anyprotectsetup.exe

Online Backup!

ClickMeIn Limited

The installer uses the installCore download manager, which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application anyprotectsetup.exe has been detected as adware by 3 anti-malware scanners. The program is a setup application that uses the installCore installer; however, the file is not signed with an Authenticode signature from a trusted source. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from download-servers.com. While running, it connects to the Internet address 198.105.215.132.static.midphase.com on port 80 using the HTTP protocol.

Publisher:
ClickMeIn Limited

Product:
Online Backup!

Description:
Setup

Version:
1.0.0.1

MD5:
05e442957b2c21745413909e95e54d6d

SHA-1:
faacea5e04c2482c5ac74f78443a869b735b3e4a

SHA-256:
850f5cbcf549ca6b179179f7d73f21574dd3e29c3b3f474b23f7c911df9bd747

Scanner detections:
3 / 68

Status:
Adware

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
12/28/2024 12:07:10 PM UTC

Scan engine | Detection | Engine version
F-Prot | W32/A-a5d79c65 | v6.4.7.1.166
Reason Heuristics | PUP.Installer.ClickMeInLimited.P | 14.9.11.15
Sophos | ClickMeIn Installer | 4.98

File size:
602.9 KB (617,369 bytes)

Product version:
1.0.0.1

Copyright:
Copyright 2013

Trademarks:
Registered trademark of CMI

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\anyprotectsetup.exe

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:35 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:6EKbw1mP/VjP3ZB7x5weGCgtB4T+Du2bYy+rXCZ5z:6EKcE/VlFx50tB4auDy+rXg5z

Entry address:
0x323F

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 98, 27, 7A, 00, E8, 09, 2C, 00, 00, A3, E4, 26, 7A, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, DC, 79, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, E0, 1E, 7A, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 80, 7A, 00, 50, 57, E8, AA, 28, 00, 00...
 

Entropy:
7.9672

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file anyprotectsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 198.105.215.132.static.midphase.com  (198.105.215.132:80)
