SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 910c8012ac4a3a3440664ee42a64190a
SHA1: eb0d39b14d42378a8ebb7737a25bf0cefcdbd1a0
SHA256: 3b61d152f28c4de1456a7b0236c6e352878fbd1661a7ad459a10fbbef62c62d2
SSDeep: 24576:QJLMLKmtvPyHu7FzV9TTWDxpy9pNg4W7HM89cN2QHC3:uiKmHyORVNTWHp7s8EQ
Size: 894520 bytes
File type: EXE
Platform: WIN32
Entropy: Packed (treat as a weak signal: the per-section entropies in the PE Sections table below peak at 5.54 bits/byte, well under the 7+ typical of compressed or encrypted payloads)
PEID: UPolyXv05_v6 (PEiD signature match only)
Company: Pro Preferred Installer
Created at: 2014-07-31 16:16:20
Analyzed on: WindowsXP SP3 32-bit
Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. The behaviour recorded below is that of a pay-per-install download wrapper: the sample (VersionInfo "Pro Preferred Installer", original filename setup.exe) fetches an offer manifest from service.downloadadmin.com over plain HTTP, downloads the Apache OpenOffice installer as the primary product, and stages third-party offers (Findwide Toolbar, MoneyViking, RocketTab, One System Care, Update Admin) whose EULA pages are cached under %Temp%\FvxiEESGs0th3PHLIZs.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
%original file name%.exe:404
%original file name%.exe:608
%original file name%.exe:1888
The Malware injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:608 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\jquery.js (1843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85678DAB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\nsis7z.dll (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01UZ4127\wbk2.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\step_on.gif (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\skip_all_offers_btn.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\decline.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\uninstall.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\401\moneyviking_490.mht (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\decline_offer_btn.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\install_now_btn.gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\minimise.gif (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01UZ4127\writer[1].jpg (6212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\headerBG.gif (366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin.zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\next.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\mod.css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\options.json (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\lua51.dll (3579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\stepBG.gif (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8MWF95DD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\truste.gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\offers.css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\DALogo2.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\shared_library.dll (1485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\developer_btn.gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\DALogo.jpg (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\progress.css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\405\Update_Admin_490_1.mht (1924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\index.html (10225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\common.js (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\404\onesystemcare_490.mht (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\ok.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\acceptGreen2x.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\cancel.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\403\rockettab_490.mht (1924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\close.gif (510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\290\findwide_nocheckboxes_490.mht (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01UZ4127\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\step_off.gif (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ML3M60RP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\knockout.js (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\1\OO-writer-openofficeuscom-bm25.mht (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\extramod.dll (675 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\loading_screen.dll (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\bg4.gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\back.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\cancel.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\icon_folder.gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\nsisunz.dll (40 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wbk1.tmp (0 bytes)
Registry activity
The process %original file name%.exe:404 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 50 D1 1F 99 6C E1 0E 15 8F 5D 46 FD 16 AD 86"
The process %original file name%.exe:608 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015120220151203]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015120220151203]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015120220151203]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015120220151203\"
"CachePrefix" = ":2015120220151203:"
"CacheLimit" = "8192"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 2E 63 E1 E1 DE 8F D1 78 F0 52 AD F4 A0 51 D9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The process also writes the following IE security-zone and proxy values. All four are Internet Explorer's defaults (the three "Local intranet" checkboxes on, no proxy), and on this fresh Windows XP image they are written when WinINet initialises and migrates its settings the first time a process uses it (compare "MigrateProxy" = "1" above), so they are consistent with a side effect of the installer's HTTP downloads rather than deliberate zone tampering:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (network paths (UNCs) are placed in the Local intranet zone)
"IntranetName" = "1" (local sites not listed in another zone are placed in the Local intranet zone)
"ProxyBypass" = "1" (sites that bypass the proxy server are placed in the Local intranet zone)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0" (no proxy configured)
The Malware deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1888 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 2C F1 71 E6 CF B0 09 97 3C C4 1C 31 02 AC FB"
Dropped PE files
MD5 | File path |
---|---|
edaf7c05730d7fb2cc52f7b9851dc5a0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FvxiEESGs0th3PHLIZs\extramod.dll |
44dac7f87bdf94d553f8d2cf073d605d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FvxiEESGs0th3PHLIZs\loading_screen.dll |
f0c59526f8186eadaf2171b8fd2967c1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FvxiEESGs0th3PHLIZs\lua51.dll |
692479f7c07a64a6a632148e382f0e22 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FvxiEESGs0th3PHLIZs\nsis7z.dll |
5f13dbc378792f23e598079fc1e4422b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FvxiEESGs0th3PHLIZs\nsisunz.dll |
0bfb8664639d8c349559d5a61960138a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FvxiEESGs0th3PHLIZs\shared_library.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:404
%original file name%.exe:608
%original file name%.exe:1888
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\jquery.js (1843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85678DAB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\nsis7z.dll (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01UZ4127\wbk2.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\step_on.gif (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\skip_all_offers_btn.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\decline.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\uninstall.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\401\moneyviking_490.mht (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\decline_offer_btn.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\install_now_btn.gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\minimise.gif (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01UZ4127\writer[1].jpg (6212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\headerBG.gif (366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin.zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\next.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\mod.css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\options.json (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\lua51.dll (3579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\stepBG.gif (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8MWF95DD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\truste.gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\offers.css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\DALogo2.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\shared_library.dll (1485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\developer_btn.gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\DALogo.jpg (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\progress.css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\405\Update_Admin_490_1.mht (1924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\index.html (10225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\common.js (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\404\onesystemcare_490.mht (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\ok.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\acceptGreen2x.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\cancel.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\403\rockettab_490.mht (1924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\close.gif (510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\290\findwide_nocheckboxes_490.mht (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01UZ4127\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\step_off.gif (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ML3M60RP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\res\knockout.js (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\1\OO-writer-openofficeuscom-bm25.mht (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\extramod.dll (675 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\loading_screen.dll (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\bg4.gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\back.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\cancel.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\skin\skin\icon_folder.gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FvxiEESGs0th3PHLIZs\nsisunz.dll (40 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: Pro Preferred Installer
Product Name: Pro Preferred Installer
Product Version: 50.4.8.219
Legal Copyright: Copyright (C) 2015
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 50.4.8.219
File Description: Pro Preferred Installer
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 52411 | 52736 | 4.48321 | 8a36f5dd626ddc7f32cff1aa477cad7e |
.rdata | 57344 | 10344 | 10752 | 3.9695 | 2b338e17612f83bf3890455274aa4bbf |
.data | 69632 | 15852 | 12288 | 4.732 | 7b3314b6ed59a17f79e6c9a4d412154e |
.bindat | 86016 | 586560 | 586752 | 5.54398 | feea5a1f76814518335d71faae6afcf2 |
.script | 675840 | 215036 | 215040 | 5.54432 | e25de589d4f46dc5a647668f0c063aa2 |
.rsrc | 892928 | 10752 | 10752 | 3.24224 | b14419f88a8bf804460091560a11b46a |
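The "Entropy: Packed" verdict in the summary does not match the section table: no section exceeds 5.54 bits/byte, and the two large sections (.bindat, .script) sit at 5.54, which is what plain script text or mixed data usually scores. The Python below is an added example, not part of the Lavasoft report, that computes Shannon entropy the way section tables like this one do and applies the usual rule-of-thumb labels; the byte buffers are constructed here and the thresholds (6.0 and 7.0) are conventions, not properties of this sample.

```python
"""Per-section Shannon entropy, to sanity-check an automated "Packed" verdict.

Added example; not code from the report. Buffers are constructed, thresholds are
rules of thumb: real compressed/encrypted data lands near 8, code and text lower.
"""
import math
import os
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(entropy):
    """Labels an analyst would attach to a row of a PE section table (assumed thresholds)."""
    if entropy >= 7.0:
        return "compressed-or-encrypted"
    if entropy >= 6.0:
        return "mixed"
    return "code-or-data"


def section_report(sections):
    """sections: dict of section name -> raw bytes; returns name -> (entropy, label)."""
    report = {}
    for name, blob in sections.items():
        h = shannon_entropy(blob)
        report[name] = (round(h, 3), classify(h))
    return report


def file_entropy(sections):
    """Whole-image entropy, the figure a summary line like 'Entropy: Packed' is based on."""
    return shannon_entropy(b"".join(sections.values()))


# Constructed stand-ins: ASCII script text, zero-filled data, and random bytes.
CONSTRUCTED = {
    ".script": b"local f = io.open('options.json')\nif not f then return end\n" * 800,
    ".data": b"\x00" * 4096,
    ".rand": os.urandom(65536),
}

if __name__ == "__main__":
    for name, (h, label) in section_report(CONSTRUCTED).items():
        print(f"{name:8s} {h:6.3f}  {label}")
    print(f"file     {file_entropy(CONSTRUCTED):6.3f}")
```

Run against the table above, every section of this sample classifies as code-or-data; a packer that actually compressed the 586 KB .bindat section would push it above 7.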
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&checksum=0 | 50.22.63.140 |
hxxp://a728.g.akamai.net/skins/da/03042014/DownloadAdmin_Google_DevInfo.zip | |
hxxp://service.downloadadmin.com/env?browserVersion=9&osVersion=Vista&productKey=&s=msn&browserName=IE&c=Srch_US_OpenOffice_us_Writer_PM&brand=openoffice.us.com&pid=TR&bc=1176227&osName=Windows&country=UA | 50.22.63.140 |
hxxp://a728.g.akamai.net/binstallers/BM2/openoffice/ipage/OO-writer-openofficeuscom-bm25.mht | |
hxxp://a728.g.akamai.net/products/BM2/findwidetoolbar/ipage/findwide_nocheckboxes_490.mht | |
hxxp://a728.g.akamai.net/products/BM2/moneyviking/ipage/moneyviking_490.mht | |
hxxp://a728.g.akamai.net/products/BM2/rockettab/ipage/rockettab_490.mht | |
hxxp://a728.g.akamai.net/products/BM2/onesystemcare/ipage/onesystemcare_490.mht | |
hxxp://a728.g.akamai.net/products/BM2/updateadmin/ipage/Update_Admin_490_1.mht | |
hxxp://install.downloadadmin.com/cms/cmsimages/openoffice/writer.jpg | 98.129.229.20 |
hxxp://mirror.mirror-files.com/skins/da/03042014/DownloadAdmin_Google_DevInfo.zip | 213.133.184.113 |
hxxp://mirror.downloadnet1210.com/products/BM2/findwidetoolbar/ipage/findwide_nocheckboxes_490.mht | 213.133.184.113 |
hxxp://mirror.downloadnet1210.com/products/BM2/onesystemcare/ipage/onesystemcare_490.mht | 213.133.184.113 |
hxxp://mirror.downloadnet1210.com/products/BM2/updateadmin/ipage/Update_Admin_490_1.mht | 213.133.184.113 |
hxxp://mirror.downloadnet1210.com/products/BM2/rockettab/ipage/rockettab_490.mht | 213.133.184.113 |
hxxp://mirror.downloadnet1210.com/binstallers/BM2/openoffice/ipage/OO-writer-openofficeuscom-bm25.mht | 213.133.184.113 |
hxxp://mirror.downloadnet1210.com/products/BM2/moneyviking/ipage/moneyviking_490.mht | 213.133.184.113 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
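No ET alerts are listed for this capture, yet the requests in the Traffic section below carry a custom User-Agent, Installer(ref=[...];windows=5.1;uac=false;...;elevated=true;...), that fingerprints the host and announces that the installer is running elevated, all over plain HTTP. The Python below is an added example, not part of the Lavasoft report, that parses that User-Agent and hunts for it across proxy-log lines. The log lines and their tab-separated layout (timestamp, client, method, host, path, user-agent) are constructed for the example; the host list is taken from the URL table above.

```python
"""Hunt for the DownloadAdmin-style 'Installer(...)' User-Agent in proxy logs.

Added example, not part of the report. SAMPLE_LOG is constructed to mirror the
User-Agent and hosts in the capture; the log format is an assumption.
"""
import re

# Hosts contacted by the sample, from the report's URL table.
KNOWN_HOSTS = {
    "service.downloadadmin.com",
    "install.downloadadmin.com",
    "mirror.mirror-files.com",
    "mirror.downloadnet1210.com",
    "a728.g.akamai.net",
}

UA_RE = re.compile(r"^Installer\((?P<body>.*)\)$")


def parse_installer_ua(ua):
    """Split 'Installer(k=v;k=v;...)' into a dict, or return None for any other UA.

    The ref=[...] value has its brackets stripped so it can be pivoted on directly.
    """
    m = UA_RE.match(ua.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("body").split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip().strip("[]")
    return fields


# Constructed log: timestamp, client IP, method, host, path, User-Agent (tab-separated).
SAMPLE_LOG = (
    "2015-12-02T00:44:54Z\t10.0.0.15\tGET\tservice.downloadadmin.com\t/install?bc=1176227&pid=TR\t"
    "Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;"
    "ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)\n"
    "2015-12-02T00:45:00Z\t10.0.0.15\tGET\tinstall.downloadadmin.com\t/cms/cmsimages/openoffice/writer.jpg\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\n"
    "2015-12-02T00:45:03Z\t10.0.0.15\tGET\tmirror.downloadnet1210.com\t"
    "/binstallers/BM2/openoffice/ipage/OO-writer-openofficeuscom-bm25.mht\t"
    "Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;"
    "ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)\n"
    "2015-12-02T01:10:11Z\t10.0.0.22\tGET\twww.example.org\t/index.html\t"
    "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0\n"
)


def triage(log_text):
    """One finding per line that carries the Installer UA or talks to a known host.

    Each finding keeps the reasons it fired and the ref token, so an analyst can
    group every request made by the same installer run.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _path, ua = line.split("\t", 5)
        fields = parse_installer_ua(ua)
        reasons = []
        if fields is not None:
            reasons.append("installer-ua")
            if fields.get("elevated") == "true":
                reasons.append("runs-elevated")
            if fields.get("uac") == "false":      # expected on XP, meaningful on Vista+
                reasons.append("uac-off")
        if host in KNOWN_HOSTS:
            reasons.append("known-host")
        if reasons:
            findings.append({
                "ts": ts, "client": client, "host": host,
                "ref": fields.get("ref") if fields else None,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The same match expressed as a Suricata rule (also an addition, not from the report) would key on the sticky buffer, for example `http.user_agent; content:"Installer(ref=["; startswith;`, with the ref value and the elevated=true flag left to the analyst rather than baked into the signature, since the ref token changes per download.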
Traffic
GET /install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&checksum=0 HTTP/1.1
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&checksum=0
X-Exe-Checksum: 0
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true
X-Exename: %original file name%.exe
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 02 Dec 2015 00:44:54 GMT
Age: 0
X-TVAR:
X-Cache: MISS
008000
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
 <Bundle>
 <LinkBelowEula>false</LinkBelowEula>
 <OptInDefault>false</OptInDefault>
 <PlainEula>false</PlainEula>
 <ProductBinary embed="false" msioptions="" options="/S">hXXp://mirror.downloadmanager145.com/binstallers/BM2/openoffice/exe/4_1_1/Apache_OpenOffice_4.1.1_Win_x86_install_en-US.exe</ProductBinary>
 <ProductEula comboPrimary="false" embed="false">hXXp://mirror.downloadnet1210.com/binstallers/BM2/openoffice/ipage/OO-writer-openofficeuscom-bm25.mht</ProductEula>
 <Primary>true</Primary>
 <ProductId>14</ProductId>
 <ProductName>OpenOffice Writer</ProductName>
 <Scramble>false</Scramble>
 </Bundle>
 <Bundle>
 <BrandingText>Findwide Toolbar - Flat Design - TB10723</BrandingText>
 <BrandingUrl>hXXp://VVV.downloadadmin.com</BrandingUrl>
 <Category>toolbar, search, home</Category>
 <CustomCss>color:#FFFFFF;</CustomCss>
 <CustomParameter Name="advertisername">eShield</CustomParameter>
 <If>
 <Not>
 <Env property="browser.chrome.is_default" op="=" value="true"/>
 </Not>
 <Not>
 <Env property="custom.browserName" op="=" value="Chrome"/>
<<< skipped >>>
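The response above is the whole control channel of the wrapper: an XML manifest, fetched over plain HTTP with X-Exe-Checksum: 0, that names the primary product binary, its silent-install switch (/S), and a list of offer bundles gated by <If>/<Not>/<Env> conditions on the host. Anyone on the path can substitute the ProductBinary URL. The Python below is an added example, not code from the report or from the installer's authors, that parses such a manifest and evaluates the offer conditions. The embedded manifest reproduces the captured first bundle and the start of the second; because the capture is truncated mid-element, the second bundle is closed with placeholder elements (OptInDefault, ProductBinary with a reserved .example host) that are assumptions. AND semantics for <If>, and the "=" and "!=" operators, are likewise inferred from the fragment, not documented by the page.

```python
"""Parse a DownloadAdmin-style bundle manifest and evaluate its offer gating.

Added example, not part of the report. MANIFEST is constructed from the captured
fragment; elements after the marked comment are placeholders. <If> is treated as
AND over its children, <Not> negates one child, <Env> compares a host property.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
  <Bundle>
    <LinkBelowEula>false</LinkBelowEula>
    <OptInDefault>false</OptInDefault>
    <PlainEula>false</PlainEula>
    <ProductBinary embed="false" msioptions="" options="/S">hXXp://mirror.downloadmanager145.com/binstallers/BM2/openoffice/exe/4_1_1/Apache_OpenOffice_4.1.1_Win_x86_install_en-US.exe</ProductBinary>
    <ProductEula comboPrimary="false" embed="false">hXXp://mirror.downloadnet1210.com/binstallers/BM2/openoffice/ipage/OO-writer-openofficeuscom-bm25.mht</ProductEula>
    <Primary>true</Primary>
    <ProductId>14</ProductId>
    <ProductName>OpenOffice Writer</ProductName>
    <Scramble>false</Scramble>
  </Bundle>
  <Bundle>
    <BrandingText>Findwide Toolbar - Flat Design - TB10723</BrandingText>
    <BrandingUrl>hXXp://VVV.downloadadmin.com</BrandingUrl>
    <Category>toolbar, search, home</Category>
    <CustomParameter Name="advertisername">eShield</CustomParameter>
    <If>
      <Not><Env property="browser.chrome.is_default" op="=" value="true"/></Not>
      <Not><Env property="custom.browserName" op="=" value="Chrome"/></Not>
    </If>
    <!-- everything below is a placeholder: the capture is truncated here -->
    <OptInDefault>true</OptInDefault>
    <ProductBinary embed="false" options="/S">hxxp://mirror.example/offer_setup.exe</ProductBinary>
  </Bundle>
</Installer>
"""


def _text(el, tag, default=""):
    child = el.find(tag)
    return child.text.strip() if child is not None and child.text else default


def fetched_over_plain_http(url):
    """True when the binary would arrive unauthenticated: http, or defanged hxxp/hXXp."""
    scheme = urlsplit(url).scheme.lower().replace("x", "t")   # hxxp -> http, hxxps -> https
    return scheme == "http"


def evaluate(cond, env):
    """Evaluate an <If>/<Not>/<Env> subtree against a dict of host properties."""
    if cond.tag == "Env":
        actual, op, value = env.get(cond.get("property")), cond.get("op"), cond.get("value")
        if op == "=":
            return actual == value
        if op == "!=":
            return actual != value
        raise ValueError(f"unsupported op {op!r}")
    if cond.tag == "Not":
        (child,) = list(cond)
        return not evaluate(child, env)
    if cond.tag == "If":
        return all(evaluate(c, env) for c in cond)
    raise ValueError(f"unknown condition element {cond.tag!r}")


def offers(manifest_xml, env):
    """One record per <Bundle>: what it installs, how, and whether this host qualifies."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    result = []
    for bundle in root.findall("Bundle"):
        cond = bundle.find("If")
        binary_el = bundle.find("ProductBinary")
        binary = _text(bundle, "ProductBinary")
        result.append({
            "name": _text(bundle, "ProductName") or _text(bundle, "BrandingText"),
            "primary": _text(bundle, "Primary") == "true",
            "opt_in_default": _text(bundle, "OptInDefault") == "true",
            "silent_args": binary_el.get("options") if binary_el is not None else None,
            "eligible": True if cond is None else evaluate(cond, env),
            "binary": binary,
            "unauthenticated_download": fetched_over_plain_http(binary) if binary else False,
        })
    return result


if __name__ == "__main__":
    host = {"browser.chrome.is_default": "false", "custom.browserName": "IE"}
    for offer in offers(MANIFEST, host):
        print(offer)
```

Note that the installer also reports the host's browser in the query string (browserName=IE, osVersion=Vista) while the User-Agent says windows=5.1, so the server-side gating and the client-side <Env> evaluation can disagree; the `env` dict passed here is whatever the client would populate.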
POST /install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&checksum=0 HTTP/1.1
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&checksum=0
X-Exe-Checksum: 0
Content-Length: 9
Content-Type: application/x-www-form-urlencoded
X-Exename: %original file name%.exe
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: service.downloadadmin.com
Connection: Keep-Alive
delta=375
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 02 Dec 2015 00:44:57 GMT
Age: 0
X-Cache: MISS
GET /env?browserVersion=9&osVersion=Vista&productKey=&s=msn&browserName=IE&c=Srch_US_OpenOffice_us_Writer_PM&brand=openoffice.us.com&pid=TR&bc=1176227&osName=Windows&country=UA HTTP/1.1
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&checksum=0
X-Exe-Checksum: 0
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1176227&pid=TR&brand=openoffice.us.com&s=msn&c=Srch_US_OpenOffice_us_Writer_PM&country=US&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true
X-Exename: %original file name%.exe
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 02 Dec 2015 00:44:58 GMT
Age: 0
X-TVAR:
X-Cache: MISS
002337..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Installer><Environment><Entry name="over-threshold:PremierOpinion (US) (1457)">true</Entry><Entry name="over-threshold:PremierOpinion (US) (1456)">true</Entry><Entry name="over-threshold:PremierOpinion (US) (1449)">true</Entry><Entry name="over-threshold:One System Care (US) (Chrome)">true</Entry><Entry name="over-threshold:Super Optimizer (US)">true</Entry><Entry name="over-threshold:PremierOpinion (UK)">true</Entry><Entry name="over-threshold:PremierOpinion (UK) (1456)">true</Entry><Entry name="over-threshold:Super Optimizer (GB)">true</Entry><Entry name="over-threshold:Web Bar (GB)">true</Entry><Entry name="over-threshold:Web Bar (AU)">true</Entry><Entry name="over-threshold:Optimizer Pro (AR)">true</Entry><Entry name="over-threshold:Optimizer Pro (MX)">true</Entry><Entry name="over-threshold:Optimizer Pro (BR)">true</Entry><Entry name="over-threshold:Optimizer Pro (TR)">true</Entry><Entry name="over-threshold:Registry Helper (SafeApp Software) (INTL)">true</Entry><Entry name="over-threshold:PremierOpinion (FR)">true</Entry><Entry name="over-threshold:PremierOpinion (AU)">true</Entry><Entry name="over-threshold:PremierOpinion (DE)">true</Entry><Entry name="over-threshold:PremierOpinion (BR)">true</Entry>
<<< skipped >>>
GET /cms/cmsimages/openoffice/writer.jpg HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: install.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.4
Content-Type: image/jpeg
Date: Wed, 02 Dec 2015 00:45:00 GMT
Accept-Ranges: bytes
Connection: Keep-Alive
Set-Cookie: X-Mapping-dbfpeoop=69071A17C24CFA9DDF58AC8A8F62766E; path=/
Last-Modified: Fri, 18 Jan 2013 19:40:03 GMT
X-Cache-Info: caching
Content-Length: 63397
......JFIF.....d.d......Ducky.......H......Adobe.d.................................................................................................................................................................................................................................................!1..AQa".q.2..B#.$......Rb3.r..4.....CS...t.s..T.eV.5..v........................!1.AQa..q."2......B.R#..br3......C.$.S4D............?..h.....5. .$..,.Ze..n..w._.E<.8c...xQ>k.....<.|.....O).....~U.R.k..z|.<.<...#.S.C.a.z<.|.<....*.).5...yS.C.b...*yHy.?.G.<.<......R.k....O).5..r<..!...9.U>R.k..r<.....3.O.<.<.Fq.....>k.`'..B,.....).!....!O!...8..Q....o.......s.c..)...9......t<.!.#.S..>s....O.D..o......dO...=>B...>k..#.S...X...B...>k.`#.S.Q>k.q....T[.a..<.>..5. ..S.Q.k..#...Q.k. #.S...k.@G..."<.<@G.O.". .1...... .1...?N...x....B(....<.."<.8AG.<.<.8AG...P.X...T.P.X...U.J.k........X|...yHy.i..*yH.5.0..)..VVF.(...Qo1..(.........T..o5...<.>..YY...*..".##T..T}2..23.>U.J.y.a..*..".!..O..X.........t....#.\.n| 6.....j..I@.Q.I..E .cS..I.d.P..H.|. ..'......H"G..* H.'..$.}).H..NU.$:|=hD..J..'O..D..T.....).Q.........$...c....-.R...^..u.-..S....<..P.1.H'P...*.-.B.JA).(...#J.. ...T.i.P<....SM$...i,...i&D".I2..S....J...%X.j.%G..i*..SIQ....).........Q....*. ]B.D. ...i..%B..P...yTi"F.<.t.L.@R.&D@...^F.=*`.........@SI.. Ti,0..Ii.QQ..d.?..i/&.&..XVl ...e$.iw.[0En.....s../t]CU..u.1..z.U.E..'X...(5....v.5...........j.....A.......P.C.V.....<..P.
<<< skipped >>>
GET /binstallers/BM2/openoffice/ipage/OO-writer-openofficeuscom-bm25.mht HTTP/1.1
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "a2999772c3f42d84b5185004a58392c0:1348790843"
Last-Modified: Thu, 27 Sep 2012 23:41:31 GMT
Accept-Ranges: bytes
Content-Length: 2266
Content-Type: text/plain
Date: Wed, 02 Dec 2015 00:44:59 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: Untitled Document..Date: Tue, 23 Aug 2011 14:06:37 -0700..MIME-Version: 1.0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: hXXp://install.downloadadmin.com/uber/Open_office/Writer/writer_da.php..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML=20..xmlns=3D"hXXp://VVV.w3.org/1999/xhtml"><HEAD><TITLE>Untitled =..Document</TITLE>..<META content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type>..<STYLE type=3Dtext/css>BODY {...MARGIN: 0px..}...style7 {...FONT-FAMILY: Geneva, Arial, Helvetica, sans-serif; COLOR: #666; =..FONT-SIZE: 11px..}..</STYLE>..<META name=3DGENERATOR content=3D"MSHTML 8.00.7601.17655"></HEAD>..<BODY>..<DIV=20..style=3D"BACKGROUND-IMAGE: =..url(hXXp://install.downloadadmin.com/cms/cmsimages/openoffice/writer.jpg)=..; WIDTH: 490px; BACKGROUND-REPEAT: no-repeat; BACKGROUND-POSITION: left =..top; HEIGHT: 450px">..<DIV=20..style=3D"PADDING-BOTTOM: 0px; PADDING-LEFT: 35px; PADDING-RIGHT: 35px; =..PADDING-TOP: 345px"=20..align=3Dleft><SPAN class=3Dstyle7>OpenOfficeSuite is an open source =..product=20..developed by Oracle Corporation licensed under <A=20..href=3D"hXXp://VVV.gnu.org/licenses/lgpl.html" target=3D_blank>GNU LGPL =..v3</A>
<<< skipped >>>
GET /products/BM2/findwidetoolbar/ipage/findwide_nocheckboxes_490.mht HTTP/1.1
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "d526c0dae99b16719f4f02416715c27f:1405373453"
Last-Modified: Mon, 14 Jul 2014 21:30:53 GMT
Accept-Ranges: bytes
Content-Length: 15352
Content-Type: text/plain
Date: Wed, 02 Dec 2015 00:44:59 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy Offer w/EULA..Date: Mon, 14 Jul 2014 17:30:45 -0400..MIME-Version: 1.0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: hXXp://install.downloadadmin.com/bm2.5_ALL_OFFERS/advertisers/tnt/findwide_nocheckboxes.php?mode=preview..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD><TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 450_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT: =..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif; COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relative; BACKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIGHT: 450px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#toolbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula {...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#baselineCheckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px; HEIGHT: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIGHT: 145px; TOP: 260px; LEFT: 20px..}..#eula {...WIDTH:
<<< skipped >>>
GET /products/BM2/moneyviking/ipage/moneyviking_490.mht HTTP/1.1
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "2aaec5237cf6fea275c19597b2efc7b2:1447446596"
Last-Modified: Fri, 13 Nov 2015 20:29:56 GMT
Accept-Ranges: bytes
Content-Length: 34927
Content-Type: text/plain
Date: Wed, 02 Dec 2015 00:44:59 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy Offer w/EULA..Date: Fri, 13 Nov 2015 15:28:42 -0500..MIME-Version: 1.0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: hXXp://install.downloadadmin.com/bm2.5_ALL_OFFERS/advertisers/moneyviking/EULA.php..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD><TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 450_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT: =..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif; COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relative; BACKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIGHT: 450px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#toolbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula {...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#baselineCheckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px; HEIGHT: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIGHT: 145px; TOP: 230px; LEFT: 20px..}..#eula {...WIDTH: 450px; HEIGHT: 200px;
<<< skipped >>>
GET /products/BM2/rockettab/ipage/rockettab_490.mht HTTP/1.1
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "86c1268b2989e21ee1276a68d828078b:1406649493"
Last-Modified: Tue, 29 Jul 2014 15:58:13 GMT
Accept-Ranges: bytes
Content-Length: 23514
Content-Type: text/plain
Date: Wed, 02 Dec 2015 00:44:59 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy Offer w/EULA..Date: Tue, 29 Jul 2014 11:57:47 -0400..MIME-Version: 1.0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: hXXp://install.downloadadmin.com/bm2.5_ALL_OFFERS/advertisers/rockettab/uniform_eula.php..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD><TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 450_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT: =..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif; COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relative; BACKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIGHT: 450px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#toolbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula {...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#baselineCheckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px; HEIGHT: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIGHT: 145px; TOP: 230px; LEFT: 20px..}..#eula {...WIDTH: 450px; HEIGHT:
<<< skipped >>>
GET /products/BM2/onesystemcare/ipage/onesystemcare_490.mht HTTP/1.1
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "fbf24e88e7a942bf9651dda851b4739b:1431544513"
Last-Modified: Wed, 13 May 2015 19:15:13 GMT
Accept-Ranges: bytes
Content-Length: 15917
Content-Type: text/plain
Date: Wed, 02 Dec 2015 00:44:59 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy Offer w/EULA..Date: Wed, 13 May 2015 15:15:06 -0400..MIME-Version: 1.0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: hXXp://install.downloadadmin.com/bm2.5_ALL_OFFERS/advertisers/onesystemcare/uniform_eula.php..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD><TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 450_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT: =..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif; COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relative; BACKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIGHT: 450px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#toolbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula {...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#baselineCheckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px; HEIGHT: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIGHT: 145px; TOP: 230px; LEFT: 20px..}..#eula {...WIDTH: 450px; HEIG
<<< skipped >>>
GET /products/BM2/updateadmin/ipage/Update_Admin_490_1.mht HTTP/1.1
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "51943c10df43f524c8a34441c5bd6023:1418079573"
Last-Modified: Mon, 08 Dec 2014 22:59:33 GMT
Accept-Ranges: bytes
Content-Length: 24576
Content-Type: text/plain
Date: Wed, 02 Dec 2015 00:44:59 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy Offer w/EULA..Date: Thu, 4 Sep 2014 13:57:27 -0400..MIME-Version: 1.0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: hXXp://install.downloadadmin.com/bm2.5_ALL_OFFERS/advertisers/UpdateAdmin/uniform_eula.php..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD><TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 450_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT: =..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif; COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relative; BACKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIGHT: 450px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#toolbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula {...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#baselineCheckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px; HEIGHT: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIGHT: 145px; TOP: 230px; LEFT: 20px..}..#eula {...WIDTH: 450px; HEIGHT:
<<< skipped >>>
GET /skins/da/03042014/DownloadAdmin_Google_DevInfo.zip HTTP/1.1
User-Agent: Installer(ref=[162d599112667f9e38bd8dd7655afad80b34a5d2];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=283108;pid=608)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "1afaa98075fcb4e70a449fb2c68d2f91:1393974846"
Last-Modified: Tue, 04 Mar 2014 23:14:06 GMT
Accept-Ranges: bytes
Content-Length: 84488
Content-Type: application/zip
Date: Wed, 02 Dec 2015 00:44:57 GMT
Connection: keep-alive
PK.........ydD....k...y.......options.json%.;.. ....xf.S.. ]....E...e.z.V....{.'.Y{..>.Br......kr.l.g..hu.2.."((\.".<j...J._..$.' .j......m.G........PK.........ydDj..m............skin/.DS_Store..1..0......M\:2v....!x./....{t%..i..j....oB..P..x..@..................f.t|?MD...>....k<...]...V.y......f...m^.Z........e...".............0..u.....'<.[7n......p..-le.W.."...PK.........ydD../.............skin/acceptGreen2x.gif.U.T....$.:...P.E..$$.$...J ...a.....zS. ...JK@...R...8".t..t. EA......].{....[.....?........oie...........rY.~#...&..\(c..g.c.k.W..!rq'........HHH..d..%F.....#.g.......a...op....,.~.o....3".. )..t.......'..8.u..d....Y..c.#q.;v^.=..Z..F..y..-..2...p........b.7...R.3~.\F]..H..._...xI.G.8.[......S...a...8.F}."../.......c...~".~vS-......P.n...;../.....) .b......CO........t....}.=.....E.-G..l4.z.....<l...M.l.p.s..-G.H].i<.......5.....?.XK.D.U.!....5r..L4....qjur....S8.....GO/....c....9..S....$..{......As....@/P........ C.....t.."...M%D.Q....=.|<0..8#.A.6...G.q.F....c#...=..P.....pe.? !>...?6.?l...Q.:..S..--...~.:..Z'.H......tOiicut.H=.?.... ...3f..../.*{....pxxx.f8J3 .....`~.@"O.#N.G...G...V.......D..P...?d....!...?C.....R......4=.....4..&........9C.......4...%8 4....W.o..=..p...}.u?)..f...~... 3C...MO.'...E.!.:z..ss.........,..f:.Hs..:.7........6.....s.F...L.d..0.0....Z.....{P~r...E.[..4............H..!....4.....v........#=....D..xZ...A.q.X..b....?....3..;.....si...L.U.........1A................._.V?.|Z^..aqa~....4wjrb|ltdx........7=.]...m.._..l~....g.6>.4.?y\W..............
<<< skipped >>>
Map
The Malware connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_404:
.text
`.rdata
@.data
.bindat
@.script
@.rsrc
PSSSSSSh
%d.%d.%d
./shared_library.dll
./extramod.dll
./lua51.dll
advapi32.dll
Error creating ShellLink(rc=%d)
CoCreateInstance failed(rc=%d)
All Files|*.*
miniz.InflateZStream
miniz.DeflateZStream
inflate() failed(rc=%d)
deflate() failed(rc=%d)
Unsupported filter input(string|nil) expected
deflateInit() failed (rc=%s)
inflateInit() failed (rc=%s)
derive_key
default_key
KEYLEN
UPDATE_KEY
EXPORTABLE
DELETE_KEYSET
MACHINE_KEYSET
NEWKEYSET
BAD_KEYSET
NO_KEY
BAD_PUBLIC_KEY
bad argument #%d to %s('%s' expected)
%s
provider_derive_key
key_destroy
%s expected data in index [1]
%s expected 'length' with lightuserdata
%s expected table argument
key_encrypt
key_decrypt
key_duplicate
Win32.Crypt.Key
Win32.Crypt.Hash
Win32.Crypto.Provider
@MIME 1.0.3
debug.pdb
USER32.dll
GDI32.dll
KERNEL32.dll
comdlg32.dll
ole32.dll
SHFileOperationA
SHELL32.dll
msvcrt.dll
_acmdln
_amsg_exit
luabridge.classes
resources.compressed
require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");
return require('cleanup').runCleanup()
resources.binlib
local rshift,lshift,band=bit.rshift,bit.lshift,bit.band
local tohex=bit.tohex;
local dict=ffi.new("char[?]",64)
function M.setSymbols(symbols)
ffi.copy(dict,symbols,64);
seg = seg .. string.char(dict[bits]);
seg = seg .. string.char(dict[bits]);
table.insert(buf,seg);
seg=string.char(dict[idx]);
seg=seg .. string.char(dict[bits]);
table.insert(buf,seg)
table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3) + 1])
return table.concat(buf);
local block=ffi.new("char[?]",block_sz);
function M.unb64(data)
table.insert(buf,ffi.string(block,p));
local seg=ffi.string(block,p);
--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));
table.insert(buf,seg);
return table.concat(buf)
M.setSymbols(DEF_DICT);
function M.defaultDict()
M.setSymbols(DEF_DICT);
M.unfilter = M.unb64
M.setSymbols(loadarg);
return M.unb64;
luabridge.net
win32.shell
luabridge.config
dialog.image
resources.nsis
dialog.html
Press any key to continue
luabridge.fs
luabridge.win32
luabridge.registry
luabridge.nsis
resources.js
%d.%.%d
mime.core
.ViLPW
CryptDeriveKey
CryptDestroyKey
CryptDuplicateKey
lua51.dll
luabridge.dll
shared_library.dll
zcÃ
|[%s!
.xuUF
%xG=Q1
M'0%S
P@.mO8I
<.wd>
2.xU9
Ln%Fqo
(aö>
d].Jt
.Pla:
PJI%uS|
qX.Zmm&;
9^.zd>rb
f[2)|%F
E.tr[
l-Y}kOv
c~.Ibc_
_D-AfU%C&
Dk.pz
I.rJ3
O.zDE(3
JuBY%4U
ZJZ.vS
6G.QG
w.Wh>
#.Fl1
l}PÜe
.OO}V?CH}
E#h%S
-M}A%y
]dS
C`n:d%S
3j.AK
yJ.AG
)9V.WzS
l-z}yL
g#,.JZP
8$.WB
,'%fG
o.YaMZ!
.yH}v
NW%Xh
L0 ð
!r_of
J .skn
w.jtO
9~'.zB
.NqEc
{%Fve
.hf-a
$}ßDq
o4g%C
/.KQP
.vWTDB
ym%F!/
[j%UKlU
.cGH'
ny-.FF
Jb$%uFK
/tX.NLe
6.DmM
stdole2.tlbWWW
Created by MIDL version 7.00.0555 at Sun Aug 02 21:17:40 2015
version="50.4.8.219"
setup.exe
50.4.8.219
%original file name%.exe_608:
.text
`.rdata
@.data
.bindat
@.script
@.rsrc
PSSSSSSh
%d.%d.%d
./shared_library.dll
./extramod.dll
./lua51.dll
advapi32.dll
Error creating ShellLink(rc=%d)
CoCreateInstance failed(rc=%d)
All Files|*.*
miniz.InflateZStream
miniz.DeflateZStream
inflate() failed(rc=%d)
deflate() failed(rc=%d)
Unsupported filter input(string|nil) expected
deflateInit() failed (rc=%s)
inflateInit() failed (rc=%s)
derive_key
default_key
KEYLEN
UPDATE_KEY
EXPORTABLE
DELETE_KEYSET
MACHINE_KEYSET
NEWKEYSET
BAD_KEYSET
NO_KEY
BAD_PUBLIC_KEY
bad argument #%d to %s('%s' expected)
%s
provider_derive_key
key_destroy
%s expected data in index [1]
%s expected 'length' with lightuserdata
%s expected table argument
key_encrypt
key_decrypt
key_duplicate
Win32.Crypt.Key
Win32.Crypt.Hash
Win32.Crypto.Provider
@MIME 1.0.3
debug.pdb
USER32.dll
GDI32.dll
KERNEL32.dll
comdlg32.dll
ole32.dll
SHFileOperationA
SHELL32.dll
msvcrt.dll
_acmdln
_amsg_exit
luabridge.classes
resources.compressed
require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");
return require('cleanup').runCleanup()
resources.binlib
local rshift,lshift,band=bit.rshift,bit.lshift,bit.band
local tohex=bit.tohex;
local dict=ffi.new("char[?]",64)
function M.setSymbols(symbols)
ffi.copy(dict,symbols,64);
seg = seg .. string.char(dict[bits]);
seg = seg .. string.char(dict[bits]);
table.insert(buf,seg);
seg=string.char(dict[idx]);
seg=seg .. string.char(dict[bits]);
table.insert(buf,seg)
table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3) + 1])
return table.concat(buf);
local block=ffi.new("char[?]",block_sz);
function M.unb64(data)
table.insert(buf,ffi.string(block,p));
local seg=ffi.string(block,p);
--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));
table.insert(buf,seg);
return table.concat(buf)
M.setSymbols(DEF_DICT);
function M.defaultDict()
M.setSymbols(DEF_DICT);
M.unfilter = M.unb64
M.setSymbols(loadarg);
return M.unb64;
luabridge.net
win32.shell
luabridge.config
dialog.image
resources.nsis
dialog.html
Press any key to continue
luabridge.fs
luabridge.win32
luabridge.registry
luabridge.nsis
resources.js
%d.%.%d
mime.core
.ViLPW
CryptDeriveKey
CryptDestroyKey
CryptDuplicateKey
lua51.dll
luabridge.dll
shared_library.dll
zcÃ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp/FvxiEESGs0th3PHLIZs
c:\%original file name%.exe
?456789:;
!"#$%&'()*+,-./0123
|[%s!
.xuUF
%xG=Q1
M'0%S
P@.mO8I
<.wd>
2.xU9
Ln%Fqo
(aö>
d].Jt
.Pla:
PJI%uS|
qX.Zmm&;
9^.zd>rb
f[2)|%F
E.tr[
l-Y}kOv
c~.Ibc_
_D-AfU%C&
Dk.pz
I.rJ3
O.zDE(3
JuBY%4U
ZJZ.vS
6G.QG
w.Wh>
#.Fl1
l}PÜe
.OO}V?CH}
E#h%S
-M}A%y
]dS
C`n:d%S
3j.AK
yJ.AG
)9V.WzS
l-z}yL
g#,.JZP
8$.WB
,'%fG
o.YaMZ!
.yH}v
NW%Xh
L0 ð
!r_of
J .skn
w.jtO
9~'.zB
.NqEc
{%Fve
.hf-a
$}ßDq
o4g%C
/.KQP
.vWTDB
ym%F!/
[j%UKlU
.cGH'
ny-.FF
Jb$%uFK
/tX.NLe
6.DmM
stdole2.tlbWWW
Created by MIDL version 7.00.0555 at Sun Aug 02 21:17:40 2015
version="50.4.8.219"
setup.exe
50.4.8.219