Malware analysis APInstaller.exe Malicious activity | ANY.RUN

Add for printing

File name:	APInstaller.exe
Full analysis:	https://app.any.run/tasks/344eaac7-430e-46a7-9c36-3697edbe1130
Verdict:	Malicious activity
Analysis date:	December 17, 2023, 11:40:05
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	3074DB81016323D638A2746E3656583C
SHA1:	AB8637D0116C74A077F26A313774F4C120C55600
SHA256:	0F0FA76ABE9971BCB653C333C569FF64BA336181E2F875853ABEBCD84BA757B6
SSDEEP:	24576:h6VnvKVkm+DNRCyvEY9SvD64x1n5L/Q3olBM:h6VnvKVh+DNRCyvEY9A64x15L/Q3olBM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - APInstaller.exe (PID: 548)
  - Adaware-Privacy-Installer.exe (PID: 784)
- Starts NET.EXE for service management
  - net.exe (PID: 2892)
  - Adaware-Privacy-Installer.exe (PID: 784)
- Creates a writable file in the system directory
  - rundll32.exe (PID: 376)
- Steals credentials from Web Browsers
  - Adaware-Privacy.exe (PID: 3092)
- Actions looks like stealing of personal data
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Changes the autorun value in the registry
  - Adaware-Privacy.exe (PID: 292)
SUSPICIOUS
- Searches for installed software
  - Adaware-Privacy-Installer.exe (PID: 784)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Reads settings of System Certificates
  - Adaware-Privacy-Installer.exe (PID: 784)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Drops a system driver (possible attempt to evade defenses)
  - Adaware-Privacy-Installer.exe (PID: 784)
  - rundll32.exe (PID: 376)
- Reads the Internet Settings
  - Adaware-Privacy-Installer.exe (PID: 784)
  - runonce.exe (PID: 2588)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Process drops legitimate windows executable
  - Adaware-Privacy-Installer.exe (PID: 784)
- The process drops C-runtime libraries
  - Adaware-Privacy-Installer.exe (PID: 784)
- Executes as Windows Service
  - AP-Assistant-Service.exe (PID: 2640)
  - DCIService.exe (PID: 2840)
- The process verifies whether the antivirus software is installed
  - AP-Assistant-Service.exe (PID: 2640)
  - rundll32.exe (PID: 376)
  - Adaware-Privacy-Installer.exe (PID: 784)
  - sc.exe (PID: 2360)
  - DCIService.exe (PID: 2840)
  - cmd.exe (PID: 2492)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Starts CMD.EXE for commands execution
  - AP-Assistant-Service.exe (PID: 2640)
  - Adaware-Privacy-Installer.exe (PID: 784)
- Suspicious use of NETSH.EXE
  - cmd.exe (PID: 2432)
  - cmd.exe (PID: 3000)
- Executing commands from ".cmd" file
  - Adaware-Privacy-Installer.exe (PID: 784)
- Starts SC.EXE for service management
  - cmd.exe (PID: 2492)
  - Adaware-Privacy-Installer.exe (PID: 784)
- Changes internet zones settings
  - Adaware-Privacy-Installer.exe (PID: 784)
- Uses RUNDLL32.EXE to load library
  - Adaware-Privacy-Installer.exe (PID: 784)
INFO
- Checks supported languages
  - APInstaller.exe (PID: 548)
  - Adaware-Privacy-Installer.exe (PID: 784)
  - AP-Assistant-Service.exe (PID: 2640)
  - DCIService.exe (PID: 2840)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Reads the computer name
  - Adaware-Privacy-Installer.exe (PID: 784)
  - AP-Assistant-Service.exe (PID: 2640)
  - DCIService.exe (PID: 2840)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Create files in a temporary directory
  - APInstaller.exe (PID: 548)
  - Adaware-Privacy-Installer.exe (PID: 784)
- Reads the machine GUID from the registry
  - Adaware-Privacy-Installer.exe (PID: 784)
  - AP-Assistant-Service.exe (PID: 2640)
  - Adaware-Privacy.exe (PID: 3092)
  - DCIService.exe (PID: 2840)
  - Adaware-Privacy.exe (PID: 292)
- Reads Environment values
  - Adaware-Privacy-Installer.exe (PID: 784)
  - AP-Assistant-Service.exe (PID: 2640)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Creates files in the program directory
  - Adaware-Privacy-Installer.exe (PID: 784)
  - AP-Assistant-Service.exe (PID: 2640)
  - Adaware-Privacy.exe (PID: 3092)
  - DCIService.exe (PID: 2840)
  - Adaware-Privacy.exe (PID: 292)
- Creates files in the driver directory
  - rundll32.exe (PID: 376)
- Reads the time zone
  - runonce.exe (PID: 2588)
- Creates files or folders in the user directory
  - DCIService.exe (PID: 2840)
  - Adaware-Privacy-Installer.exe (PID: 784)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Reads product name
  - Adaware-Privacy.exe (PID: 3092)
- Drops the executable file immediately after the start
  - rundll32.exe (PID: 376)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (36.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (26.6)
.exe	\|	Win64 Executable (generic) (23.6)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2011:04:18 20:54:06+02:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	104448
InitializedDataSize:	136704
UninitializedDataSize:	-
EntryPoint:	0x148d4
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.9.0.324
ProductVersionNumber:	1.9.0.324
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileVersion:	1.9.0.324
ProductVersion:	1.9.0.324
OriginalFileName:	Adaware Privacy
InternalName:	Adaware Privacy
FileDescription:	Adaware Privacy
CompanyName:	Adaware
LegalCopyright:	Adaware Software Canada. All Rights Reserved.
ProductName:	Adaware Privacy

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

"C:\Users\admin\Desktop\APInstaller.exe"

C:\Users\admin\Desktop\APInstaller.exe

—

explorer.exe

User:

admin

Company:

Adaware

Integrity Level:

MEDIUM

Description:

Adaware Privacy

Exit code:

3221226540

Version:

1.9.0.324

Modules

Images
c:\users\admin\desktop\apinstaller.exe
c:\windows\system32\ntdll.dll

292

"C:\Program Files\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe" --afterinstall

C:\Program Files\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe

Adaware-Privacy-Installer.exe

User:

admin

Company:

Adaware

Integrity Level:

HIGH

Description:

Adaware Privacy

Exit code:

Version:

1.9.0.324

Modules

Images
c:\program files\adaware\adaware privacy\application\adaware-privacy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

376

"C:\Windows\system32\RunDLL32.Exe" syssetup,SetupInfObjectInstallAction BootInstall 128 C:\Program Files\Adaware\Adaware Privacy\Service\Win32\bddci.inf

C:\Windows\System32\rundll32.exe

—

Adaware-Privacy-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

548

"C:\Users\admin\Desktop\APInstaller.exe"

C:\Users\admin\Desktop\APInstaller.exe

explorer.exe

User:

admin

Company:

Adaware

Integrity Level:

HIGH

Description:

Adaware Privacy

Exit code:

Version:

1.9.0.324

Modules

Images
c:\users\admin\desktop\apinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

632

"sc.exe" description "APAssistantService" "Adaware Privacy Internet security service"

C:\Windows\System32\sc.exe

—

Adaware-Privacy-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

664

netsh http add urlacl url=http://+:8006/ user=Everyone

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

784

.\Adaware-Privacy-Installer.exe --culture=pt --install --uniqueId=8118fe79-9c62-4dc0-825b-5dd12a92684c --prod --partner=adaware --version=1.9.0.324

C:\Users\admin\AppData\Local\Temp\7zS422A461E\Adaware-Privacy-Installer.exe

APInstaller.exe

User:

admin

Company:

Adaware

Integrity Level:

HIGH

Description:

Adaware Privacy

Exit code:

Version:

1.9.0.324

Modules

Images
c:\users\admin\appdata\local\temp\7zs422a461e\adaware-privacy-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1220

"sc.exe" description "DCIService" "Webprotection Bridge service"

C:\Windows\System32\sc.exe

—

Adaware-Privacy-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1992

C:\Windows\system32\net1 start bddci

C:\Windows\System32\net1.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll

2096

"sc.exe" failure APAssistantService reset= 30 actions= restart/60000

C:\Windows\System32\sc.exe

—

Adaware-Privacy-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

25 586

Read events

25 410

Write events

175

Delete events

Modification events


(PID) Process:	(784) Adaware-Privacy-Installer.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(784) Adaware-Privacy-Installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:	write	Name:	Name
Value: Explorer.EXE
(PID) Process:	(784) Adaware-Privacy-Installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(784) Adaware-Privacy-Installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(784) Adaware-Privacy-Installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(784) Adaware-Privacy-Installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2640) AP-Assistant-Service.exe	Key:	HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2640) AP-Assistant-Service.exe	Key:	HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2588) runonce.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	delete value	Name:	GrpConv
Value: grpconv -o
(PID) Process:	(664) netsh.exe	Key:	HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

188

Suspicious files

120

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\it-IT\Adaware-Privacy-Installer.resources.dll		executable
		MD5:AEFC591A766704F221E2192139CA4B99	SHA256:391C1E14BC2B871F7B29078BA349C6D41697A8CDF01C3EA39FF847F6CA7D7B31
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\ICSharpCode.SharpZipLib.dll		executable
		MD5:C6EBF27C47A36BE749A632C58CA5C3C6	SHA256:01A730BE601E505DDDF4A3E94A573B5050074FE512BDCD2ADDB49E0DF1670BC0
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\Adaware-Privacy-Installer.exe.config		xml
		MD5:507A0F6B4A28174B14CC9995CC212CC2	SHA256:B9171F9325E78517C086A1F0E4723EF6AAF75BB047252884D05FDC3A168B2040
784	Adaware-Privacy-Installer.exe	C:\Program Files\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe.config		xml
		MD5:9BDBF5D5EE8F4279622527C5F9FAC256	SHA256:7EDD249E2B78B0EEDE2D3B6571AE7B9B4124ADF4771872298DC08F56547F329B
784	Adaware-Privacy-Installer.exe	C:\Program Files\Adaware\Adaware Privacy\Application\AdawarePrivacyIcon.ico		image
		MD5:33A3CACD1FC180DA9D9C991E6CAF37CB	SHA256:83F7FCD34F6EB3DFD73F1A3CC8683E9D0B82F0B909A08CBD91F3D4E915ABA7C8
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\ja-JP\Adaware-Privacy-Installer.resources.dll		executable
		MD5:19645041D54B5A9B0AA15D5E22AD75B1	SHA256:5825A5FED5E264D6D5014DAF67F54AEBA828FB5BE3A2F7BC7C7D6E8FB81D02AF
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\zh-CHS\Adaware-Privacy-Installer.resources.dll		executable
		MD5:C82AA7BA067A9182CB5479E9903BB9A0	SHA256:C8EAEDA368A64F7B6BE1DE33F1097DFD5D1DF04E08403CD2C4E6F09BA7E13E83
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\ru-RU\Adaware-Privacy-Installer.resources.dll		executable
		MD5:906DF3550175A6A07844AEC13A621E14	SHA256:EF4B4306A231CDF908D4C9BE978E8A3D95BCEB70A15EAE6F26E81D61EE7EDFB7
784	Adaware-Privacy-Installer.exe	C:\ProgramData\Adaware\Adaware Privacy\Options\Statistics.txt		binary
		MD5:B0F40142E8741462036AFB070F90CFE2	SHA256:E3F714B7E194EFF02B058BB1545A90D98CF8301BCDCA539BFE27AC24D16C8D89
784	Adaware-Privacy-Installer.exe	C:\Program Files\Adaware\Adaware Privacy\Application\Adaware-Privacy-Installer.exe		executable
		MD5:8087B2250B5BD3BDD12A739DD03BCBB7	SHA256:4F2F597697F51F0CEE2371B226DC5B6086AD8F33AE1745319896340C321BA847

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3092	Adaware-Privacy.exe	GET	200	104.17.9.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown
784	Adaware-Privacy-Installer.exe	GET	200	104.17.8.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown
3092	Adaware-Privacy.exe	GET	302	104.18.68.73:80	http://adaware.com/version_logs?json=true&version=1.9.0.324	unknown	—	—	unknown
784	Adaware-Privacy-Installer.exe	GET	200	104.17.8.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown
3092	Adaware-Privacy.exe	GET	200	104.17.9.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
784	Adaware-Privacy-Installer.exe	104.18.27.149:443	flwadw.com	CLOUDFLARENET	—	shared
784	Adaware-Privacy-Installer.exe	104.18.68.73:443	download.adaware.com	CLOUDFLARENET	—	unknown
784	Adaware-Privacy-Installer.exe	104.17.8.52:80	geo.lavasoft.com	CLOUDFLARENET	—	shared
784	Adaware-Privacy-Installer.exe	104.17.8.52:443	geo.lavasoft.com	CLOUDFLARENET	—	shared
3092	Adaware-Privacy.exe	104.17.9.52:80	geo.lavasoft.com	CLOUDFLARENET	—	shared
3092	Adaware-Privacy.exe	104.17.8.52:443	geo.lavasoft.com	CLOUDFLARENET	—	shared
3092	Adaware-Privacy.exe	104.18.27.149:443	flwadw.com	CLOUDFLARENET	—	shared
3092	Adaware-Privacy.exe	104.18.67.73:443	download.adaware.com	CLOUDFLARENET	—	unknown

DNS requests

Domain	IP	Reputation
flwadw.com	104.18.27.149 104.18.26.149	unknown
download.adaware.com	104.18.68.73 104.18.67.73	unknown
geo.lavasoft.com	104.17.8.52 104.17.9.52	unknown
featureflags.lavasoft.com	104.17.8.52 104.17.9.52	unknown
rt.adaware.com	104.18.68.73 104.18.67.73	unknown
acs.lavasoft.com	104.17.8.52 104.17.9.52	unknown
acscdn.lavasoft.com	104.17.8.52 104.17.9.52	unknown
sg-bitmask.adaware.com	104.18.67.73 104.18.68.73	unknown
adaware.com	104.18.68.73 104.18.67.73	whitelisted
www.adaware.com	104.18.67.73 104.18.68.73	unknown

Threats

No threats detected

Add for printing

Process	Message
Adaware-Privacy-Installer.exe	Detecting windows culture
Adaware-Privacy-Installer.exe	12/17/2023 11:40:20 AM :-> SendIPTracking: get uniqueId= 8118fe79-9c62-4dc0-825b-5dd12a92684c
Adaware-Privacy-Installer.exe	12/17/2023 11:40:20 AM :-> SendIPTracking:lastModified: 12/17/2023 11:40:19 AM
Adaware-Privacy-Installer.exe	12/17/2023 11:40:20 AM :-> SendIPTracking: file name: C:\Users\admin\Desktop\APInstaller.exe
Adaware-Privacy-Installer.exe	12/17/2023 11:40:20 AM :-> SendIPTracking: get modifiedDate= 2023-12-17T11:40:19.0141250Z
Adaware-Privacy-Installer.exe	12/17/2023 11:40:20 AM :-> SendIPTracking: Process found
Adaware-Privacy-Installer.exe	12/17/2023 11:40:20 AM :-> Preprare request for IPTracking. URL: https://download.adaware.com/Track?uniqueId=8118fe79-9c62-4dc0-825b-5dd12a92684c&downloadedDate=2023-12-17T11%3A40%3A19.0141250Z
Adaware-Privacy-Installer.exe	12/17/2023 11:40:22 AM :-> response for IPTracking. response: Status.Ok
Adaware-Privacy-Installer.exe	12/17/2023 11:40:23 AM :-> SendIPTracking: Send Tracking info
Adaware-Privacy-Installer.exe	Preparing request for featureflag: {"Geo":"DE","Partner":"adaware","Campaign":"NA","InstallDate":"20231217","TriggerType":"install","TriggerEvent":"installer","Version":"1.9.0.324","featurewp":true,"featureal":true}

General Info

APInstaller.exe

3074DB81016323D638A2746E3656583C

AB8637D0116C74A077F26A313774F4C120C55600

0F0FA76ABE9971BCB653C333C569FF64BA336181E2F875853ABEBCD84BA757B6

24576:h6VnvKVkm+DNRCyvEY9SvD64x1n5L/Q3olBM:h6VnvKVh+DNRCyvEY9A64x15L/Q3olBM

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Starts NET.EXE for service management

Creates a writable file in the system directory

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Changes the autorun value in the registry

SUSPICIOUS

Searches for installed software

Reads settings of System Certificates

Drops a system driver (possible attempt to evade defenses)

Reads the Internet Settings

Process drops legitimate windows executable

The process drops C-runtime libraries

Executes as Windows Service

The process verifies whether the antivirus software is installed

Starts CMD.EXE for commands execution

Suspicious use of NETSH.EXE

Executing commands from ".cmd" file

Starts SC.EXE for service management

Changes internet zones settings

Uses RUNDLL32.EXE to load library

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Reads the machine GUID from the registry

Reads Environment values

Creates files in the program directory

Creates files in the driver directory

Reads the time zone

Creates files or folders in the user directory

Reads product name

Drops the executable file immediately after the start

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests