Adware.GenericKD.3820967_1e4b512482

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Adware creates the following process(es):

rundll32.exe:2992
MsiExec.exe:1656

The Adware injects its code into the following process(es):

Kur.exe:3900
%original file name%.exe:1744

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process Kur.exe:3900 makes changes in the file system.

The Adware creates and/or writes to the following file(s):

C:\Windows\System32\drivers\etc\hosts (104 bytes)

The process rundll32.exe:2992 makes changes in the file system.

The Adware creates and/or writes to the following file(s):

C:\Windows\Installer\MSI1831.tmp-\CustomAction.config (234 bytes)
C:\Windows\Installer\MSI1831.tmp-\Microsoft.Deployment.WindowsInstaller.dll (3179 bytes)
C:\Windows\Installer\MSI1831.tmp-\Adguard.CustomActions.dll (7168 bytes)

The process %original file name%.exe:1744 makes changes in the file system.

The Adware creates and/or writes to the following file(s):

C:\Progressive\Adguard\langs\Adguard.Filter.resources.pt.dll (6079 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.de.dll (1816 bytes)
C:\Progressive\Adguard\ICSharpCode.AvalonEdit.dll (5835 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.ko.dll (1860 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.pt.dll (1610 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.hy.dll (6857 bytes)
C:\Progressive\Adguard\nss\mozcrt19.dll (7955 bytes)
C:\Progressive\Adguard\Adguard.Filter.dll (8877 bytes)
C:\Progressive\Adguard\Adguard.Ipc.dll (1239 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.ko.dll (4513 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.zh-TW.dll (6200 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.ro.dll (899 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.sk.dll (4892 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.it.dll (1228 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.hu.dll (6857 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.es.dll (400 bytes)
C:\Progressive\Adguard\AdguardNetLib.dll (1890 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.hy.dll (1727 bytes)
C:\Progressive\Adguard\nss\nss3.dll (3953 bytes)
C:\Progressive\Adguard\Adguard.Network.dll (550 bytes)
C:\Progressive\Adguard\System.Data.SQLite.dll (2764 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.it.dll (7034 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.zh.dll (6200 bytes)
C:\Progressive\Adguard\nss\smime3.dll (1080 bytes)
C:\Progressive\Adguard\Adguard.Commons.dll (3465 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.fr.dll (2007 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.he.dll (5514 bytes)
C:\Progressive\Adguard\Microsoft.Expression.Interactions.dll (1499 bytes)
C:\Progressive\Adguard\AdguardSvc.exe.manifest (733 bytes)
C:\Progressive\Adguard\Adguard.Tools.exe.manifest (733 bytes)
C:\Progressive\Adguard\nss\certutil.exe (916 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.ru.dll (5790 bytes)
C:\Progressive\Adguard\AdguardSvc.exe.config (683 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.de.dll (5827 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.id.dll (1522 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.vi.dll (939 bytes)
C:\Progressive\Adguard\System.Windows.Interactivity.dll (1182 bytes)
C:\Progressive\Adguard\default.db (1944 bytes)
C:\Progressive\Adguard\Adguard.UI.dll (3201 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.hr.dll (6857 bytes)
C:\Progressive\setup.msi (2 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.zh.dll (1179 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.nl.dll (1370 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.uk.dll (5579 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.ro.dll (3935 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.hr.dll (929 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.zh-TW.dll (351 bytes)
C:\Progressive\Adguard\SQLite.Interop.dll (8724 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.tr.dll (150 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.vi.dll (4953 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.es.dll (7170 bytes)
C:\Progressive\Adguard\Adguard.Tools.exe (1171 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.sk.dll (836 bytes)
C:\Progressive\Adguard\Adguard.Safebrowsing.dll (651 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.pl.dll (1027 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.sr.dll (1468 bytes)
C:\Progressive\Adguard\Adguard.Global.dll (2790 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.he.dll (1566 bytes)
C:\Progressive\Adguard\drivers.bin (525 bytes)
C:\Progressive\Adguard\nss\plds4.dll (17 bytes)
C:\Progressive\Adguard\AdguardNetApi.dll (10191 bytes)
C:\Progressive\Adguard\nss\plc4.dll (1556 bytes)
C:\Progressive\Adguard\nss\nspr4.dll (2014 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.uk.dll (2238 bytes)
C:\Progressive\Adguard\Adguard.exe.manifest (1 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.nl.dll (6368 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.tr.dll (6235 bytes)
C:\Progressive\Adguard\Adguard.Service.dll (5450 bytes)
C:\Progressive\Adguard\Adguard.exe (46019 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.hu.dll (1659 bytes)
C:\Progressive\Adguard\Adguard.exe.config (2 bytes)
C:\Progressive\Adguard\nss\softokn3.dll (2049 bytes)
C:\Progressive\Adguard\AdguardSvc.exe (1807 bytes)
C:\Progressive\Adguard\libs\inststlib64.dll (2527 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.sr.dll (6235 bytes)
C:\Progressive\Adguard\Newtonsoft.Json.dll (6465 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.fr.dll (7170 bytes)
C:\Progressive\Adguard\langs\Adguard.UI.resources.ru.dll (988 bytes)
C:\Progressive\Kur.exe (4886 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.pl.dll (4224 bytes)
C:\Progressive\Adguard\langs\Adguard.Filter.resources.id.dll (6162 bytes)

The process MsiExec.exe:1656 makes changes in the file system.

The Adware creates and/or writes to the following file(s):

C:\Windows\Installer\MSI1831.tmp (311 bytes)

Registry activity

The process Kur.exe:3900 makes changes in the system registry.

The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Adware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process rundll32.exe:2992 makes changes in the system registry.

The Adware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\ServiceModelOperation 3.0.0.0\Linkage]
"Export" = "ServiceModelOperation 3.0.0.0"

[HKLM\System\CurrentControlSet\services\SMSvcHost 3.0.0.0\Linkage]
"Export" = "SMSvcHost 3.0.0.0"

[HKLM\System\CurrentControlSet\services\MSDTC Bridge 4.0.0.0\Linkage]
"Export" = "MSDTC Bridge 4.0.0.0"

[HKLM\System\CurrentControlSet\services\ServiceModelService 3.0.0.0\Linkage]
"Export" = "ServiceModelService 3.0.0.0"

[HKLM\System\CurrentControlSet\services\Windows Workflow Foundation 4.0.0.0\Linkage]
"Export" = "Windows Workflow Foundation 4.0.0.0"

[HKLM\System\CurrentControlSet\services\Windows Workflow Foundation 3.0.0.0\Linkage]
"Export" = "Windows Workflow Foundation 3.0.0.0"

[HKLM\System\CurrentControlSet\services\ServiceModelEndpoint 3.0.0.0\Linkage]
"Export" = "ServiceModelEndpoint 3.0.0.0"

[HKLM\System\CurrentControlSet\Services\.NET Memory Cache 4.0\Linkage]
"Export" = ".NET Memory Cache 4.0"

[HKLM\System\CurrentControlSet\services\SMSvcHost 4.0.0.0\Linkage]
"Export" = "SMSvcHost 4.0.0.0"

[HKLM\System\CurrentControlSet\services\MSDTC Bridge 3.0.0.0\Linkage]
"Export" = "MSDTC Bridge 3.0.0.0"

The process %original file name%.exe:1744 makes changes in the system registry.

The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Adware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

HOSTS file anomalies

The Adware modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 916 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   rundll32.exe:2992
   MsiExec.exe:1656

2. Delete the original Adware file.
   
3. Delete or disinfect the following files created/modified by the Adware:

   C:\Windows\System32\drivers\etc\hosts (104 bytes)
   C:\Windows\Installer\MSI1831.tmp-\CustomAction.config (234 bytes)
   C:\Windows\Installer\MSI1831.tmp-\Microsoft.Deployment.WindowsInstaller.dll (3179 bytes)
   C:\Windows\Installer\MSI1831.tmp-\Adguard.CustomActions.dll (7168 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.pt.dll (6079 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.de.dll (1816 bytes)
   C:\Progressive\Adguard\ICSharpCode.AvalonEdit.dll (5835 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.ko.dll (1860 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.pt.dll (1610 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.hy.dll (6857 bytes)
   C:\Progressive\Adguard\nss\mozcrt19.dll (7955 bytes)
   C:\Progressive\Adguard\Adguard.Filter.dll (8877 bytes)
   C:\Progressive\Adguard\Adguard.Ipc.dll (1239 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.ko.dll (4513 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.zh-TW.dll (6200 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.ro.dll (899 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.sk.dll (4892 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.it.dll (1228 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.hu.dll (6857 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.es.dll (400 bytes)
   C:\Progressive\Adguard\AdguardNetLib.dll (1890 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.hy.dll (1727 bytes)
   C:\Progressive\Adguard\nss\nss3.dll (3953 bytes)
   C:\Progressive\Adguard\Adguard.Network.dll (550 bytes)
   C:\Progressive\Adguard\System.Data.SQLite.dll (2764 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.it.dll (7034 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.zh.dll (6200 bytes)
   C:\Progressive\Adguard\nss\smime3.dll (1080 bytes)
   C:\Progressive\Adguard\Adguard.Commons.dll (3465 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.fr.dll (2007 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.he.dll (5514 bytes)
   C:\Progressive\Adguard\Microsoft.Expression.Interactions.dll (1499 bytes)
   C:\Progressive\Adguard\AdguardSvc.exe.manifest (733 bytes)
   C:\Progressive\Adguard\Adguard.Tools.exe.manifest (733 bytes)
   C:\Progressive\Adguard\nss\certutil.exe (916 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.ru.dll (5790 bytes)
   C:\Progressive\Adguard\AdguardSvc.exe.config (683 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.de.dll (5827 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.id.dll (1522 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.vi.dll (939 bytes)
   C:\Progressive\Adguard\System.Windows.Interactivity.dll (1182 bytes)
   C:\Progressive\Adguard\default.db (1944 bytes)
   C:\Progressive\Adguard\Adguard.UI.dll (3201 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.hr.dll (6857 bytes)
   C:\Progressive\setup.msi (2 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.zh.dll (1179 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.nl.dll (1370 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.uk.dll (5579 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.ro.dll (3935 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.hr.dll (929 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.zh-TW.dll (351 bytes)
   C:\Progressive\Adguard\SQLite.Interop.dll (8724 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.tr.dll (150 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.vi.dll (4953 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.es.dll (7170 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.sk.dll (836 bytes)
   C:\Progressive\Adguard\Adguard.Safebrowsing.dll (651 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.pl.dll (1027 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.sr.dll (1468 bytes)
   C:\Progressive\Adguard\Adguard.Global.dll (2790 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.he.dll (1566 bytes)
   C:\Progressive\Adguard\drivers.bin (525 bytes)
   C:\Progressive\Adguard\nss\plds4.dll (17 bytes)
   C:\Progressive\Adguard\AdguardNetApi.dll (10191 bytes)
   C:\Progressive\Adguard\nss\plc4.dll (1556 bytes)
   C:\Progressive\Adguard\nss\nspr4.dll (2014 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.uk.dll (2238 bytes)
   C:\Progressive\Adguard\Adguard.exe.manifest (1 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.nl.dll (6368 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.tr.dll (6235 bytes)
   C:\Progressive\Adguard\Adguard.Service.dll (5450 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.hu.dll (1659 bytes)
   C:\Progressive\Adguard\Adguard.exe.config (2 bytes)
   C:\Progressive\Adguard\nss\softokn3.dll (2049 bytes)
   C:\Progressive\Adguard\libs\inststlib64.dll (2527 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.sr.dll (6235 bytes)
   C:\Progressive\Adguard\Newtonsoft.Json.dll (6465 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.fr.dll (7170 bytes)
   C:\Progressive\Adguard\langs\Adguard.UI.resources.ru.dll (988 bytes)
   C:\Progressive\Kur.exe (4886 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.pl.dll (4224 bytes)
   C:\Progressive\Adguard\langs\Adguard.Filter.resources.id.dll (6162 bytes)
   

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

Static Analysis

VersionInfo

Company Name: SolidShare TEAM
Product Name: Adguard Premium
Product Version: 6.1.298.1564
Legal Copyright: (c) 2016 By Progressive
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.1.298.1564
File Description: SolidShare.Net Unattended Installer
Comments: SolidShare.Net Unattended Installer
Language: Language Neutral

Company Name: SolidShare TEAMProduct Name: Adguard PremiumProduct Version: 6.1.298.1564Legal Copyright: (c) 2016 By ProgressiveLegal Trademarks: Original Filename: Internal Name: File Version: 6.1.298.1564File Description: SolidShare.Net Unattended InstallerComments: SolidShare.Net Unattended InstallerLanguage: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Cache-Control: max-age = 86403

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT

If-None-Match: "8017f9a85f10d21:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: VVV.download.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Sat, 12 Nov 2016 01:34:12 GMT

Accept-Ranges: bytes

ETag: "02e4de843cd21:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 50939

Date: Sat, 24 Dec 2016 21:12:50 GMT

Connection: keep-alive

X-CCC: RU

X-CID: 2

MSCF............,...................I.................kI;. .authroot.stl.6....7..CK...<.[.........].y.Q..YKv..%k.....!..H!.Q.-..$tU$.)7k..R.=...n3......}?...3gf......h<.2...4.(q..f......&{.`....02.s...2@`.J.<#..q..0Xy%.4..egd.:M.B....in.([....W....(.|.....|....s!..Mo..@......|"(n;Z..'~DE.}(........Mz:T....x..{..n.`z..-.\.............q....ld2z..N/.b.J...........X.S.:UN.S.v."..'l........:yz.<."!.]O..6.:d.....C.P ....P($.Y.Q y..y..B....u.`...u.00.....|(..A.J.Cp.c...X..g.........}..'........D.QVFf0...D...a6.f.0.....k.*8...<.;..o...(.....f...L.0..C.......I.A!.H.....'._)....Qc.V.....5D..,..d../(..j.F.d.....`..f...$>:_%.W..(....@.r.9..Ob.e.$..m.~.]....g.......%`e_..&Qhp .......ey.c.....H`.%<9.......#.\S...R.5....v.......dWE.....:...../"3.._..l.XiH.J!..............{.5C_...i.U....7....;p....Q.`....L.j........u....b.`:Mk.L.......*..@M^m..Jv...g........<d:l..Kq.X...*y...x1.u....... .....z.....c.(<.b...l.#....,z~..M.Y.]..Z....F..N./..[.#....Ol...f.k........U.rF)D....3..sK...`..W.....5.=.@#a....!./....>...g.(. ..9..>!.K..e..j..{x.0.^,...U9..ru.C......,..q^1.G..A.e.F[...".1..*...^...L..#:,7...:.z.n...fI1.....l..E.q>......E...x n....H....t....5.....\...<.l....7}.`\..~_..#..Bz....i..[{.w.....a...c....E w?..6..l......x8..H....7.e.;.%.:.!.*Q....#..bT.......(....ka.......B..|.........1....t.r...fk....C.t`....@3.P..*t..nmD.....8$.bd..`D...5X.....H..L../1:..Ap...w.\...,..U..../"X......}X...a...G....N.X..<....MG....r..H....._@..Q2..T...Q.....].e.G./.v,.Z5ib..5........9 ............z..!...g

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1553

content-transfer-encoding: binary

Cache-Control: max-age=532130, public, no-transform, must-revalidate

Last-Modified: Sat, 24 Dec 2016 00:55:57 GMT

Expires: Sat, 31 Dec 2016 00:55:57 GMT

Date: Sat, 24 Dec 2016 21:11:50 GMT

Connection: keep-alive

0..........0..... .....0......0...0......WVD.8..Kcz.....K......20161224005557Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.8........c..uU..$.;.....20161224005557Z....20161231005557Z0...*.H...............N......e..(..S.@..J.#....@..../D..e1..js...g.dY..d.tS....kn..[[7..?....8O.....L.d......... ...b.^QMb.J>..3.HI.......7...i..F..O..&=p./..-uK.2 ...YzK.....2.....n...u...a..$[.5#......#Y.q{..x....QU...&.[F0.m=p.;.VM.....K....@.;lW..=6....lu........4......t=...60..20...0..........Q.B.D.u..~f...m.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network0...161122000000Z..171214235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 50.."0...*.H.............0.........c....A........P......k./......m....(..^.......q.mB...,...t..w.&.W.....n.2..G.........e.\..@.v@.... ..,.*...L..R...6 l.O..}.v.'...E.'.R..73J.....&......V..$......A....R6.k...yj........!H.E.UGZ.!.>..~.....Ys.Z.@.)2z......D...0....dKC.IK...Z.t..J.]`........O........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-OFF-480...*.H............*.R>...:..u.M..l-r......0..R9s..[^.<.b..*X......h.......qO......p.....Q~...:^........0......s

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1660

content-transfer-encoding: binary

Cache-Control: max-age=545077, public, no-transform, must-revalidate

Last-Modified: Sat, 24 Dec 2016 04:35:37 GMT

Expires: Sat, 31 Dec 2016 04:35:37 GMT

Date: Sat, 24 Dec 2016 21:11:56 GMT

Connection: keep-alive

0..x......q0..m.. .....0.....^0..Z0......w>.2Yb.........fJ*....20161224043537Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#....M....=....x..":...K.....20161224043537Z....20161231043537Z0...*.H...............g.N....6..a1. .y.....Y.O.....s?.....Lh.......5......K...i.T.O\.V...#...G.....t0&...kyZ.l....iaoS.j.......i..F.?..-..:[.3..........{.{..<.ls>.....F>.......;.51K...Y....;.<........a"g.......x..#..$|....2"W:U.s...VF.])&.X =.......a...t...h8..c.&.......1..H.....0...0...0..........O.....2../..n...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA0...161213000000Z..211231235959Z0D1B0@..U...9Symantec Class 3 Code Signing 2009 CA SHA1 OCSP Responder0.."0...*.H.............0.............s..{...L.S.9...7...!....!..........u..]..l|/!.V..V.....7(...].C...3|..e....7.(KN.W..........W..O..<..<....&r...]#...uk....%.Q.9..9-zw4..........5...$..Pi..........${.F..b]!%{..T..........Av./0b.EF....h....D........~.kX.R...v.=..zx....U2.._..JI..)..............0...0...U.......0.0f..U. ._0]0[..`.H...E....0L0#.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rpa0...U.%..0... .......0...U...........0... .....0......0"..U....0...0.1.0...U....TGV-OFF-630...U......w>.2Yb.........fJ*..0...U.#..0....>c."t..d.1..#....M.0...*.H.............. ....i.......4q..........|..R.m.\..}.?.N.....[.\9C.C..#.....$1.a{..V.Og|.....8..j..v.C.....L......

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1

Cache-Control: max-age = 547348

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 19 Nov 2013 21:12:41 GMT

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1664

content-transfer-encoding: binary

Cache-Control: max-age=384416, public, no-transform, must-revalidate

Last-Modified: Thu, 22 Dec 2016 07:56:30 GMT

Expires: Thu, 29 Dec 2016 07:56:30 GMT

Date: Sat, 24 Dec 2016 21:12:02 GMT

Connection: keep-alive

0..|......u0..q.. .....0.....b0..^0.............V.m......E!....20161222075630Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5..........^.3@..cL.1.......20161222075630Z....20161229075630Z0...*.H..............s.\...._..p2Z....6y...F...9..&c.\.e....[.{VR....1.C..ZY#...!G......E#..0s.....z..;}7.....!G.............O.K..?..?g......j......:~BJ....r w}.j.!K.....z..%>A.l=J`.Y..R..e>.1y)a..l.c..R]..t.-.)$.... ....k..9..B '.I..@...t.r1....9...'.....".......A...f...J..`....0...0...0..................[Df..{.,0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...161213000000Z..211231235959Z0F1D0B..U...;Symantec Class 3 Code Signing 2009-2 CA SHA1 OCSP Responder0.."0...*.H.............0.............2q..J..:...3....X.?.....9K.G....,......e.c,..9YI...z.qA 0....9...CG......6.qX>.Xo.....g..=..B.E.......qB..W.|..>.qT.4Z|....H. m...m..qy]Gi...0N.T.....N,.U.WJ5.f...r..@..8.b.......=..G.0.....y4N"mK.J...."..".......ju.....k...x........P.]S=t....*..'.............0...0...U.......0.0f..U. ._0]0[..`.H...E....0L0#.. .........https://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rpa0...U.%..0... .......0...U...........0... .....0......0"..U....0...0.1.0...U....TGV-OFF-640...U.............V.m......E!..0...U.#..0.....k.&p..?...-.5.....0...*.H.............C.....S>F ..u.=KA5..@...`........a0s.M......JH.X.Y..E........CX../......f5j..a......k...:.r/.J5..G...h...~.".A.].

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx+JOp7hVgTeaGFJ/CQgQUljtT8Hkzl699g+8uK8zKt4YecmYCECqcIayqpjo8WKe5MivulI0= HTTP/1.1

Cache-Control: max-age = 588368

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 13 Oct 2016 05:31:11 GMT

User-Agent: Microsoft-CryptoAPI/6.1

Host: sv.symcd.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1611

content-transfer-encoding: binary

Cache-Control: max-age=416328, public, no-transform, must-revalidate

Last-Modified: Thu, 22 Dec 2016 16:50:55 GMT

Expires: Thu, 29 Dec 2016 16:50:55 GMT

Date: Sat, 24 Dec 2016 21:12:27 GMT

Connection: keep-alive

0..G......@0..<.. .....0.....-0..)0......H.S.......J.?x.7T..a..20161222165055Z0s0q0I0... ...........C%.......`M.....B...;S.y3..}... .....rf..*.!...:<X..2 .......20161222165055Z....20161229165055Z0...*.H.............Ma...8.`.K$..]..<..#`.F)7..C1{f.,.....t.;6u"[....L<H"[C~].p...`..A.......3m...H......q.....F.7>.:...iq...N:).D*....@...Xu..T..j.......|.....G.a6PE.R...Me.....$....,. .|-....q.ZI..........&r.#........2(........?...gA..`....6XD...m....;....E..V.^._..:NrO..M....p0..l0..h0..P.......jVl_wg...'.i....0...*.H........0.1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network100...U...'Symantec Class 3 SHA256 Code Signing CA0...161002000000Z..161231235959Z0A1?0=..U...6Symantec Class 3 SHA256 Code Signing CA OCSP Responder0.."0...*.H.............0............y.....l..f.......m./].j..mysU[d......:..!...9......-._k..V.%.B'...'..e.S.....>....3..3..?../.hO#.c.L.......T...<,..-....Bt...U..G.A%|..E..y=jf....%.Y*..x.b..F...'~.,.g6......?..@e.v.|!...R..8....:.N..,;zG.WN..{\c.Q.V!..l.....!h..d...T..Ik....Nu.S.WK"...........0...0... .....0......0"..U....0...0.1.0...U....TGV-D-22120...U.#..0....;S.y3..}... .....rf0...U......H.S.......J.?x.7T..a0...U.......0.0n..U. .g0e0c..`.H...E....0T0&.. .........hXXp://VVV.symauth.com/cps0*.. .......0... hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0...*.H................a..).B.>@.`...-.1..0..LJ.(S...s...U.'.;...N..Kp[..... B...&...K.|K..xd.....db....."\2..J......l.....U.I..t C.8B...B.... .....v.!#.1.v7$..j......6>.....

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 808

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 09 Oct 2013 05:02:17 GMT

If-None-Match: "9c3f3dbaacc4ce1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Mon, 21 Nov 2016 06:01:26 GMT

Accept-Ranges: bytes

ETag: "ea9ee7b1bc43d21:0"

Server: Microsoft-IIS/8.5

VTag: 438117755400000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 813

Cache-Control: max-age=900

Date: Sat, 24 Dec 2016 21:12:09 GMT

Connection: keep-alive

0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....microsoft1-0 ..U...$Microsoft Root Certificate Authority..161120214850Z..170219100850Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..%..*..S.Y..0... .....7.......0...U......10... .....7......170218215850Z0...*.H.............,I...6<..{.....o).*.......>SJ.t............N. ...#.........#J..A..."..9t...8....y..'k......O..f..&N..6\.:.0..{-.?.....w}R...=S}.Q5..bwf...I..x..S........S....%u:...D|..q.)tC....^.......6.O..V.s....R!.c`....oT..z/|....A.....n{.$.5(.V^..Ox.1........3.I.vfK,dZ`....n.k...vd......i..M..8_g..>.6!.. ....._.v..E....p!c..c....D....iWn../.mZx......w..."~..(.N.&.s....S..k.=a..d:I....f..W.uO.K}].R.. uY2...2..a.U^........... ..%5<F/..L...@..I..<. .....E..r.~=.k..3l9..d^.9..&N._\K."m#..P.9..z.......K..j.z1..8.r.!v.>.....HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Mon, 21 Nov 2016 06:01:26 GMT..Accept-Ranges: bytes..ETag: "ea9ee7b1bc43d21:0"..Server: Microsoft-IIS/8.5..VTag: 438117755400000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 813..Cache-Control: max-age=900..Date: Sat, 24 Dec 2016 21:12:09 GMT..Connection: keep-alive..0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....microsoft1-0 ..U...$Microsoft Root Certificate Authority..161120214850Z..170219100850Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..%..*..S.Y..0... .....7.......0...U......10..

<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 29 Oct 2013 05:02:50 GMT

If-None-Match: "b8b5df1d64d4ce1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Mon, 12 Dec 2016 06:00:18 GMT

Accept-Ranges: bytes

ETag: "7254ef33d54d21:0"

Server: Microsoft-IIS/8.5

VTag: 791789525600000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Sat, 24 Dec 2016 21:12:18 GMT

Connection: keep-alive

0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..161211173324Z..170312055324Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......b0... .....7......170311174324Z0...*.H..................)........j<.........G"...X..7y.1.s...vaE..'03.l......Q.*....M...$.._.:$...Ky$..`.>#..v...pLI<".1e.....0QK.#<#]v......x.d&..........@...{...K.gx1&...l.......R...>h.....$.............C..|M....WT..[.-.b.$)....v(....v._....'.p....a.)..j...oC....zC:$.8....HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Mon, 12 Dec 2016 06:00:18 GMT..Accept-Ranges: bytes..ETag: "7254ef33d54d21:0"..Server: Microsoft-IIS/8.5..VTag: 791789525600000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 554..Cache-Control: max-age=900..Date: Sat, 24 Dec 2016 21:12:18 GMT..Connection: keep-alive..0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..161211173324Z..170312055324Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......b0... .....7......170311174324Z0...*.H..................)........j<.........G"...X..7y.1.s...vaE..'03.l......Q.*....M...$.._.:$...Ky$..`.>#..v...pLI<".1e.....0QK.#<#]v......x.d&..........@...{...K.gx1&...l.......R...>h.....$.............C..|M....WT..[.-.b

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141/l2SWCyYX308B7Khio= HTTP/1.1

Cache-Control: max-age = 432038

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 11 Oct 2016 10:05:24 GMT

User-Agent: Microsoft-CryptoAPI/6.1

Host: s2.symcb.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1763

content-transfer-encoding: binary

Cache-Control: max-age=373496, public, no-transform, must-revalidate

Last-Modified: Thu, 22 Dec 2016 04:56:48 GMT

Expires: Thu, 29 Dec 2016 04:56:48 GMT

Date: Sat, 24 Dec 2016 21:12:22 GMT

Connection: keep-alive

0..........0..... .....0......0...0.......WI.....L.c=...r..7Z..20161222045648Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...313..=x..vI`.a}.....*....20161222045648Z....20161229045648Z0...*.H.............J.O2...;_P......A."....,..N&...I...@.%.^.d.Y'n.h2...H..gk1......|."|=.;..M..s./b.....A.....\.-..r*NC.7.....|$.m..^...k~x.........z-..E..P..2..L....?.GGR..k......n......_.......x..C8%l..>..C./.R.|7..[...g..^..Pn[NJ.... \.....^..].M..?.I./...Y.....i(..k....-....0...0...0..........^..)......<...T.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...161122000000Z..171214235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 50.."0...*.H.............0.............................m..|........1rUZN.b.......t. d......O...NY.lR..k .Q.z.g.4(,...Rp.7...0C.j.)Z........ ~..3...x.b.-..... S^0<6...!.(..2}...T.fX}...6...(...1...#..H..|`.yy.<B.z.q$......u.-..K.!......y..8..--....?.,.[.[...5.e.4.....D..t.;....).J....\fV..G.........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...http://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0"..U....0...0.1.0...U....TGV-OFF-500...U.......WI.....L.c=...r..7Z0...U.#..0.....e......0..C9...3130...*.H.............<wN..g..

<<< skipped >>>

Map

The Adware connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1744:

!Require Windows

!Require Windows

`.rsrc

`.rsrc

7J.eO

7J.eO

PSSSSSSh

PSSSSSSh

ttNt_Nt.Nt

ttNt_Nt.Nt

:Language:%u

:Language:%u

Enter password:

Enter password:

0xx

0xx

"%s".

"%s".

Could not overwrite file "%s".

Could not overwrite file "%s".

Could not create file "%s".

Could not create file "%s".

0xX.

0xX.

7-Zip: Internal error, code 0xX.

7-Zip: Internal error, code 0xX.

7-Zip: Internal error, code %u.

7-Zip: Internal error, code %u.

The archive is corrupted, or invalid password was entered.

The archive is corrupted, or invalid password was entered.

7-Zip: Unsupported method.

7-Zip: Unsupported method.

Error during execution "%s".

Error during execution "%s".

"setup.exe"

"setup.exe"

Could not find "setup.exe".

Could not find "setup.exe".

Could not find command for "%s".

Could not find command for "%s".

Could not delete file or folder "%s".

Could not delete file or folder "%s".

Could not create folder "%s".

Could not create folder "%s".

Error in line %d of configuration data:

Error in line %d of configuration data:

Could not open archive file "%s".

Could not open archive file "%s".

1.6.0 develop [x86]

1.6.0 develop [x86]

2712 (30

2712 (30

1.6.0 develop [x86] build 2712 (December 30, 2012)

1.6.0 develop [x86] build 2712 (December 30, 2012)

Supported methods and filters, build options:

Supported methods and filters, build options:

Sorry, this program requires Microsoft Windows 2000 or later.

Sorry, this program requires Microsoft Windows 2000 or later.

CreateIoCompletionPort

CreateIoCompletionPort

_acmdln

_acmdln

ShellExecuteW

ShellExecuteW

ShellExecuteExW

ShellExecuteExW

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExW

GetKeyState

GetKeyState

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

KERNEL32.DLL

KERNEL32.DLL

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

GDI32.dll

GDI32.dll

MSVCRT.dll

MSVCRT.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

SHELL32.dll

SHELL32.dll

USER32.dll

USER32.dll