File name:

OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe.zip

Full analysis: https://app.any.run/tasks/72f7581a-9ae4-4988-a8ec-8e96549c7170
Verdict: Malicious activity
Threats: Adware

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads such as pop-ups or banners. Some variants bypass security controls and establish persistence, making removal difficult. Adware installers also frequently make system-wide changes (this sample modifies the Windows certificate store, see the indicators below) that weaken the host's security posture and can be abused by other malware.

Analysis date: May 08, 2020, 19:21:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
pua
adware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 6896CFEBABF2EE53A88AB2B2064391AA
SHA1: 944F9D77AC56024BD55CB49A3D920E4A0745717C
SHA256: 75B0E476A8F36B1ED5D9EEF68EB15FA37D381B1ED503341C50925B96B5F0A339
SSDEEP: 24576:yfLIMOQiz5o40NxrdtWOvPNGqKhybDXwL+HweAu:yf8EiFo4cdtzFKhaDX9dAu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe (PID: 4000)
      • OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe (PID: 3180)
    • Loads dropped or rewritten executable

      • OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe (PID: 3180)
    • Actions look like stealing of personal data

      • OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe (PID: 3180)
    • Changes settings of System certificates

      • OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe (PID: 3180)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1412)
      • OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe (PID: 3180)
    • Reads Internet Cache Settings

      • OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe (PID: 3180)
    • Reads internet explorer settings

      • OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe (PID: 3180)
    • Adds / modifies Windows certificates

      • OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe (PID: 3180)
  • INFO

    • Manual execution by user

      • OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe (PID: 4000)
      • OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe (PID: 3180)
    • Reads settings of System Certificates

      • OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe (PID: 3180)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009 (bit 0 set: the entry is encrypted, i.e. the archive is password-protected; bit 3 set: CRC and sizes are also recorded in a trailing data descriptor)
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00 (the DOS date/time field is all zeros; the year is stored as an offset from 1980, so this is a zeroed timestamp, not a real date)
ZipCRC: 0xce35e64d
ZipCompressedSize: 842994
ZipUncompressedSize: 915776
ZipFileName: OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe
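The ZIP metadata above is read straight out of the archive's local file header. As an added example (not part of the ANY.RUN report and not tooling from the report or the sample's vendor), the following Python parses such a header and decodes the bit flag, compression method and DOS timestamp the way the fields above are presented. The header bytes are constructed in the script to carry this archive's values; the CRC and sizes are filled into the local header for illustration even though, with bit 3 set, a writer normally leaves them zero there and stores the authoritative values in the data descriptor and central directory.

```python
import struct

LOCAL_HEADER_SIG = 0x04034B50

# Constructed sample: a ZIP local file header carrying the values the report's
# EXIF section shows for this archive (no compressed payload follows it).
NAME = "OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe".encode("cp437")
SAMPLE_HEADER = struct.pack(
    "<IHHHHHIIIHH",
    LOCAL_HEADER_SIG,
    20,          # version needed to extract (2.0)
    0x0009,      # general purpose bit flag: bit 0 (encrypted) + bit 3 (data descriptor)
    8,           # compression method: 8 = Deflate
    0,           # last mod time, DOS format, all zero
    0,           # last mod date, DOS format, all zero
    0xCE35E64D,  # CRC-32 (in a real bit-3 entry this is usually 0 here)
    842994,      # compressed size
    915776,      # uncompressed size
    len(NAME),   # file name length
    0,           # extra field length
) + NAME

COMPRESSION = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 99: "AES"}


def dos_datetime(dos_date, dos_time):
    """Decode a DOS date/time pair into 'YYYY:MM:DD HH:MM:SS'.
    The year is an offset from 1980, so an all-zero field comes out as
    1980:00:00 00:00:00 exactly as the report renders it. A string is returned
    rather than a datetime because month/day 0 are not valid calendar values."""
    year = ((dos_date >> 9) & 0x7F) + 1980
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = (dos_time >> 11) & 0x1F
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2      # stored in two-second units
    return f"{year:04d}:{month:02d}:{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def parse_local_header(buf):
    """Parse the first local file header in buf into the report's field names."""
    (sig, ver, flags, method, mtime, mdate, crc, csize, usize,
     name_len, extra_len) = struct.unpack_from("<IHHHHHIIIHH", buf, 0)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    # bit 11 marks a UTF-8 file name; otherwise the spec's default is CP437
    name = buf[30:30 + name_len].decode("utf-8" if flags & 0x0800 else "cp437")
    return {
        "ZipRequiredVersion": ver,
        "ZipBitFlag": f"0x{flags:04x}",
        "Encrypted": bool(flags & 0x0001),        # bit 0: entry needs a password
        "DataDescriptor": bool(flags & 0x0008),   # bit 3: CRC/sizes follow the data
        "ZipCompression": COMPRESSION.get(method, f"unknown({method})"),
        "ZipModifyDate": dos_datetime(mdate, mtime),
        "ZipCRC": f"0x{crc:08x}",
        "ZipCompressedSize": csize,
        "ZipUncompressedSize": usize,
        "ZipFileName": name,
    }


def parse_local_header_file(path):
    """Convenience wrapper for a real archive on disk (first entry only)."""
    with open(path, "rb") as fh:
        return parse_local_header(fh.read(30 + 2 * 65535))


if __name__ == "__main__":
    for key, value in parse_local_header(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

Point `parse_local_header_file` at the downloaded archive to reproduce the EXIF block; a set `Encrypted` flag tells you up front that extraction will need the password the sample was submitted with.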
All screenshots are available in the full report
Total processes: 46
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → winrar.exe → offercastinstaller_avr_u-0026-01-l_ (1) (2016_07_29 19_26_30 utc).exe (no specs) → offercastinstaller_avr_u-0026-01-l_ (1) (2016_07_29 19_26_30 utc).exe

Process information

PID: 1412
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3180
CMD: "C:\Users\admin\Desktop\OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe"
Path: C:\Users\admin\Desktop\OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe
Parent process: explorer.exe
User: admin
Company: Ask.com
Integrity Level: HIGH (this is the elevated, administrator-rights instance; every malicious and suspicious indicator above, including the certificate-store changes, is attributed to it)
Description: Offercast - APN Install Manager
Exit code: 0
Version: 3.8.1.17592
Modules (images):
c:\users\admin\desktop\offercastinstaller_avr_u-0026-01-l_ (1) (2016_07_29 19_26_30 utc).exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 4000
CMD: "C:\Users\admin\Desktop\OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe"
Path: C:\Users\admin\Desktop\OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe
Parent process: explorer.exe
User: admin
Company: Ask.com
Integrity Level: MEDIUM
Description: Offercast - APN Install Manager
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the binary demands administrator rights, so this medium-integrity launch was terminated by the loader before anything beyond ntdll.dll was mapped, and the installer was re-run elevated as PID 3180)
Version: 3.8.1.17592
Modules (images):
c:\users\admin\desktop\offercastinstaller_avr_u-0026-01-l_ (1) (2016_07_29 19_26_30 utc).exe
c:\systemroot\system32\ntdll.dll
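The process table records the exit code of PID 4000 as the decimal 3221226540, which is the NTSTATUS 0xC000042C (STATUS_ELEVATION_REQUIRED), and PID 3180 as a second instance of the same image running at HIGH integrity. As an added example (not part of the ANY.RUN report), the following Python decodes such exit codes and pairs the failed medium-integrity launch with the elevated relaunch, which is the pattern that tells an analyst the installer ran as administrator. The process records are constructed from the table above; the small NTSTATUS name table is the only lookup data and covers just the values seen here.

```python
# Constructed from the process table above: PID, image, parent, integrity, exit code.
PROCESSES = [
    {"pid": 1412, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "parent": "explorer.exe", "integrity": "MEDIUM", "exit_code": 0},
    {"pid": 4000, "image": r"C:\Users\admin\Desktop\OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe",
     "parent": "explorer.exe", "integrity": "MEDIUM", "exit_code": 3221226540},
    {"pid": 3180, "image": r"C:\Users\admin\Desktop\OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe",
     "parent": "explorer.exe", "integrity": "HIGH", "exit_code": 0},
]

STATUS_ELEVATION_REQUIRED = 0xC000042C

# Only the NTSTATUS values that occur in this report; extend as needed.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    STATUS_ELEVATION_REQUIRED: "STATUS_ELEVATION_REQUIRED",
}


def decode_exit_code(code):
    """Render a process exit code as an NTSTATUS value.
    Sandboxes and Windows event logs print the unsigned 32-bit status in decimal,
    so 3221226540 is 0xC000042C. The top two bits are the severity
    (0 success, 1 informational, 2 warning, 3 error)."""
    code &= 0xFFFFFFFF
    return {
        "hex": f"0x{code:08X}",
        "severity": code >> 30,
        "name": NTSTATUS_NAMES.get(code, "unknown"),
    }


def find_uac_relaunches(processes):
    """Pair each instance of an image that died with STATUS_ELEVATION_REQUIRED
    below HIGH integrity with an instance of the same image that ran at HIGH or
    SYSTEM. That pattern means the executable's manifest requires administrator
    rights, the UAC prompt was accepted, and everything attributed to the
    elevated PID ran with full privileges."""
    by_image = {}
    for p in processes:
        by_image.setdefault(p["image"].lower(), []).append(p)

    hits = []
    for image, procs in by_image.items():
        failed = [p for p in procs
                  if (p["exit_code"] & 0xFFFFFFFF) == STATUS_ELEVATION_REQUIRED
                  and p["integrity"] not in ("HIGH", "SYSTEM")]
        elevated = [p for p in procs if p["integrity"] in ("HIGH", "SYSTEM")]
        for f in failed:
            for e in elevated:
                hits.append({"image": image, "failed_pid": f["pid"], "elevated_pid": e["pid"]})
    return hits


if __name__ == "__main__":
    for p in PROCESSES:
        print(p["pid"], p["integrity"], decode_exit_code(p["exit_code"]))
    for hit in find_uac_relaunches(PROCESSES):
        print(f"UAC relaunch: PID {hit['failed_pid']} -> PID {hit['elevated_pid']} ({hit['image']})")
```

The same pairing works on Sysmon or Security-log process data: a 0xC000042C exit followed by the same image at High integrity is a cheap way to confirm that a user approved elevation for an installer.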
Total events: 1 813
Read events: 585
Write events: 1 228
Delete events: 0

Modification events

All registry writes shown in this excerpt come from WinRAR (PID 1412) and are ordinary user-interface state (themes, MUI cache, archive history, column widths, last extraction path); the installer's own registry activity, including the certificate-store changes flagged above, is only available in the full report.

PID | Process | Operation | Key | Name | Value
1412 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
1412 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
1412 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12D\52C64B7E | LanguageList | en-US
1412 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12D\52C64B7E | @C:\Windows\system32\NetworkExplorer.dll,-1 | Network
1412 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe.zip
1412 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
1412 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
1412 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
1412 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
1412 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop
Executable files: 2
Suspicious files: 0
Text files: 26
Unknown types: 0

Dropped files

All files below were written by PID 3180 (OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe) under %TEMP%. OCDLL.dll is the executable component the installer loads immediately after extracting it (see the installer's debug output at the end of this report), which is what the "Loads dropped or rewritten executable" indicator refers to; the .htm and .js files are the embedded offer pages the installer renders.

Filename | Type | MD5 | SHA256
C:\Users\admin\AppData\Local\Temp\oc_D4D3.tmp | (not recorded) | (not recorded) | (not recorded)
C:\Users\admin\AppData\Local\Temp\oc_D4F3.tmp | (not recorded) | (not recorded) | (not recorded)
C:\Users\admin\AppData\Local\Temp\oc_D4D3\apnanalytic.js | text | 9CD28CFD9AEF5385929D6E54EF440A89 | 62900808A7FA7189F7BED39AD685AB65DB2F968BF168C78BBCC1B27DC497BC0A
C:\Users\admin\AppData\Local\Temp\oc_D4D3\Start.htm | html | 2291F09C66793F5B20CD6FDACD8B0256 | 5C2F1F27064F3F2F4B25374C9F7426B13E01C17E4DE2BE24419E99056B817B1F
C:\Users\admin\AppData\Local\Temp\oc_D4D3\OCDLL.dll | executable | 2A042DD0FF63C92A2CD013A07B740F5B | 8C6F3DF962DD1F0192582D7AE018268D48F58C18F8E584D8DB90DC8D6F037D32
C:\Users\admin\AppData\Local\Temp\oc_D4D3\embedoffer2xtemplate.htm | html | 98C2660066F0D4E1621CB8052892423F | DF0C7B544919DD25B73ACBEBA2676EBDF957BFD1B72EAFC832EA6BD371E0147A
C:\Users\admin\AppData\Local\Temp\oc_D4D3\embedmasterrule.js | text | 6572327012F7325576E1A71A8F76AC4A | 7B837B9A7325036B3188CBCABC4685A03A93D887BBDD5AD33104BE198A76329E
C:\Users\admin\AppData\Local\Temp\oc_D4D3\ocerror.js | text | 8D468F39F8CBAA26E4B573D4A38E770E | E62E586BA2DCB886AB3F5F79768BE84ADCE76630B3342FAB126814000ED2B1AE
C:\Users\admin\AppData\Local\Temp\oc_D4D3\images\Error_Msg1.png | image | A74508CA7C054C546B45487C7F645C1C | 0B07B7799308675239E93ED61A4644D9128D35E7F8A8BA7F80E4D4F3C9ADF358
C:\Users\admin\AppData\Local\Temp\oc_D4D3\embedorchestrator.htm | html | DFC98CC386D67D44BDD6433310E3D952 | 9FBD5D1BD91485E7CB82729A2CC2003FAB2EB92E13434FCB77D70FECDEA98C81
HTTP(S) requests: 17
TCP/UDP connections: 13
DNS requests: 6
Threats: 19

HTTP requests

All requests were made by PID 3180 (OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe); 10 of the 17 recorded requests are listed here.

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
HEAD | 200 | 35.244.183.133:80 | http://pipoffers.apnpartners.com/static/partners/generic/images/install.ico | US | (none) | (none) | malicious
GET | 200 | 2.19.38.201:80 | http://ak.pipoffers.apnpartners.com/static/partners/utility/download.htm?partner_id=AVR&language=en | unknown | html | 10.4 Kb | whitelisted
GET | 503 | 2.16.186.26:80 | http://offers.offercast.com/PIP/Server.jhtml?partner_id=AVR&language=en&format=CJSON&var=dynpipclient&version=3.8.1.17592&pProductID=U-0026-01-L&mrb=&trackID=%20(1)%20(2016 (URL truncated in the report) | unknown | html | 269 b | whitelisted
POST | 503 | 2.16.186.26:80 | http://offers.offercast.com/PIP/OfferAccept.jhtml?rnd=qurIq | unknown | html | 269 b | whitelisted
POST | 503 | 2.16.186.26:80 | http://offers.offercast.com/PIP/OfferAccept.jhtml?rnd=JLZid | unknown | html | 269 b | whitelisted
POST | 503 | 2.16.186.26:80 | http://offers.offercast.com/PIP/OfferAccept.jhtml?rnd=8xKF0 | unknown | html | 269 b | whitelisted
POST | 503 | 2.16.186.26:80 | http://offers.offercast.com/PIP/OfferAccept.jhtml?rnd=yGSDl | unknown | html | 269 b | whitelisted
POST | 503 | 2.16.186.26:80 | http://offers.offercast.com/PIP/OfferAccept.jhtml?rnd=cAdYk | unknown | html | 269 b | whitelisted
GET | 302 | 2.19.38.201:80 | http://ak.pipoffers.apnpartners.com/static/partners/upgrade/AVR/3.8.1/upgrade.zip | unknown | html | 209 b | whitelisted
GET | 200 | 2.19.38.201:80 | http://ak.pipoffers.apnpartners.com/static/partners/utility/orchestrator.htm?partner_id=AVR&language=en | unknown | html | 38.2 Kb | whitelisted

Two things stand out. First, the Server.jhtml query echoes the installer's own file name: partner_id=AVR and pProductID=U-0026-01-L are the second and third underscore-separated segments of the name, version=3.8.1.17592 matches the binary's file version, and trackID begins with the text that follows the third underscore (" (1) (2016…", i.e. the " (1)" and backup-timestamp suffix the file had acquired on disk), so the campaign and product identifiers are carried in the file name rather than compiled in. Second, offers.offercast.com answered 503 to every request, and the installer retried OfferAccept.jhtml five times with a fresh rnd= cache-buster each time; the static content on the Akamai-hosted ak.pipoffers.apnpartners.com was still served.
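The Server.jhtml beacon above carries partner_id, pProductID and trackID values that line up with the segments of the installer's file name, and offers.offercast.com was retried repeatedly with a cache-busting rnd= parameter. As an added example (not part of the ANY.RUN report and not Offercast's or APN's code), the following Python checks that correspondence and summarises the per-endpoint retry behaviour. The request list is constructed from the HTTP table above, with the Server.jhtml URL reproduced as truncated in the report, and the file-name layout OffercastInstaller_<partner>_<product>_<trackID>.exe is an inference from this one sample, so the trackID check is a prefix comparison only.

```python
from urllib.parse import urlsplit, parse_qs

FILENAME = "OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe"

# Constructed from the HTTP table above: (method, status, URL). The Server.jhtml
# URL is cut off in the report and is kept that way here.
REQUESTS = [
    ("HEAD", 200, "http://pipoffers.apnpartners.com/static/partners/generic/images/install.ico"),
    ("GET", 200, "http://ak.pipoffers.apnpartners.com/static/partners/utility/download.htm?partner_id=AVR&language=en"),
    ("GET", 503, "http://offers.offercast.com/PIP/Server.jhtml?partner_id=AVR&language=en&format=CJSON"
                 "&var=dynpipclient&version=3.8.1.17592&pProductID=U-0026-01-L&mrb=&trackID=%20(1)%20(2016"),
    ("POST", 503, "http://offers.offercast.com/PIP/OfferAccept.jhtml?rnd=qurIq"),
    ("POST", 503, "http://offers.offercast.com/PIP/OfferAccept.jhtml?rnd=JLZid"),
    ("POST", 503, "http://offers.offercast.com/PIP/OfferAccept.jhtml?rnd=8xKF0"),
    ("POST", 503, "http://offers.offercast.com/PIP/OfferAccept.jhtml?rnd=yGSDl"),
    ("POST", 503, "http://offers.offercast.com/PIP/OfferAccept.jhtml?rnd=cAdYk"),
    ("GET", 302, "http://ak.pipoffers.apnpartners.com/static/partners/upgrade/AVR/3.8.1/upgrade.zip"),
    ("GET", 200, "http://ak.pipoffers.apnpartners.com/static/partners/utility/orchestrator.htm?partner_id=AVR&language=en"),
]


def split_installer_name(filename):
    """Split OffercastInstaller_<partner>_<product>_<trackID>.exe.
    Assumed layout, inferred from this sample: 'AVR' and 'U-0026-01-L' appear
    verbatim as partner_id and pProductID in the beacon, and trackID starts with
    whatever follows the third underscore (here the ' (1) (2016...' suffix)."""
    stem = filename[:-4] if filename.lower().endswith(".exe") else filename
    prefix, partner, product, track = stem.split("_", 3)
    if prefix != "OffercastInstaller":
        raise ValueError("unexpected file name prefix")
    return {"partner_id": partner, "pProductID": product, "trackID": track}


def beacon_params(url):
    """Single-valued, percent-decoded query parameters of a beacon URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def filename_leaks_into_beacon(filename, url):
    """Which file-name-derived fields show up in the beacon. trackID is matched
    as a prefix because the report truncates that URL."""
    expected = split_installer_name(filename)
    seen = beacon_params(url)
    return {
        "partner_id": seen.get("partner_id") == expected["partner_id"],
        "pProductID": seen.get("pProductID") == expected["pProductID"],
        "trackID_prefix": expected["trackID"].startswith(seen.get("trackID", "\0")),
    }


def summarize_endpoints(requests):
    """Count hits per method+host+path and collect the status codes seen, which
    exposes the five OfferAccept.jhtml retries (rnd= differs, all 503)."""
    summary = {}
    for method, status, url in requests:
        u = urlsplit(url)
        entry = summary.setdefault(f"{method} {u.netloc}{u.path}", {"count": 0, "statuses": set()})
        entry["count"] += 1
        entry["statuses"].add(status)
    return summary


if __name__ == "__main__":
    print(filename_leaks_into_beacon(FILENAME, REQUESTS[2][2]))
    for endpoint, info in summarize_endpoints(REQUESTS).items():
        print(f"{endpoint}: {info['count']}x, statuses {sorted(info['statuses'])}")
```

Knowing that the identifiers travel in the file name is useful when hunting: renaming the installer changes what it reports to the offer server, and a trackID that contains a desktop backup timestamp (as here) tells you the sample was re-run from an old copy rather than freshly downloaded.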

Connections

Unless noted, the connecting process is PID 3180 (OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe). ocsp.pki.goog is Google's OCSP responder, reached over port 80 for certificate revocation checking; the only TLS connection in the list is the one to www.gamingwonderland.com on 443.

PID | IP | Domain | ASN | CN | Reputation
3180 | 2.19.38.201:80 | (not recorded) | Akamai International B.V. | (not recorded) | whitelisted
3180 | 34.102.244.163:80 | errdocs.zwinky.com | (not recorded) | US | malicious
3180 | 35.244.183.133:80 | pipoffers.apnpartners.com | (not recorded) | US | malicious
3180 | 35.244.253.184:443 | www.gamingwonderland.com | (not recorded) | US | unknown
3180 | 2.16.186.26:80 | ak.pipoffers.apnpartners.com | Akamai International B.V. | (not recorded) | whitelisted
(no PID recorded) | 2.16.186.26:80 | ak.pipoffers.apnpartners.com | Akamai International B.V. | (not recorded) | whitelisted
3180 | 172.217.22.99:80 | ocsp.pki.goog | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
ak.pipoffers.apnpartners.com | 2.16.186.26, 2.16.186.33 | whitelisted
errdocs.zwinky.com | 34.102.244.163 | malicious
www.gamingwonderland.com | 35.244.253.184 | unknown
pipoffers.apnpartners.com | 35.244.183.133 | malicious
offers.offercast.com | (no address recorded) | whitelisted
ocsp.pki.goog | 172.217.22.99 | whitelisted

Threats

All alerts were raised on traffic from PID 3180 (OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe). Six of the 19 alerts are listed here; the remaining 13 are ETPRO signatures available in the full report.

Class | Message | Count
A Network Trojan was detected | MALWARE [PTsecurity] Adware/PUP User-Agent (OfferCast) | 1
Misc activity | ADWARE [PTsecurity] PUP.Optional.APNToolBar | 5

13 ETPRO signatures available in the full report
Debug output strings

All strings were emitted by OffercastInstaller_AVR_U-0026-01-L_ (1) (2016_07_29 19_26_30 UTC).exe. The trailing number on each line appears to be a millisecond timer counted from "Begin extraction 0"; read that way, the installer extracts OCDLL.DLL to %TEMP%\oc_D4D3\ within about 31 ms of starting and loads it about 47 ms later, before handing control to the main application.

Begin extraction 0
OC exe built: Aug 28 2015, 08:15:17
Done extracting DLL 31
begin extracting HTML 31
Begin load ocdll 78
begin load dll C:\Users\admin\AppData\Local\Temp\oc_D4D3\OCDLL.DLL, 78
Done extracting HTML 78
Done mapping dll functions 172
Start main app 172
Done load ocdll 172