Skip to main content

SearchProtectToolbar_pcap_46fc3421f4


SearchProtectToolbar_pcap.YR (Lavasoft MAS)Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 46fc3421f4adad3425ab6ef32d0c4355

SHA1: 5504bfa51de599a7235db39c8a45f419410a1742

SHA256: 069013029d890dbf847d052b0a8d97dd767486714f90d2cbec90174285448500

SSDeep: 24576:q4ysm2dkoSBaU9jILdudWwt684PHRql4llRD/NnI:0sLXhU9jIIdZ8PlRu

Size: 891496 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Cash Buyer Media

Created at: 2014-11-29 18:26:06

Analyzed on: WindowsXP SP3 32-bit

Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

%original file name%.exe:928
%original file name%.exe:312
%original file name%.exe:580

The Malware injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:928 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\149\arcadetwist_playthru_pcprocleaner_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\skin.psd (42457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\knockout.js (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\SsaBz1bCz1Ttz1fGhI67jKCcLl67aBuVXx (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\lua51.dll (3579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\save.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\kLoPVvrSyZOofGUugHSsEez1.dll (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\back.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\29pXHmrN9h.dll (1486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\main.css (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\step_bg.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\close.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\iconChe.gif (740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\knockout-2.js (10370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\173\tidynetwork_playthru_propccleaner_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\177\tidy_playthru_onesystemcare_triple_628_3.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\1\do_tracking_hit.lua (913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\default_logo.png (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\decline.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\run.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\169\knctr_playthru_tidy_triple_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\accept.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OfferScreenParamete.js (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\AutoFeatureMod.js (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\153\arcadetwist_knctr_playthru_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\common.js (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\index.html (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\step_off.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\skin.png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\145\arcadetwist_playthru_pcacceleratepro_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin.zip (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\next.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\skipall.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wbk2.tmp (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\progress-bar.gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\step_on.png (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\minify.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\jquery.js (1843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\183\playthru_tidy_double_628_3.mht (8844 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\161\knctr_playthru_onesystemcare_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\1\adknowledge_3.mht (7772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\cancel.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\accept-lg.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\181\onesystemcare_tidy_double628.mht (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\1Oz0QVgBf.dll (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\141\arcadetwist_playthru_onesystemcare_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\165\knctr_playthru_tidy_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\options.json (197 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wbk3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\AutoFeatureMod.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\iconChe.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\knockout-2.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OfferScreenParamete.js (0 bytes)

Registry activity

The process %original file name%.exe:928 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015121520151216]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015121520151216\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015121520151216]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015121520151216]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 BE 6A CC A6 4A 4A 0C C7 50 E3 D2 B7 C4 44 41"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015121520151216]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015121520151216]
"CachePrefix" = ":2015121520151216:"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Malware deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:312 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 0C D6 82 80 F3 1F DB 9C 1E 51 DF 00 E8 56 52"

The process %original file name%.exe:580 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 40 80 AB 58 96 43 CE E9 74 B9 5C 37 B5 81 24"

Dropped PE files

MD5 File path
a55240c71fbcfa83273a3b853e323b38c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\h0nthn80NmAxFi2CggC\1Oz0QVgBf.dll
ef9b5304e4469137c5290b70ef0b7ec9c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\h0nthn80NmAxFi2CggC\29pXHmrN9h.dll
5f13dbc378792f23e598079fc1e4422bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\h0nthn80NmAxFi2CggC\kLoPVvrSyZOofGUugHSsEez1.dll
f0c59526f8186eadaf2171b8fd2967c1c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\h0nthn80NmAxFi2CggC\lua51.dll
44dac7f87bdf94d553f8d2cf073d605dc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\h0nthn80NmAxFi2CggC\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:928
    %original file name%.exe:312
    %original file name%.exe:580

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\149\arcadetwist_playthru_pcprocleaner_updateadmin_628.mht (10204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\skin.psd (42457 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\knockout.js (2039 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\SsaBz1bCz1Ttz1fGhI67jKCcLl67aBuVXx (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\lua51.dll (3579 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\save.png (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\kLoPVvrSyZOofGUugHSsEez1.dll (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\back.png (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\29pXHmrN9h.dll (1486 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\main.css (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\.DS_Store (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\step_bg.png (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\progressPause.gif (517 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\close.png (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\iconChe.gif (740 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\knockout-2.js (10370 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\173\tidynetwork_playthru_propccleaner_updateadmin_628.mht (10204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\177\tidy_playthru_onesystemcare_triple_628_3.mht (10204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\common.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\1\do_tracking_hit.lua (913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\default_logo.png (457 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\decline.png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\run.png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\169\knctr_playthru_tidy_triple_628.mht (10204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\accept.png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OfferScreenParamete.js (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\AutoFeatureMod.js (386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\153\arcadetwist_knctr_playthru_updateadmin_628.mht (10204 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\common.js (118 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\index.html (769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\step_off.png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\skin.png (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\progress.gif (769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\145\arcadetwist_playthru_pcacceleratepro_updateadmin_628.mht (10204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin.zip (9476 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\next.png (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\skipall.png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wbk2.tmp (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\progress-bar.gif (2281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\step_on.png (999 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\minify.png (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\res\jquery.js (1843 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\183\playthru_tidy_double_628_3.mht (8844 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\161\knctr_playthru_onesystemcare_updateadmin_628.mht (10204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\1\adknowledge_3.mht (7772 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\cancel.png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\assets\accept-lg.png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\181\onesystemcare_tidy_double628.mht (9476 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\1Oz0QVgBf.dll (677 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\141\arcadetwist_playthru_onesystemcare_updateadmin_628.mht (10204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\165\knctr_playthru_tidy_updateadmin_628.mht (10204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h0nthn80NmAxFi2CggC\skin\options.json (197 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Cash Buyer Media
Product Name: Cash Buyer Media
Product Version: 61.6.7.6620
Legal Copyright: Copyright (C) 2015
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 61.6.7.6620
File Description: Cash Buyer Media
Comments:
Language: English (United States)

Company Name: Cash Buyer MediaProduct Name: Cash Buyer MediaProduct Version: 61.6.7.6620Legal Copyright: Copyright (C) 2015Legal Trademarks: Original Filename: setup.exeInternal Name: setup.exeFile Version: 61.6.7.6620File Description: Cash Buyer MediaComments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409653435537604.4611259445157f5b2aa9117c7ab9d4fab4baf
.rdata61440774881923.725295d0d3053677fc3822c5caecd2b9d6e2d
.data6963216284128005.23114ced9c3e2e405f9ce97f0b5abec5b067d
.rsrc86016692071683.1693be528cfb1576d557d291904a2817b4e2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 21
28e04d9304a40f4654399ff8bd406528
05ce7a30aaa73986f6175f1ec3063381
914aeced31a748ff736945dd89e80683
32cf0ca303132382c6d7a575bb65c79a
160d218058b4de50d3975e0c72d17a9a
dd36df1879f9e8a29fcd9a5e82e2c09b
e9cebfc61732d61a95008ffe0a2373c1
93c573a93423839523947db83e3a227e
062a97c1f3e5d91b2d662e01bb710f66
d76cab50bef037351746861d136bdfdc
8c028a1350f234e392f4cc6a63b6241e
b0a4f8a1c3e7601844c0cec45cde4a3f
2ed6d7582da9538f6436236c84891326
9dd75b71bce38735d459809145dbaeb4
ed600a82f00b65783c6e937895bf31eb
512cfd63104eb5517b581e96010840fd
6c448b6aabfddbba047906a46fd67e12
a5b76c7bf90af9d129ab5706e53816c7
0126773c0afe3075a5eb88e644f4cc2e
7fcfd59f62c968eae2f720f8d1e685af
b746529eaf8ce8aa07bdad4b3bc5562b

Network Activity

URLs

URL IP
hxxp://service.downloadadmin.com/checksuminstall?checksum=1767950.22.63.140
hxxp://a728.g.akamai.net/skins/da/11122015/megazord_darkskin_nondlm_cancel.zip
hxxp://service.downloadadmin.com/env?browserVersion=11&osVersion=7&browserName=IE&c=fw35&variation=&pid=adknowledge&aid=adk&country=US&productKey=&s=fw35_300x250display5128768&brand=adknowledge.com&bc=1197303&osName=Windows50.22.63.140
hxxp://a728.g.akamai.net/binstallers/BM2/adknowledge/ipage/adknowledge_3.mht
hxxp://a728.g.akamai.net/binstallers/BM2/api/do_tracking_hit.lua
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_playthru_onesystemcare_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_playthru_pcacceleratepro_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_playthru_pcprocleaner_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_knctr_playthru_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/knctr_playthru_onesystemcare_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/knctr_playthru_tidy_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/knctr_playthru_tidy_triple_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/tidynetwork_playthru_propccleaner_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/tidy_playthru_onesystemcare_triple_628_3.mht
hxxp://a728.g.akamai.net/products/BM2/combos/onesystemcare_tidy_double628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/playthru_tidy_double_628_3.mht
hxxp://mirror.downloadnet1210.com/products/BM2/combos/onesystemcare_tidy_double628.mht213.133.184.112
hxxp://mirror.downloadnet1210.com/products/BM2/combos/knctr_playthru_tidy_triple_628.mht213.133.184.112
hxxp://mirror.downloadnet1210.com/products/BM2/combos/playthru_tidy_double_628_3.mht213.133.184.112
hxxp://mirror.downloadnet1210.com/products/BM2/combos/tidy_playthru_onesystemcare_triple_628_3.mht213.133.184.112
hxxp://mirror.downloadnet1210.com/skins/da/11122015/megazord_darkskin_nondlm_cancel.zip213.133.184.112
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_playthru_onesystemcare_updateadmin_628.mht213.133.184.112
hxxp://mirror.downloadnet1210.com/products/BM2/combos/knctr_playthru_onesystemcare_updateadmin_628.mht213.133.184.112
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_knctr_playthru_updateadmin_628.mht213.133.184.112
hxxp://mirror.downloadnet1210.com/products/BM2/combos/knctr_playthru_tidy_updateadmin_628.mht213.133.184.112
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_playthru_pcacceleratepro_updateadmin_628.mht213.133.184.112
hxxp://mirror.downloadnet1210.com/binstallers/BM2/adknowledge/ipage/adknowledge_3.mht213.133.184.112
hxxp://mirror.downloadnet1210.com/products/BM2/combos/tidynetwork_playthru_propccleaner_updateadmin_628.mht213.133.184.112
hxxp://mirror.downloadmanager145.com/binstallers/BM2/api/do_tracking_hit.lua213.133.184.113
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_playthru_pcprocleaner_updateadmin_628.mht213.133.184.112

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /binstallers/BM2/api/do_tracking_hit.lua HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadmanager145.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "9cc9c7aa05eddd412b09d5b37d446f81:1404848561"

Last-Modified: Tue, 08 Jul 2014 19:42:41 GMT

Accept-Ranges: bytes

Content-Length: 913

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

--[[.-- Lua Script to perform tracking hits IT can be run at start offer or finish and has aacces tot he variables.--]]..local http=require("wininet.http");.local json=require("json");..local main=function(). -- Need GuiInit. local guiinit=require("GuiInit");. local _Downloads=require("Downloads");. local target=current.file._a_.Options -- Get the options blob. -- No Target is specified then do nothing. if target == "" or not target then. return; -- Blank so do nothing . end. target=current.expand_path(target);. -- Get the command line and look for an option . --[[local cli=current.expand_path("$CMDLINE");. local opts=string.match(cli or "","--custom.p.tid=([^ ] )");. ]]. -- Make a reques to the target Url. local r,c,h = http.request{. method="POST",. url=target ,. proxy=_Downloads.proxyForUrl(target). }..end...return main();.HTTP/1.1 200 OK..Server: Apache..ETag: "9cc9c7aa05eddd412b09d5b37d446f81:1404848561"..Last-Modified: Tue, 08 Jul 2014 19:42:41 GMT..Accept-Ranges: bytes..Content-Length: 913..Content-Type: text/plain..Date: Tue, 15 Dec 2015 00:33:06 GMT..Connection: keep-alive..--[[.-- Lua Script to perform tracking hits IT can be run at start offer or finish and has aacces tot he variables.--]]..local http=require("wininet.http");.local json=require("json");..local main=function(). -- Need GuiInit. local guiinit=require("GuiInit");. local _Downloads=require("Downloads");. local target=current.file._a_.Options -- Get the

<<< skipped >>>

GET /skins/da/11122015/megazord_darkskin_nondlm_cancel.zip HTTP/1.1

Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "398d4b8eeb1f419a51f5c199a58139a2:1447358884"

Last-Modified: Thu, 12 Nov 2015 20:08:04 GMT

Accept-Ranges: bytes

Content-Length: 73310

Content-Type: application/zip

Date: Tue, 15 Dec 2015 00:33:05 GMT

Connection: keep-alive

PK........,nkG].\.............options.json].... .D.~......... .e..-4........t.o.&...=b.r.%s..Z..F0.....Qi.....t..Q...";..i..)..l{.E...v....O.F..s gsHK..P...of.v........}$G......:.;G.....PK.........`.Dj..m............assets/.DS_Store..1..0......M\:2v....!x./....{t%..i..j....oB..P..x..@..................f.t|?MD...>....k<...]...V.y......f...m^.Z........e...".............0..u.....'<.[7n......p..-le.W.."...PK........8d.D3.......%.......assets/accept.png.VwXSg......2d.....$.D.BB$@...A!$7.F.$.$ .Ph..V....`.2.Z.2..(.....".Td....._....?........9.y...7....[.4. ....5.^.g.^..r2i`..H...Z...@.P.....6..@.....=.dK......<..."ta..X.?.......@V...8.....P/.$.G......r.d.3..f.P.o.u..p.9....e..0s3...$3....P...O@..a..%.. .(..O../..WP...P....x.....`.........8...`Qh.C@`p$<..5.~j0.7>.C...>....0o.0..B.D".....O.0D"q.....i ....)F............. ..2gz.AB2..z......a..S.d)C...(.....G.j............e... >Kv......w...,..!>Wv)L?*....xB:.... .\6...YQ... .........[P.8#*.K....Wm...J..).cc.....X..X.pT,.m.AcM.F..X:O d.X.*...,._.$..`.A.#...V.aoP.....(.......c."....|...s..6...C../............@.2^97.K36..hh......a....'g(Y0..)..%Y...?..l..<.O.....Q#......t....{.........u....rHE.Q...J.l.w[$.X5N...3...G3>...)N.w7h.^...I.>.../Us2.}.l..........>R...B..fA|8.!^I....J....k.....oo.....1!M9.}.._|.,k.bj.&B.g...D.......g_....T.S3 .G.7.5...v..5...........n.&hy.u=1..h..K1...D...}.|.../.x....R.}..r..W..u53...x...(A.hy.s^..S..f....l.P...."......k.v............R^V....9...=..&../...o.w.p....t'=]96.G.!W...........;~.<@..". .-......*.6l

<<< skipped >>>

GET /binstallers/BM2/adknowledge/ipage/adknowledge_3.mht HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "963e0ef21e87f2dd88b475f85634a747:1434231096"

Last-Modified: Sat, 13 Jun 2015 21:31:36 GMT

Accept-Ranges: bytes

Content-Length: 61500

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

From: "Saved by Internet Explorer 11"..Subject: Product Name..Date: Mon, 20 Oct 2014 17:40:00 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEC8C.DF382910"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEC8C.DF382910..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\vitallia_primary_4.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd"><HTML><HEAD>..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>.. =20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. =20..<SCRIPT src=3D"file:///C:/offerscreen/OfferScreenParameters.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE =..data-bind=3D"text:$root.customParameters()['ProductName']">Product=20..Name</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=...container{width:628px; height:282px; padding:16px 0 0 0;}=0A=..h1 {color: #000000;font-family: "Helvetica =..Neue","Helvetica","Arial",sans-s

<<< skipped >>>

GET /products/BM2/combos/arcadetwist_playthru_onesystemcare_updateadmin_628.mht HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "668c51a87c703a436c83895218d6e534:1439558955"

Last-Modified: Fri, 14 Aug 2015 13:29:15 GMT

Accept-Ranges: bytes

Content-Length: 75945

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/arcadetwist_playthru_pcacceleratepro_updateadmin_628.mht HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "e9325ef10ed838c35b5af7775c9eae91:1444312504"

Last-Modified: Thu, 08 Oct 2015 13:55:04 GMT

Accept-Ranges: bytes

Content-Length: 76083

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/arcadetwist_playthru_pcprocleaner_updateadmin_628.mht HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "671db8939d3b2ae3d8a7433381dcd081:1438700315"

Last-Modified: Tue, 04 Aug 2015 14:58:35 GMT

Accept-Ranges: bytes

Content-Length: 76006

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/arcadetwist_knctr_playthru_updateadmin_628.mht HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "2b71e9df8a1242ac5e8565c59fec2e5c:1438700315"

Last-Modified: Tue, 04 Aug 2015 14:58:35 GMT

Accept-Ranges: bytes

Content-Length: 76002

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/knctr_playthru_onesystemcare_updateadmin_628.mht HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "0b20a9fd75b7da657a56c678953dfa53:1439558956"

Last-Modified: Fri, 14 Aug 2015 13:29:16 GMT

Accept-Ranges: bytes

Content-Length: 75945

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/knctr_playthru_tidy_updateadmin_628.mht HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "e987399a16f3a98f5ba2a3b883279a21:1438700316"

Last-Modified: Tue, 04 Aug 2015 14:58:36 GMT

Accept-Ranges: bytes

Content-Length: 76105

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/knctr_playthru_tidy_triple_628.mht HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "1ee70d370acae337db961198ce34abcf:1438700316"

Last-Modified: Tue, 04 Aug 2015 14:58:36 GMT

Accept-Ranges: bytes

Content-Length: 75801

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Mon, 7 Apr 2014 14:26:55 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0007_01CF526D.6D799070"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0007_01CF526D.6D799070..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\highlightly_stormalerts_optimizerpro_triple_628.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COL

<<< skipped >>>

GET /products/BM2/combos/tidynetwork_playthru_propccleaner_updateadmin_628.mht HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "eaccef0167555b64ef5b014b80cd94f8:1438700316"

Last-Modified: Tue, 04 Aug 2015 14:58:36 GMT

Accept-Ranges: bytes

Content-Length: 75987

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/tidy_playthru_onesystemcare_triple_628_3.mht HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "8a06da99b2dd4eae35a2d18f3903bdf1:1439558956"

Last-Modified: Fri, 14 Aug 2015 13:29:16 GMT

Accept-Ranges: bytes

Content-Length: 75952

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Thu, 11 Sep 2014 14:28:18 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0007_01CFCDCC.A1C309D0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0007_01CFCDCC.A1C309D0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\tidy_rapidwatch_optimizerpro_triple_628_3.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<TITLE>Search.com 628 by 282</TITLE>..<META content=3DIE=3D5.0000 http-equiv=3DX-UA-Compatible>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/offerscreen/AutoFeatureModel.js"></SCRIPT>..<META content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type>..<STYLE>BODY {...HEIGHT: 282px; FONT-FAMILY: arial, verdana, sans serif; WIDTH: 628px; =..POSITION: relative; COLOR: #222; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; =..PADDING-LEFT: 0px; MARGIN: 0px; PADDING-RIGHT: 0px; BACKGROUND-COLOR: =..#e3e3e3..}..TABLE {...BACKGROUND-REPEAT: no-repeat..}..H1 {...MARGIN-BOTTOM: 4px; FONT-SIZE: 18px; FONT-WEIGHT: bold; MARGIN-TOP: 0px..}..P {...FO

<<< skipped >>>

GET /products/BM2/combos/onesystemcare_tidy_double628.mht HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "b2b2ba26d95808459c2f3b647fbec299:1439558956"

Last-Modified: Fri, 14 Aug 2015 13:29:16 GMT

Accept-Ranges: bytes

Content-Length: 72381

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

From: "Saved by Windows Internet Explorer 9"..Subject: 628 by 282 Icy Offer..Date: Mon, 7 Jan 2013 11:23:06 -0500..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0010_01CDECC9.5D450B40"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0010_01CDECC9.5D450B40..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\strongvault_tidy_double628.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" =.."http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><HTML><HEAD>..<SCRIPT type=3D"text/javascript" =..src=3D"file:///C:/offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3D"text/javascript" =..src=3D"file:///C:/offerscreen/AutoFeatureModel.js"></SCRIPT>..<TITLE>628 by 282 Icy Offer</TITLE>..<META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3D"Content-Type"><!--=20..Edited by: Insert Initials & Date..Template Name: 628_Icy_2col_toolbar_EULA.php..-->..<STYLE>=0A=../* Overall page settings... */=0A=..=0A=..body {background-color:#fff;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#707271;}=0A=..#content {width:628px;height:282px; overflow:hidden; =..backgro

<<< skipped >>>

GET /products/BM2/combos/playthru_tidy_double_628_3.mht HTTP/1.1

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "8a3a08bba5a986be972f7f21967d2a1d:1438700316"

Last-Modified: Tue, 04 Aug 2015 14:58:36 GMT

Accept-Ranges: bytes

Content-Length: 68655

Content-Type: text/plain

Date: Tue, 15 Dec 2015 00:33:06 GMT

Connection: keep-alive

From: "Saved by Internet Explorer 11"..Subject: 628 by 282 Icy Offer..Date: Thu, 11 Sep 2014 14:39:31 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0007_01CFCDCE.32759F00"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0007_01CFCDCE.32759F00..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\stormwatch_tidy_double_628_2.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."http://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd"><HTML><HEAD><=..META=20..content=3D"IE=3D11.0000" http-equiv=3D"X-UA-Compatible">..<TITLE>628 by 282 Icy Offer</TITLE>=20..<META http-equiv=3D"X-UA-Compatible" content=3D"IE=3D11.0000">=20..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>..=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3DUTF-8"><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 628_Icy_2col_toolbar_EULA.php=0A=..=0A=..-->=20..<STYLE>BODY {=0A=...PADDING-BOTTOM: 0px; BACK

<<< skipped >>>

GET /checksuminstall?checksum=17679 HTTP/1.1

Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: service.downloadadmin.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/xml;charset=UTF-8

Transfer-Encoding: chunked

Date: Tue, 15 Dec 2015 00:32:59 GMT

Age: 0

X-Cache: MISS

008000..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<Installer>. <Bundle>. <CustomParameter Name="ProductName">@ProductName</CustomParameter>. <CustomParameter Name="ProductFileSize">@{ProductFileSize|1mb}</CustomParameter>. <CustomParameter Name="ProductTos">@ProductTos</CustomParameter>. <CustomParameter Name="PrivacyUrl">@PrivacyUrl</CustomParameter>. <CustomParameter Name="bm.plain-thanks">true</CustomParameter>. <File Action="Run before Offer" Destination="" DirMode="false" FileType="Content" ForceCreate="true" Options="@StartTrackingUrl" Scramble="false" ShowFolder="false" SourceDir="" SourceFile="hXXp://mirror.downloadmanager145.com/binstallers/BM2/api/do_tracking_hit.lua" WaitForExe="false" id="file-2"/>. <LinkBelowEula>false</LinkBelowEula>. <OptInDefault>false</OptInDefault>. <ProductBinary embed="false" msioptions="@ProductMsiOptions" options="@ProductOptions">@ProductBinaryUrl</ProductBinary>. <ProductEula comboPrimary="false" embed="false">hXXp://mirror.downloadnet1210.com/binstallers/BM2/adknowledge/ipage/adknowledge_3.mht</ProductEula>. <Primary>true</Primary>. <ProductId>1175439</ProductId>. <ProductName>@{ProductName|Adknowledge}</ProductName>. <Scramble>false</Scramble>. </Bundle>. <Bundle&g

<<< skipped >>>

GET /env?browserVersion=11&osVersion=7&browserName=IE&c=fw35&variation=&pid=adknowledge&aid=adk&country=US&productKey=&s=fw35_300x250display5128768&brand=adknowledge.com&bc=1197303&osName=Windows HTTP/1.1

Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)

User-Agent: Cash Buyer Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=520217;pid=928)

Host: service.downloadadmin.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Expires: 0

Content-Type: text/xml;charset=UTF-8

Transfer-Encoding: chunked

Date: Tue, 15 Dec 2015 00:33:06 GMT

Age: 0

X-Cache: MISS

001827..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Installer><Environment><Entry name="over-threshold:PremierOpinion (US) (1457)">true</Entry><Entry name="over-threshold:PremierOpinion (US) (1456)">true</Entry><Entry name="over-threshold:PremierOpinion (US) (1449)">true</Entry><Entry name="over-threshold:Optimizer Pro (US)">true</Entry><Entry name="over-threshold:Super Optimizer (US)">true</Entry><Entry name="over-threshold:PremierOpinion (UK)">true</Entry><Entry name="over-threshold:Super Optimizer (GB)">true</Entry><Entry name="over-threshold:Web Bar (GB)">true</Entry><Entry name="over-threshold:Web Bar (AU)">true</Entry><Entry name="over-threshold:Optimizer Pro (AR)">true</Entry><Entry name="over-threshold:Optimizer Pro (MX)">true</Entry><Entry name="over-threshold:Optimizer Pro (BR)">true</Entry><Entry name="over-threshold:Optimizer Pro (TR)">true</Entry><Entry name="over-threshold:Super Optimizer (DE)">true</Entry><Entry name="over-threshold:Super Optimizer (IN)">true</Entry><Entry name="over-threshold:Super Optimizer (RU)">true</Entry><Entry name="over-threshold:Super Optimizer (CN)">true</Entry><Entry name="over-threshold:Super Optimizer (ES)">true</Entry><Entry name="over-threshold:Super Optimizer (CH)">true</Entry><Entry name="over-threshold:Sup

<<< skipped >>>

Map

The Malware connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_580:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

PSSSSSSh

PSSSSSSh

6HdH.ls@zSNqT{hff)@ #

6HdH.ls@zSNqT{hff)@ #

advapi32.dll

advapi32.dll

debug.pdb

debug.pdb

comdlg32.dll

comdlg32.dll

SetNamedPipeHandleState

SetNamedPipeHandleState

CreateNamedPipeA

CreateNamedPipeA

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

msvcrt.dll

msvcrt.dll

_acmdln

_acmdln

_amsg_exit

_amsg_exit

ole32.dll

ole32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteExA

ShellExecuteExA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

55555555

55555555

lua51.dll

lua51.dll

CoCreateInstance failed(rc=%d)

CoCreateInstance failed(rc=%d)

All Files|*.*

All Files|*.*

Error creating ShellLink(rc=%d)

Error creating ShellLink(rc=%d)

CryptDuplicateKey

CryptDuplicateKey

CryptDeriveKey

CryptDeriveKey

CryptDestroyKey

CryptDestroyKey

luabridge.dll

luabridge.dll

shared_library.dll

shared_library.dll

luabridge.config

luabridge.config

luabridge.net

luabridge.net

resources.js

resources.js

luabridge.nsis

luabridge.nsis

444444444

444444444

%d.%d.%d

%d.%d.%d

win32.shell

win32.shell

luabridge.win32

luabridge.win32

__LOCALEXPORTS

__LOCALEXPORTS

luabridge.registry

luabridge.registry

111111111

111111111

./lua51.dll

./lua51.dll

local rshift,lshift,band=bit.rshift,bit.lshift,bit.band

local rshift,lshift,band=bit.rshift,bit.lshift,bit.band

local tohex=bit.tohex;

local tohex=bit.tohex;

local dict=ffi.new("char[?]",64)

local dict=ffi.new("char[?]",64)

function M.setSymbols(symbols)

function M.setSymbols(symbols)

ffi.copy(dict,symbols,64);

ffi.copy(dict,symbols,64);

seg = seg .. string.char(dict[bits]);

seg = seg .. string.char(dict[bits]);

seg = seg .. string.char(dict[bits]);

seg = seg .. string.char(dict[bits]);

table.insert(buf,seg);

table.insert(buf,seg);

seg=string.char(dict[idx]);

seg=string.char(dict[idx]);

seg=seg .. string.char(dict[bits]);

seg=seg .. string.char(dict[bits]);

table.insert(buf,seg)

table.insert(buf,seg)

table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3) 1])

table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3) 1])

return table.concat(buf);

return table.concat(buf);

local block=ffi.new("char[?]",block_sz);

local block=ffi.new("char[?]",block_sz);

function M.unb64(data)

function M.unb64(data)

table.insert(buf,ffi.string(block,p));

table.insert(buf,ffi.string(block,p));

local seg=ffi.string(block,p);

local seg=ffi.string(block,p);

--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));

--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));

table.insert(buf,seg);

table.insert(buf,seg);

return table.concat(buf)

return table.concat(buf)

M.setSymbols(DEF_DICT);

M.setSymbols(DEF_DICT);

function M.defaultDict()

function M.defaultDict()

M.setSymbols(DEF_DICT);

M.setSymbols(DEF_DICT);

M.unfilter = M.unb64

M.unfilter = M.unb64

M.setSymbols(loadarg);

M.setSymbols(loadarg);

return M.unb64;

return M.unb64;

Press any key to continue

Press any key to continue

require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");

require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");

return require('cleanup').runCleanup()

return require('cleanup').runCleanup()

dialog.image

dialog.image

resources.nsis

resources.nsis

./extramod.dll

./extramod.dll

%d.%.%d

%d.%.%d

luabridge.classes

luabridge.classes

resources.binlib

resources.binlib

resources.overlay

resources.overlay

luabridge.fs

luabridge.fs

mime.core

mime.core

dialog.html

dialog.html

resources.compressed

resources.compressed

key_duplicate

key_duplicate

key_encrypt

key_encrypt

777777777

777777777

%s expected data in index [1]

%s expected data in index [1]

key_destroy

key_destroy

Win32.Crypt.Key

Win32.Crypt.Key

derive_key

derive_key

Win32.Crypt.Hash

Win32.Crypt.Hash

key_decrypt

key_decrypt

provider_dervice_key

provider_dervice_key

%s expected table argument

%s expected table argument

default_key

default_key

bad argument #%d to %s('%s' expected)

bad argument #%d to %s('%s' expected)

Win32.Crypto.Provider

Win32.Crypto.Provider

%s expected 'length' with lightuserdata

%s expected 'length' with lightuserdata

%s

%s

99999999

99999999

miniz.DeflateZStream

miniz.DeflateZStream

inflateInit() failed (rc=%s)

inflateInit() failed (rc=%s)

deflate() failed(rc=%d)

deflate() failed(rc=%d)

Unsupported filter input(string|nil) expected

Unsupported filter input(string|nil) expected

miniz.InflateZStream

miniz.InflateZStream

inflate() failed(rc=%d)

inflate() failed(rc=%d)

deflateInit() failed (rc=%s)

deflateInit() failed (rc=%s)

Mime 1.0.3

Mime 1.0.3

zcÁ

zcÁ

version="61.6.7.6620"

version="61.6.7.6620"

setup.exe

setup.exe

61.6.7.6620

61.6.7.6620

%original file name%.exe_928:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

PSSSSSSh

PSSSSSSh

6HdH.ls@zSNqT{hff)@ #

6HdH.ls@zSNqT{hff)@ #

advapi32.dll

advapi32.dll

debug.pdb

debug.pdb

comdlg32.dll

comdlg32.dll

SetNamedPipeHandleState

SetNamedPipeHandleState

CreateNamedPipeA

CreateNamedPipeA

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

msvcrt.dll

msvcrt.dll

_acmdln

_acmdln

_amsg_exit

_amsg_exit

ole32.dll

ole32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteExA

ShellExecuteExA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

55555555

55555555

lua51.dll

lua51.dll

CoCreateInstance failed(rc=%d)

CoCreateInstance failed(rc=%d)

All Files|*.*

All Files|*.*

Error creating ShellLink(rc=%d)

Error creating ShellLink(rc=%d)

CryptDuplicateKey

CryptDuplicateKey

CryptDeriveKey

CryptDeriveKey

CryptDestroyKey

CryptDestroyKey

luabridge.dll

luabridge.dll

shared_library.dll

shared_library.dll

luabridge.config

luabridge.config

luabridge.net

luabridge.net

resources.js

resources.js

luabridge.nsis

luabridge.nsis

444444444

444444444

%d.%d.%d

%d.%d.%d

win32.shell

win32.shell

luabridge.win32

luabridge.win32

__LOCALEXPORTS

__LOCALEXPORTS

luabridge.registry

luabridge.registry

111111111

111111111

./lua51.dll

./lua51.dll

local rshift,lshift,band=bit.rshift,bit.lshift,bit.band

local rshift,lshift,band=bit.rshift,bit.lshift,bit.band

local tohex=bit.tohex;

local tohex=bit.tohex;

local dict=ffi.new("char[?]",64)

local dict=ffi.new("char[?]",64)

function M.setSymbols(symbols)

function M.setSymbols(symbols)

ffi.copy(dict,symbols,64);

ffi.copy(dict,symbols,64);

seg = seg .. string.char(dict[bits]);

seg = seg .. string.char(dict[bits]);

seg = seg .. string.char(dict[bits]);

seg = seg .. string.char(dict[bits]);

table.insert(buf,seg);

table.insert(buf,seg);

seg=string.char(dict[idx]);

seg=string.char(dict[idx]);

seg=seg .. string.char(dict[bits]);

seg=seg .. string.char(dict[bits]);

table.insert(buf,seg)

table.insert(buf,seg)

table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3) 1])

table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3) 1])

return table.concat(buf);

return table.concat(buf);

local block=ffi.new("char[?]",block_sz);

local block=ffi.new("char[?]",block_sz);

function M.unb64(data)

function M.unb64(data)

table.insert(buf,ffi.string(block,p));

table.insert(buf,ffi.string(block,p));

local seg=ffi.string(block,p);

local seg=ffi.string(block,p);

--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));

--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));

table.insert(buf,seg);

table.insert(buf,seg);

return table.concat(buf)

return table.concat(buf)

M.setSymbols(DEF_DICT);

M.setSymbols(DEF_DICT);

function M.defaultDict()

function M.defaultDict()

M.setSymbols(DEF_DICT);

M.setSymbols(DEF_DICT);

M.unfilter = M.unb64

M.unfilter = M.unb64

M.setSymbols(loadarg);

M.setSymbols(loadarg);

return M.unb64;

return M.unb64;

Press any key to continue

Press any key to continue

require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");

require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");

return require('cleanup').runCleanup()

return require('cleanup').runCleanup()

dialog.image

dialog.image

resources.nsis

resources.nsis

./extramod.dll

./extramod.dll

%d.%.%d

%d.%.%d

luabridge.classes

luabridge.classes

resources.binlib

resources.binlib

resources.overlay

resources.overlay

luabridge.fs

luabridge.fs

mime.core

mime.core

dialog.html

dialog.html

resources.compressed

resources.compressed

key_duplicate

key_duplicate

key_encrypt

key_encrypt

777777777

777777777

%s expected data in index [1]

%s expected data in index [1]

key_destroy

key_destroy

Win32.Crypt.Key

Win32.Crypt.Key

derive_key

derive_key

Win32.Crypt.Hash

Win32.Crypt.Hash

key_decrypt

key_decrypt

provider_dervice_key

provider_dervice_key

%s expected table argument

%s expected table argument

default_key

default_key

bad argument #%d to %s('%s' expected)

bad argument #%d to %s('%s' expected)

Win32.Crypto.Provider

Win32.Crypto.Provider

%s expected 'length' with lightuserdata

%s expected 'length' with lightuserdata

%s

%s

99999999

99999999

miniz.DeflateZStream

miniz.DeflateZStream

inflateInit() failed (rc=%s)

inflateInit() failed (rc=%s)

deflate() failed(rc=%d)

deflate() failed(rc=%d)

Unsupported filter input(string|nil) expected

Unsupported filter input(string|nil) expected

miniz.InflateZStream

miniz.InflateZStream

inflate() failed(rc=%d)

inflate() failed(rc=%d)

deflateInit() failed (rc=%s)

deflateInit() failed (rc=%s)

Mime 1.0.3

Mime 1.0.3

zcÁ

zcÁ

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp/h0nthn80NmAxFi2CggC

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp/h0nthn80NmAxFi2CggC

c:\%original file name%.exe

c:\%original file name%.exe

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

version="61.6.7.6620"

version="61.6.7.6620"

setup.exe

setup.exe

61.6.7.6620

61.6.7.6620