Malware analysis APInstaller.exe Malicious activity | ANY.RUN

Add for printing

File name:	APInstaller.exe
Full analysis:	https://app.any.run/tasks/344eaac7-430e-46a7-9c36-3697edbe1130
Verdict:	Malicious activity
Analysis date:	December 17, 2023, 11:40:05
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	3074DB81016323D638A2746E3656583C
SHA1:	AB8637D0116C74A077F26A313774F4C120C55600
SHA256:	0F0FA76ABE9971BCB653C333C569FF64BA336181E2F875853ABEBCD84BA757B6
SSDEEP:	24576:h6VnvKVkm+DNRCyvEY9SvD64x1n5L/Q3olBM:h6VnvKVh+DNRCyvEY9A64x15L/Q3olBM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - APInstaller.exe (PID: 548)
  - Adaware-Privacy-Installer.exe (PID: 784)
- Creates a writable file in the system directory
  - rundll32.exe (PID: 376)
- Starts NET.EXE for service management
  - Adaware-Privacy-Installer.exe (PID: 784)
  - net.exe (PID: 2892)
- Actions looks like stealing of personal data
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Steals credentials from Web Browsers
  - Adaware-Privacy.exe (PID: 3092)
- Changes the autorun value in the registry
  - Adaware-Privacy.exe (PID: 292)
SUSPICIOUS
- Starts SC.EXE for service management
  - Adaware-Privacy-Installer.exe (PID: 784)
  - cmd.exe (PID: 2492)
- Searches for installed software
  - Adaware-Privacy-Installer.exe (PID: 784)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Reads settings of System Certificates
  - Adaware-Privacy-Installer.exe (PID: 784)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Reads the Internet Settings
  - Adaware-Privacy-Installer.exe (PID: 784)
  - runonce.exe (PID: 2588)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Drops a system driver (possible attempt to evade defenses)
  - Adaware-Privacy-Installer.exe (PID: 784)
  - rundll32.exe (PID: 376)
- Uses RUNDLL32.EXE to load library
  - Adaware-Privacy-Installer.exe (PID: 784)
- Starts CMD.EXE for commands execution
  - AP-Assistant-Service.exe (PID: 2640)
  - Adaware-Privacy-Installer.exe (PID: 784)
- The process verifies whether the antivirus software is installed
  - rundll32.exe (PID: 376)
  - AP-Assistant-Service.exe (PID: 2640)
  - cmd.exe (PID: 2492)
  - sc.exe (PID: 2360)
  - DCIService.exe (PID: 2840)
  - Adaware-Privacy-Installer.exe (PID: 784)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Suspicious use of NETSH.EXE
  - cmd.exe (PID: 2432)
  - cmd.exe (PID: 3000)
- Executing commands from ".cmd" file
  - Adaware-Privacy-Installer.exe (PID: 784)
- Executes as Windows Service
  - DCIService.exe (PID: 2840)
  - AP-Assistant-Service.exe (PID: 2640)
- Changes internet zones settings
  - Adaware-Privacy-Installer.exe (PID: 784)
- Process drops legitimate windows executable
  - Adaware-Privacy-Installer.exe (PID: 784)
- The process drops C-runtime libraries
  - Adaware-Privacy-Installer.exe (PID: 784)
INFO
- Checks supported languages
  - APInstaller.exe (PID: 548)
  - Adaware-Privacy-Installer.exe (PID: 784)
  - AP-Assistant-Service.exe (PID: 2640)
  - DCIService.exe (PID: 2840)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Reads the computer name
  - Adaware-Privacy-Installer.exe (PID: 784)
  - AP-Assistant-Service.exe (PID: 2640)
  - DCIService.exe (PID: 2840)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Reads the machine GUID from the registry
  - Adaware-Privacy-Installer.exe (PID: 784)
  - AP-Assistant-Service.exe (PID: 2640)
  - Adaware-Privacy.exe (PID: 3092)
  - DCIService.exe (PID: 2840)
  - Adaware-Privacy.exe (PID: 292)
- Reads Environment values
  - Adaware-Privacy-Installer.exe (PID: 784)
  - AP-Assistant-Service.exe (PID: 2640)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy.exe (PID: 292)
- Create files in a temporary directory
  - APInstaller.exe (PID: 548)
  - Adaware-Privacy-Installer.exe (PID: 784)
- Creates files in the program directory
  - Adaware-Privacy-Installer.exe (PID: 784)
  - AP-Assistant-Service.exe (PID: 2640)
  - Adaware-Privacy.exe (PID: 3092)
  - DCIService.exe (PID: 2840)
  - Adaware-Privacy.exe (PID: 292)
- Drops the executable file immediately after the start
  - rundll32.exe (PID: 376)
- Creates files in the driver directory
  - rundll32.exe (PID: 376)
- Reads the time zone
  - runonce.exe (PID: 2588)
- Creates files or folders in the user directory
  - DCIService.exe (PID: 2840)
  - Adaware-Privacy.exe (PID: 3092)
  - Adaware-Privacy-Installer.exe (PID: 784)
  - Adaware-Privacy.exe (PID: 292)
- Reads product name
  - Adaware-Privacy.exe (PID: 3092)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (36.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (26.6)
.exe	\|	Win64 Executable (generic) (23.6)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2011:04:18 20:54:06+02:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	104448
InitializedDataSize:	136704
UninitializedDataSize:	-
EntryPoint:	0x148d4
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.9.0.324
ProductVersionNumber:	1.9.0.324
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileVersion:	1.9.0.324
ProductVersion:	1.9.0.324
OriginalFileName:	Adaware Privacy
InternalName:	Adaware Privacy
FileDescription:	Adaware Privacy
CompanyName:	Adaware
LegalCopyright:	Adaware Software Canada. All Rights Reserved.
ProductName:	Adaware Privacy

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

"C:\Users\admin\Desktop\APInstaller.exe"

C:\Users\admin\Desktop\APInstaller.exe

—

explorer.exe

User:

admin

Company:

Adaware

Integrity Level:

MEDIUM

Description:

Adaware Privacy

Exit code:

3221226540

Version:

1.9.0.324

Modules

Images
c:\users\admin\desktop\apinstaller.exe
c:\windows\system32\ntdll.dll

292

"C:\Program Files\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe" --afterinstall

C:\Program Files\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe

Adaware-Privacy-Installer.exe

User:

admin

Company:

Adaware

Integrity Level:

HIGH

Description:

Adaware Privacy

Exit code:

Version:

1.9.0.324

Modules

Images
c:\program files\adaware\adaware privacy\application\adaware-privacy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

376

"C:\Windows\system32\RunDLL32.Exe" syssetup,SetupInfObjectInstallAction BootInstall 128 C:\Program Files\Adaware\Adaware Privacy\Service\Win32\bddci.inf

C:\Windows\System32\rundll32.exe

—

Adaware-Privacy-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

548

"C:\Users\admin\Desktop\APInstaller.exe"

C:\Users\admin\Desktop\APInstaller.exe

explorer.exe

User:

admin

Company:

Adaware

Integrity Level:

HIGH

Description:

Adaware Privacy

Exit code:

Version:

1.9.0.324

Modules

Images
c:\users\admin\desktop\apinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

632

"sc.exe" description "APAssistantService" "Adaware Privacy Internet security service"

C:\Windows\System32\sc.exe

—

Adaware-Privacy-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

664

netsh http add urlacl url=http://+:8006/ user=Everyone

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

784

.\Adaware-Privacy-Installer.exe --culture=pt --install --uniqueId=8118fe79-9c62-4dc0-825b-5dd12a92684c --prod --partner=adaware --version=1.9.0.324

C:\Users\admin\AppData\Local\Temp\7zS422A461E\Adaware-Privacy-Installer.exe

APInstaller.exe

User:

admin

Company:

Adaware

Integrity Level:

HIGH

Description:

Adaware Privacy

Exit code:

Version:

1.9.0.324

Modules

Images
c:\users\admin\appdata\local\temp\7zs422a461e\adaware-privacy-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1220

"sc.exe" description "DCIService" "Webprotection Bridge service"

C:\Windows\System32\sc.exe

—

Adaware-Privacy-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1992

C:\Windows\system32\net1 start bddci

C:\Windows\System32\net1.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll

2096

"sc.exe" failure APAssistantService reset= 30 actions= restart/60000

C:\Windows\System32\sc.exe

—

Adaware-Privacy-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

25 586

Read events

25 410

Write events

175

Delete events

Modification events


(PID) Process:	(784) Adaware-Privacy-Installer.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(784) Adaware-Privacy-Installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:	write	Name:	Name
Value: Explorer.EXE
(PID) Process:	(784) Adaware-Privacy-Installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(784) Adaware-Privacy-Installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(784) Adaware-Privacy-Installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(784) Adaware-Privacy-Installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2640) AP-Assistant-Service.exe	Key:	HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2640) AP-Assistant-Service.exe	Key:	HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2588) runonce.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	delete value	Name:	GrpConv
Value: grpconv -o
(PID) Process:	(664) netsh.exe	Key:	HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

188

Suspicious files

120

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\fr-CA\Adaware-Privacy-Installer.resources.dll		executable
		MD5:BC19C69C570E8566EF986AD642542508	SHA256:29A0E3C5336979BA707EB489A46513985D8A27E6E2877A160A46A003F6152F6E
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\ja-JP\Adaware-Privacy-Installer.resources.dll		executable
		MD5:19645041D54B5A9B0AA15D5E22AD75B1	SHA256:5825A5FED5E264D6D5014DAF67F54AEBA828FB5BE3A2F7BC7C7D6E8FB81D02AF
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\tr-TR\Adaware-Privacy-Installer.resources.dll		executable
		MD5:DDE89709D2A1F3B9B695F1B617E76CCB	SHA256:A6868A4535D9D9E09F6990755C8BAC5F13CBE387859289CCF86786F8EDA23CBF
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\Adaware-Privacy-Installer.exe.config		xml
		MD5:507A0F6B4A28174B14CC9995CC212CC2	SHA256:B9171F9325E78517C086A1F0E4723EF6AAF75BB047252884D05FDC3A168B2040
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\Newtonsoft.Json.dll		executable
		MD5:F4603EF5D9B8268796D9324873C55131	SHA256:254CBF014D0AB77B08FBE483F8F65D3B903A7B341B930B596C4806B49E1DED4B
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\zh-CHS\Adaware-Privacy-Installer.resources.dll		executable
		MD5:C82AA7BA067A9182CB5479E9903BB9A0	SHA256:C8EAEDA368A64F7B6BE1DE33F1097DFD5D1DF04E08403CD2C4E6F09BA7E13E83
548	APInstaller.exe	C:\Users\admin\AppData\Local\Temp\7zS422A461E\ru-RU\Adaware-Privacy-Installer.resources.dll		executable
		MD5:906DF3550175A6A07844AEC13A621E14	SHA256:EF4B4306A231CDF908D4C9BE978E8A3D95BCEB70A15EAE6F26E81D61EE7EDFB7
784	Adaware-Privacy-Installer.exe	C:\Program Files\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe		executable
		MD5:639C6C530F8DE5566C84DDFDACB20130	SHA256:58D2BE02D53BA3DE6846189127597586E541097EB40F4933CCD404646DE43815
784	Adaware-Privacy-Installer.exe	C:\Program Files\Adaware\Adaware Privacy\Application\Adaware-Privacy-Installer.exe		executable
		MD5:8087B2250B5BD3BDD12A739DD03BCBB7	SHA256:4F2F597697F51F0CEE2371B226DC5B6086AD8F33AE1745319896340C321BA847
784	Adaware-Privacy-Installer.exe	C:\Users\admin\AppData\Local\Temp\AdawarePrivacy.zip		compressed
		MD5:309898CE0AD47767BF5F2D5054555F3E	SHA256:FD81DF168DE09BEDD165128A56E74E92E11DD4BE8628752969AA7E18C3C2A216

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
784	Adaware-Privacy-Installer.exe	GET	200	104.17.8.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown
784	Adaware-Privacy-Installer.exe	GET	200	104.17.8.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown
3092	Adaware-Privacy.exe	GET	302	104.18.68.73:80	http://adaware.com/version_logs?json=true&version=1.9.0.324	unknown	—	—	unknown
3092	Adaware-Privacy.exe	GET	200	104.17.9.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown
3092	Adaware-Privacy.exe	GET	200	104.17.9.52:80	http://geo.lavasoft.com/	unknown	binary	50 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
784	Adaware-Privacy-Installer.exe	104.18.27.149:443	flwadw.com	CLOUDFLARENET	—	shared
784	Adaware-Privacy-Installer.exe	104.18.68.73:443	download.adaware.com	CLOUDFLARENET	—	unknown
784	Adaware-Privacy-Installer.exe	104.17.8.52:80	geo.lavasoft.com	CLOUDFLARENET	—	shared
784	Adaware-Privacy-Installer.exe	104.17.8.52:443	geo.lavasoft.com	CLOUDFLARENET	—	shared
3092	Adaware-Privacy.exe	104.17.9.52:80	geo.lavasoft.com	CLOUDFLARENET	—	shared
3092	Adaware-Privacy.exe	104.17.8.52:443	geo.lavasoft.com	CLOUDFLARENET	—	shared
3092	Adaware-Privacy.exe	104.18.27.149:443	flwadw.com	CLOUDFLARENET	—	shared
3092	Adaware-Privacy.exe	104.18.67.73:443	download.adaware.com	CLOUDFLARENET	—	unknown

DNS requests

Domain	IP	Reputation
flwadw.com	104.18.27.149 104.18.26.149	unknown
download.adaware.com	104.18.68.73 104.18.67.73	unknown
geo.lavasoft.com	104.17.8.52 104.17.9.52	unknown
featureflags.lavasoft.com	104.17.8.52 104.17.9.52	unknown
rt.adaware.com	104.18.68.73 104.18.67.73	unknown
acs.lavasoft.com	104.17.8.52 104.17.9.52	unknown
acscdn.lavasoft.com	104.17.8.52 104.17.9.52	unknown
sg-bitmask.adaware.com	104.18.67.73 104.18.68.73	unknown
adaware.com	104.18.68.73 104.18.67.73	whitelisted
www.adaware.com	104.18.67.73 104.18.68.73	unknown

Threats

No threats detected

Add for printing

Process	Message
Adaware-Privacy-Installer.exe	Detecting windows culture
Adaware-Privacy-Installer.exe	12/17/2023 11:40:20 AM :-> SendIPTracking: get uniqueId= 8118fe79-9c62-4dc0-825b-5dd12a92684c
Adaware-Privacy-Installer.exe	12/17/2023 11:40:20 AM :-> SendIPTracking:lastModified: 12/17/2023 11:40:19 AM
Adaware-Privacy-Installer.exe	12/17/2023 11:40:20 AM :-> SendIPTracking: file name: C:\Users\admin\Desktop\APInstaller.exe
Adaware-Privacy-Installer.exe	12/17/2023 11:40:20 AM :-> SendIPTracking: get modifiedDate= 2023-12-17T11:40:19.0141250Z
Adaware-Privacy-Installer.exe	12/17/2023 11:40:20 AM :-> SendIPTracking: Process found
Adaware-Privacy-Installer.exe	12/17/2023 11:40:20 AM :-> Preprare request for IPTracking. URL: https://download.adaware.com/Track?uniqueId=8118fe79-9c62-4dc0-825b-5dd12a92684c&downloadedDate=2023-12-17T11%3A40%3A19.0141250Z
Adaware-Privacy-Installer.exe	12/17/2023 11:40:22 AM :-> response for IPTracking. response: Status.Ok
Adaware-Privacy-Installer.exe	12/17/2023 11:40:23 AM :-> SendIPTracking: Send Tracking info
Adaware-Privacy-Installer.exe	Preparing request for featureflag: {"Geo":"DE","Partner":"adaware","Campaign":"NA","InstallDate":"20231217","TriggerType":"install","TriggerEvent":"installer","Version":"1.9.0.324","featurewp":true,"featureal":true}

General Info

APInstaller.exe

3074DB81016323D638A2746E3656583C

AB8637D0116C74A077F26A313774F4C120C55600

0F0FA76ABE9971BCB653C333C569FF64BA336181E2F875853ABEBCD84BA757B6

24576:h6VnvKVkm+DNRCyvEY9SvD64x1n5L/Q3olBM:h6VnvKVh+DNRCyvEY9A64x15L/Q3olBM

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Creates a writable file in the system directory

Starts NET.EXE for service management

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Changes the autorun value in the registry

SUSPICIOUS

Starts SC.EXE for service management

Searches for installed software

Reads settings of System Certificates

Reads the Internet Settings

Drops a system driver (possible attempt to evade defenses)

Uses RUNDLL32.EXE to load library

Starts CMD.EXE for commands execution

The process verifies whether the antivirus software is installed

Suspicious use of NETSH.EXE

Executing commands from ".cmd" file

Executes as Windows Service

Changes internet zones settings

Process drops legitimate windows executable

The process drops C-runtime libraries

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads Environment values

Create files in a temporary directory

Creates files in the program directory

Drops the executable file immediately after the start

Creates files in the driver directory

Reads the time zone

Creates files or folders in the user directory

Reads product name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests