OffercastInstaller_AVR_U-0363-01-P_.exe
This report is generated from a file or URL submitted to this webservice on February 26th 2016 17:50:08 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v3.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware/Leak: POSTs files to a webserver
- Fingerprint: reads the active computer name; reads the cryptographic machine GUID
Network Behavior
- Contacts 3 domains and 1 host.
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 5
-
External Systems
-
Sample was identified as malicious by a trusted Antivirus engine
- details
- No specific details available
- source
- Anti-Virus Test Result
- relevance
- 5/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 8/56 Antivirus vendors marked sample as malicious (14% detection rate)
- source
- Anti-Virus Test Result
- relevance
- 8/10
-
Installation/Persistence
-
Allocates virtual memory in foreign process
- details
- "<Input Sample>" allocated memory in "C:\OffercastInstaller_AVR_U_0363_01_P_.exe"
- source
- API Call
- relevance
- 7/10
- note
- The "foreign process" is a second instance of the same installer image (the disassembly streams below record two PIDs, 3276 and 3596, for OffercastInstaller_AVR_U_0363_01_P_.exe), so this is the installer allocating memory in its own child, not in an unrelated system or browser process. Cross-process allocation into a helper is still worth inspecting for written code, but on its own it is not evidence of injection into a third-party process.
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "199.36.100.103" (ASN: 14829, Owner: Mindspark Interactive Network, Inc.): ...
URL: http://pipoffers.apnpartners.com/static/partners/generic/images/install.ico (AV positives: 1/67 scanned on 02/22/2016 15:04:36)
URL: http://pipoffers.apnpartners.com/PIP/Server.jhtml?partner_id=ATU3&language=ko&version=2.6.1.0 (AV positives: 1/66 scanned on 02/10/2016 06:03:38)
URL: http://pipoffers.apnpartners.com/PIP/Server.jhtml?partner_id=ASI2&language=ko&version=2.6.10.0 (AV positives: 1/66 scanned on 02/07/2016 18:34:42)
URL: http://pipoffers.apnpartners.com/PIP/Server.jhtml?partner_id=SHD&language=ko&version=2.8.0.2 (AV positives: 1/66 scanned on 02/05/2016 21:39:10)
URL: http://pipoffers.apnpartners.com/PIP/Server.jhtml?partner_id=FAS&language=ko&version=2.6.9.1 (AV positives: 1/66 scanned on 02/04/2016 23:24:44)
File SHA256: 13c8093cb8be19ccab01bd0db0fd4a2334617ef0d1b16324367654c25a7bf8f3 (AV positives: 17/56 scanned on 02/26/2016 22:15:16)
File SHA256: 44cd8c78c2e887b36092531cb32a1ba4f04a6948337e386f8ecea42b50af1f59 (AV positives: 17/56 scanned on 02/26/2016 19:02:44)
File SHA256: 0d09ae6f08e0d5642ae944f19e7e0f9d4c1c409c65619bca2b5d9e80f4cf1bad (AV positives: 10/56 scanned on 02/26/2016 17:24:43)
File SHA256: 40e7155ce6e7fb609a2a2b41365810e21207948eb6a1d453a9711fae40d91147 (AV positives: 15/56 scanned on 02/26/2016 10:34:40)
File SHA256: f7e74bb029c45b2406bb56a9651a471f70023ed8271b65ef1425e965b5e3d13e (AV positives: 15/56 scanned on 02/26/2016 10:34:35)
- source
- Network Traffic
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Accesses potentially sensitive information from local browsers
- details
-
"<Input Sample>" had access to "%APPDATA%\Microsoft\Windows\Cookies\index.dat" (Type: "FileHandle")
"<Input Sample>" had access to "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat" (Type: "FileHandle")
- source
- Touched Handle
- relevance
- 5/10
- note
- Both index.dat files are the WinINet cookie and history caches, which WinINet opens on behalf of any process that uses it for HTTP; the installer imports InternetOpenW, HttpSendRequestW and URLDownloadToFileW (see "Imports suspicious APIs") and creates the WinINet mutants listed under "Creates mutants". A file handle alone does not show that cookie contents were read or sent; the only POST recorded in this run carried no body.
-
Suspicious Indicators 30
-
Anti-Detection/Stealthiness
-
Sets the process error mode to suppress error box
- details
- "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
- source
- API Call
- relevance
- 8/10
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003276 (7 occurrences)
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003596 (5 occurrences)
- source
- StaticStream (Disassembly)
- relevance
- 1/10
-
Environment Awareness
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.dll at 2846-3665-00415477
GetVersionExW@KERNEL32.dll at 2846-3937-00449DD5
GetVersion@KERNEL32.DLL from PID 00003276 (3 occurrences)
GetVersionExW@KERNEL32.DLL from PID 00003276 (4 occurrences)
GetVersion@KERNEL32.DLL from PID 00003596 (2 occurrences)
GetVersionExW@KERNEL32.DLL from PID 00003596 (3 occurrences)
- source
- StaticStream (Disassembly)
- relevance
- 1/10
-
Makes a branch decision directly after calling an API that is environment aware
- details
-
Found API call GetVersion@KERNEL32.dll (Target: "OffercastInstaller_AVR_U_0363_01_P_.exe.bin", Stream UID: "2846-3665-00415477")
which is directly followed by "cmp al, 06h" and "jc 00415685h". See related instructions: "...
+113 call 004439CDh
+118 xor eax, eax
+120 mov dword ptr [esp+30h], 00000007h
+128 mov dword ptr [esp+2Ch], ebx
+132 mov word ptr [esp+1Ch], ax
+137 mov dword ptr [esp+000000F0h], ebx
+144 call dword ptr [004971E4h] ;GetVersion
+150 cmp al, 06h
+152 jc 00415685h" ... at 2846-3665-00415477
Found API call GetLocalTime@KERNEL32.DLL (Target: "OffercastInstaller_AVR_U_0363_01_P_.exe")
which is directly followed by "cmp dword ptr [009905F4h], ebx" and "jne 00913A10h". See related instructions: "...
+35 lea eax, dword ptr [ebp-00000420h]
+41 push eax
+42 call dword ptr [009672A0h] ;GetLocalTime
+48 cmp dword ptr [009905F4h], ebx
+54 jne 00913A10h" ... The identical site was recorded in stream UIDs "00012098-00003276-2630-329-009139CD", "00012098-00003276-18096-329-009139CD" and "00012098-00003276-13519-329-009139CD" from PID 00003276, and in "00013032-00003596-10072-329-009139CD" and "00013032-00003596-21860-329-009139CD" from PID 00003596
Found API call GetVersion@KERNEL32.DLL (Target: "OffercastInstaller_AVR_U_0363_01_P_.exe")
which is directly followed by "cmp al, 06h" and "jc 008E5685h". See related instructions: "...
+113 call 009139CDh
+118 xor eax, eax
+120 mov dword ptr [esp+30h], 00000007h
+128 mov dword ptr [esp+2Ch], ebx
+132 mov word ptr [esp+1Ch], ax
+137 mov dword ptr [esp+000000F0h], ebx
+144 call dword ptr [009671E4h] ;GetVersion
+150 cmp al, 06h
+152 jc 008E5685h" ... The identical site was recorded in stream UIDs "00012098-00003276-2630-1398-008E5477", "00012098-00003276-18096-1398-008E5477" and "00012098-00003276-13519-1398-008E5477" from PID 00003276, and in "00013032-00003596-10072-1398-008E5477" and "00013032-00003596-21860-1398-008E5477" from PID 00003596
- source
- StaticStream (Disassembly)
- relevance
- 10/10
- note
- GetVersion returns the major OS version in its low byte, so "cmp al, 06h" followed by "jc" jumps only when the major version is below 6 (pre-Vista). That is an ordinary minimum-OS gate of the kind compiler runtimes and installers emit, not a sandbox or VM check. At the GetLocalTime site the branch compares a global (009905F4h) with EBX rather than the SYSTEMTIME that was just written to [ebp-420h], so that decision does not depend on the clock either. The run-time GetVersion streams are the static 00415477 site relocated from the preferred image base 0x00400000 to 0x008D0000 (0x008E5477 - 0x00415477 = 0x4D0000; the call targets 004439CDh and [004971E4h] shift by the same amount), not additional call sites. The 10/10 relevance should be discounted accordingly.
-
Possibly tries to detect the presence of a debugger
- details
-
GetProcessHeap@KERNEL32.DLL from PID 00003276 (10 occurrences)
GetProcessHeap@KERNEL32.DLL from PID 00003596 (7 occurrences)
- source
- StaticStream (Disassembly)
- relevance
- 1/10
-
Reads the cryptographic machine GUID
- details
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
-
FindResourceW@KERNEL32.dll at 2846-3246-00402948
LockResource@KERNEL32.dll at 2846-3774-0041A76C
FindResourceW@KERNEL32.dll at 2846-3789-0041C434
FindResourceW@KERNEL32.DLL from PID 00003276 (12 occurrences)
LockResource@KERNEL32.DLL from PID 00003276 (4 occurrences)
FindResourceW@KERNEL32.DLL from PID 00003596 (1 occurrence)
- source
- StaticStream (Disassembly)
- relevance
- 1/10
-
POSTs files to a webserver
- details
-
"POST /PIP/OfferAccept.jhtml HTTP/1.1
Content-Type: application/x-www-form-urlencoded" with no payload
- source
- Network Traffic
- relevance
- 5/10
- note
- The only POST recorded carries no body, so no file or form data left the guest in this run; the "POSTs files to a webserver" line in the Risk Assessment summary rests on this empty request. By its name the endpoint is an offer-acceptance callback on the same pipoffers.apnpartners.com host that serves the GET below.
-
Reads configuration files
- details
- "<Input Sample>" read file "C:\Users\desktop.ini"
- source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Creates/touches files in windows directory
- details
-
"<Input Sample>" created file "C:\Windows\system32\tzres.dll"
"<Input Sample>" created file "C:\Windows\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" created file "%APPDATA%\Microsoft\Windows\Cookies"
"<Input Sample>" created file "%APPDATA%\Microsoft\Windows\Cookies\index.dat"
"<Input Sample>" created file "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat"
"<Input Sample>" created file "C:\Windows\system32\OLEACCRC.DLL"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"<Input Sample>" created file "C:\Windows\system32\en-US\MLANG.dll.mui"
"<Input Sample>" created file "C:\Windows\Fonts\staticcache.dat"
"<Input Sample>" created file "C:\Windows\system32\rsaenh.dll"
"<Input Sample>" created file "C:\Windows\system32\stdole2.tlb"
"<Input Sample>" created file "C:\Windows\system32\en-US\urlmon.dll.mui"
- source
- API Call
- relevance
- 7/10
- note
- Every Windows-directory path here is a stock component (time-zone resources, the NLS sort table, the RSA CSP rsaenh.dll, the OLE type library, MUI resource DLLs, the font cache), and this indicator fires on CreateFile handle opens, so the entries are consistent with the installer loading these modules rather than writing to system32. The "Dropped files" list below contains only the %TEMP% artefacts, which confirms that nothing was written under C:\Windows.
-
Network Related
-
Found potential IP address in binary/memory
- details
-
"2.8.1.0"
"2.5.4.11"
- source
- String
- relevance
- 3/10
- note
- Neither string is an IP address: 2.8.1.0 is the installer's own FileVersion/ProductVersion (see Version Info) and 2.5.4.11 is the X.509 attribute OID for organizationalUnitName (OU), which appears in every distinguished name of the embedded certificate chain. This is a false positive of the dotted-quad heuristic.
-
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
- source
- Network Traffic
- relevance
- 10/10
- note
- This is the standard Internet Explorer 7 / Trident 4 user-agent string for the Windows 7 guest. The installer imports WinINet and urlmon (InternetOpenW, HttpSendRequestW, URLDownloadToFileW under "Imports suspicious APIs") and creates the WinINet mutants listed under "Creates mutants", so the requests go out through the IE networking stack from inside the installer process; no browser window is involved, as the indicator title says. The string is therefore not a useful network signature on its own; filter on the apnpartners.com Host header instead.
-
Ransomware/Banking
-
Checks warning level of secure to non-secure traffic redirection
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "WARNONHTTPSTOHTTPREDIRECT")
- source
- Registry Access
- relevance
- 7/10
- note
- WarnOnHTTPSToHTTPRedirect is an Internet Explorer setting that WinINet reads when a process initialises HTTP handling; only a read is recorded, which fits the installer's use of the IE networking stack. "Ransomware/Banking" is the sandbox's category for this indicator, not a verdict on the sample.
-
Spyware/Information Retrieval
-
Contains ability to enumerate processes/modules/threads
- details
-
CreateToolhelp32Snapshot@KERNEL32.dll at 2846-3847-0043136D
CreateToolhelp32Snapshot@KERNEL32.dll at 2846-3692-0045A0B6
CreateToolhelp32Snapshot@KERNEL32.dll at 2846-4084-0045959B
CreateToolhelp32Snapshot@KERNEL32.DLL from PID 00003276 (7 occurrences)
CreateToolhelp32Snapshot@KERNEL32.DLL from PID 00003596 (5 occurrences)
- source
- StaticStream (Disassembly)
- relevance
- 5/10
-
System Destruction
-
Marks file for deletion
- details
-
"C:\OffercastInstaller_AVR_U_0363_01_P_.exe" marked "%TEMP%\apn_pip_local\orchestrator.html" for deletion
"C:\OffercastInstaller_AVR_U_0363_01_P_.exe" marked "%TEMP%\apn_pip_local\rules.js" for deletion
"C:\OffercastInstaller_AVR_U_0363_01_P_.exe" marked "%TEMP%\apn_pip_local\objectmodel.js" for deletion
"C:\OffercastInstaller_AVR_U_0363_01_P_.exe" marked "%TEMP%\apn_pip_local\AveryError.png" for deletion
"C:\OffercastInstaller_AVR_U_0363_01_P_.exe" marked "%TEMP%\apn_pip_local" for deletion
"C:\OffercastInstaller_AVR_U_0363_01_P_.exe" marked "%TEMP%\APNAnalytics.xml" for deletion
- source
- API Call
- relevance
- 10/10
- note
- Every path marked for deletion is one of the installer's own dropped files (compare "Creates a writable file in a temporary directory" below), so this is the installer cleaning up its %TEMP% staging directory, not destruction of user data. The "System Destruction" category and the 10/10 relevance overstate it; the useful observation is that the staging files will not be on disk after a completed run, so collect them from a sandbox or from an interrupted install.
-
Opens file with deletion access rights
- details
-
"<Input Sample>" opened "%TEMP%\apn_pip_local\orchestrator.html" with delete access
"<Input Sample>" opened "%TEMP%\apn_pip_local\rules.js" with delete access
"<Input Sample>" opened "%TEMP%\apn_pip_local\objectmodel.js" with delete access
"<Input Sample>" opened "%TEMP%\apn_pip_local\AveryError.png" with delete access
"<Input Sample>" opened "%TEMP%\apn_pip_local\" with delete access
"<Input Sample>" opened "%TEMP%\APNAnalytics.xml" with delete access
- source
- API Call
- relevance
- 7/10
-
System Security
-
Modifies proxy settings
- details
-
"<Input Sample>" (Access type: "DELETEVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "DELETEVAL", Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "SETVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYENABLE", Value: "00000000")
"<Input Sample>" (Access type: "DELETEVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYSERVER")
"<Input Sample>" (Access type: "DELETEVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYOVERRIDE")
- source
- Registry Access
- relevance
- 10/10
- note
- Unlike most indicators in this report, these are writes: ProxyEnable is set to 0 and the ProxyServer, ProxyOverride and ZoneMap ProxyBypass values are deleted, which silently removes any proxy the user or their organisation had configured for WinINet-based applications (Internet Explorer included). Hosts that ran this installer should have these values checked and restored. Because the values are deleted rather than changed, the previous configuration cannot be recovered from the live user hive; take it from Group Policy or a backup.
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- note
- \Device\KsecDD is the device that the user-mode cryptographic providers open for kernel-backed random numbers and hashing. The installer loads rsaenh.dll (see "Creates/touches files in windows directory"), so this handle is consistent with ordinary CryptoAPI use rather than with deliberate driver interaction.
-
Queries sensitive IE security settings
- details
-
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY", Key: "DISABLESECURITYSETTINGSCHECK")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY", Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
-
Queries the display settings of system associated file extensions
- details
-
"<Input Sample>" (Access type: "QUERYVAL", Path: "HKCR\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.HTML", Key: "ALWAYSSHOWEXT")
"<Input Sample>" (Access type: "QUERYVAL", Path: "HKCR\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.HTML", Key: "NEVERSHOWEXT")
- source
- Registry Access
- relevance
- 7/10
-
Unusual Characteristics
-
Imports suspicious APIs
- details
-
DeleteFileW
FindResourceExW
OutputDebugStringW
Sleep
CreateProcessW
OpenProcess
GetFileAttributesW
TerminateProcess
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
OutputDebugStringA
WinExec
DeleteFileA
CreateFileW
CreateDirectoryW
GetTickCount
FindFirstFileW
FindNextFileW
WriteFile
IsDebuggerPresent
UnhandledExceptionFilter
GetStartupInfoW
GetCommandLineW
VirtualProtect
VirtualAlloc
GetTempPathW
GetVersionExW
CreateFileA
CopyFileW
LoadLibraryW
FindResourceW
LoadLibraryExW
GetModuleHandleW
GetModuleFileNameW
CreateThread
LockResource
CreateFileMappingW
GetProcAddress
FindWindowW
GetWindowThreadProcessId
SetWindowsHookExW
OpenProcessToken
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyExW
ShellExecuteW
InternetCloseHandle
HttpQueryInfoW
HttpSendRequestW
InternetConnectW
InternetReadFile
InternetCrackUrlW
InternetOpenW
URLDownloadToFileW
sendto (Ordinal #20)
socket (Ordinal #23)
WSAStartup (Ordinal #115)
recvfrom (Ordinal #17)
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"<Input Sample>" wrote bytes "92e6987779a89d77be729d77d62d9d771de2987705a29d77bee39877616f9d7768419b7700509b7700000000ad3784778b2d8477b641847700000000" to virtual address "0x74FF1000" (part of module "WSHTCPIP.DLL")
"<Input Sample>" wrote bytes "c4ca6d7680bb6d7652ba6d769fbb6d7608bb6d7646ce6d7661386e76de2f6e76d0d96d7600000000177923764f9123767f6f2376f4f7237611f72376f2832376857e237600000000" to virtual address "0x6E201000" (part of module "MSIMG32.DLL")
"<Input Sample>" wrote bytes "7739997779a89d77be729d77d62d9d771de2987705a29d77c8689c7757d1a377bee39877616f9d7768419b7700509b7700000000ad3784778b2d8477b641847700000000" to virtual address "0x75501000" (part of module "WSHIP6.DLL")
"<Input Sample>" wrote bytes "40539b7758589c77186a9c77653c9d770000000000bf6d760000000056cc6d76000000007cca6d76000000003768b5756a2c9d77d62d9d77000000002069b5750000000029a66d7600000000a48db57500000000f70e6d7600000000" to virtual address "0x761E1000" (part of module "NSI.DLL")
"<Input Sample>" wrote bytes "94985e7651c15e76efb26476ee9c5e7675dc607690975e7610995e7600000000013d6e7638ed6e76cfcd6d7631236d76de2f6e76c4ca6d7680bb6d7652ba6d769fbb6d76707f6c7692bb6d7646ba6d760abf6d7600000000" to virtual address "0x70BA1000" (part of module "MSLS31.DLL")
- source
- Hooks
- relevance
- 10/10
- note
- Read the byte strings as little-endian dwords and each one is a run of user-space pointers (0x76xxxxxx / 0x77xxxxxx on this guest) ended by a zero dword, then another run and another zero: the layout of a bound import address table, one run per imported DLL. Every target address is 0x1000 past a 64 KiB-aligned base inside a Windows DLL that WinINet, Winsock or the IE rendering path loads (WSHTCPIP, WSHIP6, NSI, MSIMG32, MSLS31), which matches what the loader writes when it resolves a freshly loaded module's imports. Treat this indicator as low signal unless the written values point outside the loaded system modules or the target lies in a code section.
-
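To check that reading against the report's own data, the following Python snippet (an added example, not part of the report or of Hybrid Analysis) decodes the WSHTCPIP.DLL and MSIMG32.DLL payloads into zero-terminated pointer groups and tests whether every value is a 32-bit user-space address. The user-space ceiling of 0x7FFFFFFF assumes the default 2 GB/2 GB split of the Windows 7 32-bit guest; the pointers are not resolved to exported functions because the report does not give the loaded module bases.

```python
"""Decode the "wrote bytes ..." payloads that the sandbox attributes to the sample.

Added example, not part of the report or of Hybrid Analysis. Each payload is split
into little-endian 32-bit values; runs of non-zero values ended by a zero dword are
the shape of a bound import address table (one run per imported DLL), which is what
the Windows loader writes at the start of a freshly loaded module. The two hex
strings below are copied verbatim from the WSHTCPIP.DLL and MSIMG32.DLL entries.
"""
import struct

REPORTED_WRITES = {
    # written to 0x74FF1000, "part of module WSHTCPIP.DLL"
    "WSHTCPIP.DLL": (
        "92e6987779a89d77be729d77d62d9d771de2987705a29d77bee39877616f9d77"
        "68419b7700509b7700000000ad3784778b2d8477b641847700000000"
    ),
    # written to 0x6E201000, "part of module MSIMG32.DLL"
    "MSIMG32.DLL": (
        "c4ca6d7680bb6d7652ba6d769fbb6d7608bb6d7646ce6d7661386e76de2f6e76"
        "d0d96d7600000000177923764f9123767f6f2376f4f7237611f72376f2832376"
        "857e237600000000"
    ),
}

# Assumption: default 32-bit Windows 7 split, user-mode addresses below 2 GiB.
USER_SPACE_LOW, USER_SPACE_HIGH = 0x00010000, 0x7FFFFFFF


def decode_pointer_groups(hex_bytes):
    """Return the payload as groups of non-zero dwords, each group ended by a zero dword."""
    data = bytes.fromhex(hex_bytes)
    if len(data) % 4:
        raise ValueError("payload is not dword-aligned: %d bytes" % len(data))
    dwords = struct.unpack("<%dI" % (len(data) // 4), data)
    groups, current = [], []
    for value in dwords:
        if value == 0:
            if current:
                groups.append(current)
                current = []
        else:
            current.append(value)
    if current:  # no terminating zero: keep the tail anyway
        groups.append(current)
    return groups


def looks_like_pointer_table(groups):
    """True when the payload is non-empty and every value is a user-space address.
    Code bytes written into a module rarely pass this: read as dwords they scatter
    across the whole 32-bit range instead of clustering inside loaded modules."""
    return bool(groups) and all(
        USER_SPACE_LOW <= value <= USER_SPACE_HIGH for group in groups for value in group
    )


def summarize(hex_bytes):
    """Per group: pointer count and the 64 KiB-aligned range the pointers fall into."""
    groups = decode_pointer_groups(hex_bytes)
    return [(len(g), min(g) & 0xFFFF0000, max(g) & 0xFFFF0000) for g in groups]


if __name__ == "__main__":
    for module, payload in REPORTED_WRITES.items():
        groups = decode_pointer_groups(payload)
        print(module, "pointer table:", looks_like_pointer_table(groups))
        for count, low, high in summarize(payload):
            print("  %2d pointers in 0x%08X..0x%08X" % (count, low, high))
```

The WSHTCPIP payload decodes to a run of ten pointers in 0x7798xxxx..0x779Dxxxx and a run of three in 0x7784xxxx, two import descriptors' worth of thunks. Paste the remaining three payloads from the report into REPORTED_WRITES and they decode the same way; the NSI.DLL one is mostly single-pointer runs, which is how a module that imports one function from each of several DLLs looks.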
Reads information about supported languages
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "AR")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "AR")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "AR-SA")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "AR-SA")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "BG")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "BG")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "BG-BG")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "BG-BG")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "CA")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "CA")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "CA-ES")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "CA-ES")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "ZH-HANS")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "ZH-HANS")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "ZH-CN")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "ZH-CN")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "CS")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "CS")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "CS-CZ")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "CS-CZ")
- source
- Registry Access
- relevance
- 3/10
-
Hiding 7 Suspicious Indicators
-
Informative 14
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetLocalTime@KERNEL32.DLL from PID 00003276 (7 occurrences)
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003276 (6 occurrences)
GetLocalTime@KERNEL32.DLL from PID 00003596 (4 occurrences)
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003596 (3 occurrences)
- source
- StaticStream (Disassembly)
- relevance
- 1/10
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceExW@KERNEL32.DLL from PID 00003276
GetDiskFreeSpaceExW@KERNEL32.DLL from PID 00003596
- source
- StaticStream (Disassembly)
- relevance
- 3/10
-
General
-
Contacts domains
- details
-
"ak.pipoffers.apnpartners.com"
"pipoffers.apnpartners.com"
"103.100.36.199.in-addr.arpa"
- source
- Network Traffic
- relevance
- 1/10
- note
- The third name is the reverse-DNS (PTR) lookup of 199.36.100.103, the single host contacted, not a further domain; the "3 domains" in the summary counts it. Both apnpartners.com names are the ones to block or alert on.
-
Contacts server
- details
- "199.36.100.103:80"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
- "C:\.jenkins\jobs\PIP2.0_INSTALLER\workspace\release\AskInstaller_1_.pdb"
- source
- String
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\apn_pip_local\orchestrator.html"
"<Input Sample>" created file "%TEMP%\apn_pip_local\rules.js"
"<Input Sample>" created file "%TEMP%\apn_pip_local\objectmodel.js"
"<Input Sample>" created file "%TEMP%\apn_pip_local\AveryError.png"
"<Input Sample>" created file "%TEMP%\APNAnalytics.xml"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208"
"\Sessions\1\BaseNamedObjects\Global\PIP_Mutex"
"\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
"\Sessions\1\BaseNamedObjects\Local\c:!users!pspubws!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!pspubws!appdata!roaming!microsoft!windows!cookies!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!pspubws!appdata!local!microsoft!windows!history!history.ie5!"
"\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
"\Sessions\1\BaseNamedObjects\Local\!PrivacIE!SharedMemory!Mutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"\Sessions\1\BaseNamedObjects\RasPbFile"
"\Sessions\1\BaseNamedObjects\Local\!IETld!Mutex"
- source
- Created Mutant
- relevance
- 3/10
- note
- Only "Global\PIP_Mutex" is the installer's own object and usable as an indicator. The rest (IESQMMUTEX, _!MSFTHISTORY!_, the three cache/cookie/history path mutants, the Wininet* and Zones* mutants, !PrivacIE! and !IETld!) are created by WinINet, urlmon and the IE cache for any process that uses them; DBWinMutex comes from OutputDebugString (imported above) and RasPbFile from the RAS phonebook access WinINet performs during connection setup.
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "orchestrator.html.4256584812" as clean (type is "HTML document, ASCII text, with CRLF line terminators")
- source
- Dropped File
- relevance
- 10/10
-
GETs files from a webserver
- details
-
"GET /static/partners/AVR/APNAnalytics.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: ak.pipoffers.apnpartners.com
Connection: Keep-Alive"
- source
- Network Traffic
- relevance
- 5/10
-
Sample shows a variety of benign indicators
- details
-
The file was not detected as malicious, drops clean files and is signed with a certificate
- source
- Signature combinations
- relevance
- 10/10
- note
- This combination signature conflicts with the "8/56 Antivirus vendors marked sample as malicious" result under Malicious Indicators; the "not detected" clause should not be read as a clean verdict. An Authenticode signature establishes a publisher identity, not that the behaviour (here, silently removing the user's proxy configuration) is wanted; the leaf code-signing certificate's subject is not printed in this report.
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1, see report for more information)
The input sample is signed with a certificate issued by "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US" (SHA1: 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4, see report for more information)
The input sample is signed with a certificate issued by "CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US" (SHA1: 6A:67:AE:A2:01:E7:6B:89:57:B8:37:D5:C2:06:45:B0:24:3F:DA:7E, see report for more information)
The input sample is signed with a certificate issued by "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US" (SHA1: 49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F, see report for more information)
- source
- Unknown
- relevance
- 10/10
- note
- In each line the SHA1 is the thumbprint of the certificate that the named issuer signed (the next certificate down the chain), as the File Certificates table confirms for the first two: 6C:07... is the Symantec Time Stamping Services CA - G2 certificate issued by Thawte, and 65:43... is the Signer - G4 certificate issued by that CA. The first two entries form the timestamp chain; the VeriSign entries form the code-signing chain.
-
Installation/Persistence
-
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"APNAnalytics.xml.121766604" has type "XML document text"
"APNAnalytics[1].xml.2077236108" has type "XML document text"
"rules.js.3749633870" has type "ASCII text, with very long lines, with CRLF line terminators"
"AveryError.png.3752602598" has type "PNG image data, 594 x 360, 8-bit colormap, non-interlaced"
"objectmodel.js.3753185502" has type "ASCII text, with CRLF line terminators"
"orchestrator.html.4256584812" has type "HTML document, ASCII text, with CRLF line terminators"
- source
- Dropped File
- relevance
- 3/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "pipoffers.apnpartners.com"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D"
Pattern match: "https://www.verisign.com/rpa0"
Pattern match: "http://ocsp.verisign.com0"
Pattern match: "http://csc3-2010-aia.verisign.com/CSC3-2010.cer0"
Pattern match: "https://www.verisign.com/cps0*"
Pattern match: "http://logo.verisign.com/vslogo.gif04"
Pattern match: "http://crl.verisign.com/pca3-g5.crl04"
Pattern match: "sp.ask.com/en/docs/about/terms_of_service.shtml0"
Pattern match: "http://ak.pipoffers.apnpartners.com/static/partners/{partnerid}/APNAnalytics.xml"
Pattern match: "http://pipoffers.apnpartners.com/PIP/Server.jhtml?partner_id={partnerid}&language={locale}&version={version}&src={publisher"
Pattern match: "http://localhost/APNAnalytics.xml"
Pattern match: "http://localhost/Server.jhtml?partner_id={partnerid}&language={locale}&version={version}&src={publisher"
- source
- String
- relevance
- 10/10
- note
- The ocsp, crl and aia URLs belong to the embedded Authenticode chain and appear in any binary signed through VeriSign or Symantec at the time; the installer does not contact them. The two apnpartners.com templates show the beacon format (partner id, locale, version and a src parameter cut off by the string extractor), and the http://localhost/ copies are the same endpoints pointed at a local test server, a development leftover consistent with the Jenkins workspace path under "Contains PDB pathways".
-
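The indicators that are specific to this installer are spread over a dozen panels above: the two apnpartners.com names and 199.36.100.103 ("Contacts domains", "Contacts server"), the Global\PIP_Mutex mutant, the %TEMP%\apn_pip_local staging directory, the proxy values it writes and deletes, and the AskInstaller PDB path. The following Python collects them and runs them over host telemetry. It is an added example, not code from the report, from Hybrid Analysis or from Ask.com; the event schema, the indicator names and the sample records are constructed here in a Sysmon-like shape and are not from the sandbox run.

```python
"""Behavioural IOC matcher for the Offercast/APN installer described in this report.

Added example: this is neither Hybrid Analysis code nor the vendor's. The indicators
come from the report (contacted domains and host, the PIP_Mutex mutant, the
%TEMP%\\apn_pip_local staging directory, the proxy registry changes and the PDB path).
The events are constructed here in a Sysmon-like shape; the field names are ours.
"""
import re

# "Contacts domains" / "Contacts server"
NETWORK_IOCS = {"pipoffers.apnpartners.com", "ak.pipoffers.apnpartners.com", "199.36.100.103"}
# "Creates mutants": the only sample-specific object; the rest are WinINet/urlmon internals.
MUTEX_SUFFIX = "\\global\\pip_mutex"
# "Creates a writable file in a temporary directory"
TEMP_DIR_RE = re.compile(r"\\apn_pip_local(\\|$)", re.I)
# "Contains PDB pathways"
PDB_RE = re.compile(r"\\PIP2\.0_INSTALLER\\workspace\\release\\AskInstaller", re.I)
# "Modifies proxy settings": values written or deleted under Internet Settings
PROXY_VALUE_RE = re.compile(r"\\Internet Settings\\(ProxyEnable|ProxyServer|ProxyOverride)$", re.I)


def match_event(ev):
    """Return the indicator names that one event satisfies (an empty list if none)."""
    kind = ev["type"]
    if kind == "dns" and ev["query"].lower() in NETWORK_IOCS:
        return ["apn_domain"]
    if kind == "network" and ev["dst"] in NETWORK_IOCS:
        return ["apn_host"]
    if kind == "mutex" and ev["name"].lower().endswith(MUTEX_SUFFIX):
        return ["pip_mutex"]
    if kind == "file" and TEMP_DIR_RE.search(ev["path"]):
        return ["apn_temp_dir"]
    if kind == "registry" and PROXY_VALUE_RE.search(ev["target"]):
        # The report shows ProxyEnable forced to 0 and ProxyServer/ProxyOverride deleted;
        # either form leaves the user without the proxy they had configured.
        if ev["action"] == "delete" or (ev["action"] == "set" and ev.get("value") == 0):
            return ["proxy_disabled"]
    if kind == "strings" and PDB_RE.search(ev["text"]):
        return ["askinstaller_pdb"]
    return []


def triage(events):
    """Aggregate matches over a host's events into {indicator: [event ids]}."""
    found = {}
    for ev in events:
        for name in match_event(ev):
            found.setdefault(name, []).append(ev["id"])
    return found


def verdict(found):
    """Network contact plus a host artefact means the installer ran; a proxy change
    on top means it also altered the user's configuration (the one write in the report)."""
    contacted = "apn_domain" in found or "apn_host" in found
    on_host = "pip_mutex" in found or "apn_temp_dir" in found or "askinstaller_pdb" in found
    if contacted and on_host and "proxy_disabled" in found:
        return "installer ran and disabled the user proxy"
    if contacted and on_host:
        return "installer ran"
    if found:
        return "weak match"
    return "no match"


# Constructed sample events, not records from the sandbox run.
SAMPLE_EVENTS = [
    {"id": 1, "type": "dns", "query": "ak.pipoffers.apnpartners.com"},
    {"id": 2, "type": "network", "dst": "199.36.100.103", "dport": 80},
    {"id": 3, "type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\Global\PIP_Mutex"},
    {"id": 4, "type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\apn_pip_local\rules.js"},
    {"id": 5, "type": "registry", "action": "set", "value": 0,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable"},
    {"id": 6, "type": "registry", "action": "delete",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"},
    {"id": 7, "type": "file", "path": r"C:\Windows\System32\tzres.dll"},  # system file, no match
    {"id": 8, "type": "dns", "query": "www.example.com"},  # unrelated lookup
    {"id": 9, "type": "registry", "action": "set", "value": 1,  # enabling a proxy is not the IOC
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable"},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for name in sorted(hits):
        print("%-16s events %s" % (name, hits[name]))
    print(verdict(hits))
```

The user-agent string, the IE/WinINet mutants, the system DLLs under "Creates/touches files" and the certificate URLs are deliberately left out: they fire for any process that uses the IE networking stack or carries a VeriSign-signed chain. The proxy rule is the one that matters for remediation, since it is the only persistent change to the host that the report records.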
File Details
- Filename
- OffercastInstaller_AVR_U-0363-01-P_.exe
- Size
- 1011KiB (1035696 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 64ffaae707cc563f06f9d43b50d2e6b9603bcad10b9e22e030db1743b5304a53
- MD5
- 302dd0119a39f3e726721bc6d82e29a4
- SHA1
- f42337e70886db01977319e632ffb4356003050e
- ssdeep
- 24576:eu8qWJEtGWgdbERu+Ta34Y0PxlU78SqIEtNgooj9Yo:eFXfdb0a34Y0PxlUoXIEtNQj9Yo
- imphash
- 5609d8d9ea7face6c6a7d1c3496d518a
- authentihash
- 2931fc8bf3ae59ef6a77cb26ff47bb0b47a59aec815f8dab7f6bdac6b7d61d4d
Version Info
- LegalCopyright
- 2010 (c) Ask.com. All rights reserved.
- InternalName
- AskInstaller.exe
- FileVersion
- 2.8.1.0
- CompanyName
- Ask.com
- ProductName
- Offercast - APN Install Manager
- ProductVersion
- 2.8.1.0
- FileDescription
- Offercast - APN Install Manager
- OriginalFilename
- AskInstaller.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 67.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 14.2% (.DLL) Win32 Dynamic Link Library (generic)
- 9.7% (.EXE) Win32 Executable (generic)
- 4.3% (.EXE) Generic Win/DOS Executable
- 4.3% (.EXE) DOS Executable Generic
File Certificates
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA Serial: 7e93ebfb7cc64e59ea4b9a77d406fc3b | 12/20/2012 18:00:00 to 12/30/2020 17:59:59 | 7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D, 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1 |
CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US | CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US Serial: ecff438c8febf356e04d86a981b1a50 | 10/17/2012 19:00:00 to 12/29/2020 17:59:59 | 08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37, 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4 |
CN=Ask.com, OU=Distribution, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ask.com, L=Oakland, ST=California, C=US | CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US Serial: 965f2ac7236c7e1bdca44ed139b273a | 06/19/2011 19:00:00 to 06/18/2014 18:59:59 | 3C:C1:89:55:A0:79:C9:BA:B5:78:60:C5:19:32:A8:87, 6A:67:AE:A2:01:E7:6B:89:57:B8:37:D5:C2:06:45:B0:24:3F:DA:7E |
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US Serial: 5200e5aa2556fc1a86ed96c9d44b33c7 | 02/07/2010 18:00:00 to 02/07/2020 17:59:59 | 4D:F6:E0:FC:40:0C:AE:9C:05:2F:AE:98:C6:6D:37:9F, 49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F |
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- OffercastInstaller_AVR_U_0363_01_P_.exe (PID: 3276)
- OffercastInstaller_AVR_U_0363_01_P_.exe -se -ppd 3276 (PID: 3596)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
pipoffers.apnpartners.com | 199.36.100.103 | - | United States |
ak.pipoffers.apnpartners.com | 23.78.190.3 | - | United States |
103.100.36.199.in-addr.arpa | - | - | - |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
199.36.100.103 | 80/TCP | - | United States, ASN: 14829 (Mindspark Interactive Network, Inc.) |
HTTP Traffic
Endpoint | Request | URL | Request Data |
---|---|---|---|
23.78.190.3:80 (ak.pipoffers.apnpartners.com) | GET | ak.pipoffers.apnpartners.com/static/partners/AVR/APNAnalytics.xml | GET /static/partners/AVR/APNAnalytics.xml HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: ak.pipoffers.apnpartners.com Connection: Keep-Alive |
199.36.100.103:80 (pipoffers.apnpartners.com) | POST | pipoffers.apnpartners.com/PIP/OfferAccept.jhtml | POST /PIP/OfferAccept.jhtml HTTP/1.1 Content-Type: application/x-www-form-urlencoded Readable: &anxa=APNPIP&anxv=2.8.1.0&anxd=2016-02-26T15:52:32.370-8:00&anxe=PIPStats&anxpt=windows&anxpv=7&anxf=&anxw=1022&anxh=613&anxcd=32&app=&anxr=6AAFE7B1DBE14539B55B0914002719CE&partnerID=AVR&exitCode=0&&WFType=Remote&funnelID=0BE7975B-B683-459B-996D-8D98E8943EE5&machineID=&InitializationEx=47333&APNAnalyticsDl=10505&DlgInitEx=10555 Raw hex: 26616E78613D41504E50495026616E78 763D322E382E312E3026616E78643D32 3031362D30322D32365431353A35323A 33322E3337302D383A303026616E7... |
199.36.100.103:80 (pipoffers.apnpartners.com) | POST | pipoffers.apnpartners.com/PIP/OfferAccept.jhtml | POST /PIP/OfferAccept.jhtml HTTP/1.1 Content-Type: application/x-www-form-urlencoded Readable: &anxa=APNPIP&anxv=2.8.1.0&anxd=2016-02-26T15:52:16.542-8:00&anxe=PIPOutcome&anxpt=windows&anxpv=7&anxf=&anxw=1022&anxh=613&anxcd=32&app=&anxr=F7669B1908E147C6A4FD54281B667CBC&pipPartnerName=AVR&machineID=&funnelID=64189273-B0FD-4764-ABFB-D8ACC53B4CF7&CBID=AVX&campaignID=&ioID=&placementID=&WFType=Local&offerCount=0&offerType=Static offer&offerProvider=&offerScreenVersion=&userAcceptance=true&userUIChoice=Next&installerLaunched=NoAttempt&downloadStatus=NoAttempt&downloadTime=-1&errorCondition=0&reasonCode=0&reasonString=&userSelection=&language=U Raw hex: 26616E78613D41504E50495026616E78 763D322E382E312E3026616E78643D32 3031362D30322D32365431353A35323A 31362E3534322D383A303026616E7... |
199.36.100.103:80 (pipoffers.apnpartners.com) | POST | pipoffers.apnpartners.com/PIP/OfferAccept.jhtml | POST /PIP/OfferAccept.jhtml HTTP/1.1 Content-Type: application/x-www-form-urlencoded Readable: &anxa=APNPIP&anxv=2.8.1.0&anxd=2016-02-26T15:52:16.542-8:00&anxe=PIPOutcome&anxpt=windows&anxpv=7&anxf=&anxw=1022&anxh=613&anxcd=32&app=&anxr=F7669B1908E147C6A4FD54281B667CBC&pipPartnerName=AVR&machineID=&funnelID=64189273-B0FD-4764-ABFB-D8ACC53B4CF7&CBID=AVX&campaignID=&ioID=&placementID=&WFType=Local&offerCount=-1&offerType=&offerProvider=&offerScreenVersion=&userAcceptance=false&userUIChoice=NoAttempt&installerLaunched=NoAttempt&downloadStatus=NoAttempt&downloadTime=-1&errorCondition=0&reasonCode=0&reasonString=&userSelection=&language=U Raw hex: 26616E78613D41504E50495026616E78 763D322E382E312E3026616E78643D32 3031362D30322D32365431353A35323A 31362E3534322D383A303026616E7... |
199.36.100.103:80 (pipoffers.apnpartners.com) | POST | pipoffers.apnpartners.com/PIP/OfferAccept.jhtml | POST /PIP/OfferAccept.jhtml HTTP/1.1 Content-Type: application/x-www-form-urlencoded Readable: &anxa=APNPIP&anxv=2.8.1.0&anxd=2016-02-26T15:52:16.542-8:00&anxe=PIPAttempt&anxpt=windows&anxpv=7&anxf=&anxw=1022&anxh=613&anxcd=32&app=&anxr=F7669B1908E147C6A4FD54281B667CBC&status=0&UIReadyTime=21594&pipPartnerName=AVR&WFType=Local&funnelID=64189273-B0FD-4764-ABFB-D8ACC53B4CF7&machineID=&language=U Raw hex: 26616E78613D41504E50495026616E78 763D322E382E312E3026616E78643D32 3031362D30322D32365431353A35323A 31362E3534322D383A303026616E7... |
199.36.100.103:80 (pipoffers.apnpartners.com) | POST | pipoffers.apnpartners.com/PIP/OfferAccept.jhtml | POST /PIP/OfferAccept.jhtml HTTP/1.1 Content-Type: application/x-www-form-urlencoded Readable: &anxa=APNPIP&anxv=2.8.1.0&anxd=2016-02-26T15:52:16.542-8:00&anxe=PIPStats&anxpt=windows&anxpv=7&anxf=&anxw=1022&anxh=613&anxcd=32&app=&anxr=F7669B1908E147C6A4FD54281B667CBC&partnerID=AVR&exitCode=0&&WFType=Local&funnelID=64189273-B0FD-4764-ABFB-D8ACC53B4CF7&machineID=&InitializationEx=4328&DlgInitEx=3312&uiDl=31&ConfigEx=62&orchestratorDl=8969&ParseUiEx=0&LoadEx=9094&uiReady=21594 Raw hex: 26616E78613D41504E50495026616E78 763D322E382E312E3026616E78643D32 3031362D30322D32365431353A35323A 31362E3534322D383A303026616E7... |
Memory Forensics
String | Context | Stream UID |
---|---|---|
pipoffers.apnpartners.com | Domain/IP reference | 00013032-00003596-21860-1186-0091E8C4 |
1.3.6.1 | Domain/IP reference | 00013032-00003596-21860-1630-00926BC1 |
11.2.1.12 | Domain/IP reference | 00013032-00003596-21860-1630-00926BC1 |
2.8.1.0 | Domain/IP reference | 00013032-00003596-21860-510-00906104 |
www.google.com | Domain/IP reference | 00013032-00003596-21860-1390-008E4C7A |
2.5.4.11 | Domain/IP reference | 00013032-00003596-21860-1627-009269D0 |
avery.com | Domain/IP reference | 00013032-00003596-21860-47-008D845B |
Extracted Files
Clean 1
orchestrator.html
- Size
- 13KiB (13196 bytes)
- Type
- HTML document, ASCII text, with CRLF line terminators
- AV Scan Result
- 0/55
- MD5
- fdd740a29f5849b4082b4267c045e33e
- SHA1
- f859657d5b5d244218d7a4b051681a042eaecb87
- SHA256
- 1c784689cbe6f5597d72e6a672fbd5d7d536e288e2b6fc3c0f55d67d2fd86752
Informative 5
APNAnalytics[1].xml
- Size
- 2.5KiB (2517 bytes)
- Type
- XML document text
- MD5
- c512efa072396eac3b40d89a161b5ede
- SHA1
- 02f4bb498f9ec385f337c85ce7923e6131781775
- SHA256
- f471d2a652977c0de06a3338a712eaaf45e8aade4b9b0b186db9c2d6be0b3be9
-
APNAnalytics.xml
- Size
- 2.5KiB (2517 bytes)
- Type
- XML document text
- MD5
- c512efa072396eac3b40d89a161b5ede
- SHA1
- 02f4bb498f9ec385f337c85ce7923e6131781775
- SHA256
- f471d2a652977c0de06a3338a712eaaf45e8aade4b9b0b186db9c2d6be0b3be9
-
AveryError.png
- Size
- 4.8KiB (4940 bytes)
- Type
- PNG image data, 594 x 360, 8-bit colormap, non-interlaced
- MD5
- d12d18809b8203f7dbaf6ed4a95ba79d
- SHA256
- 510b561ecc6d456c149a77c98b2afff99a3bb233dbe96ae619ef337730a482d5
-
objectmodel.js
- Size
- 1.3KiB (1354 bytes)
- Type
- ASCII text, with CRLF line terminators
- MD5
- 452a7be33226b83f62bb477cfefb624e
- SHA1
- 387902216ccbc6d8f014214ad61723b5198e635a
- SHA256
- afa1881d3b2b142fa20a47c7bec3ac0d3d6e2dfc427e335e2911f68c77ea9fc0
-
rules.js
- Size
- 60KiB (61364 bytes)
- Type
- ASCII text, with very long lines, with CRLF line terminators
- MD5
- 9acb27a7c4ec3b69f3b69fd334510177
- SHA1
- 824f17653ad8ccceb8b231456c177bd999230df4
- SHA256
- 768b45cf3776abd3bcee7b09e1204ca7cf1ab66ec939aeedbb18fd70ea21dfdd
-
Notifications
-
Runtime
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-25" are available in the report
- Not all sources for signature ID "stream-2" are available in the report
- Not all sources for signature ID "stream-32" are available in the report
- Not all sources for signature ID "string-3" are available in the report
- Some low-level details are hidden from the report due to oversize