File name: ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe

Full analysis: https://app.any.run/tasks/f14f7c89-7c12-4dfb-b32c-c09150b1da6c
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: March 03, 2025, 12:12:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
adware
advancedinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 3D5CC3795E27E116C66B36999460FF30
SHA1: 6FD716DF3FF04DD1E4683D237CB3400036039AB6
SHA256: CB093ACD7E5462EC3450372C76E3F6096A4F6CA75F5C9770A96C9BCF7E35950D
SSDEEP: 196608:b2kVRMMauLgWtLmmhdgHbP6bMh6cwuw7YJGTkdV+QU:ikVRMkLRLmqaHbZt3goz+5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ADVANCEDINSTALLER has been detected (SURICATA)

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • ADVANCEDINSTALLER mutex has been found

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Access to an unwanted program domain was detected

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Executable content was dropped or overwritten

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Checks Windows Trust Settings

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Process drops legitimate windows executable

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Reads the Windows owner or organization settings

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • There is functionality for taking screenshot (YARA)

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
  • INFO

    • Reads the computer name

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
      • msiexec.exe (PID: 7524)
      • msiexec.exe (PID: 7636)
    • Checks supported languages

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
      • msiexec.exe (PID: 7524)
      • msiexec.exe (PID: 7636)
    • The sample compiled with english language support

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Create files in a temporary directory

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Reads the machine GUID from the registry

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Checks proxy server information

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
      • slui.exe (PID: 7908)
    • Reads the software policy settings

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
      • slui.exe (PID: 7908)
    • Creates files or folders in the user directory

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:12:14 11:20:38+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 1129472
InitializedDataSize: 621056
UninitializedDataSize: -
EntryPoint: 0xcc1f8
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 5.24.2404.0
ProductVersionNumber: 5.24.2404.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: ActiveState
FileDescription: This installer database contains the logic and data required to install ActivePerl 5.24.3 Build 2404 (64-bit).
FileVersion: 5.24.2404
InternalName: ActivePerl-5.24.3.2404-MSWin32-x64-404865
LegalCopyright: Copyright (C) 2017 ActiveState
OriginalFileName: ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
ProductName: ActivePerl 5.24.3 Build 2404 (64-bit)
ProductVersion: 5.24.2404
No data.
All screenshots are available in the full report
Total processes: 124
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start; activeperl-5.24.3.2404-mswin32-x64-404865.exe (#ADVANCEDINSTALLER); msiexec.exe (no specs); msiexec.exe (no specs); slui.exe

Process information

PID: 7428
CMD: "C:\Users\admin\Desktop\ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe"
Path: C:\Users\admin\Desktop\ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
Parent process: explorer.exe
User: admin
Company: ActiveState
Integrity Level: MEDIUM
Description: This installer database contains the logic and data required to install ActivePerl 5.24.3 Build 2404 (64-bit).
Version: 5.24.2404
Modules
Images
c:\users\admin\desktop\activeperl-5.24.3.2404-mswin32-x64-404865.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7524
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 7636
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding AB6CC68D0021035DC4A7560ED9B93B9F C
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7908
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 7 074
Read events: 7 074
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 15
Suspicious files: 5
Text files: 16
Unknown types: 0

Dropped files

PID 7428, ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
  Filename: C:\Users\admin\AppData\Local\Temp\updD295.tmp
  Type: -
  MD5: -
  SHA256: -
PID 7428, ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
  Filename: C:\Users\admin\AppData\Roaming\ActiveState\ActivePerl 5.24.3 Build 2404 (64-bit) 5.24.2404\install\holder0.aiph
  Type: -
  MD5: -
  SHA256: -
PID 7428, ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
  Filename: C:\Users\admin\AppData\Local\Temp\shiDA27.tmp
  Type: executable
  MD5: 8B28BD12A73FC10C0C6C0C1C78FEAEE7
  SHA256: AC2E2CD7689E0633EFB6943D8B3B6E644AD9649CF99AD10E5E7C930141346B6F
PID 7428, ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
  Filename: C:\Users\admin\AppData\Local\Temp\MSIE26A.tmp
  Type: executable
  MD5: E0D0D82F22D7CC1A1CACD486799D5D96
  SHA256: 84FE1F4A7DC3C2A73ED202A9FCF4DA9B463C5B692639CB93F919BDA9F18A14E9
PID 7428, ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_F36A5455545D090CDA0D02D56B99F7BB
  Type: binary
  MD5: 66E44197F79D92008744630B17E30F7B
  SHA256: 2077D5048FA761D551D982BA9F2EBB70D5A35F2EE014F62E107626093FCE62F7
PID 7428, ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
  Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7428\activeperlclassicbanner.bmp
  Type: image
  MD5: 0075C9691BAEA2F2047FB7EC94813378
  SHA256: 3748BCA306DDF192954F3A5B1B5FE21659886295E9F9441012718C89E5765A7D
PID 7428, ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
  Filename: C:\Users\admin\AppData\Roaming\ActiveState\ActivePerl 5.24.3 Build 2404 (64-bit) 5.24.2404\install\decoder.dll
  Type: executable
  MD5: BF436648D11DE396F4B4CF1FAEB63366
  SHA256: ABDEE86230F7D790976AC031522788E0A23CC5657D19E95D97096A398140EA93
PID 7428, ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7
  Type: binary
  MD5: 567DF045F1AB3FB06188564C4E54F7D2
  SHA256: E2597A646C0FB9A9D5F9D7187092A05BBC0AB6C65AED64D13F06F0C24A6D0A0E
PID 7428, ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7
  Type: binary
  MD5: DD05604A61317BEA5BC2E2D00A1CA05F
  SHA256: 68951F985EF33A8504E8D7D8A8F88FE427DD5A36C253E45E976BD1E7C022A0D9
PID 7428, ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
  Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7428\activeperlclassicdialog.bmp
  Type: image
  MD5: E24184D08B6C9891BC008F7A954989BF
  SHA256: D26C6CC39EDECB5CA1B7D6441FE7CAFE874D26BE9490250153CCF488841F6ECB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 22
DNS requests: 7
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 107.20.238.232:443 | https://update.activestate.com/ActivePerl/2404/x64 | unknown | - | - | -
- | - | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D | unknown | - | - | whitelisted
7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | GET | 200 | 216.58.206.68:80 | http://www.google.com/ | unknown | - | - | whitelisted
7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEGW5bDNNqfRI47TdcrzWVYg%3D | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | 216.58.206.68:80 | www.google.com | GOOGLE | US | whitelisted
7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | 44.212.139.89:443 | update.activestate.com | AMAZON-AES | US | whitelisted
7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | - | whitelisted
4932 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7908 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.78
whitelisted
www.google.com
  • 216.58.206.68
whitelisted
update.activestate.com
  • 44.212.139.89
  • 3.217.5.203
  • 54.174.191.73
  • 52.3.215.242
  • 107.20.238.232
whitelisted
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID | Process | Class | Message
7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] AdvancedInstaller User-Agent
7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] AdvancedInstaller User-Agent
No debug info