MD5: 7dc5fc5bc9da0cd69221ed238acc1abf
SHA1: 1e49d21d791aa37860ade1623300f8040d6deec0
SHA256: e83ea7bada43c072c7a4d4ca2ffda659f6e5431473fe5d98fee4e5e03e6cf78a
SSDeep: 6144:BqKWHMW0nUlyqx0s1HE4YrBx7laxhomgAKxl 0QsSvHmSqE/bwLmXIWOhiMyS:b8D0yETrBrabgFxl 0WvrqWELmYWOh
Size: 436736 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Alexander Roshal
Created at: 2017-01-27 00:32:32
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2712
%original file name%.exe:3700
%original file name%.exe:3516

The Trojan injects its code into the following process(es):

svchost.exe:992
iexplore.exe:2316

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\akSPyj9wl4Y.exe (2321 bytes)

The process %original file name%.exe:3700 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x.html (0 bytes)

The process %original file name%.exe:3516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe (2321 bytes)

Registry activity

The process %original file name%.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"anubktRih3orhE" = "C:\Windows\system32\akSPyj9wl4Y.exe"

The process %original file name%.exe:3700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\XtremeRAT]
"Mutex" = "eK84MowZt1BR1K"

The process %original file name%.exe:3516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: areOERWIzp1M7
Product Name: an8EY6N9hHA8XP9G
Product Version: 12.16.20.82
Legal Copyright: Copyright (c) 2014
Legal Trademarks: aIU2kIhwTqRv2CIT8LH
Original Filename: tg.exe
Internal Name: tg.exe
File Version: 12.16.20.82
File Description: aKZd8jPaYDi
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://www.google.com/	173.194.113.211
hxxp://www.google.com.ua/?gfe_rd=cr&ei=_0uhWJeOJZGCNO7WofAC	173.194.113.211
hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl
hxxp://e8218.dscb1.akamaiedge.net/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGn0AHsoGslw
hxxp://www3.l.google.com/GIAG2.crl
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://a1158.b.akamai.net/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+	173.194.113.195
hxxp://vassg142.ocsp.omniroot.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/	2.21.89.35
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGn0AHsoGslw	173.194.113.195
hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==	23.46.123.27
hxxp://pki.google.com/GIAG2.crl	216.58.209.78
hxxp://crl.geotrust.com/crls/secureca.crl	23.55.149.163
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	212.30.134.167
ssl.gstatic.com	173.194.113.216
clients1.google.com.ua	172.217.20.195

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/ HTTP/1.1

Cache-Control: max-age = 339923

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 13 Oct 2016 09:41:21 GMT

If-None-Match: "c06e9a4e33eec9dd813b8faff15397229f914d2a"

User-Agent: Microsoft-CryptoAPI/6.1

Host: vassg142.ocsp.omniroot.com

HTTP/1.1 200 OK

Server: nginx

Content-Type: application/ocsp-response

Content-Length: 1746

Last-Modified: Mon, 13 Feb 2017 05:37:02 GMT

ETag: "19a722a3fc23de237e4720114f18d4d3cf63cc8b"

Cache-Control: public, no-transf

GET /GIAG2.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: pki.google.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Date: Mon, 13 Feb 2017 05:11:19 GMT

Expires: Mon, 13 Feb 2017 06:11:19 GMT

Last-Modified: Mon, 13 Feb 2017 02:15:00 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 541

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=3600

Age: 3101
0...0......0...*.H........0I1.0...U....US1.0...U....Google Inc1%0#..U.
...Google Internet Authority G2..170213010003Z..170223010003Z0R0'..vK.
...Q...170113141858Z0.0...U.......0'..1.3..*....160915202213Z0.0...U..
......00.0...U.#..0...J......h.v....b..Z./0...U........0...*.H........
......}.......J...~........:k.......wFN.....sz.N3<.....Z.......\..A
.{...z9....x)\.ju.]N.......h7s.P.*.......a......=j.......[/:(...WJ.C@.
...s..,.X..p.wI;.H2.d6.w4..m......E?0u.*.....`.#....S".N..~.......X~_.
.K.. .N?..UUH&.......X...g......UR.9.u.H8.-.LX.u.Gs...HTTP/1.1 200 OK.
.Content-Type: application/pkix-crl..Date: Mon, 13 Feb 2017 05:11:19 G
MT..Expires: Mon, 13 Feb 2017 06:11:19 GMT..Last-Modified: Mon, 13 Feb
 2017 02:15:00 GMT..X-Content-Type-Options: nosniff..Server: sffe..Con
tent-Length: 541..X-XSS-Protection: 1; mode=block..Cache-Control: publ
ic, max-age=3600..Age: 3101..0...0......0...*.H........0I1.0...U....US
1.0...U....Google Inc1%0#..U....Google Internet Authority G2..17021301
0003Z..170223010003Z0R0'..vK....Q...170113141858Z0.0...U.......0'..1.3
..*....160915202213Z0.0...U........00.0...U.#..0...J......h.v....b..Z.
/0...U........0...*.H..............}.......J...~........:k.......wFN..
...sz.N3<.....Z.......\..A.{...z9....x)\.ju.]N.......h7s.P.*.......
a......=j.......[/:(...WJ.C@....s..,.X..p.wI;.H2.d6.w4..m......E?0u.*.
....`.#....S".N..~.......X~_..K.. .N?..UUH&.......X...g......UR.9.u.H8
.-.LX.u.Gs.....
<<< skipped >>>

GET /?gfe_rd=cr&ei=_0uhWJeOJZGCNO7WofAC HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Connection: Keep-Alive

Host: VVV.google.com.ua

HTTP/1.1 302 Found

Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=_0uhWJeOJZGCNO7WofAC&gws_rd=ssl

Cache-Control: private

Content-Type: text/html; charset=UTF-8

P3P: CP="This is not a P3P policy! See hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more info."

Date: Mon, 13 Feb 2017 06:02:39 GMT

Server: gws

Content-Length: 276

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Set-Cookie: NID=96=JRpx_POKwetfk2SfXgWY54MXYCTsGXj1deRskE7X2DZpSJgffp6oX-yQqoWpHxlbqdNrDQ980bGv4bnizkPqIYhGuPWWh4aZfByy2bAiFO3G9iXgja-hIvKqclMGgJS5; expires=Tue, 15-Aug-2017 06:02:39 GMT; path=/; domain=.google.com.ua; HttpOnly
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=_0uhWJeOJZG
CNO7WofAC&gws_rd=ssl">here</A>...</BODY></HTML&g
t;..HTTP/1.1 302 Found..Location: hXXps://VVV.google.com.ua/?gfe_rd=cr
&ei=_0uhWJeOJZGCNO7WofAC&gws_rd=ssl..Cache-Control: private..Content-T
ype: text/html; charset=UTF-8..P3P: CP="This is not a P3P policy! See 
hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more i
nfo."..Date: Mon, 13 Feb 2017 06:02:39 GMT..Server: gws..Content-Lengt
h: 276..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..
Set-Cookie: NID=96=JRpx_POKwetfk2SfXgWY54MXYCTsGXj1deRskE7X2DZpSJgffp6
oX-yQqoWpHxlbqdNrDQ980bGv4bnizkPqIYhGuPWWh4aZfByy2bAiFO3G9iXgja-hIvKqc
lMGgJS5; expires=Tue, 15-Aug-2017 06:02:39 GMT; path=/; domain=.google
.com.ua; HttpOnly..<HTML><HEAD><meta http-equiv="conten
t-type" content="text/html;charset=utf-8">.<TITLE>302 Moved&l
t;/TITLE></HEAD><BODY>.<H1>302 Moved</H1>.T
he document has moved.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr
&ei=_0uhWJeOJZGCNO7WofAC&gws_rd=ssl">here</A>...</
BODY></HTML>....
<<< skipped >>>

GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== HTTP/1.1

Cache-Control: max-age = 564348

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Oct 2016 22:33:53 GMT

User-Agent: Microsoft-CryptoAPI/6.1

Host: g.symcd.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1377

content-transfer-encoding: binary

Cache-Control: max-age=538744, public, no-transform, must-revalidate

Last-Modified: Sun, 12 Feb 2017 11:39:44 GMT

Expires: Sun, 19 Feb 2017 11:39:44 GMT

Date: Mon, 13 Feb 2017 06:02:50 GMT

Connection: keep-alive
0..]......V0..R.. .....0.....C0..?0......V.T'S...q..."...zr.*..2017021
2113944Z0f0d0<0... ..........9.....yP..`...<.......*.A.....>U
....... ...:.....20170212113944Z....20170219113944Z0...*.H............
........8...........<..$.*5...y.*...-!..3..fG3e~ ...k...Y..........
...i.>ZMkF....<.j.[.?.Rmt......{3...<.$|.P..._...&.E4iq.&4a..
\.N."..7.h....*.C.......S............Ta~..........)k.5.4...s$]....`...
.Y;.......;..F5.kyT.....%..F...J<..CZ...B......,..q.I.n.n>.....0
...0...0..s............ ...y..^..g0...*.H........0B1.0...U....US1.0...
U....GeoTrust Inc.1.0...U....GeoTrust Global CA0...161208112535Z..1712
14112535Z02100...U...'GeoTrust Global CA TGV OCSP Responder 50.."0...*
.H.............0...............S....!....,.t.?....d...M@.._.=.S..,."..
....Gdv._c..D1..N'E.:.....a2.......{/rD. .c.2..P...!.....Xn..}....{{.z
I9.Y....../.....;.......fu..,...B._o..B..g....o........?Y\.?...y.H*..]
yi.....3.......F.6.....Q.........{B..19..Kz...\z...P..._...-!.....'.Ym
........0..0...U.#..0....z.h.....d..}.}e...N0... .....0......0...U.%..
0... .......0...U...........0...U.......0.0"..U....0...0.1.0...U....TG
V-OFF-570...*.H..............md.....yV{......y:5..@l#..5.......o..X...
.,r}......i..3..o.e...e5..@..H/Q..;.vd..?.j.m....../hv..A.......g.....
..a.....G..\.'*.b..>.....L.Y.To<.@>...&1..9.w.....N*Au.e.....
b..K...PO47.J.....{.C\....G..0/.a.Eo.`z.<;IA...  #.''.CG..K@7z..7.\
_..'.]q.f._.WN....
<<< skipped >>>

GET /crls/secureca.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT

If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.geotrust.com

HTTP/1.1 200 OK

Server: Apache

ETag: "61541e7e3ed3a53a653046bf63e4d92d:1486965621"

Last-Modified: Mon, 13 Feb 2017 06:00:21 GMT

Date: Mon, 13 Feb 2017 06:02:45 GMT

Content-Length: 325

Connection: keep-alive

Content-Type: application/pkix-crl
0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equi
fax Secure Certificate Authority..170213054300Z..170223054300Z0,0....%
...020514181157Z0.....3..020515130611Z0...*.H........................T
...[.F&....._...R.c.@..(u.r6u....q......ho...L.....CQ.&d..71....|..o..
Fd!...........|..BZf?..<-.Zl......8.....l.z..HTTP/1.1 200 OK..Serve
r: Apache..ETag: "61541e7e3ed3a53a653046bf63e4d92d:1486965621"..Last-M
odified: Mon, 13 Feb 2017 06:00:21 GMT..Date: Mon, 13 Feb 2017 06:02:4
5 GMT..Content-Length: 325..Connection: keep-alive..Content-Type: appl
ication/pkix-crl..0..A0..0...*.H........0N1.0...U....US1.0...U....Equi
fax1-0 ..U...$Equifax Secure Certificate Authority..170213054300Z..170
223054300Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H.......
.................T...[.F&....._...R.c.@..(u.r6u....q......ho...L.....C
Q.&d..71....|..o..Fd!...........|..BZf?..<-.Zl......8.....l.z....

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGn0AHsoGslw HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Sun, 12 Feb 2017 21:13:23 GMT

Expires: Thu, 16 Feb 2017 21:13:23 GMT

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Age: 31773

Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..2017021
2131759Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.i..{(..p....20170212131759Z....20170219131759Z0...*.H.............0,.
....ed....FT..l.dK...L.^..... ....4.l...F.]v...wH.XC..[..?.l.[..7 ..
&...<....>.3.....>.EX...!...(.;@.%....-......... D"8PP]..?B.p
..t.l..sNL.>xZ>.Z.&Gg*...|?.F3..Dht.....`..&.*.3D\..\..1..p.0..)
.[m.......U.D.xE,m..w.2l.... .|^^...~R."VT.:.,i[....}.....HTTP/1.1 200
 OK..Content-Type: application/ocsp-response..Date: Sun, 12 Feb 2017 2
1:13:23 GMT..Expires: Thu, 16 Feb 2017 21:13:23 GMT..Server: ocsp_resp
onder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-O
ptions: SAMEORIGIN..Age: 31773..Cache-Control: public, max-age=345600.
.0..........0..... .....0......0...0......J......h.v....b..Z./..201702
12131759Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./
..i..{(..p....20170212131759Z....20170219131759Z0...*.H.............0,
.....ed....FT..l.dK...L.^..... ....4.l...F.]v...wH.XC..[..?.l.[..7 .
.&...<....>.3.....>.EX...!...(.;@.%....-......... D"8PP]..?B.
p..t.l..sNL.>xZ>.Z.&Gg*...|?.F3..Dht.....`..&.*.3D\..\..1..p.0..
).[m.......U.D.xE,m..w.2l.... .|^^...~R."VT.:.,i[....}.........
<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+ HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Thu, 09 Feb 2017 18:01:42 GMT

Expires: Mon, 13 Feb 2017 18:01:42 GMT

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Age: 302481

Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..2017020
9130518Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.....V.y>....20170209130518Z....20170216130518Z0...*.H.............
..Sz.....b..p!.)...f.% zUL....\_.......ECZ.. ..m............:......gX.
.....c.....k..a.!@a..}..0...Y......2,...R..YP.k.../..w..y..u....N..4..
....H?..u..sw...#..f....x..nl....%..5{h3.^9YN...!.<.....w...1....E.
.3 ../.eO.Ev..{....b ......Z$.|Y7`.%...hV.a..2a......


GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+ HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Thu, 09 Feb 2017 18:01:42 GMT

Expires: Mon, 13 Feb 2017 18:01:42 GMT

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Age: 302481

Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..2017020
9130518Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.....V.y>....20170209130518Z....20170216130518Z0...*.H.............
..Sz.....b..p!.)...f.% zUL....\_.......ECZ.. ..m............:......gX.
.....c.....k..a.!@a..}..0...Y......2,...R..YP.k.../..w..y..u....N..4..
....H?..u..sw...#..f....x..nl....%..5{h3.^9YN...!.<.....w...1....E.
.3 ../.eO.Ev..{....b ......Z$.|Y7`.%...hV.a..2a..HTTP/1.1 200 OK..Cont
ent-Type: application/ocsp-response..Date: Thu, 09 Feb 2017 18:01:42 G
MT..Expires: Mon, 13 Feb 2017 18:01:42 GMT..Server: ocsp_responder..Co
ntent-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: S
AMEORIGIN..Age: 302481..Cache-Control: public, max-age=345600..0......
....0..... .....0......0...0......J......h.v....b..Z./..20170209130518
Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./......V.
y>....20170209130518Z....20170216130518Z0...*.H...............Sz...
..b..p!.)...f.% zUL....\_.......ECZ.. ..m............:......gX......c.
....k..a.!@a..}..0...Y......2,...R..YP.k.../..w..y..u....N..4......H?.
.u..sw...#..f....x..nl....%..5{h3.^9YN...!.<.....w...1....E..3 ../.
eO.Ev..{....b ......Z$.|Y7`.%...hV.a..2a....

GET / HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.google.com

Connection: Keep-Alive

Cookie: NID=88=C6CEKO82itAhdU0twN6URqunh6Sn9EPCs-teRRQ4QRgNCJP-EG6VgSTOkC7BafUzPUi-GjuRAoRi6F4Sx78Gd_cLieG7apk740DNnT0oV6phUdJTT3H8MUyjxWiFq3Dm

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=_0uhWJeOJZGCNO7WofAC

Content-Length: 260

Date: Mon, 13 Feb 2017 06:02:39 GMT
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=_0uhWJeOJZGC
NO7WofAC">here</A>...</BODY></HTML>..HTTP/1.1 302
 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8
..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=_0uhWJeOJZGCNO7WofA
C..Content-Length: 260..Date: Mon, 13 Feb 2017 06:02:39 GMT..<HTML&
gt;<HEAD><meta http-equiv="content-type" content="text/html;c
harset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><
;BODY>.<H1>302 Moved</H1>.The document has moved.<A 
HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=_0uhWJeOJZGCNO7WofAC"
>here</A>...</BODY></HTML>....

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 29 Oct 2013 05:02:50 GMT

If-None-Match: "b8b5df1d64d4ce1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Mon, 12 Dec 2016 06:00:18 GMT

Accept-Ranges: bytes

ETag: "7254ef33d54d21:0"

Server: Microsoft-IIS/8.5

VTag: 791177757300000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Mon, 13 Feb 2017 06:03:33 GMT

Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..161211173324Z..170312055324Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......b0... .....7......170311174324Z0.
..*.H..................)........j<.........G"...X..7y.1.s...vaE..'0
3.l......Q.*....M...$.._.:$...Ky$..`.>#..v...pLI<".1e.....0QK.#&
lt;#]v......x.d&..........@...{...K.gx1&...l.......R...>h.....$....
.........C..|M....WT..[.-.b.$)....v(....v._....'.p....a.)..j...oC....z
C:$.8....HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Mod
ified: Mon, 12 Dec 2016 06:00:18 GMT..Accept-Ranges: bytes..ETag: "725
4ef33d54d21:0"..Server: Microsoft-IIS/8.5..VTag: 791177757300000000..P
3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo O
UR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..C
ontent-Length: 554..Cache-Control: max-age=900..Date: Mon, 13 Feb 2017
 06:03:33 GMT..Connection: keep-alive..0..&0......0...*.H........0y1.0
...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft 
Corporation1#0!..U....Microsoft Code Signing PCA..161211173324Z..17031
2055324Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U
......b0... .....7......170311174324Z0...*.H..................).......
.j<.........G"...X..7y.1.s...vaE..'03.l......Q.*....M...$.._.:$...K
y$..`.>#..v...pLI<".1e.....0QK.#<#]v......x.d&..........@...{
...K.gx1&...l.......R...>h.....$.............C..|M....WT..[.-.b
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

iexplore.exe_3716:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

svchost.exe_992:

.text

`.data

.rsrc

@.reloc

msvcrt.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

KERNEL32.dll

NTDLL.DLL

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-WIN-Service-Core-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

RPCRT4.dll

ole32.dll

ntdll.dll

_amsg_exit

RegCloseKey

RegOpenKeyExW

GetProcessHeap

svchost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Services.SvcHost"

<description>Host Process for Windows Services</description>

<requestedExecutionLevel

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost

\PIPE\

Host Process for Windows Services

6.1.7600.16385 (win7_rtm.090713-1255)

svchost.exe

Windows

Operating System

6.1.7600.16385

svchost.exe_992_rwx_10000000_0004A000:

.idata

.rdata

P.reloc

P.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

 juXqhu2.iu

GetKeyboardType

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

shlwapi.dll

SHDeleteKeyW

FindExecutableW

URLDownloadToCacheFileW

wininet.dll

FtpPutFileW

FtpSetCurrentDirectoryW

GetKeyboardState

ntdll.dll

ShellExecuteW

KWindows

TServerKeylogger

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

mrx9.ddns.net

Microsoft.exe

{3C3P45LE-B7TK-28XK-06E5-8H2XYV2357U7}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

2.8.1

PTF.ftpserver.com

ftpuser

iexplore.exe_2316:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

iexplore.exe_2316_rwx_10000000_0004A000:

.idata

.rdata

P.reloc

P.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

 juXqhu2.iu

GetKeyboardType

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

shlwapi.dll

SHDeleteKeyW

FindExecutableW

URLDownloadToCacheFileW

wininet.dll

FtpPutFileW

FtpSetCurrentDirectoryW

GetKeyboardState

ntdll.dll

ShellExecuteW

KWindows

TServerKeylogger

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

mrx9.ddns.net

Microsoft.exe

{3C3P45LE-B7TK-28XK-06E5-8H2XYV2357U7}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

2.8.1

PTF.ftpserver.com

ftpuser

c:\%original file name%.exe

%Program Files%\Internet Explorer\iexplore.exe

SearchProtocolHost.exe_932:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

</MSG></TRC>

<MSG>

<ERR> 0xx=

<LOC> %s(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<LOC> %S(%d) </LOC>

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

SearchFilterHost.exe_1464:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

<requestedExecutionLevel

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<ERR> 0xx=

<LOC> %S(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

</MSG></TRC>

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:2712
   %original file name%.exe:3700
   %original file name%.exe:3516
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Windows\System32\akSPyj9wl4Y.exe (2321 bytes)
   C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe (2321 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "anubktRih3orhE" = "C:\Windows\system32\akSPyj9wl4Y.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.