SearchProtectToolbar_pcap_4b1686cef4

by malwarelabrobot on February 2nd, 2016 in Malware Descriptions.

SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 4b1686cef42937337c03faaeb57ff456
SHA1: 37b924ea0a71cb34a8b36cdbab6a121b70bc5e12
SHA256: fbb6737d1a80772b012305a144827b681ecfb8b0cbb713003cc9f3aee67f2999
SSDeep: 12288:OIfWCyIvqyFUxigjxKPx7OUinhjIGB9aiUaMU/DmuqNZw3Z6gRNa3bkp:OI93l8igjxKPx76hcGBU1VeDUu4ia34p
Size: 905024 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Super Download Media
Created at: 2014-11-25 08:52:53
Analyzed on: WindowsXP SP3 32-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

%original file name%.exe:292
%original file name%.exe:460
%original file name%.exe:376

The Malware injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:292 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\accept-lg.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\step_off.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\skin.png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\knockout-2.js (10370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\progress-bar.gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\next.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\back.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\res\jquery.js (1843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin.zip (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\res\common.js (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\step_on.png (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\kLoPVvrSyZOofGUugHSsEez1.dll (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\AutoFeatureMod.js (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\iconChe.gif (740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\minify.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\141\arcadetwist_nowuseeit_onesystemcare_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\run.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\wbk2.tmp (242 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\185\onesystemcare_tidy_double628.mht (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\options.json (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\OfferScreenParamete.js (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\173\knctr_nowuseeit_tidy_triple_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\187\nowuseeit_tidy_double_628_3.mht (8844 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\index.html (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\266I2YxLst.dll (1486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\lua51.dll (3579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\close.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\157\arcadetwist_knctr_nowuseeit_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\skin.psd (42457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\SsaBz1bCz1Ttz1fGhI67jKCcLl67aBuVXx (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\cancel.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\step_bg.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\save.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\149\arcadetwist_nowuseeit_pcacceleratepro_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\skipall.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\1CWAS18Jp.dll (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\main.css (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\165\knctr_nowuseeit_onesystemcare_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\decline.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\181\tidy_nowuseeit_onesystemcare_triple_628_3.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\169\knctr_nowuseeit_tidy_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\accept.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\177\tidynetwork_nowuseeit_propccleaner_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\res\knockout.js (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\145\arcadetwist_nowuseeit_systemhealer_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\default_logo.png (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\153\arcadetwist_nowuseeit_pcprocleaner_updateadmin_628.mht (10204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\1\sien.mht (7772 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\OfferScreenParamete.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\knockout-2.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\iconChe.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\AutoFeatureMod.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wbk6.tmp (0 bytes)

Registry activity

The process %original file name%.exe:292 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016020120160202]
"CachePrefix" = ":2016020120160202:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016020120160202]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016020120160202\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016020120160202]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016020120160202]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 ED 5C A8 F3 AA 48 A0 E8 F7 5E 8C 85 31 89 89"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016020120160202]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Malware deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014040920140410]

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:460 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 63 EE 9D 5C 36 FB FE 24 2B A3 0F 73 7A 41 E8"

The process %original file name%.exe:376 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 B2 2B 68 99 11 28 A0 EA C7 DD 42 24 90 F1 07"

Dropped PE files

MD5 File path
732cd46d3c7e0cbd2e18ec8d2ccc83aa c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\1CWAS18Jp.dll
d3eaf3038e6eb9f55256725bde583d4c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\266I2YxLst.dll
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\kLoPVvrSyZOofGUugHSsEez1.dll
f0c59526f8186eadaf2171b8fd2967c1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\lua51.dll
44dac7f87bdf94d553f8d2cf073d605d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Super Download Media
Product Name: Super Download Media
Product Version: 4.8.7.3330
Legal Copyright: Copyright (C) 2015
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 4.8.7.3330
File Description: Super Download Media
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 54555 54784 4.4517 6b76e0aa335fbfa8a09b9244e8359863
.rdata 61440 230060 230400 5.53597 b47301a4001e7e46601ff2369593a9cc
.data 294912 19580 15872 4.97239 bf1ffb655f0c789312d205ead694f56b
.dta2 315392 589111 589312 5.54496 7772f09846a8faf9842f34d4e00044d9
.rsrc 905216 6944 7168 3.18165 28e79ccec7eadea12e45dfe9638b8d62

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://50.22.63.140/install?bc=1191699&pid=nextad&brand=nextad&aid=test_aid&s=test_source&c=4s&country=US&osName=Windows&osVersion=7&browserName=Firefox&browserVersion=41&secure=true&productKey=fwsfiqkzcucmr6navsyhy3i53xyeb3ic&checksum=0
hxxp://a728.g.akamai.net/skins/da/11122015/megazord_darkskin_nondlm_cancel.zip
hxxp://50.22.63.140/env?browserVersion=41&osVersion=7&productKey=fwsfiqkzcucmr6navsyhy3i53xyeb3ic&s=test_source&browserName=Firefox&c=4s&brand=nextad&pid=nextad&aid=test_aid&bc=1191699&osName=Windows&country=UA
hxxp://a728.g.akamai.net/binstallers/BM2/sien/ipage/sien.mht
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_nowuseeit_onesystemcare_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_nowuseeit_systemhealer_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_nowuseeit_pcacceleratepro_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_nowuseeit_pcprocleaner_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/arcadetwist_knctr_nowuseeit_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/knctr_nowuseeit_onesystemcare_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/knctr_nowuseeit_tidy_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/knctr_nowuseeit_tidy_triple_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/tidynetwork_nowuseeit_propccleaner_updateadmin_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/tidy_nowuseeit_onesystemcare_triple_628_3.mht
hxxp://a728.g.akamai.net/products/BM2/combos/onesystemcare_tidy_double628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/nowuseeit_tidy_double_628_3.mht
hxxp://mirror.downloadnet1210.com/products/BM2/combos/tidynetwork_nowuseeit_propccleaner_updateadmin_628.mht 62.140.236.155
hxxp://mirror.downloadnet1210.com/products/BM2/combos/knctr_nowuseeit_onesystemcare_updateadmin_628.mht 62.140.236.155
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_nowuseeit_onesystemcare_updateadmin_628.mht 62.140.236.155
hxxp://mirror.downloadnet1210.com/products/BM2/combos/knctr_nowuseeit_tidy_updateadmin_628.mht 62.140.236.155
hxxp://mirror.downloadnet1210.com/skins/da/11122015/megazord_darkskin_nondlm_cancel.zip 62.140.236.155
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_nowuseeit_pcprocleaner_updateadmin_628.mht 62.140.236.155
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_nowuseeit_systemhealer_updateadmin_628.mht 62.140.236.155
hxxp://mirror.downloadnet1210.com/products/BM2/combos/onesystemcare_tidy_double628.mht 62.140.236.155
hxxp://mirror.downloadnet1210.com/products/BM2/combos/knctr_nowuseeit_tidy_triple_628.mht 62.140.236.155
hxxp://mirror.downloadnet1210.com/products/BM2/combos/tidy_nowuseeit_onesystemcare_triple_628_3.mht 62.140.236.155
hxxp://service.downloadadmin.com/env?browserVersion=41&osVersion=7&productKey=fwsfiqkzcucmr6navsyhy3i53xyeb3ic&s=test_source&browserName=Firefox&c=4s&brand=nextad&pid=nextad&aid=test_aid&bc=1191699&osName=Windows&country=UA
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_nowuseeit_pcacceleratepro_updateadmin_628.mht 62.140.236.155
hxxp://mirror.downloadnet1210.com/products/BM2/combos/arcadetwist_knctr_nowuseeit_updateadmin_628.mht 62.140.236.155
hxxp://mirror.downloadnet1210.com/products/BM2/combos/nowuseeit_tidy_double_628_3.mht 62.140.236.155
hxxp://mirror.downloadnet1210.com/binstallers/BM2/sien/ipage/sien.mht 62.140.236.155
hxxp://service.downloadadmin.com/install?bc=1191699&pid=nextad&brand=nextad&aid=test_aid&s=test_source&c=4s&country=US&osName=Windows&osVersion=7&browserName=Firefox&browserVersion=41&secure=true&productKey=fwsfiqkzcucmr6navsyhy3i53xyeb3ic&checksum=0


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /env?browserVersion=41&osVersion=7&productKey=fwsfiqkzcucmr6navsyhy3i53xyeb3ic&s=test_source&browserName=Firefox&c=4s&brand=nextad&pid=nextad&aid=test_aid&bc=1191699&osName=Windows&country=UA HTTP/1.1
Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)
User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: service.downloadadmin.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 01 Feb 2016 13:36:32 GMT
Age: 0
X-TVAR: 
X-Cache: MISS
0018bb
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer><Environment>
  <Entry name="over-threshold:Optimizer Pro (US)">true</Entry>
  <Entry name="over-threshold:Super Optimizer (US)">true</Entry>
  <Entry name="over-threshold:PremierOpinion (UK)">true</Entry>
  <Entry name="over-threshold:Optimizer Pro (UK)">true</Entry>
  <Entry name="over-threshold:Super Optimizer (GB)">true</Entry>
  <Entry name="over-threshold:Optimizer Pro (CA)">true</Entry>
  <Entry name="over-threshold:Optimizer Pro (AU)">true</Entry>
  <Entry name="over-threshold:Web Bar (AU)">true</Entry>
  <Entry name="over-threshold:Optimizer Pro (Tier 2)">true</Entry>
  <Entry name="over-threshold:Optimizer Pro (ES)">true</Entry>
  <Entry name="over-threshold:Optimizer Pro (AR)">true</Entry>
  <Entry name="over-threshold:Optimizer Pro (MX)">true</Entry>
  <Entry name="over-threshold:Optimizer Pro (BR)">true</Entry>
  <Entry name="over-threshold:Optimizer Pro (TR)">true</Entry>
  <Entry name="over-threshold:Super Optimizer (DE)">true</Entry>
  <Entry name="over-threshold:Super Optimizer (IN)">true</Entry>
  <Entry name="over-threshold:Super Optimizer (RU)">true</Entry>
  <Entry name="over-threshold:Super Optimizer (CN)">true</Entry>
  <Entry name="over-threshold:Super Optimizer (ES)">true</Entry>
  <Entry name="over-threshold:Super Optimizer (CH

<<< skipped >>>

GET /skins/da/11122015/megazord_darkskin_nondlm_cancel.zip HTTP/1.1
Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)
User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "398d4b8eeb1f419a51f5c199a58139a2:1447358884"
Last-Modified: Thu, 12 Nov 2015 20:08:04 GMT
Accept-Ranges: bytes
Content-Length: 73310
Content-Type: application/zip
Date: Mon, 01 Feb 2016 13:36:29 GMT
Connection: keep-alive

<<< skipped >>>

GET /binstallers/BM2/sien/ipage/sien.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "93b001f93b7f7aeea13c8103d49ae99c:1430792886"
Last-Modified: Tue, 05 May 2015 02:28:06 GMT
Accept-Ranges: bytes
Content-Length: 61629
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:33 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"
Subject: Product Name
Date: Mon, 20 Oct 2014 17:40:00 -0400
MIME-Version: 1.0
Content-Type: multipart/related;
	type="text/html";
	boundary="----=_NextPart_000_0000_01CFEC8C.DF382910"
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609
This is a multi-part message in MIME format.
------=_NextPart_000_0000_01CFEC8C.DF382910
Content-Type: text/html;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: file://C:\offerscreen\vitallia_primary_4.html
=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =
"hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =
"hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd"><HTML><HEAD><=
META=20
content=3D"IE=3D11.0000" http-equiv=3D"X-UA-Compatible">
<META http-equiv=3D"X-UA-Compatible" content=3D"IE=3D11.0000"> =20
<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =
type=3D"text/javascript"></SCRIPT>
 =20
<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =
type=3D"text/javascript"></SCRIPT>
 =20
<SCRIPT src=3D"file:///C:/offerscreen/OfferScreenParameters.js" =
type=3D"text/javascript"></SCRIPT>
 <TITLE =
data-bind=3D"text:$root.customParameters()['ProductName']">Product=20
Name</TITLE>=20
<META http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8">=20
<STYLE>

<<< skipped >>>

GET /products/BM2/combos/arcadetwist_nowuseeit_onesystemcare_updateadmin_628.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "d5b059b9def0504411bdb2db9c216a3d:1449767805"
Last-Modified: Thu, 10 Dec 2015 17:16:45 GMT
Accept-Ranges: bytes
Content-Length: 75985
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:33 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"
Subject: Search.com 628 by 282
Date: Fri, 24 Oct 2014 11:42:51 -0400
MIME-Version: 1.0
Content-Type: multipart/related;
	type="text/html";
	boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609
This is a multi-part message in MIME format.
------=_NextPart_000_0000_01CFEF7F.A431DCD0
Content-Type: text/html;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html
=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><META content=3D"IE=3D5.0000" =
http-equiv=3D"X-UA-Compatible">
<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =
type=3D"text/javascript"></SCRIPT>
=20
<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =
type=3D"text/javascript"></SCRIPT>
 <TITLE>Search.com 628 by 282</TITLE>=20
<META http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8">=20
<STYLE>=0A=
=0A=
/* set the background color to match the offer. */=0A=
body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =
verdana, sans serif;color:#222;position:relative;height: 282px;width: =
628px;}=0A=
table{background-repeat: no-repeat;}=0A=
h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=
p {margin: 0;font-size: 12px}=0A=
td{vertical-align:top; }=0A=
a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/arcadetwist_nowuseeit_systemhealer_updateadmin_628.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "38cbe3d5d882081bb71074b52758b9b4:1453907915"
Last-Modified: Wed, 27 Jan 2016 15:18:35 GMT
Accept-Ranges: bytes
Content-Length: 76038
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:33 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/combos/arcadetwist_nowuseeit_pcacceleratepro_updateadmin_628.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "1dd737541e3940f4cef74621f76b62fa:1449767804"
Last-Modified: Thu, 10 Dec 2015 17:16:44 GMT
Accept-Ranges: bytes
Content-Length: 76128
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:33 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/arcadetwist_nowuseeit_pcprocleaner_updateadmin_628.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "7252da07c31ba2110f2caaeba0890e3c:1449767806"
Last-Modified: Thu, 10 Dec 2015 17:16:46 GMT
Accept-Ranges: bytes
Content-Length: 76048
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:34 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/arcadetwist_knctr_nowuseeit_updateadmin_628.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "ae50f47b8f976fcba8edfd829fcf5aaa:1450365473"
Last-Modified: Thu, 17 Dec 2015 15:17:53 GMT
Accept-Ranges: bytes
Content-Length: 76057
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:34 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/knctr_nowuseeit_onesystemcare_updateadmin_628.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "ed4b9b12f39800406f507196a9e05501:1449767804"
Last-Modified: Thu, 10 Dec 2015 17:16:44 GMT
Accept-Ranges: bytes
Content-Length: 76046
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:34 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/knctr_nowuseeit_tidy_updateadmin_628.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "747cfe38befb558e90d4aff2c748848a:1449767805"
Last-Modified: Thu, 10 Dec 2015 17:16:45 GMT
Accept-Ranges: bytes
Content-Length: 76151
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:34 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/knctr_nowuseeit_tidy_triple_628.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "1ee70d370acae337db961198ce34abcf:1449767805"
Last-Modified: Thu, 10 Dec 2015 17:16:45 GMT
Accept-Ranges: bytes
Content-Length: 75801
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:34 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Mon, 7 Apr 2014 14:26:55 -0400..MIME-Version: 1.0..Content-Type
: multipart/related;...type="text/html";...boundary="----=_NextPart_00
0_0007_01CF526D.6D799070"..X-MimeOLE: Produced By Microsoft MimeOLE V6
.1.7601.17609..This is a multi-part message in MIME format...------=_N
extPart_000_0007_01CF526D.6D799070..Content-Type: text/html;...charset
="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locatio
n: file://C:\offerscreen\highlightly_stormalerts_optimizerpro_triple_6
28.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Trans
itional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0
000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///
C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SC
RIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureMod
el.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>S
earch.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-
Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=
0A=..=0A=../* set the background color to match the offer. */=0A=..bod
y {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..
verdana, sans serif;color:#222;position:relative;height: 282px;width:
=..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-siz
e: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {m
argin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COL

<<< skipped >>>

GET /products/BM2/combos/tidynetwork_nowuseeit_propccleaner_updateadmin_628.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "ab612260ebb800ba44e230e95419a646:1449767803"
Last-Modified: Thu, 10 Dec 2015 17:16:43 GMT
Accept-Ranges: bytes
Content-Length: 76041
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:34 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCT
YPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML&
gt;<HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-
Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0
.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT s
rc=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/java
script"></SCRIPT>.. <TITLE>Search.com 628 by 282</TI
TLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html;
=..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the backg
round color to match the offer. */=0A=..body {background-color:#e3e3e3
;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#
222;position:relative;height: 282px;width: =..628px;}=0A=..table{backg
round-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;m
argin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0
A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration

<<< skipped >>>

GET /products/BM2/combos/tidy_nowuseeit_onesystemcare_triple_628_3.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "c93b2f0ef2e880670430fcf302b32d12:1449767803"
Last-Modified: Thu, 10 Dec 2015 17:16:43 GMT
Accept-Ranges: bytes
Content-Length: 75992
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:34 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282.
.Date: Thu, 11 Sep 2014 14:28:18 -0400..MIME-Version: 1.0..Content-Typ
e: multipart/related;...type="text/html";...boundary="----=_NextPart_0
00_0007_01CFCDCC.A1C309D0"..X-MimeOLE: Produced By Microsoft MimeOLE V
6.1.7601.17609..This is a multi-part message in MIME format...------=_
NextPart_000_0007_01CFCDCC.A1C309D0..Content-Type: text/html;...charse
t="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locati
on: file://C:\offerscreen\tidy_rapidwatch_optimizerpro_triple_628_3.ht
ml..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transition
al//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000"
=..http-equiv=3D"X-UA-Compatible">..<TITLE>Search.com 628 by
282</TITLE>..<META content=3DIE=3D5.0000 http-equiv=3DX-UA-Co
mpatible>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/
offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3Dtex
t/javascript=20..src=3D"file:///C:/offerscreen/AutoFeatureModel.js">
;</SCRIPT>..<META content=3D"text/html; charset=3Dutf-8" http
-equiv=3DContent-Type>..<STYLE>BODY {...HEIGHT: 282px; FONT-F
AMILY: arial, verdana, sans serif; WIDTH: 628px; =..POSITION: relative
; COLOR: #222; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; =..PADDING-LEFT:
0px; MARGIN: 0px; PADDING-RIGHT: 0px; BACKGROUND-COLOR: =..#e3e3e3..}
..TABLE {...BACKGROUND-REPEAT: no-repeat..}..H1 {...MARGIN-BOTTOM: 4px
; FONT-SIZE: 18px; FONT-WEIGHT: bold; MARGIN-TOP: 0px..}..P {...FO

<<< skipped >>>

GET /products/BM2/combos/onesystemcare_tidy_double628.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "b2b2ba26d95808459c2f3b647fbec299:1439558956"
Last-Modified: Fri, 14 Aug 2015 13:29:16 GMT
Accept-Ranges: bytes
Content-Length: 72381
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:34 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 9"..Subject: 628 by 282 Icy 
Offer..Date: Mon, 7 Jan 2013 11:23:06 -0500..MIME-Version: 1.0..Conten
t-Type: multipart/related;...type="text/html";...boundary="----=_NextP
art_000_0010_01CDECC9.5D450B40"..X-MimeOLE: Produced By Microsoft Mime
OLE V6.1.7601.17609..This is a multi-part message in MIME format...---
---=_NextPart_000_0010_01CDECC9.5D450B40..Content-Type: text/html;...c
harset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-L
ocation: file://C:\offerscreen\strongvault_tidy_double628.html..=EF=BB
=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =
.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<
;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" =.."htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><HTML>&
lt;HEAD>..<SCRIPT type=3D"text/javascript" =..src=3D"file:///C:/
offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3D"te
xt/javascript" =..src=3D"file:///C:/offerscreen/AutoFeatureModel.js"&g
t;</SCRIPT>..<TITLE>628 by 282 Icy Offer</TITLE>..&l
t;META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3D"Content
-Type"><!--=20..Edited by: Insert Initials & Date..Template Name
: 628_Icy_2col_toolbar_EULA.php..-->..<STYLE>=0A=../* Overall
page settings... */=0A=..=0A=..body {background-color:#fff;margin:0;p
adding:0;font-family: arial, =..verdana, sans serif;color:#707271;}=0A
=..#content {width:628px;height:282px; overflow:hidden; =..backgro

<<< skipped >>>

GET /products/BM2/combos/nowuseeit_tidy_double_628_3.mht HTTP/1.1

User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "6d5e59b839ac2c6daa141dcf782ccd4d:1450365474"
Last-Modified: Thu, 17 Dec 2015 15:17:54 GMT
Accept-Ranges: bytes
Content-Length: 68712
Content-Type: text/plain
Date: Mon, 01 Feb 2016 13:36:34 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: 628 by 282 Icy Offer..
Date: Thu, 11 Sep 2014 14:39:31 -0400..MIME-Version: 1.0..Content-Type
: multipart/related;...type="text/html";...boundary="----=_NextPart_00
0_0007_01CFCDCE.32759F00"..X-MimeOLE: Produced By Microsoft MimeOLE V6
.1.7601.17609..This is a multi-part message in MIME format...------=_N
extPart_000_0007_01CFCDCE.32759F00..Content-Type: text/html;...charset
="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Locatio
n: file://C:\offerscreen\stormwatch_tidy_double_628_2.html..=EF=BB=BF&
lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."h
ttp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DO
CTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://
VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd"><HTML><
;HEAD><=..META=20..content=3D"IE=3D11.0000" http-equiv=3D"X-UA-C
ompatible">..<TITLE>628 by 282 Icy Offer</TITLE>=20..&l
t;META http-equiv=3D"X-UA-Compatible" content=3D"IE=3D11.0000">=20.
.<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"
text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:
/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></
SCRIPT>..=20..<META http-equiv=3D"Content-Type" content=3D"text/
html; =..charset=3DUTF-8"><!-- =0A=..=0A=..Edited by: Insert Ini
tials & Date=0A=..Template Name: 628_Icy_2col_toolbar_EULA.php=0A=..=0
A=..-->=20..<STYLE>BODY {=0A=...PADDING-BOTTOM: 0px; BACK

<<< skipped >>>
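The offer-screen responses above are declared as Content-Type: text/plain, but each body is an MHTML document (a multipart/related message "Saved by Internet Explorer", quoted-printable encoded) whose HTML part points at local scripts such as file:///C:/offerscreen/knockout-2.0.js and AutoFeatureModel.js; the same files are written under Temp\TmucgQqHiSEGAiC5AXN\<n>\*.mht. The Python below is an added example for unpacking such a file with the standard library email parser, not code from this report or from the installer. SAMPLE_MHT is constructed for the example and mirrors the shape of the captured responses; it is not the captured bytes.

```python
import email
import re

# Constructed MHT sample (not the report's bytes): a multipart/related message
# with one quoted-printable HTML part carrying a file:// Content-Location.
SAMPLE_MHT = "\n".join([
    'From: "Saved by Internet Explorer 11"',
    "Subject: Search.com 628 by 282",
    "MIME-Version: 1.0",
    "Content-Type: multipart/related;",
    '\ttype="text/html";',
    '\tboundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"',
    "",
    "This is a multi-part message in MIME format.",
    "",
    "------=_NextPart_000_0000_01CFEF7F.A431DCD0",
    "Content-Type: text/html;",
    '\tcharset="utf-8"',
    "Content-Transfer-Encoding: quoted-printable",
    "Content-Location: file://C:\\offerscreen\\storm_alerts_quad_1.html",
    "",
    '=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">',
    '<HTML><HEAD><SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =',
    'type=3D"text/javascript"></SCRIPT>',
    '<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" type=3D"text/javascript"></SCRIPT>',
    "<TITLE>Search.com 628 by 282</TITLE></HEAD><BODY></BODY></HTML>",
    "",
    "------=_NextPart_000_0000_01CFEF7F.A431DCD0--",
    "",
])

# src= attributes that load from the local file system (file:///...)
LOCAL_SRC_RE = re.compile(r'src=["\']?(file:///[^"\'\s>]+)', re.IGNORECASE)


def looks_like_mht(body: str) -> bool:
    """True when a body (served as text/plain in the capture above) is really a
    MIME multipart/related document, i.e. an MHT archive."""
    msg = email.message_from_string(body)
    return msg.is_multipart() and msg.get_content_type() == "multipart/related"


def mht_parts(mht_text: str) -> list:
    """Return (content_type, content_location, decoded_text) for each leaf part.
    Quoted-printable (including soft line breaks and =3D) is undone by the
    email package; a leading UTF-8 BOM is stripped."""
    parts = []
    for part in email.message_from_string(mht_text).walk():
        if part.is_multipart():
            continue
        raw = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        text = raw.decode(charset, errors="replace").lstrip("\ufeff")
        parts.append((part.get_content_type(), part.get("Content-Location"), text))
    return parts


def local_script_refs(mht_text: str) -> list:
    """List file:/// script sources referenced by the HTML parts, in order."""
    refs = []
    for ctype, _location, text in mht_parts(mht_text):
        if ctype == "text/html":
            refs.extend(LOCAL_SRC_RE.findall(text))
    return refs


if __name__ == "__main__":
    print("MHT:", looks_like_mht(SAMPLE_MHT))
    for ctype, location, text in mht_parts(SAMPLE_MHT):
        print(ctype, location, len(text), "chars")
    print("local scripts:", local_script_refs(SAMPLE_MHT))
```

Running mht_parts over the dropped *.mht files in the Temp directory listed in the removal section gives the decoded offer HTML and the Content-Location of every part, which is the quickest way to see what the installer's offer dialog actually rendered.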

POST /install?bc=1191699&pid=nextad&brand=nextad&aid=test_aid&s=test_source&c=4s&country=US&osName=Windows&osVersion=7&browserName=Firefox&browserVersion=41&secure=true&productKey=fwsfiqkzcucmr6navsyhy3i53xyeb3ic&checksum=0 HTTP/1.1
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1191699&pid=nextad&brand=nextad&aid=test_aid&s=test_source&c=4s&country=US&osName=Windows&osVersion=7&browserName=Firefox&browserVersion=41&secure=true&productKey=fwsfiqkzcucmr6navsyhy3i53xyeb3ic&checksum=0
X-Exe-Checksum: 0
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1191699&pid=nextad&brand=nextad&aid=test_aid&s=test_source&c=4s&country=US&osName=Windows&osVersion=7&browserName=Firefox&browserVersion=41&secure=true&productKey=fwsfiqkzcucmr6navsyhy3i53xyeb3ic
Content-Length: 10
Content-Type: application/x-www-form-urlencoded
X-Exename: %original file name%.exe
Accept-Encoding: identify, enc(RC4/sha1:dc724af1), enc(RC4/sha1:eb7eb628), enc(RC4/sha1:66ed45ce), enc(RC4/sha1:39443636)
User-Agent: Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)
Host: service.downloadadmin.com
Connection: Keep-Alive

delta=1063
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Mon, 01 Feb 2016 13:36:25 GMT
Age: 0
X-Cache: MISS
0..HTTP/1.1 200 OK..Transfer-Encoding: chunked..Date: Mon, 01 Feb 2016
13:36:25 GMT..Age: 0..X-Cache: MISS..0..
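Every request in the capture carries the same non-browser User-Agent, Super Download Media(...), whose fields are host telemetry rather than browser identification: a ref identifier, Windows version, uac=false, the Internet Explorer build, elevated=true, dotnet, startTime and the installer's pid (292, matching the process list). That makes the header a reliable network indicator. The Python below is an added example of parsing it and flagging matching proxy-log entries; it is not part of the report. The SAMPLE_LOG lines and their tab-separated layout are constructed for the example and only copy the shape of the captured values.

```python
import re
from typing import Optional

# The installer's custom User-Agent as seen in the capture above:
#   Super Download Media(ref=[<hex>];windows=5.1;uac=false;ie=...;elevated=true;...;pid=292)
UA_RE = re.compile(r"^Super Download Media\((?P<fields>[^)]*)\)\s*$")


def parse_sdm_user_agent(ua: str) -> Optional[dict]:
    """Return the key=value telemetry fields of a Super Download Media UA,
    or None when the header is not in that format."""
    m = UA_RE.match(ua)
    if not m:
        return None
    fields = {}
    for item in m.group("fields").split(";"):
        key, sep, value = item.partition("=")
        if not sep:
            continue
        fields[key.strip()] = value.strip().strip("[]")  # ref=[...] is bracketed
    return fields


# Constructed proxy-log lines (tab-separated: host, path, status, content-type,
# user-agent). Not from the report's pcap; the values copy its shape.
SAMPLE_LOG = "\n".join([
    "mirror.downloadnet1210.com\t/products/BM2/combos/knctr_nowuseeit_tidy_triple_628.mht\t200\ttext/plain\t"
    "Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;"
    "ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)",
    "service.downloadadmin.com\t/install?bc=1191699&pid=nextad\t200\t-\t"
    "Super Download Media(ref=[2e3206349b24896aeaa4f324d449362b51026712];windows=5.1;uac=false;"
    "ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=1201890;pid=292)",
    "www.example.com\t/index.html\t200\ttext/html\t"
    "Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0",
])


def triage(log_text: str) -> list:
    """Flag log lines carrying the installer UA and record why each is suspicious."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        host, path, _status, ctype, ua = line.split("\t")
        fields = parse_sdm_user_agent(ua)
        if fields is None:
            continue
        reasons = ["Super Download Media installer user-agent"]
        if fields.get("elevated") == "true" and fields.get("uac") == "false":
            reasons.append("client reports running elevated with UAC off")
        if path.split("?", 1)[0].lower().endswith(".mht") and ctype.lower().startswith("text/plain"):
            reasons.append(".mht offer screen served as text/plain")
        findings.append({"line": lineno, "host": host, "pid": fields.get("pid"),
                         "ref": fields.get("ref"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['host']} pid={f['pid']} -> {'; '.join(f['reasons'])}")
```

The ref value is constant across all requests from this run and is a convenient pivot for grouping a host's traffic; the pid field ties the traffic back to the process in the dynamic-analysis section.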


The Malware connects to the servers at the following location(s):

%original file name%.exe_376:

.text
`.rdata
@.data
.dta2
@.rsrc
PSSSSSSh
advapi32.dll
gy%x*
0GT%uP
7,G.mG
t&;.ylU
.yPI0m
#.Kb\
%DN_'?0
c-x},
.SQaR1?
IÏE
|.Cd9
g.tE'/
h%DI!L
l.TR}
.HefC
yg.tw
$=m.rvx
A t:R%S
~3.ux=
debug.pdb
GDI32.dll
ConnectNamedPipe
CreateNamedPipeA
KERNEL32.dll
comdlg32.dll
USER32.dll
msvcrt.dll
_acmdln
_amsg_exit
ole32.dll
SHFileOperationA
ShellExecuteExA
SHELL32.dll
shared_library.dll
CoCreateInstance failed(rc=%d)
Error creating ShellLink(rc=%d)
All Files|*.*
__LOCALEXPORTS
./extramod.dll
./lua51.dll
luabridge.dll
luabridge.win32
%d.%.%d
dialog.image
local rshift,lshift,band=bit.rshift,bit.lshift,bit.band
local tohex=bit.tohex;
local dict=ffi.new("char[?]",64)
function M.setSymbols(symbols)
ffi.copy(dict,symbols,64);
seg = seg .. string.char(dict[bits]);
seg = seg .. string.char(dict[bits]);
table.insert(buf,seg);
seg=string.char(dict[idx]);
seg=seg .. string.char(dict[bits]);
table.insert(buf,seg)
table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3) + 1])
return table.concat(buf);
local block=ffi.new("char[?]",block_sz);
function M.unb64(data)
table.insert(buf,ffi.string(block,p));
local seg=ffi.string(block,p);
--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));
table.insert(buf,seg);
return table.concat(buf)
M.setSymbols(DEF_DICT);
function M.defaultDict()
M.setSymbols(DEF_DICT);
M.unfilter = M.unb64
M.setSymbols(loadarg);
return M.unb64;
resources.binlib
mime.core
require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");
return require('cleanup').runCleanup()
777777777
win32.shell
Press any key to continue
resources.overlay
luabridge.net
lua51.dll
resources.js
%d.%d.%d
luabridge.nsis
resources.nsis
dialog.html
resources.compressed
luabridge.fs
luabridge.classes
luabridge.registry
luabridge.config
CryptDestroyKey
CryptDuplicateKey
CryptDeriveKey
5555555
9999999
key_destroy
key_decrypt
%s expected data in index [1]
key_encrypt
%s<%p>
default_key
%s expected 'length' with lightuserdata
Win32.Crypto.Provider
provider_dervice_key
bad argument #%d to %s('%s' expected)
key_duplicate
%s expected table argument
Win32.Crypt.Hash
derive_key
Win32.Crypt.Key
deflate() failed(rc=%d)
deflateInit() failed (rc=%s)
Unsupported filter input(string|nil) expected
miniz.InflateZStream
inflate() failed(rc=%d)
miniz.DeflateZStream
inflateInit() failed (rc=%s)
Mime 1.0.3
zcÁ
fT'.P-G.qE
kc.hy1/
.MJ6)
GZ.Ml
kS4.nM
{0g92%u
i'~%uZ=d
' |%X
s.AC0^-n5
%F;_YT
W.Ynt
__.Uv%
.eS"E
.ZLc9
bD:.eW
:p.ld
y-.qG
U.ZdC
Lz%FU0i
.lj]R`
2C7%S]u
%9xc]z5
;.VEjLs
%s7H$S
wX:%CT
b.Dbu
ÌLi;
0(yJ%c
RC%uc
7.Nr|-A
F.WI<
Lo&%s
.Mq4c
U.rj{vb
.SOYs_
&.cky~
%c:{D
\b|%.S
.nU Z
Y0wlz.DJy
N0_s.xUu
"OA-m}
uJ.wa
8'%d| 
m[_.MG
2 .wq
.tn:%
NqG%S
M,.uG\S.
.sAaV
&%D~6
sQlr
.iV8Ca
.xv,`w
.ay/"V
za.BX
km.GN
.tqU4UD
Keyyh
.QL[K
%FiJt
version="4.8.7.3330"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
setup.exe
4.8.7.3330

%original file name%.exe_292:

.text
`.rdata
@.data
.dta2
@.rsrc
PSSSSSSh
advapi32.dll
gy%x*
0GT%uP
7,G.mG
t&;.ylU
.yPI0m
#.Kb\
%DN_'?0
c-x},
.SQaR1?
IÏE
|.Cd9
g.tE'/
h%DI!L
l.TR}
.HefC
yg.tw
$=m.rvx
A t:R%S
~3.ux=
debug.pdb
GDI32.dll
ConnectNamedPipe
CreateNamedPipeA
KERNEL32.dll
comdlg32.dll
USER32.dll
msvcrt.dll
_acmdln
_amsg_exit
ole32.dll
SHFileOperationA
ShellExecuteExA
SHELL32.dll
shared_library.dll
CoCreateInstance failed(rc=%d)
Error creating ShellLink(rc=%d)
All Files|*.*
__LOCALEXPORTS
./extramod.dll
./lua51.dll
luabridge.dll
luabridge.win32
%d.%.%d
dialog.image
local rshift,lshift,band=bit.rshift,bit.lshift,bit.band
local tohex=bit.tohex;
local dict=ffi.new("char[?]",64)
function M.setSymbols(symbols)
ffi.copy(dict,symbols,64);
seg = seg .. string.char(dict[bits]);
seg = seg .. string.char(dict[bits]);
table.insert(buf,seg);
seg=string.char(dict[idx]);
seg=seg .. string.char(dict[bits]);
table.insert(buf,seg)
table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3) + 1])
return table.concat(buf);
local block=ffi.new("char[?]",block_sz);
function M.unb64(data)
table.insert(buf,ffi.string(block,p));
local seg=ffi.string(block,p);
--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));
table.insert(buf,seg);
return table.concat(buf)
M.setSymbols(DEF_DICT);
function M.defaultDict()
M.setSymbols(DEF_DICT);
M.unfilter = M.unb64
M.setSymbols(loadarg);
return M.unb64;
resources.binlib
mime.core
require("logging").loggerFor("bundle_manager").Info("RunLoop Exited .. Cleaning Up");
return require('cleanup').runCleanup()
777777777
win32.shell
Press any key to continue
resources.overlay
luabridge.net
lua51.dll
resources.js
%d.%d.%d
luabridge.nsis
resources.nsis
dialog.html
resources.compressed
luabridge.fs
luabridge.classes
luabridge.registry
luabridge.config
CryptDestroyKey
CryptDuplicateKey
CryptDeriveKey
5555555
9999999
key_destroy
key_decrypt
%s expected data in index [1]
key_encrypt
%s<%p>
default_key
%s expected 'length' with lightuserdata
Win32.Crypto.Provider
provider_dervice_key
bad argument #%d to %s('%s' expected)
key_duplicate
%s expected table argument
Win32.Crypt.Hash
derive_key
Win32.Crypt.Key
deflate() failed(rc=%d)
deflateInit() failed (rc=%s)
Unsupported filter input(string|nil) expected
miniz.InflateZStream
inflate() failed(rc=%d)
miniz.DeflateZStream
inflateInit() failed (rc=%s)
Mime 1.0.3
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp/TmucgQqHiSEGAiC5AXN
c:\%original file name%.exe
?456789:;<=
!"#$%&'()*+,-./0123
fT'.P-G.qE
kc.hy1/
.MJ6)
GZ.Ml
kS4.nM
{0g92%u
i'~%uZ=d
' |%X
s.AC0^-n5
%F;_YT
W.Ynt
__.Uv%
.eS"E
.ZLc9
bD:.eW
:p.ld
y-.qG
U.ZdC
Lz%FU0i
.lj]R`
2C7%S]u
%9xc]z5
;.VEjLs
%s7H$S
wX:%CT
b.Dbu
ÌLi;
0(yJ%c
RC%uc
7.Nr|-A
F.WI<
Lo&%s
.Mq4c
U.rj{vb
.SOYs_
&.cky~
%c:{D
\b|%.S
.nU Z
Y0wlz.DJy
N0_s.xUu
"OA-m}
uJ.wa
8'%d| 
m[_.MG
2 .wq
.tn:%
NqG%S
M,.uG\S.
.sAaV
&%D~6
sQlr
.iV8Ca
.xv,`w
.ay/"V
za.BX
km.GN
.tqU4UD
Keyyh
.QL[K
%FiJt
version="4.8.7.3330"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
setup.exe
4.8.7.3330
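The Lua fragments in both dumps (M.setSymbols(symbols) copying 64 bytes into dict, M.unb64, the padding table indexed by #data % 3, and M.setSymbols(loadarg) returning M.unb64) describe a base64 codec whose 64-symbol dictionary is supplied at load time, so resources the installer bundles need not decode with the standard alphabet. The Python below is an added example that reimplements that scheme so such data can be decoded once the dictionary is known; it is not code from this report or from the sample. ROTATED_DICT and the "~" placeholder are constructed for the example, since the real dictionary string is not present in the dump.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed non-standard dictionary for the example (standard alphabet rotated
# by 13), standing in for whatever string the installer passes to setSymbols().
ROTATED_DICT = STD_ALPHABET[13:] + STD_ALPHABET[:13]


class SymbolBase64:
    """Base64 over a caller-supplied 64-symbol dictionary, mirroring the Lua
    codec's setSymbols()/unb64() pair and its placeholder padding rule."""

    def __init__(self, symbols: str = STD_ALPHABET, placeholder: str = "="):
        if len(symbols) != 64 or len(set(symbols)) != 64:
            raise ValueError("dictionary must hold 64 distinct symbols")
        if len(placeholder) != 1 or placeholder in symbols:
            raise ValueError("placeholder must be one symbol outside the dictionary")
        self.symbols = symbols
        self.placeholder = placeholder
        self.index = {ch: i for i, ch in enumerate(symbols)}

    def encode(self, data: bytes) -> str:
        out = []
        full = len(data) - len(data) % 3
        for i in range(0, full, 3):                      # 3 bytes -> 4 symbols
            n = (data[i] << 16) | (data[i + 1] << 8) | data[i + 2]
            out.append("".join(self.symbols[(n >> s) & 63] for s in (18, 12, 6, 0)))
        rem = len(data) % 3
        if rem == 1:                                     # 1 byte -> 2 symbols
            n = data[full] << 16
            out.append("".join(self.symbols[(n >> s) & 63] for s in (18, 12)))
        elif rem == 2:                                   # 2 bytes -> 3 symbols
            n = (data[full] << 16) | (data[full + 1] << 8)
            out.append("".join(self.symbols[(n >> s) & 63] for s in (18, 12, 6)))
        # Same table as the Lua line: ({"", rep(placeholder,2), placeholder})[(#data % 3) + 1]
        out.append(("", self.placeholder * 2, self.placeholder)[rem])
        return "".join(out)

    def decode(self, text: str) -> bytes:
        text = text.rstrip(self.placeholder)
        out = bytearray()
        acc = bits = 0
        for ch in text:
            if ch not in self.index:
                raise ValueError(f"symbol {ch!r} is not in the dictionary")
            acc = (acc << 6) | self.index[ch]            # 6 bits per symbol
            bits += 6
            if bits >= 8:
                bits -= 8
                out.append((acc >> bits) & 0xFF)
                acc &= (1 << bits) - 1                   # keep only leftover bits
        return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """With the default dictionary the codec must agree with base64.b64encode."""
    return SymbolBase64().encode(data) == base64.b64encode(data).decode("ascii")


def reencode(text: str, src: SymbolBase64, dst: SymbolBase64) -> str:
    """Move a blob between dictionaries, e.g. custom -> standard so that
    ordinary tooling can inspect it."""
    return dst.encode(src.decode(text))


if __name__ == "__main__":
    custom = SymbolBase64(ROTATED_DICT, "~")
    blob = custom.encode(b"Super Download Media")
    print(blob, "->", reencode(blob, custom, SymbolBase64()))
```

Decoding with the wrong dictionary does not fail loudly when the two alphabets share the same characters, so a candidate dictionary should be confirmed on a blob with known structure (a PE header, a ZIP signature, or one of the bundled skin files) before being trusted for the rest of the payload.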


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:292
    %original file name%.exe:460
    %original file name%.exe:376

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %Documents and Settings%\%current user%\Local Settings\Temp\TmucgQqHiSEGAiC5AXN\skin\assets\accept-lg.png (73 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
