File name: ABDownloadManager_1.6.8_windows_x64.exe

Full analysis: https://app.any.run/tasks/3862e64f-af54-4a7e-9544-c84c7fb44bce
Verdict: Malicious activity
Analysis date: August 01, 2025, 20:59:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg, antivm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: B47962F545EB06E57AB1B3BB828ACD63
SHA1: 98A18D712E10C25120CB2607252C3B86F1A7E437
SHA256: DAF7151CC9AA3DF357DE33917B4DB4572F510436E5F3577EDF456974352ECD71
SSDEEP: 786432:maJayluCzG9FU2Tz9SHHVT0jZN5NEdBNUM:paydzG9FBFcVTaN/ELNZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • ABDownloadManager.exe (PID: 188)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
    • The process creates files with name similar to system file names

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
    • Uses TASKKILL.EXE to kill process

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
    • There is functionality for taking screenshot (YARA)

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
      • ABDownloadManager.exe (PID: 188)
    • Process drops legitimate windows executable

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
    • Creates a software uninstall entry

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
    • Application launched itself

      • ABDownloadManager.exe (PID: 4112)
      • ABDownloadManager.exe (PID: 3628)
    • The process drops C-runtime libraries

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
    • Executable content was dropped or overwritten

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
      • ABDownloadManager.exe (PID: 188)
    • Creates file in the systems drive root

      • ABDownloadManager.exe (PID: 188)
    • There is functionality for VM detection VirtualBox (YARA)

      • ABDownloadManager.exe (PID: 188)
    • There is functionality for VM detection antiVM strings (YARA)

      • ABDownloadManager.exe (PID: 188)
    • There is functionality for VM detection VMWare (YARA)

      • ABDownloadManager.exe (PID: 188)
  • INFO

    • Checks supported languages

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
      • ABDownloadManager.exe (PID: 4112)
      • ABDownloadManager.exe (PID: 188)
      • ABDownloadManager.exe (PID: 3628)
      • ABDownloadManager.exe (PID: 3112)
    • Reads the computer name

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
      • ABDownloadManager.exe (PID: 188)
      • ABDownloadManager.exe (PID: 3112)
    • The sample compiled with english language support

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
    • Create files in a temporary directory

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
      • ABDownloadManager.exe (PID: 188)
      • ABDownloadManager.exe (PID: 3112)
    • Creates files or folders in the user directory

      • ABDownloadManager_1.6.8_windows_x64.exe (PID: 2040)
      • ABDownloadManager.exe (PID: 188)
    • Reads Environment values

      • ABDownloadManager.exe (PID: 188)
      • ABDownloadManager.exe (PID: 3112)
    • Reads CPU info

      • ABDownloadManager.exe (PID: 188)
      • ABDownloadManager.exe (PID: 3112)
    • Reads the machine GUID from the registry

      • ABDownloadManager.exe (PID: 188)
      • ABDownloadManager.exe (PID: 3112)
    • Launching a file from a Registry key

      • ABDownloadManager.exe (PID: 188)
    • Process checks computer location settings

      • ABDownloadManager.exe (PID: 188)
    • Manual execution by a user

      • ABDownloadManager.exe (PID: 3628)
    • Reads the software policy settings

      • slui.exe (PID: 5244)
    • Checks proxy server information

      • slui.exe (PID: 5244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.6.8.0
ProductVersionNumber: 1.6.8.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: AB Download Manager
FileVersion: 1.6.8.0
LegalCopyright: © 2024-present AB Download Manager App
ProductName: AB Download Manager
ProductVersion: 1.6.8.0
No data.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph (starting from the submitted sample): abdownloadmanager_1.6.8_windows_x64.exe, taskkill.exe (no specs), conhost.exe (no specs), abdownloadmanager.exe (no specs), abdownloadmanager.exe, abdownloadmanager.exe (no specs), abdownloadmanager.exe (no specs), slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 188
CMD: C:\Users\admin\AppData\Local\ABDownloadManager\ABDownloadManager.exe
Path: C:\Users\admin\AppData\Local\ABDownloadManager\ABDownloadManager.exe
Parent process: ABDownloadManager.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\abdownloadmanager\abdownloadmanager.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1216
CMD: taskkill /F /IM "ABDownloadManager.exe"
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: ABDownloadManager_1.6.8_windows_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2040
CMD: "C:\Users\admin\Desktop\ABDownloadManager_1.6.8_windows_x64.exe"
Path: C:\Users\admin\Desktop\ABDownloadManager_1.6.8_windows_x64.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
AB Download Manager
Exit code:
0
Version:
1.6.8.0
Modules
Images
c:\users\admin\desktop\abdownloadmanager_1.6.8_windows_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3112
CMD: C:\Users\admin\AppData\Local\ABDownloadManager\ABDownloadManager.exe --background
Path: C:\Users\admin\AppData\Local\ABDownloadManager\ABDownloadManager.exe
Parent process: ABDownloadManager.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\abdownloadmanager\abdownloadmanager.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3628
CMD: "C:\Users\admin\AppData\Local\ABDownloadManager\ABDownloadManager.exe" --background
Path: C:\Users\admin\AppData\Local\ABDownloadManager\ABDownloadManager.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\abdownloadmanager\abdownloadmanager.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3672
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4112
CMD: C:\Users\admin\AppData\Local\ABDownloadManager\ABDownloadManager.exe
Path: C:\Users\admin\AppData\Local\ABDownloadManager\ABDownloadManager.exe
Parent process: ABDownloadManager_1.6.8_windows_x64.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\abdownloadmanager\abdownloadmanager.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 5244
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 621
Read events: 4 610
Write events: 11
Delete events: 0

Modification events

(PID) Process: (2040) ABDownloadManager_1.6.8_windows_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ABDownloadManager
Operation: write
Name: DisplayName
Value: AB Download Manager

(PID) Process: (2040) ABDownloadManager_1.6.8_windows_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ABDownloadManager
Operation: write
Name: DisplayIcon
Value: "C:\Users\admin\AppData\Local\ABDownloadManager\ABDownloadManager.exe"

(PID) Process: (2040) ABDownloadManager_1.6.8_windows_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ABDownloadManager
Operation: write
Name: DisplayVersion
Value: 1.6.8

(PID) Process: (2040) ABDownloadManager_1.6.8_windows_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ABDownloadManager
Operation: write
Name: Publisher
Value: abdownloadmanager.com

(PID) Process: (2040) ABDownloadManager_1.6.8_windows_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ABDownloadManager
Operation: write
Name: InstallLocation
Value: "C:\Users\admin\AppData\Local\ABDownloadManager"

(PID) Process: (2040) ABDownloadManager_1.6.8_windows_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ABDownloadManager
Operation: write
Name: UninstallString
Value: "C:\Users\admin\AppData\Local\ABDownloadManager\uninstall.exe"

(PID) Process: (2040) ABDownloadManager_1.6.8_windows_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ABDownloadManager
Operation: write
Name: NoModify
Value: 1

(PID) Process: (2040) ABDownloadManager_1.6.8_windows_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ABDownloadManager
Operation: write
Name: NoRepair
Value: 1

(PID) Process: (2040) ABDownloadManager_1.6.8_windows_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\ABDownloadManager
Operation: write
Name: InstallPath
Value: C:\Users\admin\AppData\Local\ABDownloadManager

(PID) Process: (2040) ABDownloadManager_1.6.8_windows_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\ABDownloadManager
Operation: write
Name: Version
Value: 1.6.8
Executable files: 90
Suspicious files: 101
Text files: 87
Unknown types: 46

Dropped files

PID
Process
Filename
Type
PID: 2040 | Process: ABDownloadManager_1.6.8_windows_x64.exe | Filename: C:\Users\admin\AppData\Local\ABDownloadManager\app\animation-desktop-1.8.2-aa361a5749a780284bf03455dbd58ba2.jar | Type: compressed
MD5:AA361A5749A780284BF03455DBD58BA2
SHA256:80AF3D6BF305F0B6C0CFBE8175AE7EC46BF7B3027A9BAC1616E05B0E21422432
PID: 2040 | Process: ABDownloadManager_1.6.8_windows_x64.exe | Filename: C:\Users\admin\AppData\Local\ABDownloadManager\app\arrow-core-jvm-2.1.2-a54a9df53c451017a890ce34d77bbd3.jar | Type: compressed
MD5:A54A9DF53C451017A890CE34D77B0BD3
SHA256:26C4F0A5BDC0353C866ED5039BCE489D5595726A78433F03E0B219A4A2803DA8
PID: 2040 | Process: ABDownloadManager_1.6.8_windows_x64.exe | Filename: C:\Users\admin\AppData\Local\ABDownloadManager\app\app-8e83dc0eab51a5ed3c02b451ca44544.jar | Type: compressed
MD5:08E83DC0EAB51A5ED3C02B451CA44544
SHA256:70ABC0C426C2F924B68025604682CB585B10EE7BB587D4D6475FF6BBCC3D5244
PID: 2040 | Process: ABDownloadManager_1.6.8_windows_x64.exe | Filename: C:\Users\admin\AppData\Local\ABDownloadManager\app\annotations-23.0.0-8484cd17d040d837983323f760b2c660.jar | Type: compressed
MD5:8484CD17D040D837983323F760B2C660
SHA256:7B0F19724082CBFCBC66E5ABEA2B9BC92CF08A1EA11E191933ED43801EB3CD05
PID: 2040 | Process: ABDownloadManager_1.6.8_windows_x64.exe | Filename: C:\Users\admin\AppData\Local\ABDownloadManager\app\arrow-annotations-jvm-2.1.2-3e2cd13186b691a04fcaff47d5f76a.jar | Type: compressed
MD5:3E2CD13186B691A004FCAFF407D5F76A
SHA256:CED7CA0261E3D0FC502C1B8CFF4395DC0395AD6C316FFFCC596F7F1E1DDB9E5B
PID: 2040 | Process: ABDownloadManager_1.6.8_windows_x64.exe | Filename: C:\Users\admin\AppData\Local\ABDownloadManager\app\app-utils-3da626a14d77fbea28c0214135fce9.jar | Type: compressed
MD5:3DA6260A14D77FBEA208C0214135FCE9
SHA256:DDC7B580F9E3AC71B6CDA89962FC7B82CCED37B5DDB88E65849706E9F92E8A38
PID: 2040 | Process: ABDownloadManager_1.6.8_windows_x64.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsrE963.tmp\nsDialogs.dll | Type: executable
MD5:B7D61F3F56ABF7B7FF0D4E7DA3AD783D
SHA256:89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
PID: 2040 | Process: ABDownloadManager_1.6.8_windows_x64.exe | Filename: C:\Users\admin\AppData\Local\ABDownloadManager\app\arrow-atomic-jvm-2.1.2-88990aad695468c0ae99f6a3c932c.jar | Type: compressed
MD5:889900AAD6095468C0AE99F60A3C932C
SHA256:FDB36C4E152A89676239B8CBD5A132AAE8A72FCA14B56D91C7E7AC6B47E97BF1
PID: 2040 | Process: ABDownloadManager_1.6.8_windows_x64.exe | Filename: C:\Users\admin\AppData\Local\ABDownloadManager\app\animation-core-desktop-1.8.2-89882254a9c39d5b61e9ebfe58237d8.jar | Type: compressed
MD5:89882254A90C39D5B61E9EBFE58237D8
SHA256:710EEB91FD8552E10B67ECAE12B1DC31AB317EB6E5BCEB04D4C21E3F34252407
PID: 2040 | Process: ABDownloadManager_1.6.8_windows_x64.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsrE963.tmp\modern-header.bmp | Type: image
MD5:8DF3FE4D2F0477C99C7D1420417E510C
SHA256:0167FFC65E6F330BDCFEB1ABD911587ADE472382CB544CD69FF4F55A105C1D60
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 22
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 193.108.153.159:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 193.108.153.159:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 193.108.153.159:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 193.108.153.159:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 193.108.153.159:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 193.108.153.159:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 193.108.153.159
  • 193.108.153.175
  • 193.108.153.163
  • 193.108.153.170
  • 193.108.153.155
  • 193.108.153.135
  • 193.108.153.165
  • 193.108.153.169
  • 193.108.153.132
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 52.168.112.67
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info