File name: OffercastInstaller_AVR_U-0087-01-P_.exe
Full analysis: https://app.any.run/tasks/e0e3cba3-a7ba-41f9-a6f8-7821a022a727
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: April 14, 2020, 16:28:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 302DD0119A39F3E726721BC6D82E29A4
SHA1: F42337E70886DB01977319E632FFB4356003050E
SHA256: 64FFAAE707CC563F06F9D43B50D2E6B9603BCAD10B9E22E030DB1743B5304A53
SSDEEP: 24576:eu8qWJEtGWgdbERu+Ta34Y0PxlU78SqIEtNgooj9Yo:eFXfdb0a34Y0PxlUoXIEtNQj9Yo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 2656)
  • SUSPICIOUS

    • Reads internet explorer settings

      • OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 3852)
    • Reads Internet Cache Settings

      • OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 2656)
      • OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 3852)
    • Application launched itself

      • OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 3852)
    • Creates files in the user directory

      • OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 2656)
    • Adds / modifies Windows certificates

      • OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 2656)
  • INFO

    • Reads settings of System Certificates

      • OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 2656)

Note on the certificate indicators: all three certificate-related signatures fire on PID 2656, the same process that opened the TLS connection to www.gamingwonderland.com:443, issued the two OCSP requests to ocsp.pki.goog and dropped a file under CryptnetUrlCache (see the network and dropped-file sections below). Those are the normal side effects of CryptoAPI building and checking a certificate chain, which caches intermediates under the per-user SystemCertificates keys; on their own they are not evidence that the installer added a root certificate. Before treating this as a trust-store modification, check the full report for a write under ...\SystemCertificates\Root\Certificates\.
Find more information about signature artifacts and their mapping to the MITRE ATT&CK matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:06:12 01:44:05+02:00
PEType: PE32
LinkerVersion: 10
CodeSize: 613888
InitializedDataSize: 414208
UninitializedDataSize: -
EntryPoint: 0x74eb3
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.8.1.0
ProductVersionNumber: 2.8.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Ask.com
FileDescription: Offercast - APN Install Manager
FileVersion: 2.8.1.0
InternalName: AskInstaller.exe
LegalCopyright: 2010 (c) Ask.com. All rights reserved.
OriginalFileName: AskInstaller.exe
ProductName: Offercast - APN Install Manager
ProductVersion: 2.8.1.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 11-Jun-2013 23:44:05 (UTC; the EXIF TimeStamp above, 2013:06:12 01:44:05+02:00, is the same instant shown in the analysis host's local time zone)
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • C:\.jenkins\jobs\PIP2.0_INSTALLER\workspace\release\AskInstaller_1_.pdb
CompanyName: Ask.com
FileDescription: Offercast - APN Install Manager
FileVersion: 2.8.1.0
InternalName: AskInstaller.exe
LegalCopyright: 2010 (c) Ask.com. All rights reserved.
OriginalFilename: AskInstaller.exe
ProductName: Offercast - APN Install Manager
ProductVersion: 2.8.1.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header (e_cparhdr, in 16-byte paragraphs): 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of new (PE) header, e_lfanew: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 11-Jun-2013 23:44:05
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name   | Virtual Address | Virtual Size | Raw Size   | Characteristics                                                               | Entropy
.text  | 0x00001000      | 0x00095C41   | 0x00095E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                 | 6.6039
.rdata | 0x00097000      | 0x000216DC   | 0x00021800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                            | 4.59024
.data  | 0x000B9000      | 0x000088C4   | 0x00005A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE       | 4.7309
.rsrc  | 0x000C2000      | 0x000323C8   | 0x00032400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                            | 6.50572
.reloc | 0x000F5000      | 0x0000BAA4   | 0x0000BC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.71252
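The EXIF fields and the section table above are enough to run the header-consistency checks that separate a plainly linked MSVC binary from a packed or tampered one: SizeOfCode against the raw size of the code section, SizeOfInitializedData against the remaining sections, the entry point landing inside an executable section, no section that is both writable and executable, and no section near 8 bits of entropy. The script below performs those checks on the values printed in this report and also normalises the EXIF TimeStamp (host local time, UTC+02:00) to UTC to show it is the same instant as the Compilation Date in the Summary. It is an added example written for this page, not ANY.RUN tooling; the thresholds it uses (7.0 bits of entropy, 2x growth from raw to virtual size) are common triage heuristics and are not values taken from the report.

```python
"""Header-consistency triage for the PE described above.

Added example for this report, not ANY.RUN's code. The constants are copied from
the EXIF and Sections tables on this page; the checks themselves are generic and
apply to any section table (for instance one produced by pefile).
"""
import math
from datetime import datetime, timezone

# From the EXIF block: entry point RVA and the two optional-header size fields.
ENTRY_POINT_RVA = 0x74EB3
SIZE_OF_CODE = 613888
SIZE_OF_INITIALIZED_DATA = 414208
EXIF_TIMESTAMP = "2013:06:12 01:44:05+02:00"

# Section table as printed in the report (flags abbreviated from IMAGE_SCN_*).
SECTIONS = [
    {"name": ".text",  "va": 0x1000,  "vsize": 0x95C41, "raw": 0x95E00, "flags": {"CODE", "EXECUTE", "READ"},                 "entropy": 6.6039},
    {"name": ".rdata", "va": 0x97000, "vsize": 0x216DC, "raw": 0x21800, "flags": {"INITIALIZED_DATA", "READ"},                "entropy": 4.59024},
    {"name": ".data",  "va": 0xB9000, "vsize": 0x88C4,  "raw": 0x5A00,  "flags": {"INITIALIZED_DATA", "READ", "WRITE"},       "entropy": 4.7309},
    {"name": ".rsrc",  "va": 0xC2000, "vsize": 0x323C8, "raw": 0x32400, "flags": {"INITIALIZED_DATA", "READ"},                "entropy": 6.50572},
    {"name": ".reloc", "va": 0xF5000, "vsize": 0xBAA4,  "raw": 0xBC00,  "flags": {"INITIALIZED_DATA", "DISCARDABLE", "READ"}, "entropy": 5.71252},
]


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose virtual range covers rva, or None (header or gap)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"]
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform data. Packed or
    encrypted sections usually sit above 7.0, the threshold used in triage()."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compile_time_utc(exif_stamp=EXIF_TIMESTAMP) -> str:
    """EXIF prints TimeStamp in the analysis host's zone; PE tools print the raw
    TimeDateStamp as UTC. Normalising shows both values are the same instant."""
    local = datetime.strptime(exif_stamp, "%Y:%m:%d %H:%M:%S%z")
    return local.astimezone(timezone.utc).strftime("%d-%b-%Y %H:%M:%S")


def triage(sections=SECTIONS, entry=ENTRY_POINT_RVA,
           size_of_code=SIZE_OF_CODE, size_of_data=SIZE_OF_INITIALIZED_DATA):
    """Return (check, passed, detail) tuples; any False is worth a closer look."""
    ep = next((s for s in sections if s["va"] <= entry < s["va"] + s["vsize"]), None)
    wx = [s["name"] for s in sections if {"EXECUTE", "WRITE"} <= s["flags"]]
    hot = [s["name"] for s in sections if s["entropy"] > 7.0]
    # Code that is much larger in memory than on disk is usually unpacked at run time.
    inflated = [s["name"] for s in sections if "CODE" in s["flags"] and s["vsize"] > 2 * s["raw"]]
    code_raw = sum(s["raw"] for s in sections if "CODE" in s["flags"])
    data_raw = sum(s["raw"] for s in sections if "INITIALIZED_DATA" in s["flags"])
    return [
        ("entry point inside an executable section",
         ep is not None and "EXECUTE" in ep["flags"],
         f"0x{entry:X} -> {ep['name'] if ep else 'no section'}"),
        ("no section both writable and executable", not wx, ", ".join(wx) or "none"),
        ("no section with packer-grade entropy (> 7.0)", not hot, ", ".join(hot) or "none"),
        ("no code section that inflates in memory", not inflated, ", ".join(inflated) or "none"),
        ("SizeOfCode equals raw size of CODE sections",
         code_raw == size_of_code, f"0x{code_raw:X} vs 0x{size_of_code:X}"),
        ("SizeOfInitializedData equals raw size of data sections",
         data_raw == size_of_data, f"0x{data_raw:X} vs 0x{size_of_data:X}"),
    ]


if __name__ == "__main__":
    print("compile time (UTC):", compile_time_utc())
    for check, ok, detail in triage():
        print(f"[{'ok' if ok else '!!'}] {check}: {detail}")
```

For this sample every check passes: the entry point 0x74EB3 falls in .text, SizeOfCode is exactly the .text raw size (0x95E00) and SizeOfInitializedData is exactly the sum of the other four sections' raw sizes (0x65200), which is what an unmodified MSVC 2010 link (LinkerVersion 10) looks like. The .data section's virtual size exceeding its raw size is the zero-filled tail and is expected; the same ratio on a code section would not be.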

Resources

Title | Entropy | Size  | Codepage                   | Language                | Type
1     | 5.19782 | 1025  | Latin 1 / Western European | English - United States | RT_MANIFEST
2     | 4.74956 | 9640  | Latin 1 / Western European | Chinese - PRC           | RT_ICON
3     | 5.85828 | 1128  | Latin 1 / Western European | Chinese - PRC           | RT_ICON
4     | 5.53782 | 2440  | Latin 1 / Western European | Chinese - PRC           | RT_ICON
5     | 4.4313  | 16936 | Latin 1 / Western European | Chinese - PRC           | RT_ICON
7     | 3.05506 | 218   | Latin 1 / Western European | English - United States | RT_STRING
8     | 3.09636 | 230   | Latin 1 / Western European | English - United States | RT_STRING
99    | 2.86251 | 76    | Latin 1 / Western European | Chinese - PRC           | RT_GROUP_ICON
106   | 2.91336 | 714   | Latin 1 / Western European | English - United States | RT_DIALOG
108   | 2.89091 | 204   | Latin 1 / Western European | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
MSIMG32.dll
OLEAUT32.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

explorer.exe
  +-- OffercastInstaller_AVR_U-0087-01-P_.exe (PID 3760, medium integrity, exit 0xC000042C STATUS_ELEVATION_REQUIRED; no indicators)
  +-- OffercastInstaller_AVR_U-0087-01-P_.exe (PID 3852, high integrity)
        +-- OffercastInstaller_AVR_U-0087-01-P_.exe -se -ppd 3852 (PID 2656, high integrity)

Process information

PID: 2656
CMD: "C:\Users\admin\AppData\Local\Temp\OffercastInstaller_AVR_U-0087-01-P_.exe" -se -ppd 3852
Path: C:\Users\admin\AppData\Local\Temp\OffercastInstaller_AVR_U-0087-01-P_.exe
Parent process: OffercastInstaller_AVR_U-0087-01-P_.exe (PID 3852)
User: admin
Company: Ask.com
Integrity Level: HIGH
Description: Offercast - APN Install Manager
Exit code: 50002
Version: 2.8.1.0
Modules (images):
  c:\users\admin\appdata\local\temp\offercastinstaller_avr_u-0087-01-p_.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\msi.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\user32.dll

PID: 3760
CMD: "C:\Users\admin\AppData\Local\Temp\OffercastInstaller_AVR_U-0087-01-P_.exe"
Path: C:\Users\admin\AppData\Local\Temp\OffercastInstaller_AVR_U-0087-01-P_.exe
Parent process: explorer.exe
User: admin
Company: Ask.com
Integrity Level: MEDIUM
Description: Offercast - APN Install Manager
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch never ran; only the process image itself was mapped)
Version: 2.8.1.0
Modules (images):
  c:\users\admin\appdata\local\temp\offercastinstaller_avr_u-0087-01-p_.exe

PID: 3852
CMD: "C:\Users\admin\AppData\Local\Temp\OffercastInstaller_AVR_U-0087-01-P_.exe"
Path: C:\Users\admin\AppData\Local\Temp\OffercastInstaller_AVR_U-0087-01-P_.exe
Parent process: explorer.exe
User: admin
Company: Ask.com
Integrity Level: HIGH
Description: Offercast - APN Install Manager
Exit code: 0
Version: 2.8.1.0
Modules (images):
  c:\users\admin\appdata\local\temp\offercastinstaller_avr_u-0087-01-p_.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\msi.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\gdi32.dll
Total events: 1 325
Read events: 118
Write events: 1 206
Delete events: 1

Modification events

(PID 3852) OffercastInstaller_AVR_U-0087-01-P_.exe
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
  Operation: write
  Name: PendingFileRenameOperations
  Value: \??\C:\Users\admin\AppData\Local\Temp\apn_pip_local\orchestrator.html
  (An entry in this REG_MULTI_SZ that has a source path and no destination tells the session manager to delete the file at the next boot. The installer is scheduling removal of its own dropped orchestrator.html, not using the key for persistence.)

(PID 3852) OffercastInstaller_AVR_U-0087-01-P_.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write
  Name: UNCAsIntranet
  Value: 0

(PID 3852) OffercastInstaller_AVR_U-0087-01-P_.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write
  Name: AutoDetect
  Value: 1

(PID 2656) OffercastInstaller_AVR_U-0087-01-P_.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write
  Name: UNCAsIntranet
  Value: 0

(PID 2656) OffercastInstaller_AVR_U-0087-01-P_.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write
  Name: AutoDetect
  Value: 1

(PID 2656) OffercastInstaller_AVR_U-0087-01-P_.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: write
  Name: ProxyEnable
  Value: 0

(PID 2656) OffercastInstaller_AVR_U-0087-01-P_.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Operation: write
  Name: SavedLegacySettings
  Value: (binary value, omitted from this report)

(PID 2656) OffercastInstaller_AVR_U-0087-01-P_.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  Operation: write
  Name: CachePrefix
  Value: (empty string)

(PID 2656) OffercastInstaller_AVR_U-0087-01-P_.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  Operation: write
  Name: CachePrefix
  Value: Cookie:

(PID 2656) OffercastInstaller_AVR_U-0087-01-P_.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  Operation: write
  Name: CachePrefix
  Value: Visited:

(The ZoneMap, ProxyEnable, SavedLegacySettings and CachePrefix writes are the defaults WinINet initialises the first time a process uses it in a fresh profile; they accompany the HTTP activity below and are not configuration changes aimed at the browser. This is also what the "Reads internet explorer settings" and "Reads Internet Cache Settings" indicators above are reacting to.)
Executable files: 0
Suspicious files: 4
Text files: 8
Unknown types: 2

Dropped files

PID 2656, OffercastInstaller_AVR_U-0087-01-P_.exe
  File: C:\Users\admin\AppData\Local\Temp\Cab1B8A.tmp
  Type: not reported; MD5 / SHA256: not reported

PID 2656, OffercastInstaller_AVR_U-0087-01-P_.exe
  File: C:\Users\admin\AppData\Local\Temp\Tar1B8B.tmp
  Type: not reported; MD5 / SHA256: not reported

PID 2656, OffercastInstaller_AVR_U-0087-01-P_.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\5VK9WWRU.txt
  Type: not reported; MD5 / SHA256: not reported

PID 2656, OffercastInstaller_AVR_U-0087-01-P_.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_70D49E8A408648C635FB6B9F5D8BA72C
  Type: der; MD5 / SHA256: not reported

PID 3852, OffercastInstaller_AVR_U-0087-01-P_.exe
  File: C:\Users\admin\AppData\Local\Temp\apn_pip_local\rules.js
  Type: text
  MD5: 9ACB27A7C4EC3B69F3B69FD334510177
  SHA256: 768B45CF3776ABD3BCEE7B09E1204CA7CF1AB66EC939AEEDBB18FD70EA21DFDD

PID 2656, OffercastInstaller_AVR_U-0087-01-P_.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\APNAnalytics[1].xml
  Type: xml
  MD5: C512EFA072396EAC3B40D89A161B5EDE
  SHA256: F471D2A652977C0DE06A3338A712EAAF45E8AADE4B9B0B186DB9C2D6BE0B3BE9

PID 2656, OffercastInstaller_AVR_U-0087-01-P_.exe
  File: C:\Users\admin\AppData\Local\Temp\APNAnalytics.xml
  Type: xml
  MD5: C512EFA072396EAC3B40D89A161B5EDE
  SHA256: F471D2A652977C0DE06A3338A712EAAF45E8AADE4B9B0B186DB9C2D6BE0B3BE9

PID 3852, OffercastInstaller_AVR_U-0087-01-P_.exe
  File: C:\Users\admin\AppData\Local\Temp\apn_pip_local\orchestrator.html
  Type: html
  MD5: FDD740A29F5849B4082B4267C045E33E
  SHA256: 1C784689CBE6F5597D72E6A672FBD5D7D536E288E2B6FC3C0F55D67D2FD86752

PID 3852, OffercastInstaller_AVR_U-0087-01-P_.exe
  File: C:\Users\admin\AppData\Local\Temp\apn_pip_local\objectmodel.js
  Type: text
  MD5: 452A7BE33226B83F62BB477CFEFB624E
  SHA256: AFA1881D3B2B142FA20A47C7BEC3AC0D3D6E2DFC427E335E2911F68C77EA9FC0

PID 2656, OffercastInstaller_AVR_U-0087-01-P_.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\EYF81PBD.txt
  Type: text; MD5 / SHA256: not reported

(The two APNAnalytics.xml copies share one hash: the Content.IE5 copy is the WinINet cache entry and the Temp copy is the file the installer saved from it. The CryptnetUrlCache DER file and the Cab/Tar .tmp pair are written by CryptoAPI while it fetches certificate material during chain validation, not by installer logic. The apn_pip_local files written by PID 3852 are the installer's own offer-page content.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 5
DNS requests: 7
Threats: 2

HTTP requests

PID  | Process                                 | Method | HTTP Code | IP                | URL | CN | Type | Size  | Reputation
2656 | OffercastInstaller_AVR_U-0087-01-P_.exe | GET    | 200       | 216.58.215.99:80  | http://ocsp.pki.goog/gts1d2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT4YwNSyUnwC88de5a5l4eUO%2BLQewQUsd0yXei3N3LSzlzOJv5HeeIBCOkCEER9XnOW%2FtwUCgAAAAAa%2F2Y%3D | US | der  | 471 b | whitelisted
2656 | OffercastInstaller_AVR_U-0087-01-P_.exe | GET    | 302       | 34.102.244.163:80 | http://errdocs.zwinky.com/ | US | html | 217 b | malicious
2656 | OffercastInstaller_AVR_U-0087-01-P_.exe | GET    | 200       | 216.58.215.99:80  | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJ13zfQMBhkWtuM%3D | US | der  | 468 b | whitelisted
2656 | OffercastInstaller_AVR_U-0087-01-P_.exe | GET    | 302       | 34.102.244.163:80 | http://errdocs.zwinky.com/ | US | html | 217 b | malicious
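The two ocsp.pki.goog requests carry the OCSP request itself, DER-encoded and base64'd into the URL path (the GET form from RFC 6960). Decoding it tells you which certificate CryptoAPI was checking, which is how you tie these requests to the www.gamingwonderland.com:443 connection in the table below rather than to anything the installer does on purpose. The decoder below is an added example written for this page, not ANY.RUN tooling; the two URLs are copied from the table above, and the DER walker is a minimal one written here that handles only what an unsigned, single-certificate OCSP request contains.

```python
"""Decode the OCSP request embedded in the ocsp.pki.goog GET URLs above.

Added example for this report (not ANY.RUN tooling). The two URLs are copied
from the HTTP requests table; the DER walker is a minimal one written here and
only handles what an unsigned, single-certificate OCSP request contains.
"""
import base64
from urllib.parse import unquote, urlsplit

# URLs exactly as recorded in the report (percent-encoded base64 in the last path segment).
REQUESTS = [
    "http://ocsp.pki.goog/gts1d2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT4YwNSyUnwC88de5a5l4eUO%2BLQewQUsd0yXei3N3LSzlzOJv5HeeIBCOkCEER9XnOW%2FtwUCgAAAAAa%2F2Y%3D",
    "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJ13zfQMBhkWtuM%3D",
]

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
SEQUENCE, OID, OCTET_STRING, INTEGER = 0x30, 0x06, 0x04, 0x02


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element) for the DER TLV at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes):
    """Yield (tag, content) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner


def decode_oid(raw: bytes) -> str:
    """Dotted-string form of a DER-encoded OBJECT IDENTIFIER."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get_url(url: str) -> dict:
    """Extract the CertID (RFC 6960, 4.1.1) from a GET-style OCSP request URL.

    Structure walked: OCSPRequest -> tbsRequest -> requestList -> Request -> CertID,
    where CertID is { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.
    """
    parts = urlsplit(url)
    der = base64.b64decode(unquote(parts.path.rsplit("/", 1)[1]))
    _, ocsp_request, _ = read_tlv(der)
    tbs = next(c for t, c in children(ocsp_request) if t == SEQUENCE)
    # Skip the optional [0] version / [1] requestorName; requestList is the first SEQUENCE.
    request_list = next(c for t, c in children(tbs) if t == SEQUENCE)
    first_request = next(c for t, c in children(request_list) if t == SEQUENCE)
    cert_id = next(c for t, c in children(first_request) if t == SEQUENCE)
    alg, name_hash, key_hash, serial = [c for _, c in children(cert_id)][:4]
    alg_oid = decode_oid(next(c for t, c in children(alg) if t == OID))
    return {
        "responder": parts.netloc,
        "hash_alg": HASH_OIDS.get(alg_oid, alg_oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": serial.hex(),  # raw content octets, including any leading 0x00 sign byte
    }


if __name__ == "__main__":
    for url in REQUESTS:
        info = parse_ocsp_get_url(url)
        print(f"{info['responder']}: {info['hash_alg']} serial={info['serial']}")
        print(f"  issuerNameHash={info['issuer_name_hash']}")
        print(f"  issuerKeyHash ={info['issuer_key_hash']}")
```

Both requests use SHA-1 for the CertID hashes, which is normal for OCSP regardless of the certificate's own signature algorithm. The first request (gts1d2 path) asks about a certificate with a 16-byte serial, the shape of a leaf issued by a Google Trust Services CA; the second (gsr2 path) decodes to issuerKeyHash 9be20757671c1ec06a06de59b49a2ddfdc19862e, the subject key identifier published for GlobalSign Root CA - R2, so it is the status check for the intermediate. One check for the leaf and one for the intermediate is exactly the pattern CryptoAPI produces when it validates a TLS server chain, which is consistent with the HTTPS connection to www.gamingwonderland.com listed in the Connections table.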

Connections

PID  | Process                                 | IP                 | Domain                       | ASN                       | CN | Reputation
2656 | OffercastInstaller_AVR_U-0087-01-P_.exe | 104.122.33.250:80  | ak.pipoffers.apnpartners.com | Akamai Technologies, Inc. | NL | unknown
2656 | OffercastInstaller_AVR_U-0087-01-P_.exe | 35.244.183.133:80  | pipoffers.apnpartners.com    | not reported              | US | malicious
2656 | OffercastInstaller_AVR_U-0087-01-P_.exe | 34.102.244.163:80  | errdocs.zwinky.com           | not reported              | US | malicious
2656 | OffercastInstaller_AVR_U-0087-01-P_.exe | 35.244.253.184:443 | www.gamingwonderland.com     | not reported              | US | unknown
2656 | OffercastInstaller_AVR_U-0087-01-P_.exe | 216.58.215.99:80   | ocsp.pki.goog                | Google Inc.               | US | whitelisted

DNS requests

Domain                       | IP                                 | Reputation
pipoffers.apnpartners.com    | 35.244.183.133                     | malicious
133.183.244.35.in-addr.arpa  | (PTR query for 35.244.183.133)     | malicious
ak.pipoffers.apnpartners.com | 104.122.33.250                     | whitelisted
errdocs.zwinky.com           | 34.102.244.163                     | malicious
www.gamingwonderland.com     | 35.244.253.184                     | unknown
ocsp.pki.goog                | 216.58.215.99                      | whitelisted

Threats

PID  | Process                                 | Class         | Message
2656 | OffercastInstaller_AVR_U-0087-01-P_.exe | Misc activity | ADWARE [PTsecurity] Bundled.Toolbar.Ask POST
1 ETPRO signature is available in the full report.

Debug output strings

Process                                 | Message
OffercastInstaller_AVR_U-0087-01-P_.exe | CreateSO called