Adware.GenericKD.3820967_1e4b512482

by malwarelabrobot on December 25th, 2016 in Malware Descriptions.

Adware.GenericKD.3820967 (AdAware), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Worm, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 1e4b51248230a8c3b68af43dd3b82fc5
SHA1: 08a724e5f65ef3e64d1fbda7fd0b2e75827f5786
SHA256: fed224d538682349fb73aa941bfe39427603bbf256bae5080e375b3370bd3def
SSDeep: 393216:eN3FliKlubIMMqdYjT2ZJzCuK7L/LrgF4N7QlOVQy4uH4YihJ:iDM8MMq/X27L/n44BQGzH4JJ
Size: 15555024 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: Rapiddown
Created at: 2012-12-31 02:38:38
Analyzed on: Windows7 SP1 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The Adware creates the following process(es):

rundll32.exe:2992
MsiExec.exe:1656

The Adware injects its code into the following process(es):

Kur.exe:3900
%original file name%.exe:1744

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Kur.exe:3900 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Windows\System32\drivers\etc\hosts (104 bytes)

The process rundll32.exe:2992 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Windows\Installer\MSI1831.tmp-\CustomAction.config (234 bytes)
C:\Windows\Installer\MSI1831.tmp-\Microsoft.Deployment.WindowsInstaller.dll (3179 bytes)
C:\Windows\Installer\MSI1831.tmp-\Adguard.CustomActions.dll (7168 bytes)

The process %original file name%.exe:1744 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Progressive\Adguard\langs\Adguard.Filter.resources.pt.dll (6079 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.de.dll (1816 bytes)
C:\Progressive\Adguard\ICSharpCode.AvalonEdit.dll (5835 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.ko.dll (1860 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.pt.dll (1610 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.hy.dll (6857 bytes)
C:\Progressive\Adguard\nss\mozcrt19.dll (7955 bytes)
C:\Progressive\Adguard\Adguard.Filter.dll (8877 bytes)
C:\Progressive\Adguard\Adguard.Ipc.dll (1239 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.ko.dll (4513 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.zh-TW.dll (6200 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.ro.dll (899 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.sk.dll (4892 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.it.dll (1228 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.hu.dll (6857 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.es.dll (400 bytes)
C:\Progressive\Adguard\AdguardNetLib.dll (1890 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.hy.dll (1727 bytes)
C:\Progressive\Adguard\nss\nss3.dll (3953 bytes)
C:\Progressive\Adguard\Adguard.Network.dll (550 bytes)
C:\Progressive\Adguard\System.Data.SQLite.dll (2764 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.it.dll (7034 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.zh.dll (6200 bytes)
C:\Progressive\Adguard\nss\smime3.dll (1080 bytes)
C:\Progressive\Adguard\Adguard.Commons.dll (3465 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.fr.dll (2007 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.he.dll (5514 bytes)
C:\Progressive\Adguard\Microsoft.Expression.Interactions.dll (1499 bytes)
C:\Progressive\Adguard\AdguardSvc.exe.manifest (733 bytes)
C:\Progressive\Adguard\Adguard.Tools.exe.manifest (733 bytes)
C:\Progressive\Adguard\nss\certutil.exe (916 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.ru.dll (5790 bytes)
C:\Progressive\Adguard\AdguardSvc.exe.config (683 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.de.dll (5827 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.id.dll (1522 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.vi.dll (939 bytes)
C:\Progressive\Adguard\System.Windows.Interactivity.dll (1182 bytes)
C:\Progressive\Adguard\default.db (1944 bytes)
C:\Progressive\Adguard\Adguard.UI.dll (3201 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.hr.dll (6857 bytes)
C:\Progressive\setup.msi (2 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.zh.dll (1179 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.nl.dll (1370 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.uk.dll (5579 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.ro.dll (3935 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.hr.dll (929 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.zh-TW.dll (351 bytes)
C:\Progressive\Adguard\SQLite.Interop.dll (8724 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.tr.dll (150 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.vi.dll (4953 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.es.dll (7170 bytes)
C:\Progressive\Adguard\Adguard.Tools.exe (1171 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.sk.dll (836 bytes)
C:\Progressive\Adguard\Adguard.Safebrowsing.dll (651 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.pl.dll (1027 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.sr.dll (1468 bytes)
C:\Progressive\Adguard\Adguard.Global.dll (2790 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.he.dll (1566 bytes)
C:\Progressive\Adguard\drivers.bin (525 bytes)
C:\Progressive\Adguard\nss\plds4.dll (17 bytes)
C:\Progressive\Adguard\AdguardNetApi.dll (10191 bytes)
C:\Progressive\Adguard\nss\plc4.dll (1556 bytes)
C:\Progressive\Adguard\nss\nspr4.dll (2014 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.uk.dll (2238 bytes)
C:\Progressive\Adguard\Adguard.exe.manifest (1 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.nl.dll (6368 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.tr.dll (6235 bytes)
C:\Progressive\Adguard\Adguard.Service.dll (5450 bytes)
C:\Progressive\Adguard\Adguard.exe (46019 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.hu.dll (1659 bytes)
C:\Progressive\Adguard\Adguard.exe.config (2 bytes)
C:\Progressive\Adguard\nss\softokn3.dll (2049 bytes)
C:\Progressive\Adguard\AdguardSvc.exe (1807 bytes)
C:\Progressive\Adguard\libs\inststlib64.dll (2527 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.sr.dll (6235 bytes)
C:\Progressive\Adguard\Newtonsoft.Json.dll (6465 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.fr.dll (7170 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.ru.dll (988 bytes)
C:\Progressive\Kur.exe (4886 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.pl.dll (4224 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.id.dll (6162 bytes)

The process MsiExec.exe:1656 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Windows\Installer\MSI1831.tmp (311 bytes)

Registry activity

The process Kur.exe:3900 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Adware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process rundll32.exe:2992 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\ServiceModelOperation 3.0.0.0\Linkage]
"Export" = "ServiceModelOperation 3.0.0.0"

[HKLM\System\CurrentControlSet\services\SMSvcHost 3.0.0.0\Linkage]
"Export" = "SMSvcHost 3.0.0.0"

[HKLM\System\CurrentControlSet\services\MSDTC Bridge 4.0.0.0\Linkage]
"Export" = "MSDTC Bridge 4.0.0.0"

[HKLM\System\CurrentControlSet\services\ServiceModelService 3.0.0.0\Linkage]
"Export" = "ServiceModelService 3.0.0.0"

[HKLM\System\CurrentControlSet\services\Windows Workflow Foundation 4.0.0.0\Linkage]
"Export" = "Windows Workflow Foundation 4.0.0.0"

[HKLM\System\CurrentControlSet\services\Windows Workflow Foundation 3.0.0.0\Linkage]
"Export" = "Windows Workflow Foundation 3.0.0.0"

[HKLM\System\CurrentControlSet\services\ServiceModelEndpoint 3.0.0.0\Linkage]
"Export" = "ServiceModelEndpoint 3.0.0.0"

[HKLM\System\CurrentControlSet\Services\.NET Memory Cache 4.0\Linkage]
"Export" = ".NET Memory Cache 4.0"

[HKLM\System\CurrentControlSet\services\SMSvcHost 4.0.0.0\Linkage]
"Export" = "SMSvcHost 4.0.0.0"

[HKLM\System\CurrentControlSet\services\MSDTC Bridge 3.0.0.0\Linkage]
"Export" = "MSDTC Bridge 3.0.0.0"

The process %original file name%.exe:1744 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Adware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
d937be06a02a3a3f7f406a379055d972 c:\Progressive\Adguard\Adguard.Commons.dll
1f6c6c91bef2e095e187f2341440961a c:\Progressive\Adguard\Adguard.Filter.dll
631a3640bf39d3925f614c2176b48da0 c:\Progressive\Adguard\Adguard.Global.dll
aaec43aa201a4ff16511cc32f52b8837 c:\Progressive\Adguard\Adguard.Ipc.dll
fcf4e97ec20169bf5ea8d0783fd799e8 c:\Progressive\Adguard\Adguard.Network.dll
f0d2c0335fcbc3e6d01b721f70fc8c99 c:\Progressive\Adguard\Adguard.Safebrowsing.dll
52f7cec5d17d50224e7b45d39fec747f c:\Progressive\Adguard\Adguard.Service.dll
736e0235ca07ae90b51c6828fd510bcd c:\Progressive\Adguard\Adguard.Tools.exe
0d6bb8ee0850d51456b53c89556f2db0 c:\Progressive\Adguard\Adguard.UI.dll
a6600ece03849c2feb2a41a305909c23 c:\Progressive\Adguard\Adguard.exe
476ef9a3faa6038c42f6d44ec34fd2bc c:\Progressive\Adguard\AdguardNetApi.dll
f582300857333340a174f0a05a7faa80 c:\Progressive\Adguard\AdguardNetLib.dll
01dccb39ebd89d9150d8aedfb713fcbf c:\Progressive\Adguard\AdguardSvc.exe
ab9a8c8c6ca3571bd4d45af2ad833a1c c:\Progressive\Adguard\ICSharpCode.AvalonEdit.dll
6a3b9e46c41e42e7b8e1479468d892af c:\Progressive\Adguard\Microsoft.Expression.Interactions.dll
8d6860fe26c7fdd1b80381c22979238c c:\Progressive\Adguard\Newtonsoft.Json.dll
4bb56a0f30905b1a421aeccd6571420d c:\Progressive\Adguard\SQLite.Interop.dll
136d11f62a8ff089909b97b8a7f71909 c:\Progressive\Adguard\System.Data.SQLite.dll
3ab57a33a6e3a1476695d5a6e856c06a c:\Progressive\Adguard\System.Windows.Interactivity.dll
0a9e7c16cf73c88c090df0f6194d4748 c:\Progressive\Adguard\langs\Adguard.Filter.resources.de.dll
53b85706ea030c9c55069fa5d49a47cc c:\Progressive\Adguard\langs\Adguard.Filter.resources.es.dll
0030987d31a82eed421fed015b88b732 c:\Progressive\Adguard\langs\Adguard.Filter.resources.fr.dll
5a29431925f0b59879cdd233e01f2600 c:\Progressive\Adguard\langs\Adguard.Filter.resources.he.dll
abbef20086d73f7e0849506faa15ed46 c:\Progressive\Adguard\langs\Adguard.Filter.resources.hr.dll
412e15605c473427519230bcd4a42f0b c:\Progressive\Adguard\langs\Adguard.Filter.resources.hu.dll
8fd12c1a6b99c4ab3e157f94a7e438a6 c:\Progressive\Adguard\langs\Adguard.Filter.resources.hy.dll
ae6a67c17b310cbabaab5b60191e263f c:\Progressive\Adguard\langs\Adguard.Filter.resources.id.dll
a632751137c4109c7b6e3860b410a8b1 c:\Progressive\Adguard\langs\Adguard.Filter.resources.it.dll
5db6fb39656f6099e12021957dd02479 c:\Progressive\Adguard\langs\Adguard.Filter.resources.ko.dll
3db3963fee77eda5a63ad594aea9d2fe c:\Progressive\Adguard\langs\Adguard.Filter.resources.nl.dll
65281bf26a58d2215d2343fe3e8e3453 c:\Progressive\Adguard\langs\Adguard.Filter.resources.pl.dll
0954996e41d2a36cad8b27ef0ebfd439 c:\Progressive\Adguard\langs\Adguard.Filter.resources.pt.dll
f4c1b6b807a33460d3d72359f4444231 c:\Progressive\Adguard\langs\Adguard.Filter.resources.ro.dll
802b87af376771dba6ec2f2871791907 c:\Progressive\Adguard\langs\Adguard.Filter.resources.ru.dll
dbb0bfd5389fd32ea182f14069092c1a c:\Progressive\Adguard\langs\Adguard.Filter.resources.sk.dll
fd81fa86e4749f1836f484ef635c4d21 c:\Progressive\Adguard\langs\Adguard.Filter.resources.sr.dll
33b18a56200c89d86c4da6106ec1f7b6 c:\Progressive\Adguard\langs\Adguard.Filter.resources.tr.dll
b7cb5337dbff70333d817653de62a572 c:\Progressive\Adguard\langs\Adguard.Filter.resources.uk.dll
30c6153397974059b9efb50a9139f945 c:\Progressive\Adguard\langs\Adguard.Filter.resources.vi.dll
331f4315b20884140a14db44386f8708 c:\Progressive\Adguard\langs\Adguard.Filter.resources.zh-TW.dll
504b540d3ea5e775d86de8c5383603a3 c:\Progressive\Adguard\langs\Adguard.Filter.resources.zh.dll
6b0f24cd2de948b8737d0fd97e7e6d97 c:\Progressive\Adguard\langs\Adguard.UI.resources.de.dll
bb2b3a77ec6ba02517de567ba9189500 c:\Progressive\Adguard\langs\Adguard.UI.resources.es.dll
894794cff537d908f71ec5a8b178fde0 c:\Progressive\Adguard\langs\Adguard.UI.resources.fr.dll
4fc4e7c8619d3ea1542084a076c02403 c:\Progressive\Adguard\langs\Adguard.UI.resources.he.dll
cc2a40be2ac0807b74ca9fc27370c178 c:\Progressive\Adguard\langs\Adguard.UI.resources.hr.dll
d3cea024861af9630d876bd758d4c602 c:\Progressive\Adguard\langs\Adguard.UI.resources.hu.dll
6ec473cd5bd24dafcc7674c4857a8bff c:\Progressive\Adguard\langs\Adguard.UI.resources.hy.dll
4793191e61a5dcf4b012365db5ac48e7 c:\Progressive\Adguard\langs\Adguard.UI.resources.id.dll
b2d7eb22c68cb02a04db8788262ff9dc c:\Progressive\Adguard\langs\Adguard.UI.resources.it.dll
770d80896f91a9c04b4ded5901810a3f c:\Progressive\Adguard\langs\Adguard.UI.resources.ko.dll
9f3fca36729b518373d0dfe9ef793663 c:\Progressive\Adguard\langs\Adguard.UI.resources.nl.dll
d92e8d34185580e5a463a57d9643e914 c:\Progressive\Adguard\langs\Adguard.UI.resources.pl.dll
fe9c308340c75aa3301894952b040f19 c:\Progressive\Adguard\langs\Adguard.UI.resources.pt.dll
a3f9f6b529ed8552e17b2ad178a83d9a c:\Progressive\Adguard\langs\Adguard.UI.resources.ro.dll
333893bd2d3bea6f8c15a4103612f415 c:\Progressive\Adguard\langs\Adguard.UI.resources.ru.dll
188b19f694f8282b8c6ecdda1abf149d c:\Progressive\Adguard\langs\Adguard.UI.resources.sk.dll
e1e42c50c1a75b60171b787426c440ee c:\Progressive\Adguard\langs\Adguard.UI.resources.sr.dll
0e4a9dd0187f19b9406ba70effc14141 c:\Progressive\Adguard\langs\Adguard.UI.resources.tr.dll
83b3595036070723c5f4e11dc14ec56e c:\Progressive\Adguard\langs\Adguard.UI.resources.uk.dll
d3ca182920d5d888b901080be2d253a9 c:\Progressive\Adguard\langs\Adguard.UI.resources.vi.dll
71cc05869198a82d0fccee890fd9e893 c:\Progressive\Adguard\langs\Adguard.UI.resources.zh-TW.dll
a1562655d46136c9280878eea4430d91 c:\Progressive\Adguard\langs\Adguard.UI.resources.zh.dll
b4c674801115cf53fdec049d59deb07f c:\Progressive\Adguard\libs\inststlib64.dll
a253cbbfbceee37dd90b999d26542038 c:\Progressive\Adguard\nss\certutil.exe
0847bc96e23565dbae072ca335a212c9 c:\Progressive\Adguard\nss\mozcrt19.dll
32b2685234074047263d4a0cc8bf5d56 c:\Progressive\Adguard\nss\nspr4.dll
09cacf1074663b90a88c2345f42425ff c:\Progressive\Adguard\nss\nss3.dll
1cce55587f95d57759e36f387c4f9dee c:\Progressive\Adguard\nss\plc4.dll
9b31fe86fac03999982dccbe2a0103ac c:\Progressive\Adguard\nss\plds4.dll
031a02aadf62df41f8558a18e5d280a9 c:\Progressive\Adguard\nss\smime3.dll
b2ad88dd7b83b62695b764d1dadfc15d c:\Progressive\Adguard\nss\softokn3.dll
ed59fcdf07429719e646d7b9013f6f4f c:\Progressive\Kur.exe

HOSTS file anomalies

The Adware modifies the "%System%\drivers\etc\hosts" file, which the system uses to map host names to IP addresses.
The modified file is 916 bytes in size. The following entries are added to the hosts file:

127.0.0.1 validation.sls.microsoft.com
127.0.0.1 api.adguard.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: SolidShare TEAM
Product Name: Adguard Premium
Product Version: 6.1.298.1564
Legal Copyright: (c) 2016 By Progressive
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.1.298.1564
File Description: SolidShare.Net Unattended Installer
Comments: SolidShare.Net Unattended Installer
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 184320 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 188416 57344 56320 5.48439 a2f141437a6e90fd12e6341b9ce6d2b4
.rsrc 245760 106496 105472 1.37231 969d605d573edc304ba43322ce2b5075

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141/l2SWCyYX308B7Khio=
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx+JOp7hVgTeaGFJ/CQgQUljtT8Hkzl699g+8uK8zKt4YecmYCECqcIayqpjo8WKe5MivulI0=
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= 23.43.139.27
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 212.30.134.176
hxxp://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx+JOp7hVgTeaGFJ/CQgQUljtT8Hkzl699g+8uK8zKt4YecmYCECqcIayqpjo8WKe5MivulI0= 23.43.139.27
hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141/l2SWCyYX308B7Khio= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 212.30.134.169
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 212.30.134.169


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86403
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT
If-None-Match: "8017f9a85f10d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Sat, 12 Nov 2016 01:34:12 GMT
Accept-Ranges: bytes
ETag: "02e4de843cd21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 50939
Date: Sat, 24 Dec 2016 21:12:50 GMT
Connection: keep-alive
X-CCC: RU
X-CID: 2
MSCF............,...................I.................kI;. .authroot.s
tl.6....7..CK...<.[.........].y.Q..YKv..%k.....!..H!.Q.-..$tU$.)7k.
.R.=...n3......}?...3gf......h<.2...4.(q..f......&{.`....02.s...2@`
.J&#.<#..q..0Xy%.4..egd.:M.B....in.([....W....(.|.....|....s!..Mo..
@......|"(n;Z..'~DE.}(........Mz:T....x..{..n.`z..-.\.............q...
.ld2z..N/.b.J...........X.S.:UN.S.v."..'l........:yz.<."!.]O..6.:d.
....C.P ....P($.Y.Q y..y..B....u.`...u.00.....|(..A.J.Cp.c...X..g.....
....}..'........D.QVFf0...D...a6.f.0.....k.*8...<.;..o...(.....f...
L.0..C.......I.A!.H.....'._)....Qc.V.....5D..,..d../(..j.F.d.....`..f.
..$>:_%.W..(....@.r.9..Ob.e.$..m.~.]....g.......%`e_..&Qhp .......e
y.c.....H`.%<9.......#.\S...R.5....v.......dWE.....:...../"3.._..l.
XiH.J!..............{.5C_...i.U....7....;p....Q.`....L.j........u....b
.`:Mk.L.......*..@M^m..Jv...g........<d:l..Kq.X...*y...x1.u.......
.....z.....c.(<.b...l.#....,z~..M.Y.]..Z....F..N./..[.#....Ol...f.k
........U.rF)D....3..sK...`..W.....5.=.@#a....!./....>...g.(. ..9..
>!.K..e..j..{x.0.^,...U9..ru.C......,..q^1.G..A.e.F[...".1..*...^..
.L..#:,7...:.z.n...fI1.....l..E.q>......E...x n....H....t....5.....
\...<.l....7}.`\..~_..#..Bz....i..[{.w.....a...c....E w?..6..l.....
.x8..H....7.e.;.%.:.!.*Q....#..bT.......(....ka.......B..|.........1..
..t.r...fk....C.t`....@3.P..*t..nmD.....8$.bd..`D...5X.....H..L../1:..
Ap...w.\...,..U..../"X......}X...a...G....N.X..<....MG....r..H.....
_@..Q2..T...Q.....].e.G./.v,.Z5ib..5........9 ............z..!...g

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1553
content-transfer-encoding: binary
Cache-Control: max-age=532130, public, no-transform, must-revalidate
Last-Modified: Sat, 24 Dec 2016 00:55:57 GMT
Expires: Sat, 31 Dec 2016 00:55:57 GMT
Date: Sat, 24 Dec 2016 21:11:50 GMT
Connection: keep-alive
0..........0..... .....0......0...0......WVD.8..Kcz.....K......2016122
4005557Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.
8........c..uU..$.;.....20161224005557Z....20161231005557Z0...*.H.....
..........N......e..(..S.@..J.#....@..../D..e1..js...g.dY..d.tS....kn.
.[[7..?....8O.....L.d......... ...b.^QMb.J>..3.HI.......7...i..F..O
..&=p./..-uK.2 ...YzK.....2.....n...u...a..$[.5#......#Y.q{..x....QU..
.&.[F0.m=p.;.VM.....K....@.;lW..=6....lu........4......t=...60..20...0
..........Q.B.D.u..~f...m.0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authori
ty - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0
...U....VeriSign Trust Network0...161122000000Z..171214235959Z0..1.0..
.U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Netwo
rk1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 50..
"0...*.H.............0.........c....A........P......k./......m....(..^
.......q.mB...,...t..w.&.W.....n.2..G.........e.\..@.v@.... ..,.*...L.
.R...6 l.O..}.v.'...E.'.R..73J.....&......V..$......A....R6.k...yj....
....!H.E.UGZ.!.>..~.....Ys.Z.@.)2z......D...0....dKC.IK...Z.t..J.]`
........O........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. ......
...hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rp
a0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0
...U....TGV-OFF-480...*.H............*.R>...:..u.M..l-r......0..R9s
..[^.<.b..*X......h.......qO......p.....Q~...:^........0......s

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1

Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1660
content-transfer-encoding: binary
Cache-Control: max-age=545077, public, no-transform, must-revalidate
Last-Modified: Sat, 24 Dec 2016 04:35:37 GMT
Expires: Sat, 31 Dec 2016 04:35:37 GMT
Date: Sat, 24 Dec 2016 21:11:56 GMT
Connection: keep-alive
0..x......q0..m.. .....0.....^0..Z0......w>.2Yb.........fJ*....2016
1224043537Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1.
.#....M....=....x..":...K.....20161224043537Z....20161231043537Z0...*.
H...............g.N....6..a1. .y.....Y.O.....s?.....Lh.......5......K.
..i.T.O\.V...#...G.....t0&...kyZ.l....iaoS.j.......i..F.?..-..:[.3....
......{.{..<.ls>.....F>.......;.51K...Y....;.<........a"g.
......x..#..$|....2"W:U.s...VF.])&.X =.......a...t...h8..c.&.......1..
H.....0...0...0..........O.....2../..n...0...*.H........0..1.0...U....
US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...
2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign
Class 3 Code Signing 2009 CA0...161213000000Z..211231235959Z0D1B0@..U
...9Symantec Class 3 Code Signing 2009 CA SHA1 OCSP Responder0.."0...*
.H.............0.............s..{...L.S.9...7...!....!..........u..]..
l|/!.V..V.....7(...].C...3|..e....7.(KN.W..........W..O..<..<...
.&r...]#...uk....%.Q.9..9-zw4..........5...$..Pi..........${.F..b]!%{.
.T..........Av./0b.EF....h....D........~.kX.R...v.=..zx....U2.._..JI..
)..............0...0...U.......0.0f..U. ._0]0[..`.H...E....0L0#.. ....
.....hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rpa0..
.U.%..0... .......0...U...........0... .....0......0"..U....0...0.1.0.
..U....TGV-OFF-630...U......w>.2Yb.........fJ*..0...U.#..0....>c
."t..d.1..#....M.0...*.H.............. ....i.......4q..........|..R.m.
\..}.?.N.....[.\9C.C..#.....$1.a{..V.Og|.....8..j..v.C.....L......

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1

Cache-Control: max-age = 547348
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 19 Nov 2013 21:12:41 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1664
content-transfer-encoding: binary
Cache-Control: max-age=384416, public, no-transform, must-revalidate
Last-Modified: Thu, 22 Dec 2016 07:56:30 GMT
Expires: Thu, 29 Dec 2016 07:56:30 GMT
Date: Sat, 24 Dec 2016 21:12:02 GMT
Connection: keep-alive
0..|......u0..q.. .....0.....b0..^0.............V.m......E!....2016122
2075630Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
....^.3@..cL.1.......20161222075630Z....20161229075630Z0...*.H........
......s.\...._..p2Z....6y...F...9..&c.\.e....[.{VR....1.C..ZY#...!G...
...E#..0s.....z..;}7.....!G.............O.K..?..?g......j......:~BJ...
.r w}.j.!K.....z..%>A.l=J`.Y..R..e>.1y)a..l.c..R]..t.-.)$.... ..
..k..9..B '.I..@...t.r1....9...'.....".......A...f...J..`....0...0...0
..................[Df..{.,0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...161213000000Z..211231235959Z0F1D0B..U...;Symantec
Class 3 Code Signing 2009-2 CA SHA1 OCSP Responder0.."0...*.H.........
....0.............2q..J..:...3....X.?.....9K.G....,......e.c,..9YI...z
.qA 0....9...CG......6.qX>.Xo.....g..=..B.E.......qB..W.|..>.qT.
4Z|....H. m...m..qy]Gi...0N.T.....N,.U.WJ5.f...r..@..8.b.......=..G.0.
....y4N"mK.J...."..".......ju.....k...x........P.]S=t....*..'.........
....0...0...U.......0.0f..U. ._0]0[..`.H...E....0L0#.. .........https:
//d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rpa0...U.%..0...
.......0...U...........0... .....0......0"..U....0...0.1.0...U....TGV-
OFF-640...U.............V.m......E!..0...U.#..0.....k.&p..?...-.5.....
0...*.H.............C.....S>F ..u.=KA5..@...`........a0s.M......JH.
X.Y..E........CX../......f5j..a......k...:.r/.J5..G...h...~.".A.].

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx+JOp7hVgTeaGFJ/CQgQUljtT8Hkzl699g+8uK8zKt4YecmYCECqcIayqpjo8WKe5MivulI0= HTTP/1.1
Cache-Control: max-age = 588368
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 05:31:11 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: sv.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1611
content-transfer-encoding: binary
Cache-Control: max-age=416328, public, no-transform, must-revalidate
Last-Modified: Thu, 22 Dec 2016 16:50:55 GMT
Expires: Thu, 29 Dec 2016 16:50:55 GMT
Date: Sat, 24 Dec 2016 21:12:27 GMT
Connection: keep-alive
0..G......@0..<.. .....0.....-0..)0......H.S.......J.?x.7T..a..2016
1222165055Z0s0q0I0... ...........C%.......`M.....B...;S.y3..}... .....
rf..*.!...:<X..2 .......20161222165055Z....20161229165055Z0...*.H..
...........Ma...8.`.K$..]..<..#`.F)7..C1{f.,.....t.;6u"[....L<H"
[C~].p...`..A.......3m...H......q.....F.7>.:...iq...N:).D*....@...X
u..T..j.......|.....G.a6PE.R...Me.....$....,. .|-....q.ZI..........&r.
#........2(........?...gA..`....6XD...m....;....E..V.^._..:NrO..M....p
0..l0..h0..P.......jVl_wg...'.i....0...*.H........0.1.0...U....US1.0..
.U....Symantec Corporation1.0...U....Symantec Trust Network100...U...'
Symantec Class 3 SHA256 Code Signing CA0...161002000000Z..161231235959
Z0A1?0=..U...6Symantec Class 3 SHA256 Code Signing CA OCSP Responder0.
."0...*.H.............0............y.....l..f.......m./].j..mysU[d....
..:..!...9......-._k..V.%.B'...'..e.S.....>....3..3..?../.hO#.c.L..
.....T...<,..-....Bt...U..G.A%|..E..y=jf....%.Y*..x.b..F...'~.,.g6.
.....?..@e.v.|!...R..8....:.N..,;zG.WN..{\c.Q.V!..l.....!h..d...T..Ik.
...Nu.S.WK"...........0...0... .....0......0"..U....0...0.1.0...U....T
GV-D-22120...U.#..0....;S.y3..}... .....rf0...U......H.S.......J.?x.7T
..a0...U.......0.0n..U. .g0e0c..`.H...E....0T0&.. .........hXXp://VVV.
symauth.com/cps0*.. .......0... hXXp://VVV.symauth.com/rpa0...U.%..0.
.. .......0...U...........0...*.H................a..).B.>@.`...-.1.
.0..LJ.(S...s...U.'.;...N..Kp[..... B...&...K.|K..xd.....db....."\2..J
......l.....U.I..t C.8B...B.... .....v.!#.1.v7$..j......6>.....

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 808
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 09 Oct 2013 05:02:17 GMT
If-None-Match: "9c3f3dbaacc4ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 21 Nov 2016 06:01:26 GMT
Accept-Ranges: bytes
ETag: "ea9ee7b1bc43d21:0"
Server: Microsoft-IIS/8.5
VTag: 438117755400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Sat, 24 Dec 2016 21:12:09 GMT
Connection: keep-alive

<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 29 Oct 2013 05:02:50 GMT
If-None-Match: "b8b5df1d64d4ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 12 Dec 2016 06:00:18 GMT
Accept-Ranges: bytes
ETag: "7254ef33d54d21:0"
Server: Microsoft-IIS/8.5
VTag: 791789525600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Sat, 24 Dec 2016 21:12:18 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141/l2SWCyYX308B7Khio= HTTP/1.1
Cache-Control: max-age = 432038
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 11 Oct 2016 10:05:24 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1763
content-transfer-encoding: binary
Cache-Control: max-age=373496, public, no-transform, must-revalidate
Last-Modified: Thu, 22 Dec 2016 04:56:48 GMT
Expires: Thu, 29 Dec 2016 04:56:48 GMT
Date: Sat, 24 Dec 2016 21:12:22 GMT
Connection: keep-alive

<<< skipped >>>

The Adware connects to the servers at the following location(s):

%original file name%.exe_1744:

!Require Windows
`.rsrc
7J.eO
PSSSSSSh
<x%u<
ttNt_Nt.Nt
:Language:%u
Enter password:
0xx
"%s".
Could not overwrite file "%s".
Could not create file "%s".
0xX.
7-Zip: Internal error, code 0xX.
7-Zip: Internal error, code %u.
The archive is corrupted, or invalid password was entered.
7-Zip: Unsupported method.
Error during execution "%s".
"setup.exe"
Could not find "setup.exe".
Could not find command for "%s".
Could not delete file or folder "%s".
Could not create folder "%s".
Error in line %d of configuration data:
Could not open archive file "%s".
1.6.0 develop [x86]
2712 (30
1.6.0 develop [x86] build 2712 (December 30, 2012)
Supported methods and filters, build options:
Sorry, this program requires Microsoft Windows 2000 or later.
CreateIoCompletionPort
_acmdln
ShellExecuteW
ShellExecuteExW
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
.text
`.rdata
@.data
.rsrc
<assemblyIdentity version="1.6.0.2712" name="7-Zip.SfxMod" type="win32"></assemblyIdentity>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
<requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
X%cX%c
SfxString%d
SfxFolderd
PasswordTitle
PasswordText
%X - X - X - X - X
7ZSfxx.cmd
setup.exe
7ZipSfx.x
SfxVarCmdLine1
SfxVarCmdLine2
SfxVarCmdLine0
@ (%d%s)
6.1.298.1564
SolidShare.Net Unattended Installer

%original file name%.exe_1744_rwx_00401000_0003A000:

PSSSSSSh
<x%u<
ttNt_Nt.Nt
:Language:%u
Enter password:
0xx
"%s".
Could not overwrite file "%s".
Could not create file "%s".
0xX.
7-Zip: Internal error, code 0xX.
7-Zip: Internal error, code %u.
The archive is corrupted, or invalid password was entered.
7-Zip: Unsupported method.
Error during execution "%s".
"setup.exe"
Could not find "setup.exe".
Could not find command for "%s".
Could not delete file or folder "%s".
Could not create folder "%s".
Error in line %d of configuration data:
Could not open archive file "%s".
1.6.0 develop [x86]
2712 (30
1.6.0 develop [x86] build 2712 (December 30, 2012)
Supported methods and filters, build options:
Sorry, this program requires Microsoft Windows 2000 or later.
CreateIoCompletionPort
_acmdln
ShellExecuteW
ShellExecuteExW
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
.text
`.rdata
@.data
.rsrc
X%cX%c
SfxString%d
SfxFolderd
PasswordTitle
PasswordText
%X - X - X - X - X
7ZSfxx.cmd
setup.exe
7ZipSfx.x
SfxVarCmdLine1
SfxVarCmdLine2
SfxVarCmdLine0
@ (%d%s)

Kur.exe_3900:

`.rsrc
QRA.Sb
j.Yf;
r%f;M
j.Xf;
j.Zf;
PSSSSSSh
Gt.Ht$
@Kv.AKv
kernel32.dll
?#%X.y
GetProcessWindowStation
operator
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
zcÁ
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
GetCPInfo
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
SetViewportOrgEx
ShellExecuteExW
SHFileOperationW
ShellExecuteW
RegisterHotKey
GetKeyboardLayoutNameW
ExitWindowsEx
EnumThreadWindows
keybd_event
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
EnumWindows
EnumChildWindows
MapVirtualKeyW
CloseWindowStation
SetProcessWindowStation
OpenWindowStationW
UnregisterHotKey
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
1!<....(
%c=/Kr
<*-('(-)/)((4
H%d=j@
.text
`.rdata
@.data
.rsrc
@.reloc
%xJ7Q>
<requestedExecutionLevel
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates application support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates application support for Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
MPR.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
USER32.dll
USERENV.dll
UxTheme.dll
VERSION.dll
WININET.dll
WINMM.dll
WSOCK32.dll
/AutoIt3ExecuteScript
/AutoIt3ExecuteLine
CMDLINE
CMDLINERAW
>>>AUTOIT NO CMDEXECUTE<<<
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MAPKEYS
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDownDelay
SendKeyDelay
TCPTimeout
mscoree.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
789:;<=>?
APPSKEY
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
KEYS
\\?\UNC\
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 14, 2
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\Progressive\Kur.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.
6.1.298.1564
SolidShare.Net Unattended Installer

Kur.exe_3900_rwx_01051000_000F1000:

j.Yf;
r%f;M
j.Xf;
j.Zf;
PSSSSSSh
Gt.Ht$
@Kv.AKv
kernel32.dll
?#%X.y
GetProcessWindowStation
operator
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
zcÁ
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
GetCPInfo
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
SetViewportOrgEx
ShellExecuteExW
SHFileOperationW
ShellExecuteW
RegisterHotKey
GetKeyboardLayoutNameW
ExitWindowsEx
EnumThreadWindows
keybd_event
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
EnumWindows
EnumChildWindows
MapVirtualKeyW
CloseWindowStation
SetProcessWindowStation
OpenWindowStationW
UnregisterHotKey
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
1!<....(
%c=/Kr
<*-('(-)/)((4
H%d=j@
.text
`.rdata
@.data
.rsrc
@.reloc
/AutoIt3ExecuteScript
/AutoIt3ExecuteLine
CMDLINE
CMDLINERAW
>>>AUTOIT NO CMDEXECUTE<<<
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MAPKEYS
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDownDelay
SendKeyDelay
TCPTimeout
mscoree.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
789:;<=>?
APPSKEY
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
KEYS
\\?\UNC\
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 14, 2
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\Progressive\Kur.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

MsiExec.exe_1656:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
msvcrt.dll
ole32.dll
msi.dll
CKv,CKv.AKv;AKv
PSSSSSSh
t%SSWV3
ntdll.dll
RegOpenKeyExW
RegCreateKeyExW
ReportEventW
RegCloseKey
RegDeleteKeyW
RegEnumKeyW
RegEnumKeyExW
RegGetKeySecurity
MsgWaitForMultipleObjects
_acmdln
_amsg_exit
msiexec.pdb
name="MSIExec"
version="4.0.0.0"
<description> Windows installer setup service </description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
> >$>(>,>4>8><>
Msi.dll
Software\Microsoft\Windows\CurrentVersion\Installer
passive
Kernel32.dll
FIsKeyLocalSystemOrAdminOrTrustedInstallersOwned: Could not get owner security info.
PurgeUserOwnedSubkeys: Could not open subkey: %s
PurgeUserOwnedSubkeys: Could not enumerate subkeys.
PurgeUserOwnedSubkeys: Could not delete SubKey tree.
PurgeUserOwnedSubkeys: %s not owned by System, Admin or Trusted Installers. Deleting key   subkeys.
PurgeUserOwnedInstallerKeys: Could not delete tree.
PurgeUserOwnedInstallerKeys: Key '%s' not owned by System, Admin, or Trusted Installers. Deleting key   subkeys.
PurgeUserOwnedInstallerKeys: Could not open key '%s'
OpenProcessToken failed with %d
OLEAUT32.dll
Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries
SetInstallerACLs: Could not create Secure Installer sub key.
SetInstallerACLs: Could not delete Installer key tree.
SetInstallerACLs: Installer key not owned by System or Admin. Deleting key   subkeys and re-creating.
SetInstallerACLs: Could not create Installer key.
Wait Failed in MsgWait.
kernel32.dll
APPID\%s
%s\DefaultIcon
%s\CLSID
CLSID\%s
CLSID\%s\ProgId
Msi.Package
Windows Installer Package
Msi.Patch
Windows Installer Patch
MsiExecCA32
{lX-0000-0000-C000-000000000046}
MsiRegMv.Exe
ISMIF32.DLL
%d.%d.%.4d.%d
REINSTALL=ALL REINSTALLMODE=%s
Error: %d. %s.
Software\Policies\Microsoft\Windows\Installer
Failed to connect to server. Error: 0x%X
FDeleteRegTree: Unable to delete subkey: %s
Windows
5.0.7601.17514 (win7sp1_rtm.101119-1850)
msiexec
msiexec.exe
Windows Installer - Unicode
5.0.7601.17514

rundll32.exe_3112:

.text
`.data
.rsrc
@.reloc
KERNEL32.dll
USER32.dll
msvcrt.dll
imagehlp.dll
ntdll.dll
?.ulf
.ue9]
ole32.dll
_amsg_exit
_wcmdln
rundll32.pdb
name="Microsoft.Windows.Shell.rundll32"
version="5.1.0.0"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
name="Microsoft.Windows.Shell.rundll32"
version="5.1.0.0"
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
{00000000-0000-0000-0000-000000000000}
\\?\Volume
\\?\UNC\
rundll32.exe
Windows host process (Rundll32)
6.1.7600.16385 (win7_rtm.090713-1255)
RUNDLL32.EXE
Windows
Operating System
6.1.7600.16385


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    rundll32.exe:2992
    MsiExec.exe:1656

  2. Delete the original Adware file.
  3. Delete or disinfect the following files created/modified by the Adware:

    C:\Windows\System32\drivers\etc\hosts (104 bytes)
    C:\Windows\Installer\MSI1831.tmp-\CustomAction.config (234 bytes)
    C:\Windows\Installer\MSI1831.tmp-\Microsoft.Deployment.WindowsInstaller.dll (3179 bytes)
    C:\Windows\Installer\MSI1831.tmp-\Adguard.CustomActions.dll (7168 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.pt.dll (6079 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.de.dll (1816 bytes)
    C:\Progressive\Adguard\ICSharpCode.AvalonEdit.dll (5835 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.ko.dll (1860 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.pt.dll (1610 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.hy.dll (6857 bytes)
    C:\Progressive\Adguard\nss\mozcrt19.dll (7955 bytes)
    C:\Progressive\Adguard\Adguard.Filter.dll (8877 bytes)
    C:\Progressive\Adguard\Adguard.Ipc.dll (1239 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.ko.dll (4513 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.zh-TW.dll (6200 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.ro.dll (899 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.sk.dll (4892 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.it.dll (1228 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.hu.dll (6857 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.es.dll (400 bytes)
    C:\Progressive\Adguard\AdguardNetLib.dll (1890 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.hy.dll (1727 bytes)
    C:\Progressive\Adguard\nss\nss3.dll (3953 bytes)
    C:\Progressive\Adguard\Adguard.Network.dll (550 bytes)
    C:\Progressive\Adguard\System.Data.SQLite.dll (2764 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.it.dll (7034 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.zh.dll (6200 bytes)
    C:\Progressive\Adguard\nss\smime3.dll (1080 bytes)
    C:\Progressive\Adguard\Adguard.Commons.dll (3465 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.fr.dll (2007 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.he.dll (5514 bytes)
    C:\Progressive\Adguard\Microsoft.Expression.Interactions.dll (1499 bytes)
    C:\Progressive\Adguard\AdguardSvc.exe.manifest (733 bytes)
    C:\Progressive\Adguard\Adguard.Tools.exe.manifest (733 bytes)
    C:\Progressive\Adguard\nss\certutil.exe (916 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.ru.dll (5790 bytes)
    C:\Progressive\Adguard\AdguardSvc.exe.config (683 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.de.dll (5827 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.id.dll (1522 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.vi.dll (939 bytes)
    C:\Progressive\Adguard\System.Windows.Interactivity.dll (1182 bytes)
    C:\Progressive\Adguard\default.db (1944 bytes)
    C:\Progressive\Adguard\Adguard.UI.dll (3201 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.hr.dll (6857 bytes)
    C:\Progressive\setup.msi (2 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.zh.dll (1179 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.nl.dll (1370 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.uk.dll (5579 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.ro.dll (3935 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.hr.dll (929 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.zh-TW.dll (351 bytes)
    C:\Progressive\Adguard\SQLite.Interop.dll (8724 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.tr.dll (150 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.vi.dll (4953 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.es.dll (7170 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.sk.dll (836 bytes)
    C:\Progressive\Adguard\Adguard.Safebrowsing.dll (651 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.pl.dll (1027 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.sr.dll (1468 bytes)
    C:\Progressive\Adguard\Adguard.Global.dll (2790 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.he.dll (1566 bytes)
    C:\Progressive\Adguard\drivers.bin (525 bytes)
    C:\Progressive\Adguard\nss\plds4.dll (17 bytes)
    C:\Progressive\Adguard\AdguardNetApi.dll (10191 bytes)
    C:\Progressive\Adguard\nss\plc4.dll (1556 bytes)
    C:\Progressive\Adguard\nss\nspr4.dll (2014 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.uk.dll (2238 bytes)
    C:\Progressive\Adguard\Adguard.exe.manifest (1 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.nl.dll (6368 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.tr.dll (6235 bytes)
    C:\Progressive\Adguard\Adguard.Service.dll (5450 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.hu.dll (1659 bytes)
    C:\Progressive\Adguard\Adguard.exe.config (2 bytes)
    C:\Progressive\Adguard\nss\softokn3.dll (2049 bytes)
    C:\Progressive\Adguard\libs\inststlib64.dll (2527 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.sr.dll (6235 bytes)
    C:\Progressive\Adguard\Newtonsoft.Json.dll (6465 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.fr.dll (7170 bytes)
    C:\Progressive\Adguard\langs\Adguard.UI.resources.ru.dll (988 bytes)
    C:\Progressive\Kur.exe (4886 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.pl.dll (4224 bytes)
    C:\Progressive\Adguard\langs\Adguard.Filter.resources.id.dll (6162 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
