File name:	pia-windows-x64-3.5.7-08120.exe
Full analysis:	https://app.any.run/tasks/c510e55a-760d-4714-bf87-581e1ade913b
Verdict:	Malicious activity
Analysis date:	June 10, 2024, 00:47:33
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	C5A4DAD9025BD2196874B395DB2093E7
SHA1:	F38AC163E2064F249190A2CF7B3E50E1C66BEEF8
SHA256:	013A8235CB3126EA004C16A48671CB3045F81031864F2AF56BB9E50A6737EA28
SSDEEP:	393216:ltZJAGZxQBpPmXGawOgKoiOT+w57wghr:jZOB/CgkOFhr

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:03:27 12:04:13+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.29
CodeSize:	340992
InitializedDataSize:	21925376
UninitializedDataSize:	-
EntryPoint:	0x2cd84
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI


(PID) Process:	(6460) pia-windows-x64-3.5.7-08120.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piavpn
Operation:	write	Name:	URL Protocol
Value:
(PID) Process:	(6460) pia-windows-x64-3.5.7-08120.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:	write	Name:	setupapi.dev.log
Value: 4096
(PID) Process:	(6828) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tap-pia-0901
Operation:	write	Name:	Owners
Value: oem1.inf
(PID) Process:	(6828) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemRoot%/System32/drivers/tap-pia-0901.sys
Operation:	write	Name:	Owners
Value: oem1.inf
(PID) Process:	(6828) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_4c9c04020589fe8d\Descriptors\tap-pia-0901
Operation:	write	Name:	Configuration
Value: tap-pia-0901.ndi
(PID) Process:	(6828) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_4c9c04020589fe8d\Descriptors\tap-pia-0901
Operation:	write	Name:	Manufacturer
Value: %provider%
(PID) Process:	(6828) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_4c9c04020589fe8d\Descriptors\tap-pia-0901
Operation:	write	Name:	Description
Value: %devicedescription%
(PID) Process:	(6828) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_4c9c04020589fe8d\Configurations\tap-pia-0901.ndi
Operation:	write	Name:	Service
Value: tap-pia-0901
(PID) Process:	(6828) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_4c9c04020589fe8d\Configurations\tap-pia-0901.ndi
Operation:	write	Name:	ConfigScope
Value: 5
(PID) Process:	(6828) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_4c9c04020589fe8d\Configurations\tap-pia-0901.ndi\Driver\Ndi
Operation:	write	Name:	Service
Value: tap-pia-0901

PID	Process	Filename		Type
6460	pia-windows-x64-3.5.7-08120.exe	C:\Program Files\Private Internet Access\architecture.txt		text
		MD5:0027F42E1E5DFCB4FD5F8F9C6DB89AF3	SHA256:7520B5A1B312EFDE4FD7E2793EF4BC0CF8F1C235F778D203AB7216A0E31B3880
6460	pia-windows-x64-3.5.7-08120.exe	C:\Program Files\Private Internet Access\LICENSE.txt		text
		MD5:50B53397867963369D87695B4E70BE7F	SHA256:6EB99D0D071493B43AF549145F3CC311EB8EF593B4FB2D8C9E8A8743255FDA6B
6460	pia-windows-x64-3.5.7-08120.exe	C:\Program Files\Private Internet Access\Qt\labs\folderlistmodel\plugins.qmltypes		text
		MD5:3E72475117B4FCA01344C01E945D2E4E	SHA256:5F3888C687398413E1273BC7380FDFA50CBD3D502EB9FF3F63B40BD4D66F29BD
6460	pia-windows-x64-3.5.7-08120.exe	C:\Program Files\Private Internet Access\brand.txt		text
		MD5:1A212F8DB4799461E7B4EA4C5316BD4E	SHA256:0CCEDD0B0F8D3B7812836DF5B13D7F24935863F9D1302513E72EDF3ACA2B2261
6460	pia-windows-x64-3.5.7-08120.exe	C:\Program Files\Private Internet Access\QtGraphicalEffects\BrightnessContrast.qml		text
		MD5:4D10A854471E82FE9C1639FA31C650B7	SHA256:98060BFD123D2EE8A00FC6E9EA1C769390EF449CAE69343B84B3D3602769CBB1
6460	pia-windows-x64-3.5.7-08120.exe	C:\Program Files\Private Internet Access\openvpn_updown.bat		text
		MD5:73A2EE74F3A9556C6649F20C439F6459	SHA256:FB0635A6DA420CA611925EAD022C76815B0A174B6FB37D9EFFF211DAC3E3AA80
6460	pia-windows-x64-3.5.7-08120.exe	C:\Program Files\Private Internet Access\modern_shadowsocks.json		text
		MD5:E02B8341E944A52C634DBDE7DDECF0B1	SHA256:81DBA9EB3E77C1D87CC742C834C1BB569FF58F7E1CF493693F91C39825BD4053
6460	pia-windows-x64-3.5.7-08120.exe	C:\Program Files\Private Internet Access\Qt\labs\platform\plugins.qmltypes		text
		MD5:4B1DAC5DD47A1928E4B1635968774D68	SHA256:2E1A5C057B921CA6AA70BDD28E87F5BE907F6E8AD34B45DD8504E5FE6F92A632
6460	pia-windows-x64-3.5.7-08120.exe	C:\Program Files\Private Internet Access\modern_region_meta.json		text
		MD5:BEC6CEF4EDE461FE7757D058960F1A33	SHA256:077F3FA286E27561935D0284976E0670FB76F579A140EA9156F1384D298FF584
6460	pia-windows-x64-3.5.7-08120.exe	C:\Program Files\Private Internet Access\Qt\labs\settings\plugins.qmltypes		text
		MD5:6669D4C46230AB0F3481099D627FFB99	SHA256:79BF121D97758B4F7982BECB71D50A39C4EF65161857279CB5E53ABC84C4BFEB

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5576	svchost.exe	GET	200	2.19.117.22:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	2.17.0.227:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
5576	svchost.exe	GET	200	2.17.0.227:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
—	—	GET	200	2.17.0.227:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
—	—	GET	—	104.18.159.201:443	https://serverlist.piaservers.net/vpninfo/regions/v2	unknown	—	—	—
—	—	POST	204	104.110.240.59:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—
—	—	GET	200	172.64.151.73:443	https://api.privateinternetaccess.com/api/client/status	unknown	binary	39 b	—
—	—	GET	200	104.19.240.167:443	https://serverlist.piaservers.net/vpninfo/servers/v6	unknown	text	114 Kb	—
—	—	GET	200	104.19.240.167:443	https://serverlist.piaservers.net/shadow_socks	unknown	text	1.50 Kb	—
—	—	GET	200	104.110.240.131:443	https://www.bing.com/manifest/threshold.appcache	unknown	text	3.36 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5140	MoUsoCoreWorker.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5576	svchost.exe	2.19.117.22:80	crl.microsoft.com	Akamai International B.V.	GB	unknown
5576	svchost.exe	2.17.0.227:80	www.microsoft.com	AKAMAI-AS	DK	unknown
—	—	2.17.0.227:80	www.microsoft.com	AKAMAI-AS	DK	unknown
5140	MoUsoCoreWorker.exe	2.17.0.227:80	www.microsoft.com	AKAMAI-AS	DK	unknown
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5576	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5140	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
crl.microsoft.com	2.19.117.22 2.19.117.18	whitelisted
www.microsoft.com	2.17.0.227	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
api.privateinternetaccess.com	172.64.151.73 104.18.36.183	unknown
www.privateinternetaccess.com	172.64.151.73 104.18.36.183	unknown
serverlist.piaservers.net	104.19.240.167 104.18.159.201	unknown
r.bing.com	104.110.240.59 104.110.240.131	whitelisted
self.events.data.microsoft.com	52.182.143.214	whitelisted

General Info

pia-windows-x64-3.5.7-08120.exe

C5A4DAD9025BD2196874B395DB2093E7

F38AC163E2064F249190A2CF7B3E50E1C66BEEF8

013A8235CB3126EA004C16A48671CB3045F81031864F2AF56BB9E50A6737EA28

393216:ltZJAGZxQBpPmXGawOgKoiOT+w57wghr:jZOB/CgkOFhr

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Creates a writable file in the system directory

Drops the executable file immediately after the start

SUSPICIOUS

Drops a system driver (possible attempt to evade defenses)

Checks Windows Trust Settings

Process drops legitimate windows executable

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

The process drops C-runtime libraries

Creates files in the driver directory

Creates or modifies Windows services

Executes as Windows Service

Detected use of alternative data streams (AltDS)

Reads the Windows owner or organization settings

Creates a software uninstall entry

INFO

Reads the computer name

Checks supported languages

Creates files in the program directory

Reads the machine GUID from the registry

Reads the software policy settings

Create files in a temporary directory

Executable content was dropped or overwritten

Creates files or folders in the user directory

Application launched itself

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings