not-a-virus:AdWare.Win32.OutBrowse.g (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b8e98783b2c26aa2defbba363852676b
SHA1: cd5b9d5aed2be2b013f203d62b5f902455f18a4e
SHA256: 154386a0feb227ce0ec9dd8b90cb070ca4e8ae74ac666a1012c50c2e55edba07
SSDeep: 12288:79RUJg96 7RAA5OfkogdMfJBYMYevPIMZB8y7RP:7/UepP5Qg2nPfZB8
Size: 575776 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). "Trojan" is the MAS behavioural class; the Kaspersky name above (not-a-virus:AdWare.Win32.OutBrowse.g), the NSIS hallmarks in the file (the .ndata section in the PE table and the nsisunz.dll plugin it drops), the SmartInstallerLib type library registered by rdm.exe, the download from outbrowse.netdna-cdn.com and the affiliate-tagged beacons to smartinstaller.elasticbeanstalk.com all describe an OutBrowse/SmartInstaller bundler whose payload in this run is the MiniGet download manager together with its Internet Explorer browser helper object.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
wmic.exe:832
Setup_product_8181.exe:452
dwwin.exe:1776
%original file name%.exe:1652
MiniGet.exe:204
mscorsvw.exe:1912
Of these, dwwin.exe is Dr. Watson and mscorsvw.exe is the .NET native-image service; both are started by Windows rather than by the sample. The crash dump and appcompat.txt written below indicate that one of the sample's processes hit an unhandled exception, which the report does not attribute to a specific process.
The Trojan injects its code into the following process(es) (rdm.exe in %Temp% is most likely the PE unpacked from rdm.zip by the nsisunz.dll NSIS plugin that the original installer drops; see Dropped PE files. It is not listed among the created processes above):
rdm.exe:988
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process wmic.exe:832 makes changes in the file system. Its command line is not recorded; the temporary file name shares its numeric prefix with the Temp\914065962350 directory that rdm.exe later writes Setup_product_8181.exe into, and rdm.exe deletes the same file below, which suggests rdm.exe ran wmic.exe and captured its output.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\91406596235.txt (238 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\91406596235.txt (0 bytes)
The process Setup_product_8181.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Desktop\MiniGet.lnk (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj81.tmp (48331 bytes)
%Program Files%\MiniGet\uninst.exe (314 bytes)
%Program Files%\MiniGet\MiniGetHelper1.11.dll (5064 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\MiniGet\Uninstall.lnk (499 bytes)
%Program Files%\MiniGet\MiniGet.url (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\Internet.dll (4 bytes)
%Program Files%\MiniGet\MiniGet.exe (51840 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\MiniGet\Website.lnk (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\UserInfo.dll (4 bytes)
%Program Files%\MiniGet\Language.dat (3312 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\MiniGet\MiniGet.lnk (678 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\Internet.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp (0 bytes)
The process dwwin.exe:1776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\2885B7.dmp (173147 bytes)
The process %original file name%.exe:1652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.exe (398737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.dat (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7F.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7F.tmp\Convert.dll (3767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rdm.zip (57028 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rdm.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7F.tmp (0 bytes)
The process rdm.exe:988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\bottomLine[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\topLine[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\topComp[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Setup_product_8181[1].exe (104889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery-ui.min[1].js (7055 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\834b_appcompat.txt (5890 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bgImg[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[1].js (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-ui-1.8.19.custom[1].css (5521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\914065962350\Setup_product_8181.exe (74898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DynamicOfferScreen[1].htm (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery-ui[1].css (33 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\91406596235.txt (0 bytes)
The process MiniGet.exe:204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\MiniGet\Config\geturl.html (3 bytes)
Registry activity
The process wmic.exe:832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD E3 09 17 92 FB 9E DE 43 05 94 7B 5D 57 61 26"
The process Setup_product_8181.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\BhoPlugin.MiniGetBHO.1]
"(Default)" = "MiniGetBHO Class"
[HKCR\Torrent\DefaultIcon]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCR\BhoPlugin.MiniGetBHO\CurVer]
"(Default)" = "BhoPlugin.MiniGetBHO.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MiniGet]
"Publisher" = "MiniGet"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MiniGet.exe]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe"
[HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}\ProgID]
"(Default)" = "BhoPlugin.MiniGetBHO.1"
[HKCR\BhoPlugin.MiniGetBHO.1\CLSID]
"(Default)" = "{10E1725C-7237-41A9-954A-04DCCB1FD16C}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\.torrent]
"(Default)" = "Torrent"
[HKCR\TypeLib\{3C8BF053-0A65-46FE-A757-2187BD66EF34}\1.0]
"(Default)" = "BhoPlugin 1.0 Type Library"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4E38368B-9E70-487b-9D85-400D462A20AC}]
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\BhoPlugin.MiniGetBHO]
"(Default)" = "MiniGetBHO Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\Interface\{49859A6F-2284-4F06-9F8E-BFE56B35BA09}\TypeLib]
"(Default)" = "{3C8BF053-0A65-46FE-A757-2187BD66EF34}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCR\TypeLib\{3C8BF053-0A65-46FE-A757-2187BD66EF34}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Torrent\shell\open\command]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MiniGet]
"DisplayName" = "MiniGet 1.0.8.2504"
[HKCR\Interface\{49859A6F-2284-4F06-9F8E-BFE56B35BA09}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4E38368B-9E70-487b-9D85-400D462A20AC}]
"AppName" = "MiniGet.exe"
"AppPath" = "%Program Files%\MiniGet\MiniGet.exe"
[HKCR\Interface\{49859A6F-2284-4F06-9F8E-BFE56B35BA09}]
"(Default)" = "IMiniGetBHO"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MiniGet]
"DisplayIcon" = "%Program Files%\MiniGet\MiniGet.exe"
[HKCR\Torrent]
"(Default)" = "Torrent"
[HKCR\Torrent\shell]
"(Default)" = "open"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MiniGet]
"UninstallString" = "%Program Files%\MiniGet\uninst.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCR\BhoPlugin.MiniGetBHO\CLSID]
"(Default)" = "{10E1725C-7237-41A9-954A-04DCCB1FD16C}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCR\Torrent\shell\edit]
"(Default)" = "Edit Torrent"
[HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}\InprocServer32]
"(Default)" = "%Program Files%\MiniGet\MiniGetHelper1.11.dll"
[HKCR\TypeLib\{3C8BF053-0A65-46FE-A757-2187BD66EF34}\1.0\0\win32]
"(Default)" = "%Program Files%\MiniGet\MiniGetHelper1.11.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MiniGet]
"URLInfoAbout" = "http://www.miniget001.com"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 4C 43 42 11 B9 69 25 A1 E0 C8 D5 16 D4 6C 1F"
[HKCR\Interface\{49859A6F-2284-4F06-9F8E-BFE56B35BA09}\TypeLib]
"Version" = "1.0"
[HKCR\Torrent\shell\edit\command]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCR\Interface\{49859A6F-2284-4F06-9F8E-BFE56B35BA09}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}]
"(Default)" = "MiniGetBHO Class"
[HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}\TypeLib]
"(Default)" = "{3C8BF053-0A65-46FE-A757-2187BD66EF34}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCR\TypeLib\{3C8BF053-0A65-46FE-A757-2187BD66EF34}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MiniGet"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MiniGet]
"DisplayVersion" = "1.0.8.2504"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}\VersionIndependentProgID]
"(Default)" = "BhoPlugin.MiniGetBHO"
The Trojan sets the IE Local intranet zone option "Include all network paths (UNCs)" (this value and the ProxyBypass and IntranetName values below are IE's default Local intranet settings and are commonly written when WinINet initialises its configuration, so on their own they are weak indicators):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It registers a Browser Helper Object (BHO), a COM in-process server that Internet Explorer loads into every browser process at start-up, by creating the following key. The CLSID resolves through HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}\InprocServer32 (set above) to %Program Files%\MiniGet\MiniGetHelper1.11.dll, so that DLL runs with the browser's privileges. The same process also adds MiniGet.exe to HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy with Policy = 3, which on Windows Vista and later lets Protected Mode IE launch MiniGet.exe silently at medium integrity; it has no effect on the Windows XP SP3 analysis system.
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10E1725C-7237-41A9-954A-04DCCB1FD16C}]
"(Default)" = "MiniGetHelper"
The Trojan sets the Local intranet zone option "Include all sites that bypass the proxy server":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled. ProxyEnable = 0 with the ProxyServer, ProxyOverride and AutoConfigURL values removed (below) is the plain "no proxy" state; together with MigrateProxy = 1 and SavedLegacySettings above it is consistent with WinINet migrating its own settings rather than with the installer reconfiguring the proxy:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the Local intranet zone option "Include all local (intranet) sites not listed in other zones":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s) (the BHO key created above; the report records both the creation and the deletion and does not say which operation is final):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10E1725C-7237-41A9-954A-04DCCB1FD16C}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"
"ProxyServer"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MiniGet"
The process dwwin.exe:1776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 70 42 FB FE 4A B2 B8 12 4F 24 3D B6 D7 79 02"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 61 7B AB 3F 0F 23 F9 40 14 F1 7D 46 3B 07 B9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rdm.exe:988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rdm.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}]
"(Default)" = "CBrowserExternal Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0]
"(Default)" = "SmartInstallerLib"
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
"(Default)" = "IBrowserExternals"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rdm.exe"
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rdm.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A E5 3A DE C9 EA B4 47 01 FC B0 A4 D8 00 34 D7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS]
"(Default)" = "0"
The Trojan sets the Local intranet zone option "Include all network paths (UNCs)":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the Local intranet zone option "Include all sites that bypass the proxy server":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the Local intranet zone option "Include all local (intranet) sites not listed in other zones":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
The process MiniGet.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{3C465DCB-2BE0-4444-95DA-B62726035134}\TypeLib]
"(Default)" = "{8D1D099E-10E3-4A58-B430-0743E92DD35A}"
[HKCR\WtlEasyDownload.MiniGet\CurVer]
"(Default)" = "WtlEasyDownload.MiniGet.1"
[HKCR\WtlEasyDownload.MiniGet.1\CLSID]
"(Default)" = "{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}"
[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download by MiniGet]
"(Default)" = "%Program Files%\MiniGet\Config\geturl.html"
[HKCR\TypeLib\{8D1D099E-10E3-4A58-B430-0743E92DD35A}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}]
"AppID" = ""
[HKCR\TypeLib\{8D1D099E-10E3-4A58-B430-0743E92DD35A}\1.0]
"(Default)" = "WtlEasyDownload 1.0 typelib"
[HKCR\AppID\MiniGet.exe]
"AppID" = "{FB842EEC-64FD-4F93-9AA4-2B5ED5967833}"
[HKCR\WtlEasyDownload.MiniGet]
"(Default)" = "MiniGet Class"
[HKCR\WtlEasyDownload.MiniGet\CLSID]
"(Default)" = "{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}"
[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\Version]
"(Default)" = "1.0"
[HKCR\WtlEasyDownload.MiniGet.1]
"(Default)" = "MiniGet Class"
[HKCR\Interface\{3C465DCB-2BE0-4444-95DA-B62726035134}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\VersionIndependentProgID]
"(Default)" = "WtlEasyDownload.MiniGet"
[HKCR\TypeLib\{8D1D099E-10E3-4A58-B430-0743E92DD35A}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MiniGet"
[HKCR\Interface\{3C465DCB-2BE0-4444-95DA-B62726035134}]
"(Default)" = "IMiniGet"
[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\AppID\{FB842EEC-64FD-4F93-9AA4-2B5ED5967833}]
"(Default)" = "MiniGet.exe"
[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\TypeLib]
"(Default)" = "{8D1D099E-10E3-4A58-B430-0743E92DD35A}"
[HKCR\Interface\{3C465DCB-2BE0-4444-95DA-B62726035134}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download by MiniGet]
"Contexts" = "34"
[HKCR\TypeLib\{8D1D099E-10E3-4A58-B430-0743E92DD35A}\1.0\0\win32]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 65 BE 4C 2B 3D FF 4C 6A 2F 54 78 CD D0 BC 1F"
[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\ToolboxBitmap32]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe, 102"
[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\LocalServer32]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe"
[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}]
"(Default)" = "MiniGet Class"
[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{3C465DCB-2BE0-4444-95DA-B62726035134}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\ProgID]
"(Default)" = "WtlEasyDownload.MiniGet.1"
The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"
Dropped PE files
MD5 | File path |
---|---|
3b59515d6422423c08f40792b281fa18 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\914065962350\Setup_product_8181.exe |
d6e0ddfb07ce57131822da50e4683913 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw7F.tmp\Convert.dll |
5f13dbc378792f23e598079fc1e4422b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw7F.tmp\nsisunz.dll |
262baaa1c13e12792aa4e4ae1d8adf6e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\rdm.exe |
3b59515d6422423c08f40792b281fa18 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Setup_product_8181[1].exe |
06a9f7c6a2c0888eed6ed76ef868b26d | c:\Program Files\MiniGet\MiniGet.exe |
629c73313668a099bcf7901c0736ed4a | c:\Program Files\MiniGet\MiniGetHelper1.11.dll |
fcc1b73023b0e939934782e217de53cb | c:\Program Files\MiniGet\uninst.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Static Analysis
VersionInfo
Company Name:
Product Name: MiniGetSmartDownloader
Product Version: 5.0
Legal Copyright: MiniGetSmartDownloader
Legal Trademarks: MiniGetSmartDownloader
Original Filename:
Internal Name:
File Version:
File Description: MiniGetSmartDownloader
Comments: setup Installer
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 36864 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 229376 | 3304 | 3584 | 2.83326 | 550717244b27c3883eae8c7b64ece48e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 22
Network Activity
URLs
URL | IP |
---|---|
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=5654&distid=8701&productid=8181&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=1500000&d2=1&d3=-1&d4=-1&d5=-1&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&version=4.3 | |
hxxp://dlrevenyou.outbrowse.netdna-cdn.com/Files//Setup_product_8181.exe | |
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0& | |
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=5654&distid=8701&productid=8181&subpubid=0&campaignid=0&networkid=1&reqid=127431706&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=1500000&d2=1&d3=-1&d4=-1&d5=-1&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&status=0&installedid=8181&offerscreenid=&offerorder=15&downloadduration=1281&installduration=454&issecond=0 | |
hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css | |
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.5/jquery.min.js | |
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css | |
hxxp://www.miniget001.com/report.php?action=0&ver=1.0.8.2504 | 50.116.42.156 |
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js | |
hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme7/topLine.jpg | |
hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme7/bgImg.jpg | |
hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme7/topComp.png | |
hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme7/bottomLine.jpg | |
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png | |
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png | |
hxxp://static.revenyou.com/offers/images/Theme7/topComp.png | 198.232.124.224 |
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png | 64.233.171.95 |
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png | 64.233.171.95 |
hxxp://dl.revenyou.com/Files//Setup_product_8181.exe | 198.232.124.224 |
hxxp://data.getserverinfo.com/Installer/Flow?pubid=5654&distid=8701&productid=8181&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=1500000&d2=1&d3=-1&d4=-1&d5=-1&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&version=4.3 | 54.204.28.81 |
hxxp://data.getserverinfo.com/Installer/Track?pubid=5654&distid=8701&productid=8181&subpubid=0&campaignid=0&networkid=1&reqid=127431706&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=1500000&d2=1&d3=-1&d4=-1&d5=-1&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&status=0&installedid=8181&offerscreenid=&offerorder=15&downloadduration=1281&installduration=454&issecond=0 | 54.204.28.81 |
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js | 64.233.171.95 |
hxxp://static.revenyou.com/offers/images/Theme7/bottomLine.jpg | 198.232.124.224 |
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css | 64.233.171.95 |
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js | 64.233.171.95 |
hxxp://static.revenyou.com/offers/images/Theme7/bgImg.jpg | 198.232.124.224 |
hxxp://static.revenyou.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css | 198.232.124.224 |
hxxp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0& | 54.204.28.81 |
hxxp://static.revenyou.com/offers/images/Theme7/topLine.jpg | 198.232.124.224 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/css; charset=UTF-8
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Tue, 29 Jul 2014 05:18:10 GMT
Expires: Tue, 29 Jul 2014 06:18:10 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 6091
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 3019
Alternate-Protocol: 80:quic
GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Tue, 29 Jul 2014 05:46:41 GMT
Expires: Tue, 29 Jul 2014 06:46:41 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 88
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 1312
Alternate-Protocol: 80:quic
GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Fri, 12 Oct 2012 18:27:19 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Tue, 29 Jul 2014 05:29:16 GMT
Expires: Tue, 29 Jul 2014 06:29:16 GMT
Age: 2358
Server: GFE/2.0
Alternate-Protocol: 80:quic
GET /Files//Setup_product_8181.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dl.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 29 Jul 2014 06:08:28 GMT
Content-Type: application/octet-stream
Content-Length: 697949
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Thu, 27 Feb 2014 09:31:46 GMT
ETag: "19acebb9e33cf1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Tue, 05 Aug 2014 06:08:28 GMT
X-Cache: HIT
Accept-Ranges: bytes
GET /Installer/Flow?pubid=5654&distid=8701&productid=8181&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=1500000&d2=1&d3=-1&d4=-1&d5=-1&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&version=4.3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: data.getserverinfo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Tue, 29 Jul 2014 06:08:27 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 18943
Connection: keep-alive
GET /Installer/Track?pubid=5654&distid=8701&productid=8181&subpubid=0&campaignid=0&networkid=1&reqid=127431706&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=1500000&d2=1&d3=-1&d4=-1&d5=-1&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&status=0&installedid=8181&offerscreenid=&offerorder=15&downloadduration=1281&installduration=454&issecond=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: data.getserverinfo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Tue, 29 Jul 2014 06:08:27 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 8
Connection: keep-alive
..OK..HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; charset=utf-8..Date: Tue, 29 Jul 2014 06:08:27 GMT..Server: Microsoft-IIS/8.0..X-AspNet-Version: 4.0.30319..X-AspNetMvc-Version: 4.0..X-Powered-By: ASP.NET..Content-Length: 8..Connection: keep-alive....OK....
GET /report.php?action=0&ver=1.0.8.2504 HTTP/1.1
User-Agent: Lobo Lunar
Host: VVV.miniget001.com
HTTP/1.1 200 OK
Date: Tue, 29 Jul 2014 06:08:32 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.19
Vary: Accept-Encoding
Content-Length: 2
Content-Type: text/html
1...
GET //offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0& HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: direct.the-apps-track.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Tue, 29 Jul 2014 06:08:27 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 7095
Connection: keep-alive
.<html>. <head>. . <style type="text/css">. .ui-progressbar-value { background-image: url(images/pbar-ani.gif); }. </style>. . <link type="text/css" href="hXXp://static.revenyou.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css" rel="stylesheet" />. <link href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css" rel="stylesheet" type="text/css" />. <script type="text/javascript" src="hXXp://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>. <script type="text/javascript" src="hXXp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js"></script>.. <title>2 - NonProduct (MiniGet Smart Downloader)</title><script type='text/javascript'></script><style type='text/css'>body { width:100%; height:100%; margin:0px; padding:0px; font-size:font-family:helvetica; font-size:12px; } .divLeadpName { margin-left:61px; margin-top:9px; font-size:font-family:helvetica; font-style:italic; font-size:25px; font-weight:bold; color:black; position:absolute; } .divOnNext { position:absolute; bottom:11px; right:28px; width:124px; height:35px; cursor:pointer; background:url("hXXp://static.revenyou.com/offers/images/Theme7/button.png");} .divAccept { text-align:center; f
<<
<<< skipped >>>
GET /offers/ui/css/start/jquery-ui-1.8.19.custom.css HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 29 Jul 2014 06:08:29 GMT
Content-Type: text/css
Content-Length: 20706
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Thu, 26 Apr 2012 17:23:56 GMT
ETag: "ca38195cd123cd1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Tue, 05 Aug 2014 06:08:29 GMT
X-Cache: HIT
Accept-Ranges: bytes
GET /offers/images/Theme7/topLine.jpg HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 29 Jul 2014 06:08:33 GMT
Content-Type: image/jpeg
Content-Length: 1785
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Tue, 12 Mar 2013 18:05:10 GMT
ETag: "0fac224c1fce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Tue, 05 Aug 2014 06:08:33 GMT
X-Cache: HIT
Accept-Ranges: bytes
GET /offers/images/Theme7/bgImg.jpg HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 29 Jul 2014 06:08:33 GMT
Content-Type: image/jpeg
Content-Length: 2801
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Tue, 12 Mar 2013 18:05:10 GMT
ETag: "0fac224c1fce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Tue, 05 Aug 2014 06:08:33 GMT
X-Cache: HIT
Accept-Ranges: bytes
GET /offers/images/Theme7/bottomLine.jpg HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 29 Jul 2014 06:08:33 GMT
Content-Type: image/jpeg
Content-Length: 1654
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Wed, 13 Mar 2013 13:08:16 GMT
ETag: "35420d3eb1fce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Tue, 05 Aug 2014 06:08:33 GMT
X-Cache: HIT
Accept-Ranges: bytes
GET /ajax/libs/jquery/1.5/jquery.min.js HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Mon, 02 Apr 2012 18:24:28 GMT
Date: Tue, 29 Jul 2014 05:23:35 GMT
Expires: Tue, 29 Jul 2014 06:23:35 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 29947
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 2694
Alternate-Protocol: 80:quic
GET /ajax/libs/jqueryui/1.8/jquery-ui.min.js HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Tue, 29 Jul 2014 05:34:22 GMT
Expires: Tue, 29 Jul 2014 06:34:22 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 51558
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 2051
Alternate-Protocol: 80:quic
GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Tue, 29 Jul 2014 05:29:16 GMT
Expires: Tue, 29 Jul 2014 06:29:16 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 3457
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 2357
Alternate-Protocol: 80:quic
%Documents and Settings%\%current user%\Local Settings\Temp\91406596235.txt (238 bytes)
%Documents and Settings%\%current user%\Desktop\MiniGet.lnk (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj81.tmp (48331 bytes)
%Program Files%\MiniGet\uninst.exe (314 bytes)
%Program Files%\MiniGet\MiniGetHelper1.11.dll (5064 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\MiniGet\Uninstall.lnk (499 bytes)
%Program Files%\MiniGet\MiniGet.url (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\Internet.dll (4 bytes)
%Program Files%\MiniGet\MiniGet.exe (51840 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\MiniGet\Website.lnk (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\UserInfo.dll (4 bytes)
%Program Files%\MiniGet\Language.dat (3312 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\MiniGet\MiniGet.lnk (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2885B7.dmp (173147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.exe (398737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.dat (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7F.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7F.tmp\Convert.dll (3767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rdm.zip (57028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\bottomLine[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\topLine[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\topComp[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Setup_product_8181[1].exe (104889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery-ui.min[1].js (7055 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\834b_appcompat.txt (5890 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bgImg[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[1].js (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-ui-1.8.19.custom[1].css (5521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\914065962350\Setup_product_8181.exe (74898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DynamicOfferScreen[1].htm (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery-ui[1].css (33 bytes)
%Program Files%\MiniGet\Config\geturl.html (3 bytes)
