Gen.Variant.Barys.5570_0421383d93

by malwarelabrobot on February 4th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.5570 (B) (Emsisoft), Gen:Variant.Barys.5570 (AdAware), Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 0421383d93e7eaf52442710ef0db40cd
SHA1: 3bc77262d032cb6ca0289621b61e30c6617e6572
SHA256: 11e04a04af4ba124b7e0cea5a2cdc48480716ec2eb3a7a5a7ed9a8826f21ddb6
SSDeep: 3072:P69n42aJe8wN7DLqy1IpnmyJlTo0QtR8Gm9hkOZubDK5YPE:e42lRVWnmgTo0QtVm9hkOZwD
Size: 200704 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-01-25 12:01:13
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:2748
%original file name%.exe:1764

The Trojan injects its code into the following process(es):

svchost.exe:3104
iexplore.exe:1968

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe (1281 bytes)

The process %original file name%.exe:1764 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x.html (0 bytes)

Registry activity

The process %original file name%.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

The process %original file name%.exe:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\XtremeRAT]
"Mutex" = "x8Er41k7sc2Nxa4U"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: qwde0nkx.exe
Internal Name: qwde0nkx.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 183812 184320 5.20441 e56f9f6faca0ee8a91be6e1da0204930
.sdata 196608 100 4096 0.168733 b54748e1244af557a1f3469d9e444cfd
.rsrc 204800 680 4096 0.474123 5665e3ab4fda9fbe794f0861444fa4a6
.reloc 212992 12 4096 0.009099 a73a5bf1d187a7693459ac1c780bf1e0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.google.com/ 173.194.113.210
hxxp://www.google.com.ua/?gfe_rd=cr&ei=PM6TWKKIIdPTdJanuLAF 173.194.113.210
hxxp://www.google.com.ua/?gfe_rd=cr&ei=Ps6TWJ6sGpTUdNfUuLAO 173.194.113.210
hxxp://www.google.com.ua/?gfe_rd=cr&ei=P86TWI74AZbBNOj5o6AH 173.194.113.210
hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl
hxxp://e8218.dscb1.akamaiedge.net/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGn0AHsoGslw
hxxp://clients.l.google.com/GIAG2.crl
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://a1158.b.akamai.net/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGn0AHsoGslw 173.194.113.206
hxxp://vassg142.ocsp.omniroot.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/ 2.21.89.35
hxxp://pki.google.com/GIAG2.crl 173.194.113.206
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+ 173.194.113.206
hxxp://crl.geotrust.com/crls/secureca.crl 23.43.133.163
hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 212.30.134.167
ssl.gstatic.com 173.194.113.223
clients1.google.com.ua 173.194.113.207


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /GIAG2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: pki.google.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Date: Thu, 02 Feb 2017 23:46:37 GMT
Expires: Fri, 03 Feb 2017 00:46:37 GMT
Last-Modified: Thu, 02 Feb 2017 17:15:00 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 541
X-XSS-Protection: 1; mode=block
Age: 2422
Cache-Control: public, max-age=3600
0...0......0...*.H........0I1.0...U....US1.0...U....Google Inc1%0#..U.
...Google Internet Authority G2..170202154642Z..170212154642Z0R0'..vK.
...Q...170113141858Z0.0...U.......0'..1.3..*....160915202213Z0.0...U..
......00.0...U.#..0...J......h.v....b..Z./0...U........0...*.H........
.....a............z._.wte<.Ez..8>.r?...W...3..|;Z8...=.....KI...
 ..=....].....,$..E..jT?c..!.f... .ZyM.?.o.JK...\.....h............;.=
..../.p..?.$.....OX.8...^....F.D.s...;...H.wU7.Jj.Q..7.n..Q.cO...SR.07
......[....e.....v'..TOC.....(l_zcz.yLM.z_..d(....L.....UHTTP/1.1 200 
OK..Content-Type: application/pkix-crl..Date: Thu, 02 Feb 2017 23:46:3
7 GMT..Expires: Fri, 03 Feb 2017 00:46:37 GMT..Last-Modified: Thu, 02 
Feb 2017 17:15:00 GMT..X-Content-Type-Options: nosniff..Server: sffe..
Content-Length: 541..X-XSS-Protection: 1; mode=block..Age: 2422..Cache
-Control: public, max-age=3600..0...0......0...*.H........0I1.0...U...
.US1.0...U....Google Inc1%0#..U....Google Internet Authority G2..17020
2154642Z..170212154642Z0R0'..vK....Q...170113141858Z0.0...U.......0'..
1.3..*....160915202213Z0.0...U........00.0...U.#..0...J......h.v....b.
.Z./0...U........0...*.H.............a............z._.wte<.Ez..8>
;.r?...W...3..|;Z8...=.....KI... ..=....].....,$..E..jT?c..!.f... .ZyM
.?.o.JK...\.....h............;.=..../.p..?.$.....OX.8...^....F.D.s...;
...H.wU7.Jj.Q..7.n..Q.cO...SR.07......[....e.....v'..TOC.....(l_zcz.yL
M.z_..d(....L.....U....
<<< skipped >>>

GET /GIAG2.crl HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: pki.google.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Date: Thu, 02 Feb 2017 23:46:37 GMT
Expires: Fri, 03 Feb 2017 00:46:37 GMT
Last-Modified: Thu, 02 Feb 2017 17:15:00 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 541
X-XSS-Protection: 1; mode=block
Age: 2422
Cache-Control: public, max-age=3600
0...0......0...*.H........0I1.0...U....US1.0...U....Google Inc1%0#..U.
...Google Internet Authority G2..170202154642Z..170212154642Z0R0'..vK.
...Q...170113141858Z0.0...U.......0'..1.3..*....160915202213Z0.0...U..
......00.0...U.#..0...J......h.v....b..Z./0...U........0...*.H........
.....a............z._.wte<.Ez..8>.r?...W...3..|;Z8...=.....KI...
 ..=....].....,$..E..jT?c..!.f... .ZyM.?.o.JK...\.....h............;.=
..../.p..?.$.....OX.8...^....F.D.s...;...H.wU7.Jj.Q..7.n..Q.cO...SR.07
......[....e.....v'..TOC.....(l_zcz.yLM.z_..d(....L.....UHTTP/1.1 200 
OK..Content-Type: application/pkix-crl..Date: Thu, 02 Feb 2017 23:46:3
7 GMT..Expires: Fri, 03 Feb 2017 00:46:37 GMT..Last-Modified: Thu, 02 
Feb 2017 17:15:00 GMT..X-Content-Type-Options: nosniff..Server: sffe..
Content-Length: 541..X-XSS-Protection: 1; mode=block..Age: 2422..Cache
-Control: public, max-age=3600..0...0......0...*.H........0I1.0...U...
.US1.0...U....Google Inc1%0#..U....Google Internet Authority G2..17020
2154642Z..170212154642Z0R0'..vK....Q...170113141858Z0.0...U.......0'..
1.3..*....160915202213Z0.0...U........00.0...U.#..0...J......h.v....b.
.Z./0...U........0...*.H.............a............z._.wte<.Ez..8>
;.r?...W...3..|;Z8...=.....KI... ..=....].....,$..E..jT?c..!.f... .ZyM
.?.o.JK...\.....h............;.=..../.p..?.$.....OX.8...^....F.D.s...;
...H.wU7.Jj.Q..7.n..Q.cO...SR.07......[....e.....v'..TOC.....(l_zcz.yL
M.z_..d(....L.....U..
<<< skipped >>>


GET /?gfe_rd=cr&ei=P86TWI74AZbBNOj5o6AH HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Cookie: NID=96=HCD6sH50HgxEmNAwt4zJJZyyJc64zTs54XLrht5aH2T_CHnM_sB3FKt4KIInsDuNV234yiIfQZK4kJEd3HEf-PNETzbgE7VLhP9oq7WRTbtjsp1v8q1fTpo9zHgPDfsc
Connection: Keep-Alive
Host: VVV.google.com.ua


HTTP/1.1 302 Found
Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=P86TWI74AZbBNOj5o6AH&gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Fri, 03 Feb 2017 00:26:39 GMT
Server: gws
Content-Length: 276
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=P86TWI74AZb
BNOj5o6AH&gws_rd=ssl">here</A>...</BODY></HTML&g
t;....



GET / HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.google.com
Connection: Keep-Alive
Cookie: NID=88=C6CEKO82itAhdU0twN6URqunh6Sn9EPCs-teRRQ4QRgNCJP-EG6VgSTOkC7BafUzPUi-GjuRAoRi6F4Sx78Gd_cLieG7apk740DNnT0oV6phUdJTT3H8MUyjxWiFq3Dm


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=Ps6TWJ6sGpTUdNfUuLAO
Content-Length: 260
Date: Fri, 03 Feb 2017 00:26:38 GMT
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=Ps6TWJ6sGpTU
dNfUuLAO">here</A>...</BODY></HTML>..HTTP/1.1 302
 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8
..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=Ps6TWJ6sGpTUdNfUuLA
O..Content-Length: 260..Date: Fri, 03 Feb 2017 00:26:38 GMT..<HTML&
gt;<HEAD><meta http-equiv="content-type" content="text/html;c
harset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><
;BODY>.<H1>302 Moved</H1>.The document has moved.<A 
HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=Ps6TWJ6sGpTUdNfUuLAO"
>here</A>...</BODY></HTML>....



GET /MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/ HTTP/1.1
Cache-Control: max-age = 339923
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:41:21 GMT
If-None-Match: "c06e9a4e33eec9dd813b8faff15397229f914d2a"
User-Agent: Microsoft-CryptoAPI/6.1
Host: vassg142.ocsp.omniroot.com


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 1746
Last-Modified: Fri, 03 Feb 2017 00:19:55 GMT
ETag: "b2bb22250f5f8e27dcdf6b03bb7c7207f33edecd"
Cache-Control: public, no-transform, must-revalidate, max-age=339504
Expires: Mon, 06 Feb 2017 22:45:58 GMT
Date: Fri, 03 Feb 2017 00:27:34 GMT
Connection: keep-alive
0..........0..... .....0......0...0......\r...Ev.C..*....omJ...2017020
3001955Z0w0u0M0... .........-R...P:.B...9...0Q.......sw....KM...3..r..
.C...X.<1ya..w.2..^.?....20170203001955Z....20170207001955Z0...*.H.
.............=...C}?)...W,..r.>n.8,c.....SexXh..%..:t4Y..S..L.S.49C
. ....0l.R.M=;Q......k....uN...i..?_..'.)..]..4:7v.,".....a...T...UR&.
.....c..&..W..[..;.....Mb.R.Y>uml*I.}...<....(...:;...Y...tL..Ll
&.u..3.....Z...B.....yp..Pf=g...4...g...b4Z..5.1......b.6U.".....ce...
.0...0...0...........1....n.SsnC.K.]I.w90...*.H........0..1.0...U....N
L1.0...U....Amsterdam1%0#..U....Verizon Enterprise Solutions1.0...U...
.Cybertrust1.0,..U...%Verizon Akamai SureServer CA G14-SHA20...1604070
64154Z..170407064154Z0..1.0...U....NL1.0...U....Amsterdam1%0#..U....Ve
rizon Enterprise Solutions1.0...U....Cybertrust1%0#..U....vassg142-OCS
P Responder 20160.."0...*.H.............0.........w.;..Eu..'f.c^....Qe
.O...U.....d.\?.....S.r'g.d..ES.NA.t....<.....#?.."...*Pm.<..s..
......v...<....8......A@.....7h...r$.T..8=......\....>......z=t3
?(.....i.>t.^.....]7.9..j.E. ....{.$w..Y,...hf..6......L._9,.....i.
..S...)/.."^.K.O...bb^....V....'p...'V..........H0..D0... .....0......
0L..U. .E0C0A.. .....>..0402.. ........&hXXps://secure.omniroot.com
/repository0~.. ........r0p06.. .....0..*hXXps://cacert.a.omniroot.com
/vassg142.crt06.. .....0..*hXXps://cacert.a.omniroot.com/vassg142.der0
...U...........0...U.%..0... .......0...U.#..0.......sw....KM...3..r.0
...U......\r...Ev.C..*....omJ.0...*.H.............l/0j.Z.z.......n
<<< skipped >>>


GET /?gfe_rd=cr&ei=PM6TWKKIIdPTdJanuLAF HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: VVV.google.com.ua


HTTP/1.1 302 Found
Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=PM6TWKKIIdPTdJanuLAF&gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more info."
Date: Fri, 03 Feb 2017 00:26:36 GMT
Server: gws
Content-Length: 276
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=96=R36wJ1TzRZRLkPpMGkBa5xNju0-gS7a0KelT-adJXBvR-_WvbWeem8cdQ8n4cEp_3PSkan_GZgnUPhMGeDRLwbTfovsoRiTC7JKys_O4xtgNSe3a0njXKmXCPmbHI8gw; expires=Sat, 05-Aug-2017 00:26:36 GMT; path=/; domain=.google.com.ua; HttpOnly
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=PM6TWKKIIdP
TdJanuLAF&gws_rd=ssl">here</A>...</BODY></HTML&g
t;..HTTP/1.1 302 Found..Location: hXXps://VVV.google.com.ua/?gfe_rd=cr
&ei=PM6TWKKIIdPTdJanuLAF&gws_rd=ssl..Cache-Control: private..Content-T
ype: text/html; charset=UTF-8..P3P: CP="This is not a P3P policy! See 
hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more i
nfo."..Date: Fri, 03 Feb 2017 00:26:36 GMT..Server: gws..Content-Lengt
h: 276..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..
Set-Cookie: NID=96=R36wJ1TzRZRLkPpMGkBa5xNju0-gS7a0KelT-adJXBvR-_WvbWe
em8cdQ8n4cEp_3PSkan_GZgnUPhMGeDRLwbTfovsoRiTC7JKys_O4xtgNSe3a0njXKmXCP
mbHI8gw; expires=Sat, 05-Aug-2017 00:26:36 GMT; path=/; domain=.google
.com.ua; HttpOnly..<HTML><HEAD><meta http-equiv="conten
t-type" content="text/html;charset=utf-8">.<TITLE>302 Moved&l
t;/TITLE></HEAD><BODY>.<H1>302 Moved</H1>.T
he document has moved.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr
&ei=PM6TWKKIIdPTdJanuLAF&gws_rd=ssl">here</A>...</
BODY></HTML>......
<<< skipped >>>

GET /?gfe_rd=cr&ei=Ps6TWJ6sGpTUdNfUuLAO HTTP/1.1


Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Cookie: NID=96=R36wJ1TzRZRLkPpMGkBa5xNju0-gS7a0KelT-adJXBvR-_WvbWeem8cdQ8n4cEp_3PSkan_GZgnUPhMGeDRLwbTfovsoRiTC7JKys_O4xtgNSe3a0njXKmXCPmbHI8gw
Connection: Keep-Alive
Host: VVV.google.com.ua


HTTP/1.1 302 Found
Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=Ps6TWJ6sGpTUdNfUuLAO&gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more info."
Date: Fri, 03 Feb 2017 00:26:38 GMT
Server: gws
Content-Length: 276
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=96=HCD6sH50HgxEmNAwt4zJJZyyJc64zTs54XLrht5aH2T_CHnM_sB3FKt4KIInsDuNV234yiIfQZK4kJEd3HEf-PNETzbgE7VLhP9oq7WRTbtjsp1v8q1fTpo9zHgPDfsc; expires=Sat, 05-Aug-2017 00:26:38 GMT; path=/; domain=.google.com.ua; HttpOnly
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=Ps6TWJ6sGpT
UdNfUuLAO&gws_rd=ssl">here</A>...</BODY></HTML&g
t;....



GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== HTTP/1.1
Cache-Control: max-age = 564348
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Oct 2016 22:33:53 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1377
content-transfer-encoding: binary
Cache-Control: max-age=377184, public, no-transform, must-revalidate
Last-Modified: Tue, 31 Jan 2017 09:08:38 GMT
Expires: Tue, 7 Feb 2017 09:08:38 GMT
Date: Fri, 03 Feb 2017 00:26:47 GMT
Connection: keep-alive
0..]......V0..R.. .....0.....C0..?0......V.T'S...q..."...zr.*..2017013
1090838Z0f0d0<0... ..........9.....yP..`...<.......*.A.....>U
....... ...:.....20170131090838Z....20170207090838Z0...*.H............
.!0.#..h..Zq......)..N....w.E!.^.....:UC...[t.gcx...Qe.#..}/.Xz..P.m..
...1......0...<t...&. .t... y...rG0...|:/... ....9C&..\DU..P.@]..a.
j1..cZ_4HI....[......h.:~..&r.&.."s..VVT&..a.r). .f.,...<.}....Q'..
........&.....a.li..i..]?..S.WvW...b..n8.!R<lf....'.;....0...0...0.
.s............ ...y..^..g0...*.H........0B1.0...U....US1.0...U....GeoT
rust Inc.1.0...U....GeoTrust Global CA0...161208112535Z..171214112535Z
02100...U...'GeoTrust Global CA TGV OCSP Responder 50.."0...*.H.......
......0...............S....!....,.t.?....d...M@.._.=.S..,."......Gdv._
c..D1..N'E.:.....a2.......{/rD. .c.2..P...!.....Xn..}....{{.zI9.Y.....
./.....;.......fu..,...B._o..B..g....o........?Y\.?...y.H*..]yi.....3.
......F.6.....Q.........{B..19..Kz...\z...P..._...-!.....'.Ym........0
..0...U.#..0....z.h.....d..}.}e...N0... .....0......0...U.%..0... ....
...0...U...........0...U.......0.0"..U....0...0.1.0...U....TGV-OFF-570
...*.H..............md.....yV{......y:5..@l#..5.......o..X....,r}.....
.i..3..o.e...e5..@..H/Q..;.vd..?.j.m....../hv..A.......g.......a.....G
..\.'*.b..>.....L.Y.To<.@>...&1..9.w.....N*Au.e.....b..K...PO
47.J.....{.C\....G..0/.a.Eo.`z.<;IA...  #.''.CG..K@7z..7.\_..'.]q.f
._.WN......
<<< skipped >>>

GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== HTTP/1.1


Cache-Control: max-age = 564348
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Oct 2016 22:33:53 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1377
content-transfer-encoding: binary
Cache-Control: max-age=377184, public, no-transform, must-revalidate
Last-Modified: Tue, 31 Jan 2017 09:08:38 GMT
Expires: Tue, 7 Feb 2017 09:08:38 GMT
Date: Fri, 03 Feb 2017 00:26:49 GMT
Connection: keep-alive
0..]......V0..R.. .....0.....C0..?0......V.T'S...q..."...zr.*..2017013
1090838Z0f0d0<0... ..........9.....yP..`...<.......*.A.....>U
....... ...:.....20170131090838Z....20170207090838Z0...*.H............
.!0.#..h..Zq......)..N....w.E!.^.....:UC...[t.gcx...Qe.#..}/.Xz..P.m..
...1......0...<t...&. .t... y...rG0...|:/... ....9C&..\DU..P.@]..a.
j1..cZ_4HI....[......h.:~..&r.&.."s..VVT&..a.r). .f.,...<.}....Q'..
........&.....a.li..i..]?..S.WvW...b..n8.!R<lf....'.;....0...0...0.
.s............ ...y..^..g0...*.H........0B1.0...U....US1.0...U....GeoT
rust Inc.1.0...U....GeoTrust Global CA0...161208112535Z..171214112535Z
02100...U...'GeoTrust Global CA TGV OCSP Responder 50.."0...*.H.......
......0...............S....!....,.t.?....d...M@.._.=.S..,."......Gdv._
c..D1..N'E.:.....a2.......{/rD. .c.2..P...!.....Xn..}....{{.zI9.Y.....
./.....;.......fu..,...B._o..B..g....o........?Y\.?...y.H*..]yi.....3.
......F.6.....Q.........{B..19..Kz...\z...P..._...-!.....'.Ym........0
..0...U.#..0....z.h.....d..}.}e...N0... .....0......0...U.%..0... ....
...0...U...........0...U.......0.0"..U....0...0.1.0...U....TGV-OFF-570
...*.H..............md.....yV{......y:5..@l#..5.......o..X....,r}.....
.i..3..o.e...e5..@..H/Q..;.vd..?.j.m....../hv..A.......g.......a.....G
..\.'*.b..>.....L.Y.To<.@>...&1..9.w.....N*Au.e.....b..K...PO
47.J.....{.C\....G..0/.a.Eo.`z.<;IA...  #.''.CG..K@7z..7.\_..'.]q.f
._.WN......
<<< skipped >>>

GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== HTTP/1.1


Cache-Control: max-age = 564348
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Oct 2016 22:33:53 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1377
content-transfer-encoding: binary
Cache-Control: max-age=377184, public, no-transform, must-revalidate
Last-Modified: Tue, 31 Jan 2017 09:08:38 GMT
Expires: Tue, 7 Feb 2017 09:08:38 GMT
Date: Fri, 03 Feb 2017 00:26:49 GMT
Connection: keep-alive
0..]......V0..R.. .....0.....C0..?0......V.T'S...q..."...zr.*..2017013
1090838Z0f0d0<0... ..........9.....yP..`...<.......*.A.....>U
....... ...:.....20170131090838Z....20170207090838Z0...*.H............
.!0.#..h..Zq......)..N....w.E!.^.....:UC...[t.gcx...Qe.#..}/.Xz..P.m..
...1......0...<t...&. .t... y...rG0...|:/... ....9C&..\DU..P.@]..a.
j1..cZ_4HI....[......h.:~..&r.&.."s..VVT&..a.r). .f.,...<.}....Q'..
........&.....a.li..i..]?..S.WvW...b..n8.!R<lf....'.;....0...0...0.
.s............ ...y..^..g0...*.H........0B1.0...U....US1.0...U....GeoT
rust Inc.1.0...U....GeoTrust Global CA0...161208112535Z..171214112535Z
02100...U...'GeoTrust Global CA TGV OCSP Responder 50.."0...*.H.......
......0...............S....!....,.t.?....d...M@.._.=.S..,."......Gdv._
c..D1..N'E.:.....a2.......{/rD. .c.2..P...!.....Xn..}....{{.zI9.Y.....
./.....;.......fu..,...B._o..B..g....o........?Y\.?...y.H*..]yi.....3.
......F.6.....Q.........{B..19..Kz...\z...P..._...-!.....'.Ym........0
..0...U.#..0....z.h.....d..}.}e...N0... .....0......0...U.%..0... ....
...0...U...........0...U.......0.0"..U....0...0.1.0...U....TGV-OFF-570
...*.H..............md.....yV{......y:5..@l#..5.......o..X....,r}.....
.i..3..o.e...e5..@..H/Q..;.vd..?.j.m....../hv..A.......g.......a.....G
..\.'*.b..>.....L.Y.To<.@>...&1..9.w.....N*Au.e.....b..K...PO
47.J.....{.C\....G..0/.a.Eo.`z.<;IA...  #.''.CG..K@7z..7.\_..'.]q.f
._.WN....
<<< skipped >>>


GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGn0AHsoGslw HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 02 Feb 2017 21:06:57 GMT
Expires: Mon, 06 Feb 2017 21:06:57 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 11996
Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..2017020
2131737Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.i..{(..p....20170202131737Z....20170209131737Z0...*.H................
.1#H..%wx.m]Cb..&j[l.!..]dM`[D.^.N.a ...D.....AP.(C......Y@k.N......f,
....L.........[..{[..f9.x.L....4....m...~.Zw..bl.U ..U.H@.n.\52......j
.Vv....;W.fK.0 X....(.....G.M..c.i....P/......n..z...|>\.#..}..X.&g
t;....gW?.JcW .@."...e"-{...l........Z.<:[kw.L...HTTP/1.1 200 OK..C
ontent-Type: application/ocsp-response..Date: Thu, 02 Feb 2017 21:06:5
7 GMT..Expires: Mon, 06 Feb 2017 21:06:57 GMT..Server: ocsp_responder.
.Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options
: SAMEORIGIN..Age: 11996..Cache-Control: public, max-age=345600..0....
......0..... .....0......0...0......J......h.v....b..Z./..201702021317
37Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..i..{
(..p....20170202131737Z....20170209131737Z0...*.H.................1#H.
.%wx.m]Cb..&j[l.!..]dM`[D.^.N.a ...D.....AP.(C......Y@k.N......f,....L
.........[..{[..f9.x.L....4....m...~.Zw..bl.U ..U.H@.n.\52......j.Vv..
..;W.fK.0 X....(.....G.M..c.i....P/......n..z...|>\.#..}..X.>...
.gW?.JcW .@."...e"-{...l........Z.<:[kw.L.......
<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGn0AHsoGslw HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 02 Feb 2017 21:06:57 GMT
Expires: Mon, 06 Feb 2017 21:06:57 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 11997
Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..2017020
2131737Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.i..{(..p....20170202131737Z....20170209131737Z0...*.H................
.1#H..%wx.m]Cb..&j[l.!..]dM`[D.^.N.a ...D.....AP.(C......Y@k.N......f,
....L.........[..{[..f9.x.L....4....m...~.Zw..bl.U ..U.H@.n.\52......j
.Vv....;W.fK.0 X....(.....G.M..c.i....P/......n..z...|>\.#..}..X.&g
t;....gW?.JcW .@."...e"-{...l........Z.<:[kw.L...HTTP/1.1 200 OK..C
ontent-Type: application/ocsp-response..Date: Thu, 02 Feb 2017 21:06:5
7 GMT..Expires: Mon, 06 Feb 2017 21:06:57 GMT..Server: ocsp_responder.
.Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options
: SAMEORIGIN..Age: 11997..Cache-Control: public, max-age=345600..0....
......0..... .....0......0...0......J......h.v....b..Z./..201702021317
37Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..i..{
(..p....20170202131737Z....20170209131737Z0...*.H.................1#H.
.%wx.m]Cb..&j[l.!..]dM`[D.^.N.a ...D.....AP.(C......Y@k.N......f,....L
.........[..{[..f9.x.L....4....m...~.Zw..bl.U ..U.H@.n.\52......j.Vv..
..;W.fK.0 X....(.....G.M..c.i....P/......n..z...|>\.#..}..X.>...
.gW?.JcW .@."...e"-{...l........Z.<:[kw.L.......
<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGn0AHsoGslw HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 02 Feb 2017 21:06:57 GMT
Expires: Mon, 06 Feb 2017 21:06:57 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 11998
Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..2017020
2131737Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.i..{(..p....20170202131737Z....20170209131737Z0...*.H................
.1#H..%wx.m]Cb..&j[l.!..]dM`[D.^.N.a ...D.....AP.(C......Y@k.N......f,
....L.........[..{[..f9.x.L....4....m...~.Zw..bl.U ..U.H@.n.\52......j
.Vv....;W.fK.0 X....(.....G.M..c.i....P/......n..z...|>\.#..}..X.&g
t;....gW?.JcW .@."...e"-{...l........Z.<:[kw.L...HTTP/1.1 200 OK..C
ontent-Type: application/ocsp-response..Date: Thu, 02 Feb 2017 21:06:5
7 GMT..Expires: Mon, 06 Feb 2017 21:06:57 GMT..Server: ocsp_responder.
.Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options
: SAMEORIGIN..Age: 11998..Cache-Control: public, max-age=345600..0....
......0..... .....0......0...0......J......h.v....b..Z./..201702021317
37Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..i..{
(..p....20170202131737Z....20170209131737Z0...*.H.................1#H.
.%wx.m]Cb..&j[l.!..]dM`[D.^.N.a ...D.....AP.(C......Y@k.N......f,....L
.........[..{[..f9.x.L....4....m...~.Zw..bl.U ..U.H@.n.\52......j.Vv..
..;W.fK.0 X....(.....G.M..c.i....P/......n..z...|>\.#..}..X.>...
.gW?.JcW .@."...e"-{...l........Z.<:[kw.L.......
<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+ HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Tue, 31 Jan 2017 15:55:19 GMT
Expires: Sat, 04 Feb 2017 15:55:19 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 203503
Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..2017013
1070505Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.....V.y>....20170131070505Z....20170207070505Z0...*.H.............
nA ..8.....9W.'...d..`.`.51.x.x..).{.]@o.q.....B.4..........5`r...O...
..M..b.q#..i.....X.bo./b.#..S.0l6'Kb>.3_...F.Zx.K.%.Yy}..f..5.....w
dg/<1.H]..n......G.....^..t...e.,"....-...z..h.[...6 @.#.l..... ...
...nU"..T...#fCV.}Y.#...........jH..........I^>.(Wm.....


GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+ HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Tue, 31 Jan 2017 15:55:19 GMT
Expires: Sat, 04 Feb 2017 15:55:19 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 203503
Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..2017013
1070505Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.....V.y>....20170131070505Z....20170207070505Z0...*.H.............
nA ..8.....9W.'...d..`.`.51.x.x..).{.]@o.q.....B.4..........5`r...O...
..M..b.q#..i.....X.bo./b.#..S.0l6'Kb>.3_...F.Zx.K.%.Yy}..f..5.....w
dg/<1.H]..n......G.....^..t...e.,"....-...z..h.[...6 @.#.l..... ...
...nU"..T...#fCV.}Y.#...........jH..........I^>.(Wm.HTTP/1.1 200 OK
..Content-Type: application/ocsp-response..Date: Tue, 31 Jan 2017 15:5
5:19 GMT..Expires: Sat, 04 Feb 2017 15:55:19 GMT..Server: ocsp_respond
er..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Opti
ons: SAMEORIGIN..Age: 203503..Cache-Control: public, max-age=345600..0
..........0..... .....0......0...0......J......h.v....b..Z./..20170131
070505Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..
....V.y>....20170131070505Z....20170207070505Z0...*.H.............n
A ..8.....9W.'...d..`.`.51.x.x..).{.]@o.q.....B.4..........5`r...O....
.M..b.q#..i.....X.bo./b.#..S.0l6'Kb>.3_...F.Zx.K.%.Yy}..f..5.....wd
g/<1.H]..n......G.....^..t...e.,"....-...z..h.[...6 @.#.l..... ....
..nU"..T...#fCV.}Y.#...........jH..........I^>.(Wm...
<<< skipped >>>


GET / HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.google.com
Connection: Keep-Alive
Cookie: NID=88=C6CEKO82itAhdU0twN6URqunh6Sn9EPCs-teRRQ4QRgNCJP-EG6VgSTOkC7BafUzPUi-GjuRAoRi6F4Sx78Gd_cLieG7apk740DNnT0oV6phUdJTT3H8MUyjxWiFq3Dm


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=PM6TWKKIIdPTdJanuLAF
Content-Length: 260
Date: Fri, 03 Feb 2017 00:26:36 GMT
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=PM6TWKKIIdPT
dJanuLAF">here</A>...</BODY></HTML>..HTTP/1.1 302
 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8
..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=PM6TWKKIIdPTdJanuLA
F..Content-Length: 260..Date: Fri, 03 Feb 2017 00:26:36 GMT..<HTML&
gt;<HEAD><meta http-equiv="content-type" content="text/html;c
harset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><
;BODY>.<H1>302 Moved</H1>.The document has moved.<A 
HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=PM6TWKKIIdPTdJanuLAF"
>here</A>...</BODY></HTML>......


GET / HTTP/1.1


Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.google.com
Connection: Keep-Alive
Cookie: NID=88=C6CEKO82itAhdU0twN6URqunh6Sn9EPCs-teRRQ4QRgNCJP-EG6VgSTOkC7BafUzPUi-GjuRAoRi6F4Sx78Gd_cLieG7apk740DNnT0oV6phUdJTT3H8MUyjxWiFq3Dm


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=P86TWI74AZbBNOj5o6AH
Content-Length: 260
Date: Fri, 03 Feb 2017 00:26:39 GMT
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=P86TWI74AZbB
NOj5o6AH">here</A>...</BODY></HTML>..HTTP/1.1 302
 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8
..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=P86TWI74AZbBNOj5o6A
H..Content-Length: 260..Date: Fri, 03 Feb 2017 00:26:39 GMT..<HTML&
gt;<HEAD><meta http-equiv="content-type" content="text/html;c
harset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><
;BODY>.<H1>302 Moved</H1>.The document has moved.<A 
HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=P86TWI74AZbBNOj5o6AH"
>here</A>...</BODY></HTML>....



GET /crls/secureca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com


HTTP/1.1 200 OK
Server: Apache
ETag: "2c1c1d29e6ed8e734360a581466b59b8:1486080920"
Last-Modified: Fri, 03 Feb 2017 00:15:20 GMT
Date: Fri, 03 Feb 2017 00:26:42 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl
0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equi
fax Secure Certificate Authority..170203000300Z..170213000300Z0,0....%
...020514181157Z0.....3..020515130611Z0...*.H............-I~Z.=@b.z...
8..=K.=....(cS ....O.O&5G..C.~....^.?...W...Q].e..<.]..x>|.&. ..
.=.".......o..8.&c......\v.9.B...r..=^.s.g$y.V..j..HTTP/1.1 200 OK..Se
rver: Apache..ETag: "2c1c1d29e6ed8e734360a581466b59b8:1486080920"..Las
t-Modified: Fri, 03 Feb 2017 00:15:20 GMT..Date: Fri, 03 Feb 2017 00:2
6:42 GMT..Content-Length: 325..Connection: keep-alive..Content-Type: a
pplication/pkix-crl..0..A0..0...*.H........0N1.0...U....US1.0...U....E
quifax1-0 ..U...$Equifax Secure Certificate Authority..170203000300Z..
170213000300Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H....
........-I~Z.=@b.z...8..=K.=....(cS ....O.O&5G..C.~....^.?...W...Q].e.
.<.]..x>|.&. ...=.".......o..8.&c......\v.9.B...r..=^.s.g$y.V..j
......


GET /crls/secureca.crl HTTP/1.1


Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com


HTTP/1.1 200 OK
Server: Apache
ETag: "2c1c1d29e6ed8e734360a581466b59b8:1486080920"
Last-Modified: Fri, 03 Feb 2017 00:15:20 GMT
Date: Fri, 03 Feb 2017 00:26:43 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl
0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equi
fax Secure Certificate Authority..170203000300Z..170213000300Z0,0....%
...020514181157Z0.....3..020515130611Z0...*.H............-I~Z.=@b.z...
8..=K.=....(cS ....O.O&5G..C.~....^.?...W...Q].e..<.]..x>|.&. ..
.=.".......o..8.&c......\v.9.B...r..=^.s.g$y.V..j..HTTP/1.1 200 OK..Se
rver: Apache..ETag: "2c1c1d29e6ed8e734360a581466b59b8:1486080920"..Las
t-Modified: Fri, 03 Feb 2017 00:15:20 GMT..Date: Fri, 03 Feb 2017 00:2
6:43 GMT..Content-Length: 325..Connection: keep-alive..Content-Type: a
pplication/pkix-crl..0..A0..0...*.H........0N1.0...U....US1.0...U....E
quifax1-0 ..U...$Equifax Secure Certificate Authority..170203000300Z..
170213000300Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H....
........-I~Z.=@b.z...8..=K.=....(cS ....O.O&5G..C.~....^.?...W...Q].e.
.<.]..x>|.&. ...=.".......o..8.&c......\v.9.B...r..=^.s.g$y.V..j
......


GET /crls/secureca.crl HTTP/1.1


Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com


HTTP/1.1 200 OK
Server: Apache
ETag: "2c1c1d29e6ed8e734360a581466b59b8:1486080920"
Last-Modified: Fri, 03 Feb 2017 00:15:20 GMT
Date: Fri, 03 Feb 2017 00:26:44 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl
0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equi
fax Secure Certificate Authority..170203000300Z..170213000300Z0,0....%
...020514181157Z0.....3..020515130611Z0...*.H............-I~Z.=@b.z...
8..=K.=....(cS ....O.O&5G..C.~....^.?...W...Q].e..<.]..x>|.&. ..
.=.".......o..8.&c......\v.9.B...r..=^.s.g$y.V..j..HTTP/1.1 200 OK..Se
rver: Apache..ETag: "2c1c1d29e6ed8e734360a581466b59b8:1486080920"..Las
t-Modified: Fri, 03 Feb 2017 00:15:20 GMT..Date: Fri, 03 Feb 2017 00:2
6:44 GMT..Content-Length: 325..Connection: keep-alive..Content-Type: a
pplication/pkix-crl..0..A0..0...*.H........0N1.0...U....US1.0...U....E
quifax1-0 ..U...$Equifax Secure Certificate Authority..170203000300Z..
170213000300Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H....
........-I~Z.=@b.z...8..=K.=....(cS ....O.O&5G..C.~....^.?...W...Q].e.
.<.]..x>|.&. ...=.".......o..8.&c......\v.9.B...r..=^.s.g$y.V..j
....



GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 29 Oct 2013 05:02:50 GMT
If-None-Match: "b8b5df1d64d4ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 12 Dec 2016 06:00:18 GMT
Accept-Ranges: bytes
ETag: "7254ef33d54d21:0"
Server: Microsoft-IIS/8.5
VTag: 791177757300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Fri, 03 Feb 2017 00:27:28 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..161211173324Z..170312055324Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......b0... .....7......170311174324Z0.
..*.H..................)........j<.........G"...X..7y.1.s...vaE..'0
3.l......Q.*....M...$.._.:$...Ky$..`.>#..v...pLI<".1e.....0QK.#&
lt;#]v......x.d&..........@...{...K.gx1&...l.......R...>h.....$....
.........C..|M....WT..[.-.b.$)....v(....v._....'.p....a.)..j...oC....z
C:$.8....HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Mod
ified: Mon, 12 Dec 2016 06:00:18 GMT..Accept-Ranges: bytes..ETag: "725
4ef33d54d21:0"..Server: Microsoft-IIS/8.5..VTag: 791177757300000000..P
3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo O
UR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..C
ontent-Length: 554..Cache-Control: max-age=900..Date: Fri, 03 Feb 2017
 00:27:28 GMT..Connection: keep-alive..0..&0......0...*.H........0y1.0
...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft 
Corporation1#0!..U....Microsoft Code Signing PCA..161211173324Z..17031
2055324Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U
......b0... .....7......170311174324Z0...*.H..................).......
.j<.........G"...X..7y.1.s...vaE..'03.l......Q.*....M...$.._.:$...K
y$..`.>#..v...pLI<".1e.....0QK.#<#]v......x.d&..........@...{
...K.gx1&...l.......R...>h.....$.............C..|M....WT..[.-.b
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

iexplore.exe_3500:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

iexplore.exe_3528:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

svchost.exe_3104:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

svchost.exe_3104_rwx_10000000_0004D000:

`.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
 juXqhu2.iu
KWindows
TServerKeylogger
4?,6%s
GetWindowsDirectoryW
RegOpenKeyExW
RegCreateKeyW
RegCloseKey
RegOpenKeyExA
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToCacheFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardType
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
.idata
.rdata
P.reloc
P.rsrc
URLDb
KERNEL32.DLL
ntdll.dll
oleaut32.dll
shlwapi.dll
wininet.dll
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
ÞFAULTBROWSER%
svchost.exe
127.0.0.1
Server.exe
{821YF434-0EN2-Y0KX-4E6O-V018G5DEM3L2}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PTF.ftpserver.com
ftpuser

iexplore.exe_1968:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

iexplore.exe_1968_rwx_10000000_0004D000:

`.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
 juXqhu2.iu
KWindows
TServerKeylogger
4?,6%s
GetWindowsDirectoryW
RegOpenKeyExW
RegCreateKeyW
RegCloseKey
RegOpenKeyExA
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToCacheFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardType
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
.idata
.rdata
P.reloc
P.rsrc
URLDb
KERNEL32.DLL
ntdll.dll
oleaut32.dll
shlwapi.dll
wininet.dll
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
ÞFAULTBROWSER%
svchost.exe
127.0.0.1
Server.exe
{821YF434-0EN2-Y0KX-4E6O-V018G5DEM3L2}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PTF.ftpserver.com
ftpuser
c:\%original file name%.exe
%Program Files%\Internet Explorer\iexplore.exe

SearchProtocolHost.exe_1808:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_3736:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2748
    %original file name%.exe:1764

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe (1281 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now