Ad4Pop Ads

The Ad4Pop software is promoted a free gaming platform that hosts Adobe Flash Player games and offers users access to premium content if certain conditions are accepted. The Ad4Pop software may allow users to play premium games like Crime Buster and King of Thieves if they commit to participating in marketing surveys and allow advertisers to treat their desktop as an advertising panel. Users that are interested in the content by Ad4Pop may need to give marketers permission to post promotional images and videos on their browser. Also, Ad4Pop may require access to your social media profile to share your progress in games at Ad4pop.com and reviews on products from sponsors. Security experts classify the Ad4Pop app as an adware that may present free games as premium content and welcome users to provide their address, phone number and email. The Ad4Pop can be found in freeware packages including applications like Dolphin Deals and FB Photo Zoom.

The Ad4Pop adware may bring up a command prompt to the user and close the browsers to complete its installation. You may notice that the Ad4Pop adware has changed your search provider and homepage to Startpage.com, which is associated with a browser hijacker. The Ad4Pop adware may appear as a browser extension and inject in-text hyperlinks to items on Amazon, AliExpress and eBay. The ads by Ad4Pop may be shown on pop-up and pop-under windows as well. Security experts note that the Ad4Pop adware may load insecure pages on your screen and welcome users to log-in with their Facebook and Twitter accounts. Needless to say, you should not follow instructions by Ad4Pop because third parties could hijack your accounts. The Ad4Pop adware may install its files in the Temp directory and runs as background service. You may need to use a credible anti-spyware tool to eradicate the Ad4Pop adware and secure your OS.

Table of Contents

Toggle

Analysis Report

General information

Family Name:	Trojan.Agent.LA
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: dba67c011f3ffb5382677f97411f3447 SHA1: d0dd98788015bc383ae9a6b5e610b34888e7ed22 File Size: 985.74 KB, 985744 bytes

MD5: 3519bfc62d61a6f4e1dcb8fd7f51dd5a SHA1: 43f04afe0b2d3a30018b58f22ae4998fed2591fd SHA256: A052C14B38604840EBF28D6CA753A6020C8B4C54EB3F1C1A0020E6507FEBAC15 File Size: 2.93 MB, 2925864 bytes

MD5: de0553c095bda6c7ef2250d2b3342ef7 SHA1: ba20508fc823aae7ce61ec977eb5ba007e2643a9 SHA256: E7B5EBE8E67C251930158F8DFF2F0167135550C5E99EB3FFE47C4038356D3DFE File Size: 9.20 MB, 9202408 bytes

MD5: 08f5d1c64fc0455bf680e96df41f16ec SHA1: c27ad3ac3223bd609d7f0c3b4851c8b1dcb02e70 SHA256: 008C59646FAFA9349F2E68F398EA1C8FA3938EDB92CEF5F0ECD5F59EC4514DD2 File Size: 82.25 KB, 82248 bytes

MD5: 656df209d1ca06367d6d8a44619dca51 SHA1: a1d5637d5c60e86aa9174f9b702b5154e20948f9 SHA256: 54FA9E00B43D1D804EEBCFCA7464DC7B2BAE6B97698FFC42B744B6916C954D1C File Size: 2.51 MB, 2511360 bytes

Show More

MD5: be7ab27654856d513b9600320795fc5b SHA1: 56809caecafc2f424766f18a0944e3123029efa5 SHA256: EAB06D7902BAD1C8971369B7633F8A179AEE9092E35FB54D33C21969681F902D File Size: 241.42 KB, 241419 bytes

MD5: 228c16e1bf39dc9b24a0985cc5e96f2c SHA1: 3404926f4712cf6812474de18d90b9bcf47a1287 SHA256: E563207991B032083B99386C8BD3230C8EC0B5F3CD43D3CEB0A4B3E206A1832F File Size: 154.70 KB, 154696 bytes

MD5: 30f8d39e0dbf226478f99c063dc742b6 SHA1: 7d53dd3ee83517ad5bc314de75656dc715bf74e2 SHA256: 4EF17388317C1529CBB6BF292F3A915CE838DC277B53C5CCAC02063E5C5796D4 File Size: 33.96 KB, 33960 bytes

MD5: a6d4e23d74f62eb0bf88c9b723dfa805 SHA1: 64138f8927d5078ae5f6a1be2e3e36b7a0ca232f SHA256: 9D730F8488B2AF473AFCAB8DB56FEC834C8ECD7EE676C228D6BC17E53CC8659C File Size: 81.92 KB, 81920 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have security information
• File has been packed
• File has exports table
• File has TLS information
• File is 32-bit executable
• File is either console or GUI application

Show More

• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Comments	This Launcher uses Sciter Engine (http://sciter.com/), copyright Terra Informatica Software, Inc.
Company Name	Blizzard Entertainment Gaijin iAnywhere Solutions, Inc. Microsoft Corporation philandro Software GmbH
File Description	Adaptive Server Anywhere Database Engine AnyDesk Battle․net Gaijin Smart Launcher Office Source Engine PrinterTool Module Setup Installer
File Version	15.0.4454.1000 10.0.30319.1 built by: RTMRel 8.0.3.5594 5.2.1.0 2.43.0.15419 1.0.3.51 1, 0, 48, 05 1, 0, 0, 1
Full Copyright	Copyright © 1989-2004 Sybase, Inc. Portions Copyright © 2002-2004, iAnywhere Solutions, Inc. All rights reserved. All unpublished rights reserved.
Internal Name	Battle.net dbeng8 Gaijin Smart Launcher ose PrinterTool Setup.exe
Legal Copyright	(C) 2019 philandro Software GmbH Copyright 2015 Copyright © 1989-2004 Sybase, Inc. Portions Copyright © 2002-2004, iAnywhere Solutions, Inc. All rights reserved. All unpublished rights reserved. © 2012-2024 Blizzard Entertainment Inc. © Gaijin Games KFT © Microsoft Corporation. All rights reserved.
Legal Trademarks	Sybase is a trademark of Sybase, Inc.
Legal Trademarks1	Microsoft® is a registered trademark of Microsoft Corporation.
Legal Trademarks2	Windows® is a registered trademark of Microsoft Corporation.
Original Filename	Battle.net.exe dbeng8 Launcher ose.exe PrinterTool.exe SetupUI.exe
Product Name	AnyDesk Battle.net CrossoutLauncher Microsoft® .NET Framework Office Source Engine PrinterTool Module Sybase Adaptive Server Anywhere
Product Version	15.0.4454.1000 10.0.30319.1 8.0.3.5594 5.2 2.43.0.15419 1.0.3.51 1, 0, 48, 05 1, 0, 0, 1

File Traits

• 2+ executable sections
• HighEntropy
• Installer Manifest
• Installer Version
• No Version Info
• packed
• upx
• UPX!
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	103
Potentially Malicious Blocks:	8
Whitelisted Blocks:	94
Unknown Blocks:	1

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 0 2 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 1 ? 0 x x x 0 x x x x 0 x

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• Agent.M
• Expiro.DA
• Expiro.ID
• Expiro.KA
• Rozena.AX

Show More

• Rozena.H

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix	Cookie:	RegNtPreCreateKey

Show More

HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix

Visited:

RegNtPreCreateKey

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Network Winhttp	WinHttpOpen
Service Control	StartServiceCtrlDispatcher