File name: ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe

Full analysis: https://app.any.run/tasks/f14f7c89-7c12-4dfb-b32c-c09150b1da6c
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: March 03, 2025, 12:12:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: adware, advancedinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 3D5CC3795E27E116C66B36999460FF30
SHA1: 6FD716DF3FF04DD1E4683D237CB3400036039AB6
SHA256: CB093ACD7E5462EC3450372C76E3F6096A4F6CA75F5C9770A96C9BCF7E35950D
SSDEEP: 196608:b2kVRMMauLgWtLmmhdgHbP6bMh6cwuw7YJGTkdV+QU:ikVRMkLRLmqaHbZt3goz+5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ADVANCEDINSTALLER has been detected (SURICATA)

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
  • SUSPICIOUS

    • ADVANCEDINSTALLER mutex has been found

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Reads security settings of Internet Explorer

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Access to an unwanted program domain was detected

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Executable content was dropped or overwritten

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Process drops legitimate windows executable

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Checks Windows Trust Settings

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Reads the Windows owner or organization settings

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • There is functionality for taking screenshot (YARA)

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
  • INFO

    • The sample compiled with english language support

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Checks supported languages

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
      • msiexec.exe (PID: 7524)
      • msiexec.exe (PID: 7636)
    • Reads the computer name

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
      • msiexec.exe (PID: 7524)
      • msiexec.exe (PID: 7636)
    • Create files in a temporary directory

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Reads the machine GUID from the registry

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
    • Reads the software policy settings

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
      • slui.exe (PID: 7908)
    • Checks proxy server information

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
      • slui.exe (PID: 7908)
    • Creates files or folders in the user directory

      • ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe (PID: 7428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:12:14 11:20:38+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 1129472
InitializedDataSize: 621056
UninitializedDataSize: -
EntryPoint: 0xcc1f8
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 5.24.2404.0
ProductVersionNumber: 5.24.2404.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: ActiveState
FileDescription: This installer database contains the logic and data required to install ActivePerl 5.24.3 Build 2404 (64-bit).
FileVersion: 5.24.2404
InternalName: ActivePerl-5.24.3.2404-MSWin32-x64-404865
LegalCopyright: Copyright (C) 2017 ActiveState
OriginalFileName: ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
ProductName: ActivePerl 5.24.3 Build 2404 (64-bit)
ProductVersion: 5.24.2404
No data.
All screenshots are available in the full report
Total processes: 124
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, activeperl-5.24.3.2404-mswin32-x64-404865.exe (#ADVANCEDINSTALLER), msiexec.exe (no specs), msiexec.exe (no specs), slui.exe

Process information

PID: 7428
CMD: "C:\Users\admin\Desktop\ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe"
Path: C:\Users\admin\Desktop\ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe
Parent process: explorer.exe
User: admin
Company: ActiveState
Integrity Level: MEDIUM
Description: This installer database contains the logic and data required to install ActivePerl 5.24.3 Build 2404 (64-bit).
Version: 5.24.2404
Modules (images):
c:\users\admin\desktop\activeperl-5.24.3.2404-mswin32-x64-404865.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7524
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 7636
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding AB6CC68D0021035DC4A7560ED9B93B9F C
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7908
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 7 074
Read events: 7 074
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 15
Suspicious files: 5
Text files: 16
Unknown types: 0

Dropped files

All files below were dropped by PID 7428 (ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe).

| Filename | Type | MD5 | SHA256 |
|---|---|---|---|
| C:\Users\admin\AppData\Local\Temp\updD295.tmp | - | - | - |
| C:\Users\admin\AppData\Roaming\ActiveState\ActivePerl 5.24.3 Build 2404 (64-bit) 5.24.2404\install\holder0.aiph | - | - | - |
| C:\Users\admin\AppData\Roaming\ActiveState\ActivePerl 5.24.3 Build 2404 (64-bit) 5.24.2404\install\0574CAE\ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe.msi | executable | F5F05F70139417DC3B425006CC472880 | 3CB56935A83AB00509D61812990291E61DBFD875CF36ED025996D0038EEB913F |
| C:\Users\admin\AppData\Local\Temp\shiDA27.tmp | executable | 8B28BD12A73FC10C0C6C0C1C78FEAEE7 | AC2E2CD7689E0633EFB6943D8B3B6E644AD9649CF99AD10E5E7C930141346B6F |
| C:\Users\admin\AppData\Local\Temp\MSIE1BA.tmp | executable | E0D0D82F22D7CC1A1CACD486799D5D96 | 84FE1F4A7DC3C2A73ED202A9FCF4DA9B463C5B692639CB93F919BDA9F18A14E9 |
| C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7428\completi | image | 45B0E074F96A859ADAE198187AB9FA11 | 050282E679AC80F6A357FFF92F1E7A95D30A06B35247E25CBFD2DD8CEEE1A412 |
| C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_F36A5455545D090CDA0D02D56B99F7BB | binary | 66E44197F79D92008744630B17E30F7B | 2077D5048FA761D551D982BA9F2EBB70D5A35F2EE014F62E107626093FCE62F7 |
| C:\Users\admin\AppData\Roaming\ActiveState\ActivePerl 5.24.3 Build 2404 (64-bit) 5.24.2404\install\decoder.dll | executable | BF436648D11DE396F4B4CF1FAEB63366 | ABDEE86230F7D790976AC031522788E0A23CC5657D19E95D97096A398140EA93 |
| C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 | binary | 567DF045F1AB3FB06188564C4E54F7D2 | E2597A646C0FB9A9D5F9D7187092A05BBC0AB6C65AED64D13F06F0C24A6D0A0E |
| C:\Users\admin\AppData\Local\Temp\MSIE228.tmp | executable | E0D0D82F22D7CC1A1CACD486799D5D96 | 84FE1F4A7DC3C2A73ED202A9FCF4DA9B463C5B692639CB93F919BDA9F18A14E9 |
HTTP(S) requests: 6
TCP/UDP connections: 22
DNS requests: 7
Threats: 2

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| - | - | GET | 200 | 107.20.238.232:443 | https://update.activestate.com/ActivePerl/2404/x64 | unknown | - | - | unknown |
| 7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | GET | 200 | 216.58.206.68:80 | http://www.google.com/ | unknown | - | - | whitelisted |
| - | - | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D | unknown | - | - | whitelisted |
| 7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEGW5bDNNqfRI47TdcrzWVYg%3D | unknown | - | - | whitelisted |
| - | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| - | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| - | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| - | - | 192.168.100.255:137 | - | - | - | whitelisted |
| - | - | 192.168.100.255:138 | - | - | - | whitelisted |
| - | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | 216.58.206.68:80 | www.google.com | GOOGLE | US | whitelisted |
| 7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | 44.212.139.89:443 | update.activestate.com | AMAZON-AES | US | whitelisted |
| 7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | - | whitelisted |
| 4932 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 7908 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | 51.124.78.146, 51.104.136.2 | whitelisted |
| google.com | 216.58.206.78 | whitelisted |
| www.google.com | 216.58.206.68 | whitelisted |
| update.activestate.com | 44.212.139.89, 3.217.5.203, 54.174.191.73, 52.3.215.242, 107.20.238.232 | whitelisted |
| ocsp.comodoca.com | 104.18.38.233, 172.64.149.23 | whitelisted |
| activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted |

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| 7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] AdvancedInstaller User-Agent |
| 7428 | ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] AdvancedInstaller User-Agent |
No debug info