e-pointer-cn.exe: unknown click-fraud / pay-per-download trojan, PCAP file download traffic sample, 2016-10-29

SHA256: c686cd371f5a2325a37622ee9eed194863299d091b15e4dca2621766359d2ecb
File name: e-pointer-cn.exe
Detection ratio: 2 / 56
Analysis date: 2016-10-29 07:15:48 UTC
AVware: Trojan.Win32.Generic!BT (20161029)
VIPRE: Trojan.Win32.Generic!BT (20161029)

2016-10-29 01:34:10.924411 IP 192.168.1.102.64320 > 218.93.211.9.80: Flags [P.], seq 0:299, ack 1, win 256, length 299: HTTP: GET /down/e-pointer-cn.exe HTTP/1.1
GET /down/e-pointer-cn.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: sqdx.newhua.com
Connection: Keep-Alive

2016-10-29 01:34:10.924425 IP 192.168.1.102.64320 > 218.93.211.9.80: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0

2016-10-29 01:35:14.148520 IP 192.168.1.102.64322 > 23.34.0.4.80: Flags [P.], seq 0:213, ack 1, win 256, length 213: HTTP: GET /en-US/livetile/preinstall?region=US&appid=C98EA5B0842DBB9405BBF071E1DA76512D21FE36&FORM=Threshold HTTP/1.1
GET /en-US/livetile/preinstall?region=US&appid=C98EA5B0842DBB9405BBF071E1DA76512D21FE36&FORM=Threshold HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WNS/10.0
Host: tile-service.weather.microsoft.com

2016-10-29 01:35:14.173564 IP 192.168.1.102.64322 > 23.34.0.4.80: Flags [.], ack 4646, win 256, length 0
2016-10-29 01:35:14.174601 IP 192.168.1.102.64321 > 104.244.43.103.443: Flags [.], ack 2921, win 256, length 0
2016-10-29 01:35:14.177570 IP 192.168.1.102.64321 > 104.244.43.103.443: Flags [P.], seq 190:316, ack 3909, win 252, length 126

2016-10-29 01:35:37.751100 IP 192.168.1.102.64323 > 54.80.124.3.80: Flags [P.], seq 0:704, ack 1, win 256, length 704: HTTP: GET /?product=firefox-48.0.2-complete&os=win&lang=en-US HTTP/1.1
GET /?product=firefox-48.0.2-complete&os=win&lang=en-US HTTP/1.1
Host: download.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=1200000-1499999
Cookie: optimizelyEndUserId=oeu1467151488014r0.33409587144074915; optimizelySegments=%7B%22245875585%22%3A%22direct%22%2C%222427280098%22%3A%22true%22%2C%22245617832%22%3A%22none%22%2C%22246048108%22%3A%22false%22%2C%22245677587%22%3A%22ff%22%2C%22869421433%22%3A%22true%22%2C%221867940538%22%3A%22true%22%7D; optimizelyBuckets=%7B%7D; _ga=GA1.2.1371564214.1467151489
Connection: keep-alive

2016-10-29 01:35:41.203173 IP 192.168.1.102.64325 > 113.10.246.226.80: Flags [P.], seq 0:284, ack 1, win 256, length 284: HTTP: GET /cn/ HTTP/1.1
GET /cn/ HTTP/1.1
Host: www.foredu.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

2016-10-29 01:36:20.212017 IP 192.168.1.102.64360 > 74.113.233.180.80: Flags [P.], seq 493:1953, ack 42353, win 63347, length 1460: HTTP: GET /anemone.jhtml?anxuu=618748E4-982F-4A0E-8C67-D88C0DFE93D0&anxa=CAPDownloadProcess&anxv=1.0.0&anxd=2011-06-01T04%3A00%3A00Z&anxsn=dfprdsndlbfe66.df.jabodo.com&anxu=http%3A%2F%2Ffree.pdfconverterhq.com%2Findex.jhtml&anxl=en-US&anxlv=1477719324701&anxrd=pdfconverterhq.appspot.com&anxrp=pdfconverterhq&anxrk=-&anxrm=referral&anxrb=-&anxrc=-&anxrs=-&anxsq=1&anxi=62E55185-ADC1-4C68-8750-4BABFC8FCA6A&anxe=backFill&anxr=1998119352 HTTP/1.1
GET /anemone.jhtml?anxuu=618748E4-982F-4A0E-8C67-D88C0DFE93D0&anxa=CAPDownloadProcess&anxv=1.0.0&anxd=2011-06-01T04%3A00%3A00Z&anxsn=dfprdsndlbfe66.df.jabodo.com&anxu=http%3A%2F%2Ffree.pdfconverterhq.com%2Findex.jhtml&anxl=en-US&anxlv=1477719324701&anxrd=pdfconverterhq.appspot.com&anxrp=pdfconverterhq&anxrk=-&anxrm=referral&anxrb=-&anxrc=-&anxrs=-&anxsq=1&anxi=62E55185-ADC1-4C68-8750-4BABFC8FCA6A&anxe=backFill&anxr=1998119352 HTTP/1.1
Host: free.pdfconverterhq.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://free.pdfconverterhq.com/index.jhtml?partner=^CAM^xdm106&s1=36176646235
Cookie: sessionData=

2016-10-29 01:36:20.215720 IP 192.168.1.102.64367 > 23.50.225.18.80: Flags [.], ack 85792217, win 256, length 0
2016-10-29 01:36:20.216454 IP 192.168.1.102.64367 > 23.50.225.18.80: Flags [P.], seq 0:360, ack 1, win 256, length 360: HTTP: GET /images/vicinio/dsp-images/crx-tooltab-swap3/CAM.png HTTP/1.1
GET /images/vicinio/dsp-images/crx-tooltab-swap3/CAM.png HTTP/1.1
Host: ak.imgfarm.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://free.pdfconverterhq.com/index.jhtml?partner=^CAM^xdm106&s1=36176646235
Connection: keep-alive

2016-10-29 01:36:56.919685 IP 192.168.1.102.64611 > 204.2.197.211.80: Flags [P.], seq 0:411, ack 1, win 256, length 411: HTTP: GET /orbserv/hbpix?pixId=9867&pcv=79 HTTP/1.1
GET /orbserv/hbpix?pixId=9867&pcv=79 HTTP/1.1
Host: idpix.media6degrees.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ip.casalemedia.com/usermatch?s=175407&cb=http%3A%2F%2Fums.adtechus.com%2Fmapuser%3Fproviderid%3D1010%3Buserid=
Cookie: cckz=1ofsnk1
Connection: keep-alive

2016-10-29 01:36:56.922679 IP 192.168.1.102.64583 > 204.236.237.66.80: Flags [P.], seq 1235:1802, ack 2693, win 252, length 567: HTTP: GET /track/cmf/casaleopenrtb?cm_dsp_id=70&cm_callback_url=http%3A%2F%2Fdsum.casalemedia.com%2Fcrum&cm_user_id=WBQ1HsAoJXEAACNjXJYAAACZ HTTP/1.1
GET /track/cmf/casaleopenrtb?cm_dsp_id=70&cm_callback_url=http%3A%2F%2Fdsum.casalemedia.com%2Fcrum&cm_user_id=WBQ1HsAoJXEAACNjXJYAAACZ HTTP/1.1
Host: match.adsrvr.org
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ip.casalemedia.com/usermatch?s=175407&cb=http%3A%2F%2Fums.adtechus.com%2Fmapuser%3Fproviderid%3D1010%3Buserid=
Cookie: TDID=cf3ac430-9606-4554-b0a1-7d3acd947654; TDCPM=CAEYBSgCMgsInr/wnInyvzQQBTgB
Connection: keep-alive

2016-10-29 01:36:56.924728 IP 192.168.1.102.64585 > 152.163.66.141.80: Flags [P.], seq 825:1291, ack 526, win 254, length 466: HTTP: GET /mapuser?providerid=1010;userid=WBQ1HsAoJXEAACNjXJYAAACZ%26934 HTTP/1.1
GET /mapuser?providerid=1010;userid=WBQ1HsAoJXEAACNjXJYAAACZ%26934 HTTP/1.1
Host: ums.adtechus.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ip.casalemedia.com/usermatch?s=175407&cb=http%3A%2F%2Fums.adtechus.com%2Fmapuser%3Fproviderid%3D1010%3Buserid=
Cookie: CfP=2; JEB2=58142CF36E6516EF8B6602A3F62AA882
Connection: keep-alive