windows 8 activator loader 2013 v4.0 full version__4502_il800.exe

Installer

The application windows 8 activator loader 2013 v4.0 full version__4502_il800.exe has been detected as a potentially unwanted program by 27 anti-malware scanners. It bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The file has been seen being downloaded from www.formerdownload.com and multiple other hosts. While running, it connects to the Internet address server-52-84-174-121.gru50.r.cloudfront.net on port 80 using the HTTP protocol.
Product:
Installer

Version:
1.1.6.20

MD5:
84e5b8b179f75cb8cbd3f6dd75e41f34

SHA-1:
4be6182eb0babdb8ee73035bdb74aac7e5e996e2

SHA-256:
bbc3ea87d77898d097a18d4fbb9d50d52ee56b4563e6115381b071593207f76b

Scanner detections:
27 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 1:55:44 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Bundler.Amonetize.14
389

Agnitum Outpost
PUA.Amonetize
7.1.1

AhnLab V3 Security
PUP/Win32.Amonetiz
2015.07.11

Avira AntiVirus
ADWARE/Adware.Gen2
8.3.1.6

Arcabit
Trojan.Application.Bundler.Amonetize.14
1.0.0.425

avast!
Win32:Amonetize-E [PUP]
2014.9-160111

AVG
Generic_r
2017.0.2867

Baidu Antivirus
Adware.Win32.Amonetize
4.0.3.16111

Bitdefender
Gen:Variant.Application.Bundler.Amonetize.14
1.0.20.55

Comodo Security
ApplicUnwnt
22730

Dr.Web
Adware.Downware.2160
9.0.1.011

ESET NOD32
Win32/Amonetize.AG potentially unwanted (variant)
10.11924

Fortinet FortiGate
Riskware/Amonetize
1/11/2016

F-Secure
Gen:Variant.Application.Bundler
11.2016-11-01_2

G Data
Gen:Variant.Application.Bundler.Amonetize.14
16.1.25

K7 AntiVirus
Trojan
13.205.16532

Kaspersky
not-a-virus:HEUR:AdWare.Win32.Amonetize
14.0.0.830

Malwarebytes
PUP.Optional.Amonetize
v2016.01.11.10

McAfee
Artemis!84E5B8B179F7
5600.6523

MicroWorld eScan
Gen:Variant.Application.Bundler.Amonetize.14
17.0.0.33

NANO AntiVirus
Trojan.Win32.Downware.ctleff
0.30.24.2487

Panda Antivirus
Trj/Genetic.gen
16.01.11.10

Reason Heuristics
PUP.Amonetize (M)
16.1.11.22

Rising Antivirus
PE:Malware.Adware!6.1574
23.00.65.16109

Trend Micro
TROJ_GEN.R0C1C0OLC14
10.465.11

VIPRE Antivirus
Trojan.Win32.Generic
41910

Zillya! Antivirus
Backdoor.PePatch.Win32.39612
2.0.0.2282

File size:
326 KB (333,824 bytes)

Product version:
2.1.12

Copyright:
(c) 2012,2013. All rights reserved.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\windows 8 activator loader 2013 v4.0 full version__4502_il800.exe

File PE Metadata
Compilation timestamp:
1/30/2014 8:29:53 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:MY4KxJJMF/F9fo6+cFeBm452dCgeCjIilEb02r4IGY08ipT:MYTxJJu/F9fP+cFem44UilZ2ENYWpT

Entry address:
0x27684

Entry point:
E8, 9A, 95, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF...
 
[+]

Entropy:
6.4277

Code size:
231.5 KB (237,056 bytes)

The file windows 8 activator loader 2013 v4.0 full version__4502_il800.exe has been seen being distributed by the following 5 URLs.

http://www.formerdownload.com/download.php?version=1.1.6.20&prefix=StartIsBack 2.1.2 / StartIsBack 1.5.2 Full Crack&campid=3113&instid[appname]=StartIsBack 2.1.2 / StartIsBack 1.5.2 Full Crack&instid[thankyoupage]=&instid[appsetupurl]=&instid[interrupted]=&instid[appimageurl]=http://s3.amazonaws.com/.../downloadall.png

http://www.conductdownload.com/download.php?version=1.1.6.20&campid=4607&capp=FlashPlayer&prefix=install*flashplayer&ti1=OTQwfDE3MzR8TVh8M3wxfHw|f1083ef8b33baf993d96198897c89bb7

http://www.conductdownload.com/download.php?version=1.1.6.20&campid=4607&capp=FlashPlayer&prefix=install*flashplayer&ti1=OTQwfDE3MzR8QlJ8M3wxfHw|f1083ef8b33baf993d96198897c89bb7

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-52-84-174-121.gru50.r.cloudfront.net  (52.84.174.121:80)

TCP (HTTP):
Connects to server-52-84-174-148.gru50.r.cloudfront.net  (52.84.174.148:80)

TCP (HTTP):
Connects to ec2-107-20-147-93.compute-1.amazonaws.com  (107.20.147.93:80)