ContentExplorer.exe

Lake Ventures LLC

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application ContentExplorer.exe by Lake Ventures has been detected as adware by 9 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘ContentExplorer’. The setup program bundles additional offers, mostly adware, using the InstallBrain installer, a pay-per-install monetization download manager. InstallBrain will also install a background updater service that will update any installed browser add-ons and plug-ins.
Publisher:
ContentExplorer  (signed by Lake Ventures LLC)

Product:
ContentExplorer

Version:
8.0

MD5:
5d9f0b1b2f62100e3a927e4297b5ad7c

SHA-1:
aa989407aa6e4bd33349fdafb41c6f3356202631

SHA-256:
d24a9bbeb2e263f7389a949cd4966f13f34a3f80251f236bedc3df97f3e8d137

Scanner detections:
9 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware both search toolbars and PC optimizers from Performersoft.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
10/31/2024 10:34:36 PM UTC  (today)

Scan engine
Detection
Engine version

AegisLab AV Signature
AdWare.W32.InstallBrain
2.1.4+

Avira AntiVirus
TR/Dropper.MSIL.Gen
7.11.141.68

Baidu Antivirus
Adware.MSIL.iBryte
4.0.3.14112

Dr.Web
Adware.iBryte.491
9.0.1.05190

ESET NOD32
MSIL/Adware.iBryte (variant)
8.10547

McAfee
Artemis!3C5098BEA3C0
5600.6958

Reason Heuristics
PUP.Startup.LakeVentures.P
14.11.2.20

Sophos
Generic PUA CJ
4.98

Trend Micro House Call
Suspicious_GEN.F47V0819
7.2.306

File size:
2.3 MB (2,429,680 bytes)

Product version:
8.0

Copyright:
Copyright © ContentExplorer 2014

Original file name:
ContentExplorer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\contentexplorer\contentexplorer.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
12/17/2013 2:22:44 PM

Valid to:
12/17/2014 2:22:44 PM

Subject:
CN=Lake Ventures LLC, O=Lake Ventures LLC, L=Aliso Viejo, S=California, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2B14BBCA37F140

File PE Metadata
Compilation timestamp:
11/2/2014 5:00:27 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:7xizkaL0ma9RzqZmfpt4op9nLC/jn/uu4XQJemXZSV7ubm:Uom8Rz6Gpt4y9e/LWtgJeKZSBubm

Entry address:
0x2500A2

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.7824

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.3 MB (2,417,152 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
ContentExplorer

Command:
"C:\users\{user}\appdata\roaming\contentexplorer\contentexplorer.exe"


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to yyz08s13-in-f30.1e100.net  (74.125.226.126:443)

TCP (HTTP SSL):
Connects to server-54-192-91-178.ind6.r.cloudfront.net  (54.192.91.178:443)

TCP (HTTP SSL):
Connects to r-199-59-148-84.twttr.com  (199.59.148.84:443)

TCP (HTTP SSL):
Connects to ord08s12-in-f0.1e100.net  (74.125.225.0:443)

TCP (HTTP SSL):
Connects to ord08s11-in-f28.1e100.net  (173.194.46.92:443)

TCP (HTTP SSL):
Connects to ord08s11-in-f25.1e100.net  (173.194.46.89:443)

TCP (HTTP SSL):
Connects to ord08s11-in-f18.1e100.net  (173.194.46.82:443)

TCP (HTTP SSL):
Connects to ord08s11-in-f13.1e100.net  (173.194.46.77:443)

TCP (HTTP SSL):
Connects to m.xp1.ru4.com  (199.38.165.155:443)

TCP (HTTP SSL):
Connects to iad23s05-in-f2.1e100.net  (74.125.228.2:443)

TCP (HTTP SSL):
Connects to errserv-21.btrll.com  (162.208.21.166:443)

TCP (HTTP SSL):
Connects to errserv-20.btrll.com  (162.208.20.166:443)

TCP (HTTP SSL):
Connects to edge-star-shv-12-frc1.facebook.com  (173.252.100.27:443)

TCP (HTTP):
Connects to ec2-54-243-170-97.compute-1.amazonaws.com  (54.243.170.97:80)

TCP (HTTP SSL):
Connects to ec2-54-197-228-159.compute-1.amazonaws.com  (54.197.228.159:443)

TCP (HTTP):
Connects to ec2-23-23-150-209.compute-1.amazonaws.com  (23.23.150.209:80)

TCP (HTTP SSL):
Connects to ec2-23-21-169-67.compute-1.amazonaws.com  (23.21.169.67:443)

TCP (HTTP SSL):
Connects to d.xp1.ru4.com  (199.38.165.156:443)

TCP (HTTP SSL):
Connects to convserv-21.btrll.com  (162.208.21.164:443)

TCP (HTTP SSL):
Connects to accounts.ea.com  (159.153.228.75:443)

Remove ContentExplorer.exe - Powered by Reason Core Security