keep-alive

x-amz-id-2: hlbwVznLP7FsLEAs2RVpvEXz9MQbWfVUt9fMpbXui3QDEQe74pTlIFca0ggHc8l5

x-amz-request-id: B0949F71324B507F

x-amz-meta-cb-modifiedtime: Mon, 08 Dec 2014 15:35:18 GMT

Last-Modified: Mon, 08 Dec 2014 15:35:58 GMT

x-amz-version-id: FMo4KeFIwAQ6andjQM0juyaehifWTmdO

ETag: "e0b022bf564a4220d87633d0b4563314"

Accept-Ranges: bytes
....


GET /img/Malaromoro/bg2.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

..4.I...%c;...nrZR.uI.6...) .A.......nR.0..> ..W-m.~...<....S.u.
...-F....u...i.g.. .m..PH...VFo.@..?.../.......kY.Y.l......(.9...f.m..
Z;....._..c. ...#.>......H./?...x.C...~.k.......~/`O.E...z.U.?.....
.e$.5.5j.n.Fgq.>...u.v.o........-.q-.m.J. .y&..>.[.l....P.$.e.q&
gt;...@<..C.........{...d. e.........C.x.{...y......H*z...eZq3s.P@.
1&.O...VsiZ.Z(D...n...k..............6.".....oK.PDJ...zr:*..| ...6kK..
.a.h).....Q".....WnN.....}]..V..H.GZT....o.Q....K.bs.~..]..&..-..D?..7
<.... .c..#k.}E..F]7A.E....m_ZO..g.t.{B41Z.......WY,l...cg.....d .~
....j....k.b....r....,..J..&b ...gu.....b\9[x...h...o%..g.8..^..i.R...
....2[..$..g...}.u....?6I.e.......J.a.A...U./..&......kal......r.'t...
........?..P0<..H5#..Z^.Is(.....l.....D.`.....r...._.f`.T........].
.]0.........op.......'....-4....Y.........c......3HG.et..EO.L.T.[.....
j.C.....n....6...v. ..........,..f.%v.l..M6...... ...M=...[..? O-.....
..J{.i............WV.<..j..=.<...n..M ..tP.y.v......%:.{... d.Z.
.. .nJWq....?.ijf..Z.lj{~.Lu.p..J..?I..c....RQ..uf..[..Ac. ..=5m..`...
{......4.....[.B.J..x.p:.....o.<..|.u../q..7xR....v...$#..Q.._...W.
..Y:..K.8].K.....^|.; [email protected]...[...>.cA.....[
..@d4..!........F.5..r8....~.g......`tK.X...._Q.".<wmD*..d.#.L.0...
bQ5.r.f0?..;h.H...H_U...A..X{....~k~.....K.....~....r......w.@....&J..
F.........$o.:.......1.Y...d}%.....pc(Fp.....7.kMk.Cr.Yzv.#y..U.......
P.0..LP..e<..`5..ul.......n..\...&j.r.][email protected]
n. [email protected].<\...\o..bD..A%..h...J.j..:.a.8..,.m......
<<< skipped >>>

GET /img/Rerarapepe/logo.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Mon, 02 Feb 2015 16:24:28 GMT

Content-Type: image/png

Content-Length: 10944

Connection: keep-alive

x-amz-id-2: 2eUrHSuJHpM9jyFsf9ZJD0eygdMfOT0Sl9qFRbeTYEspfY3epVOaQWmwM7ywa5Rv

x-amz-request-id: 98991A5032697BC1

x-amz-meta-s3fox-filesize: 10944

x-amz-meta-s3fox-modifiedtime: 1384099835051

Last-Modified: Tue, 12 Nov 2013 11:05:48 GMT

x-amz-version-id: bDPFTNRsfueKXbAbmeVgRbPvzBoRvTw2

ETag: "0440e25b659207aaea00512d9a0a9924"

Accept-Ranges: bytes
.PNG........IHDR...L...^...........*.IDATx....T.....M...F."b.....F.Q..
..{.%..{E.........{.H....J.~*.....gN..j....._.Z..g..ff.....9C."..t:]'.
F3-55uOjZz.......o....\...'....&J4[O*.=i.`%Y...................E."....
.Z.>.69%;6.....HNIEFf&.J.,..r~..}.p).....e..V...3./)....A\|........
......   k,Q...M..B..h....../..N........#..!V.P.y'X4J...v...Z...o.{ ''
....L9....M.....7...l....Ml..SS..........$..C!.3.\...........A.'......
.m_..%x...."@....)V%.?|WX...Y\.C.c.r.V..R....g...:.\2....4..M.R9X..b..
.b......,.U..t.b...Z...P..Q*......7.......t.B.{....@jY!.....Q......Tdk
...3;...s..0... ....@.&..m.ktE.f. I.M..1...`..V..d[.9..qG.&".U..C..u..
.W.C{..4'..v?.....\..>......h<.C{.(4...u...G..E=Gvj..7[.?.:.?.K.
9...e..s........,--=....[W'...v......R....^<...!..]........>..j.
.......].v.....j.v..l.j.V.wn.j.&(I.][.r...Q.x..>....Hay...99f..;.%.
.R..Q_...h4Sy...a]....J.dQ..o........... 9...8.2Br..)...a)w..]...h.f.K
.}#i.T[.......u..(.;.....d=....,..{....Z..._.Q..t:... ..H.R..Wt.f^...'
6.Xu.\.DU*...u.oAK....&KQ.# .%.Q..f......{34.-.>.M............6'(.8
@.y..Z.......$.UP:...i.../..5....V:..\[email protected]'@B.:..f.\..,......17.....
..&.Qn..t..DJ.~w..z.j..........e.Q......&..tX...s.5s*..OA...HY......c.
..d@. .\[email protected][)...!h..P..r..,A...A..b......O.Oyr.i..".*....
m.EA8...r....T.6H.DP.....n.y=4.LG..1m2N.n.G.rX..........?.....5%mp.A=.
[email protected]/....J.r!..W.t..r.#Y..J.g.c...{.H,N...>r..lY.'.4....
.m.....D.t..YT.d. hN..P.K`.....%\..a-..~....l..s....?...5....8..P... .
.....5.............3u"...#s..(....7@R,.....Es.9..(...m#k.8...tiP..
<<< skipped >>>

GET /img/Rerarapepe/logo_new.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Mon, 02 Feb 2015 16:24:28 GMT

Content-Type: image/png

Content-Length: 4569

Connection: keep-alive

x-amz-id-2: wHoH6zbccWJnikMqVq2ipm6CCxue0ptcG00ly2UOr8ijM5TmVaiz0iMEQDEnaGks

x-amz-request-id: BCE7494C294CE790

x-amz-meta-s3fox-filesize: 4569

x-amz-meta-s3fox-modifiedtime: 1388397217065

Last-Modified: Mon, 30 Dec 2013 09:53:59 GMT

x-amz-version-id: FBdIFQNqjG8fAIwxlMklzjPUXqz3Asib

ETag: "3263ff057b8e7380f7579d5aaab2bfdc"

Accept-Ranges: bytes
.PNG........IHDR...2...2......?......tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2A43320D713811E3B459B11F
BD9400CD" xmpMM:DocumentID="xmp.did:2A43320E713811E3B459B11FBD9400CD"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2A43320B713811E3B4
59B11FBD9400CD" stRef:documentID="xmp.did:2A43320C713811E3B459B11FBD94
00CD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>v.Gr...MIDATx..Z{p\U......$.l.6M.jc..P....T
.N.*3.80`...:#.......3>...F..|...3>..hE..(...P-i..y7.$....{.=..w
......6)...~.....~..;.PJ.....ur.n.......O|.&...hj&.H.e2$l..y.T*...D.3E
.#.A -^t.....TzA-....P.N..i.'.........T..z>.GT.%r........"..H9....R
...I......}..@.^../..?o.U...F..c.qA.H.?A.(a.....k....,.!Vb.......:58.K
...@z>K[.......S_....T.......... lr......GU..~.....C......t24;f.M.R
%...4......`............%..aZ`.... [email protected].&0^.`v. u.
...?Y....e..%.."ik..^....s.}.~.8Iu..?........m...{ix.KM..........,4R..
[email protected]]p!%Z..f.$k......hB.......DK...R.&..k..%#e.
<<< skipped >>>

GET /img/Rerarapepe/Rerarapepe.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Mon, 02 Feb 2015 16:24:28 GMT

Content-Type: image/png

Content-Length: 3657

Connection: keep-alive

x-amz-id-2: v92W2l JYlUtcR/OjOYK5ouFe4SsIP/swlapf3AQ1gp5StisSOpF2D/ZTcQ74e6y

x-amz-request-id: ADA4B13BF06DFF96

x-amz-meta-s3fox-filesize: 3657

x-amz-meta-s3fox-modifiedtime: 1402226184727

Last-Modified: Mon, 09 Jun 2014 14:19:41 GMT

x-amz-version-id: nXvqG1jeKyMVMqgSg3LnBI1CMsSqJwdV

ETag: "e568d92e622a3ac2f573a98d91df1421"

Accept-Ranges: bytes
.PNG........IHDR.......!.............tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2D84B53BEEFE11E39491D45C
0DAE79C8" xmpMM:DocumentID="xmp.did:2D84B53CEEFE11E39491D45C0DAE79C8"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2D84B539EEFE11E394
91D45C0DAE79C8" stRef:documentID="xmp.did:2D84B53AEEFE11E39491D45C0DAE
79C8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>..(.....IDATx..Wi....~U.=....][email protected]
...Vb..`..H8.\..D. Q.EA.....Q8..cB.c....&vv}a........3;..]..z...(%..LM
u......^3..1"...mr.. ..b...z.B.\.<]!...8...J.~.R.^.U....ArE...q...Q
W......W.. M..l......R..Dd."...P......F..-.....S...S... .OF...I./.N.&e
6.....TW.c....z......@.......`_.X'...X8.3op.'...z&.UT.m...r4:.1.'&.1F.
...9....Fr&..U...d......<..Z.Q.^.}]X.......D!......73.a.8.....Q..c.
w...).^U#..L3..}m......:.z..NN...r.Y..Ck..E}..-....t1..?g..d..t.E:4x.*
#....L...(wv..~.OY.......wfO.L.0....4...Ko........h. s6M\.D....$.....W
......6g...............>x....<..[...F"5C..=K.....[v...O'..ky
<<< skipped >>>

HEAD /distribution/?product=wecp&channel=A004 HTTP/1.1

Accept: */*

Host: securefilesetup.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Mon, 02 Feb 2015 16:24:25 GMT

Content-Type: text/html

Connection: keep-alive

X-Powered-By: PHP/5.5.9-1ubuntu4.3

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Mon, 02 Feb 2015 16:24:25 GMT

Cache-Control: no-store, no-cache, must-revalidate, max-age=0

Location: hXXp://d27jwl8eflbzdd.cloudfront.net/CodecSetup.exe
HTTP/1.1 302 Moved Temporarily..Server: nginx..Date: Mon, 02 Feb 2015 
16:24:25 GMT..Content-Type: text/html..Connection: keep-alive..X-Power
ed-By: PHP/5.5.9-1ubuntu4.3..Expires: Mon, 26 Jul 1997 05:00:00 GMT..L
ast-Modified: Mon, 02 Feb 2015 16:24:25 GMT..Cache-Control: no-store, 
no-cache, must-revalidate, max-age=0..Location: hXXp://d27jwl8eflbzdd.
cloudfront.net/CodecSetup.exe..

POST /Or-interactive/?v=5.0&c=1932223866 HTTP/1.1

Accept: */*

Host: os.mediacodeccdn.com

User-Agent: ICAS

Content-Length: 1252

Cache-Control: no-cache

0A0Czu0O1CtG1L1G2Z1P1C1T1R2Z1L2X1PtN0U0I0DzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0W0VzuyCtFtCtN0W0S0PzutCtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzuzztBtCtAyEzztN1L1B0A1Q1H1L1GzutCtN0T0KzuyCyCyDtCyDyBtN0U0I0DzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0U0I0D0N1P2WzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0M0G0U0I0Dzu1RtDtAtBtB1T1R1QtGyD1PyD1QtGyEtB1OtDtG1StCyCtAtG1RyDzytC1P1PyC1O1OyD1SzytN0M0S0I0DzutBzzyDzztDtBtDzytAyDtGtBtCyDyCzyzytByDyDtDtGtAyCyDzztCtAtCzztDyEtN0S0I0D0U0I0Dzu0A0AyDzy0FtDyEyBzztDzytCtCzztByC0D0AtD0A0AzyyD0C0ByEzz0AtCtCyD0FtN0M0A0C1V0LzutDtDyDtDyDyCtBtCtDtCyByEtOtA0AtCzytBtFtCyCzztFtCtAzytFtCtAyDtOtA0AyCtOtA0AtCtN0S0D0TzutBtDtCyDtDtBtDtBtCzztByEyEzyyBtAtAtN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0P0E1V0M0O0D0Ezu0D0L0LtN1I1L2ZzuyCtAyCzyyCyBtN1L1Q1B1RzutBzztN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN1L1B0U1T1R0O1GzutDtN1L1B0U1B1P1C0A1Q1H1L1GzutCtN0R0N1T1H1Pzu1RtOtA0AtOyD0CyBtB1Qzy1SzytAyByByE1Q1S1SyDtCtDtAtA1QyCtD1Q1QtAyDtBtD1OtD1Q1TzztF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyCtFtCtN0O0S0S0P0V1P1CzutCtN0O0S2VyCyEzutCtN0P0P0Nzu1B1T1G1Q1S1F2V1V1B2X1RtF1P2V1PtN0M1P1H0P1M0AzutCtAzzyEtN0M1P1H0P1M0TzutBtDyEyBtN0M1P1H0V1L1C0AzutCzyyCyEtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu2W1L1G1Q1F2W1B1V1P1B1B1P1G2Z1L1T1I1B1V1R1F1Q1P1R1V1E1T1R1J
HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Type: text/html

Date: Mon, 02 Feb 2015 16:24:26 GMT

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Server: nginx

X-ICSCT-CC: UA

X-ICSCT-CITY: Kharkov

X-ICSCT-GICSET: global137ad

X-ICSCT-IP: 193.138.244.231

X-ICSCT-SERVER-NAME: ads.slave-eu-west-1a-f6897811

X-ICSCT-TIMESTAMP: 20150202112426506

X-ICSCT-VERSION: 1.2.5

X-Robots-Tag: none

transfer-encoding: chunked

Connection: keep-alive
14de......._...\Ci.$.M.@' ."...U...g.0#./...%G.....K.......E..=.`w.0..
.d..r6.G4...Vlw.r.^..:.;SSJ.4.e.Q.y$.l.4m../...u5.h!~..y.!.....9E0C.N.
d.|..iJ...&.SxE...",....D...q7N.aR_..)...1..LcV.Z...WK...s_..W..|.....
$..)....<D2..-........(.N...a.4i.p.......K"...  .%l...z..D.m'.2.."q
w.,J.T.IZ.&..:$Rrw$Y.'....sc.t1.zL...&8..].rR...o....C.)..1...u..R....
...S..7p.a.R.d..Keh.wN..5......:.Q.......I........f..xcok...DPvv-Df..S
..gk0^.H.D.._A^...)[email protected]..{.R.Q...r..-.d..c.7......... ...~.....N
.....B.,|2V.j..fa.....~.*..C...W.|k.,n....j`...7R.)..:[email protected]
i. \?..Pic..hC.|.W.PhC..j..RE> Wq..U.?.ZjL`R~>.M ... Z|..R.. S.8
 ...... LN.Pl...K.R..V...#"RGg.SYuxl[.R.[.Y.Kr.Br..O...lkP....!R7..U..
`.;V..kN P1..D~B@R~..y P..j..P|.#R7..Z...Z.V.....0...(=T.C.Wz.....i`.P
{...1...k\PPx~..X.8...}..'..-C...?..6.t.v..$s$.!7..."...........g]lr..
[az...2..Yggo:.[q]\.r.wC..=r.VE..T...ij. .B....4...S..r...}b..m..S.s..
.]`|rU.. S.8 $m....z....V."......5.....%.g.H..e.W....=.../|P.J}.WJ..D.
.1.l.N....o....1......Q...?V=!.L..KF<)..M..hb.......j.7T.....px....
ooe.....w4......<.%...N..o..S...F....X.!..AyD.r.."...Z.....d.....T.
c...).[n{|.. .......gUkE..I.E..5.g...u.J\......K.N...A.....B..e{..d#z.
....x.7.?k(.W.Sx.u..klA.."wD.....nVe.S......i...O.7x.j.=.6.8.. ....i..
.s'qD...v...mx..z\...6.9W.........i.Y:.>......h~.t.*..K....~..sk"XU
,...~H.k..'|.......V....>.b.f..V..$..<~.3..re...XX.:.Y...D.1..1.
..%F.V...!......g..e`'>m ;...h.....csKs....(......V.b~..........x..
L>....)cL=q..S..f....n^.m..G .-pC.ZW.*_..p.*.z_..Gy.3.H...r.e..
<<< skipped >>>

GET /img/Global/Yes_Button.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Mon, 02 Feb 2015 16:24:27 GMT

Content-Type: image/png

Content-Length: 1091

Connection: keep-alive

x-amz-id-2: 3 TEOy80OHWW0B3rS5rgyGoW LVBUK5YaH4Xl1hpnw3B3//kKqmgcTDhKr0y8TYH

x-amz-request-id: 340BFC5C75739B3B

x-amz-meta-s3fox-filesize: 1091

x-amz-meta-s3fox-modifiedtime: 1380713503006

Last-Modified: Wed, 13 Nov 2013 16:12:48 GMT

x-amz-version-id: .ffwqW.8iCK2_zdeBNvgWdy.OnUDjeHF

ETag: "3f27a393967d84f83a317f40351c0065"

Accept-Ranges: bytes
.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2D2B0E0924EA11E392EFCCF1
BDECC388" xmpMM:DocumentID="xmp.did:2D2B0E0A24EA11E392EFCCF1BDECC388"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2D2B0E0724EA11E392
EFCCF1BDECC388" stRef:documentID="xmp.did:2D2B0E0824EA11E392EFCCF1BDEC
C388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>..&X....IDATx...1..0.E.......... .d.6\.&.ND
H.v....9.{....)...D$k...O...T.[Sl.I....K.....S3..fB...2?w.....2...../=
#.3.E(B...E(B...E( ...E(..Z..f..)U..l9.....7...........I..w...).u*..P#
G...?...%....\.l....IEND.B`.....
<<< skipped >>>

GET /img/Global/No_Button_Hover.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Mon, 02 Feb 2015 16:24:27 GMT

Content-Type: image/png

Content-Length: 1091

Connection: keep-alive

x-amz-id-2: GZ07dztd4nGLnaThrCD1qQv1ZS/tRI3r7vMaqmPldQ8ZlqOQVsaJjFJGuAmdXFXE

x-amz-request-id: 2B66C77C4BA084F0

x-amz-meta-s3fox-filesize: 1091

x-amz-meta-s3fox-modifiedtime: 1380713503004

Last-Modified: Wed, 13 Nov 2013 16:12:47 GMT

x-amz-version-id: wNmfJwpUmazhRatL.BZxBG0x.XZldhEV

ETag: "6d55a62314755c1454569b2b098a3a9f"

Accept-Ranges: bytes
.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:30B2AE2324EA11E392EFCCF1
BDECC388" xmpMM:DocumentID="xmp.did:30B2AE2424EA11E392EFCCF1BDECC388"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:30B2AE2124EA11E392
EFCCF1BDECC388" stRef:documentID="xmp.did:30B2AE2224EA11E392EFCCF1BDEC
C388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>........IDATx...1..0.E........8A9?=..h'.NDH
.v..b $.{....)...D$j...O;.v...I6....../.s.....f....2.>.......1..?..
...... ...E( ....."...P."..PWhFC1...R.N...g......~.9h..~*.\.Q..3l'....
.B.\.W...`.............IEND.B`.....
<<< skipped >>>

GET /img/Malaromoro/bg1.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

=e.F.52].Ck...)..|u..p.iPuW........*...TS1...>~"....-..U.U.&......"
s.<......~ .....TV..i.A".I..C.63.....^.UUU;......E.O.5S...U..G2u.o.
........PTt...?oO..|or=..8dr9..#....p.^..DR.TUN...O..Y#2.q.mS....*:W..
....k.!.M.h..].>...G|6...".^A........5:...TU^..?...X.LS.R.....&.C%.
r7c.......?w...$.<..<mV.(.W.X..c......U=..>.K.2"...c.S...J...
.j._..:....n...'.<..i......H...}[email protected]....}X...$./p.....~I..
...D.e.T.)Q..qm........:4.<&.).d....A;.7...5..>.uz.3_..5......c.
..|^.Vq..k...S.rsGo.6.H..%.T.......l.....oW_J.\....,.q..<.3...R..6.
.....0,z.T<./....y.\t,.V.T.....Iu^..jV.......W...#[.W...'EU...z...}
.iR3..P...|....fD......;..[...w...B9>^.......O.s......_..... o.....
.:.AO......:(E....W.....lGur..j.=...f..o.........j.....7`X.".........:
.X.i%G5uhM.i.D.GpH.w....d..h....R.......w...Y.....~[..t.y.dY.5 ..7....
...iC.S.yR.5,.L.:L)[email protected]..?..T..*6p@S. .... .S...jFz
.B.)5....kQ.M.z..;.@....<}..&Lvhx.#g...[..w/ G....U...E9..r..m..mkQ
.9c..z....=.'O.....c....Hg.#.A......[...J.!U.....!.......W.!....3..C.^
.<)h.(..e.<..A..f7-/C.q.hxSm.v\]@$0\y....,...N..J.N3.)..;.S"M..2
.U...O..v...'.h..|../....v<.68...F.e1$....$..l..;..!.C..B?.......D.
...h2'..#..k*[email protected][email protected]&.3......X.........y&.c...nx....._
.E.:...c\nH. ..YQ..(QQ..liq.#...c........\.~.l.g..iUcp..v.1J. .>3&.
'../.........j"...........^...)K..f..@.<...r.KI..../.i'.N...*=...&l
t;..j8f{.B.....D.|..J......N...^o...ZnG...mi(.A..P\......j.X.,.n......
>~3.....V....x.cPMU..........s...*?.1.67.....f..l.G.<..q.\..
<<< skipped >>>

GET /img/Rerarapepe/Rerarapepe3.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Mon, 02 Feb 2015 16:24:28 GMT

Content-Type: image/jpeg

Content-Length: 15799

Connection: keep-alive

x-amz-id-2: ZPB qpJApNlHvu1ztM6LNURd25DiRNkfiZzAkJxnsjPtUEe25TSWUgPjXbcjs0cK

x-amz-request-id: 343E1846C2C2B09F

x-amz-meta-s3fox-filesize: 15799

x-amz-meta-s3fox-modifiedtime: 1394538949746

Last-Modified: Tue, 11 Mar 2014 11:56:45 GMT

x-amz-version-id: zPl9IpmeaG3ff3qZpgvUQzMtoydG8QKH

ETag: "3e2809731062d36b6ae81e70aef3b785"

Accept-Ranges: bytes
......Exif..II*.................Ducky.......<.....ohXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-
c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRe
f="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://n
s.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:F7DDEC055CA8E3
11B43CF856625B69D6" xmpMM:DocumentID="xmp.did:08AEC486A91411E3A978EB31
6F7617DC" xmpMM:InstanceID="xmp.iid:08AEC485A91411E3A978EB316F7617DC" 
xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedF
rom stRef:instanceID="xmp.iid:B1126B7673A8E311B43CF856625B69D6" stRef:
documentID="xmp.did:F7DDEC055CA8E311B43CF856625B69D6"/> </rdf:De
scription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"
?>....Adobe.d......................................................
......................................................................
.......................0..............................................
..........................................!..1A..Qaq"..2R.......r.#S.T
.B.$4..3s...bCdt%U....c......................!1..AQ...aq..."2R......b3
..B.r................?..J. ..U.@@@@@@@A...."...            .a.....    
  ..U.@@@A.A.]A....Dq.....p:QS...C.u.....|OZ...D<[email protected].#.....E_
....:......:.<GZ...A..Z*...C.u.x.......:.e..27...EwQ..z........
<<< skipped >>>

GET /img/Rerarapepe/Rerarapepe_b.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Mon, 02 Feb 2015 16:24:28 GMT

Content-Type: image/png

Content-Length: 5163

Connection: keep-alive

x-amz-id-2: g4IYg0CHc8Pggb1S08hK3W1RCRywuIWGEcXMJyHbuPQB5EkSjf1lefHlNMq8RuZo

x-amz-request-id: 79ACCBCDEA3F260B

x-amz-meta-s3fox-filesize: 5163

x-amz-meta-s3fox-modifiedtime: 1402217717749

Last-Modified: Mon, 09 Jun 2014 14:41:12 GMT

x-amz-version-id: KNAPX8e2AxH1Bx9jEBmu7jKCGa_97Tvk

ETag: "297eebd38313ee5b5ce0639f28ef2690"

Accept-Ranges: bytes
.PNG........IHDR...(...,......o.{....tEXtSoftware.Adobe ImageReadyq.e&
lt;....iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap
/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
 xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:82
BCB328EEEA11E3803DA559B157C612" xmpMM:InstanceID="xmp.iid:82BCB327EEEA
11E3803DA559B157C612" xmp:CreatorTool="Adobe Photoshop CS6 Windows">
; <xmpMM:DerivedFrom stRef:instanceID="B5CE02BD4916EF319BC08FB91CAA
85FD" stRef:documentID="B5CE02BD4916EF319BC08FB91CAA85FD"/> </rd
f:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end
="r"?><C......IDATx..Y..U.y..y...;w....``..5..*JP..H.....m.b....
.Z5.k.B]IlRcW..4.1XK]IP.QQ#j.....F`..q.y.y....y..{.3w...vf..{..{......
.}..."j~|>Xg.....`.<..kn....M..h..&.......)...l;_...a.. .N...Q7.
....)6{...a.kJ.x...Kj..Z4....n...i..E......X-......X .(*...U..hS.h..Z&
...........(47.....Bq.z......s..|.74%Y.._b..=....PZL....O......h....k.
C..v.....$.......(...Gh..8..!.S*..'.....N.....2.../.U...U...c)Eh.i.3[&
gt;1......J,....v...........&....3E...D.i..L.)|..!R..bJ4....K.".`.`9..
...S.....}[email protected]../.................(.....W.A)G.P.T..w....8.<
5..w....QD...}3g..(.H$...........[.":.L..o0....q;.G#....u...m....N
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=564721, public, no-transform, must-revalidate

Last-Modified: Mon, 2 Feb 2015 05:21:26 GMT

Expires: Mon, 9 Feb 2015 05:21:26 GMT

Date: Mon, 02 Feb 2015 16:29:25 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015020
2052126Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20150202052126Z....20150209052126Z0...*.H........
.....H.c...ZXgu.....F..w...z[P..-..H`` .0...1...U....^e.J...I..^..jY..
.*....Z!.....T0.2..3=...o.N.S.c.<CBP.......0.E(.....v......J_.. .y.
......XUy'...1wd...!}....r(.]N.k... ..n.g.@...

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=479452, public, no-transform, must-revalidate

Last-Modified: Sun, 1 Feb 2015 05:38:09 GMT

Expires: Sun, 8 Feb 2015 05:38:09 GMT

Date: Mon, 02 Feb 2015 16:29:22 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015020
1053809Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.l$.%t...............20150201053809Z....20150208053809Z0...*.H........
.....?...b....NlG.asw.....n.g..c...... ..C.....^......j...._...lV.....
....e,.Il4u]....p....qF3.O...(..`..n...L...pn..X.'r.....'..B..&..z$VVz
.=..T5,.8.=.42....5.<...@... W.`.o...g....|...7..u1.%3x.)....?...[~
l......V..q2..B.y......1Wv{.R}2u%.=...9^...LvL...........#0...0...0...
.......<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
..{(..t....2.Vf.....&;6).i*[email protected]._p.E.6.|.mk....(....
......p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.
}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....
(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
 by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...
<<< skipped >>>

The Malware connects to the servers at the folowing location(s):

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   17807780_stp.EXE:1440
   %original file name%.exe:3896

2. Delete the original Malware file.
   
3. Delete or disinfect the following files created/modified by the Malware:
   

   %Program Files% (x86)\Windows Essentials Codec Pack\ogm.dll (3361 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\LAVAudio.ax (10709 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\VSFilter.dll (40598 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Essentials Codec Pack\Uninstall.lnk (1 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\cue2xml.js (4 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\mp4.dll (5506 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\mkzlib.dll (846 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\Windows Essentials Codec Pack.url (52 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\dxr.dll (7391 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\splitter.ax (16187 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\avi.dll (2396 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\swscale-lav-2.dll (14370 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\avs.dll (1098 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\LAVVideo.ax (22599 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\mkunicode.dll (48 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\avss.dll (737 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\avutil-lav-52.dll (13282 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\gdsmux.exe (7842 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\mkx.dll (3906 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\dsmux.exe (2918 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\avcodec-lav-55.dll (201783 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\COPYING (18 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\libbluray.dll (10116 bytes)
   C:\Windows\System32\drivers\etc\hosts (43 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\IntelQuickSyncDecoder.dll (13115 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\LAVSplitter.ax (15530 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\avformat-lav-55.dll (29707 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Essentials Codec Pack\Website.lnk (1 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\mkv2vfr.exe (4034 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\ts.dll (4404 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\avresample-lav-1.dll (3317 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\CHANGELOG.txt (1568 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz513C.tmp\System.dll (23 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\LAVFilters.Dependencies.manifest (482 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\uninst.exe (571 bytes)
   %Program Files% (x86)\Windows Essentials Codec Pack\avfilter-lav-4.dll (6610 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\locale\EN.locale (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\logo_new[1].png (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Rerarapepe_b[1].png (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\browse.css (337 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Neyayeneda_TopImg[1].png (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\declineBG[1].png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\loader.gif (10 bytes)
   %Program Files% (x86)\is665125.log (10 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\Yes_Button[1].png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\bootstrap_60311.html (156 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Close_Hover.png (500 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (1540 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\button.css (417 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\No_Button[1].png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\checkbox.css (190 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\progress-bg2.png (978 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\logo[1].png (200 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Color_Button_Hover.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\main.css (7 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\progress-bar.css (506 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A26A2.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A68D0.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\No_Button_Hover[1].png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\sponsored.png (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\BG.png (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is898099773\17807780_stp.EXE (9091 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Color_Button.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\csshover3.htc (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\ie6_main.css (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\Yes_Button_Hover[1].png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A2432.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Rerarapepe[1].png (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\ProgressBar.png (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\progress-bg.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\css\sdk-ui\images\button-bg.png (131 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\bg2[1].jpg (4704 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Close.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A2480.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Grey_Button_Hover.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\Rerarapepe3[1].jpg (200 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A2664.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Progress.png (740 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\bg1[1].jpg (21280 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\Grey_Button.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is898099773\17807780_stp.EXE.part (807 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664626\images\wplayer.png (2 bytes)

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.