analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

TinyUmbrella_8.2.0.60_Soft32.exe

Full analysis: https://app.any.run/tasks/090b159e-25cf-461a-bd7d-ae1b6ef320ff
Verdict: Malicious activity
Analysis date: November 29, 2020, 23:56:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
adware
pua
lavasoft
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F21E68633E073F474ABA3582A1358CD3

SHA1:

A5B9E191C16D510466DF94324B4BBDEBA5598C7C

SHA256:

1EE8CBE9E88E6CCD61E469FB809EC852A86C6A561D9FB55012988493C81395A2

SSDEEP:

49152:yG5UfgYdpruZ68j1eqCO++x5KqLyLixvhEYJ/4jzrSEPOMAOd00IF9J:yG5QgYdpM7ZB1++xgqLei3jdq+O/Q9J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • installer.exe (PID: 1688)
      • GenericSetup.exe (PID: 2316)

    • Application was dropped or rewritten from another process

      • installer.exe (PID: 1688)
      • GenericSetup.exe (PID: 2316)
      • WebCompanionInstaller.exe (PID: 1916)
      • dehoyrr3.4mv.exe (PID: 3652)

    • Changes settings of System certificates

      • GenericSetup.exe (PID: 2316)
      • WebCompanionInstaller.exe (PID: 1916)

    • Drops executable file immediately after starts

      • TinyUmbrella_8.2.0.60_Soft32.exe (PID: 2916)
      • dehoyrr3.4mv.exe (PID: 3652)

    • LAVASOFT was detected

      • installer.exe (PID: 1688)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • GenericSetup.exe (PID: 2316)
      • TinyUmbrella_8.2.0.60_Soft32.exe (PID: 2916)
      • dehoyrr3.4mv.exe (PID: 3652)

    • Drops a file with a compile date too recent

      • GenericSetup.exe (PID: 2316)
      • TinyUmbrella_8.2.0.60_Soft32.exe (PID: 2916)
      • dehoyrr3.4mv.exe (PID: 3652)

    • Starts CMD.EXE for commands execution

      • GenericSetup.exe (PID: 2316)

    • Drops a file with too old compile date

      • TinyUmbrella_8.2.0.60_Soft32.exe (PID: 2916)

    • Adds / modifies Windows certificates

      • GenericSetup.exe (PID: 2316)
      • WebCompanionInstaller.exe (PID: 1916)

    • Reads the Windows organization settings

      • GenericSetup.exe (PID: 2316)

    • Reads Windows owner or organization settings

      • GenericSetup.exe (PID: 2316)

    • Drops a file that was compiled in debug mode

      • TinyUmbrella_8.2.0.60_Soft32.exe (PID: 2916)
      • dehoyrr3.4mv.exe (PID: 3652)

    • Reads Environment values

      • GenericSetup.exe (PID: 2316)

    • Creates files in the program directory

      • WebCompanionInstaller.exe (PID: 1916)

    • Searches for installed software

      • GenericSetup.exe (PID: 2316)

  • INFO

    • Reads settings of System Certificates

      • GenericSetup.exe (PID: 2316)
      • WebCompanionInstaller.exe (PID: 1916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

ProductVersion: 1.0.3.3914
ProductName: Soft32 Downloader
OriginalFileName: GenericSetup.exe
LegalCopyright: ITNT SRL
InternalName: GenericSetup.exe
FileVersion: 1.0.3.3914
FileDescription: Soft32 Downloader
CompanyName: ITNT SRL
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.3.3914
FileVersionNumber: 1.0.3.3914
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x148d4
UninitializedDataSize: -
InitializedDataSize: 36352
CodeSize: 104448
LinkerVersion: 6
PEType: PE32
TimeStamp: 2011:04:18 20:54:06+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Apr-2011 18:54:06
Detected languages:
  • English - United States
CompanyName: ITNT SRL
FileDescription: Soft32 Downloader
FileVersion: 1.0.3.3914
InternalName: GenericSetup.exe
LegalCopyright: ITNT SRL
OriginalFilename: GenericSetup.exe
ProductName: Soft32 Downloader
ProductVersion: 1.0.3.3914

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 18-Apr-2011 18:54:06
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000197C0
0x00019800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60823
.rdata
0x0001B000
0x00004490
0x00004600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.38378
.data
0x00020000
0x00005A68
0x00003200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.37934
.sxdata
0x00026000
0x00000004
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.rsrc
0x00027000
0x000012D0
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.93218

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.01523
1663
Latin 1 / Western European
English - United States
RT_MANIFEST
5
1.43775
52
Latin 1 / Western European
English - United States
RT_STRING
500
3.09294
184
Latin 1 / Western European
English - United States
RT_DIALOG
MAINICON
2.01924
20
Latin 1 / Western European
UNKNOWN
RT_GROUP_ICON

Imports

KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
6
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start tinyumbrella_8.2.0.60_soft32.exe #LAVASOFT installer.exe genericsetup.exe cmd.exe no specs dehoyrr3.4mv.exe webcompanioninstaller.exe

Process information

PID
CMD
Path
Indicators
Parent process
2916"C:\Users\admin\AppData\Local\Temp\TinyUmbrella_8.2.0.60_Soft32.exe" C:\Users\admin\AppData\Local\Temp\TinyUmbrella_8.2.0.60_Soft32.exe
explorer.exe
User:
admin
Company:
ITNT SRL
Integrity Level:
MEDIUM
Description:
Soft32 Downloader
Version:
1.0.3.3914
1688.\installer.exeC:\Users\admin\AppData\Local\Temp\7zS46B98665\installer.exe
TinyUmbrella_8.2.0.60_Soft32.exe
User:
admin
Company:
adaware
Integrity Level:
MEDIUM
Description:
Software Installation
Version:
6.0.1.3914
2316"C:\Users\admin\AppData\Local\Temp\7zS46B98665\GenericSetup.exe" C:\Users\admin\AppData\Local\Temp\7zS46B98665\GenericSetup.exe hik=bf7f5da9-ac45-4a94-966d-e42fb67cd6cd hmk=05a78e0d-a137-25df-1d19-24406758f4c8 hut=Admin hpp="QzpcVXNlcnNcYWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXFRpbnlVbWJyZWxsYV84LjIuMC42MF9Tb2Z0MzIuZXhl" hts=1606694183722C:\Users\admin\AppData\Local\Temp\7zS46B98665\GenericSetup.exe
installer.exe
User:
admin
Company:
Adaware
Integrity Level:
HIGH
Description:
Soft32 Downloader
Version:
1.0.3.3914
2928"C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\dehoyrr3.4mv.exe" --silent --homepage=11 --search=7 --partner=SFT180101"C:\Windows\system32\cmd.exeGenericSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3652"C:\Users\admin\AppData\Local\Temp\dehoyrr3.4mv.exe" --silent --homepage=11 --search=7 --partner=SFT180101C:\Users\admin\AppData\Local\Temp\dehoyrr3.4mv.exe
cmd.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion Installer
Version:
7.0.2367.4198
1916.\WebCompanionInstaller.exe --partner=SFT180101 --version=7.0.2367.4198 --prod --silent --homepage=11 --search=7 --partner=SFT180101C:\Users\admin\AppData\Local\Temp\7zS44E4A795\WebCompanionInstaller.exe
dehoyrr3.4mv.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion
Version:
7.0.2367.4198
Total events
5 324
Read events
5 278
Write events
46
Delete events
0

Modification events

(PID) Process:(1688) installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1688) installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2316) GenericSetup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2316) GenericSetup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2316) GenericSetup.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2316) GenericSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Operation:writeName:Blob
Value:
040000000100000010000000ACB694A59C17E0D791529BB19706A6E40F0000000100000014000000CE0E658AA3E847E467A147B3049191093D055E6F030000000100000014000000D4DE20D05E66FC53FE1A50882C78DB2852CAE4741D0000000100000010000000918AD43A9475F78BB5243DE886D8103C140000000100000014000000E59D5930824758CCACFA085436867B3AB5044DF062000000010000002000000016AF57A9F676B0AB126095AA5EBADEF22AB31119D644AC95CD4B93DBF3F26AEB0B0000000100000030000000440069006700690043006500720074002000420061006C00740069006D006F0072006500200052006F006F007400000009000000010000003E000000303C06082B0601050507030106082B0601050507030406082B0601050507030206082B0601050507030306082B0601050507030906082B0601050507030853000000010000006200000030603020060A2B06010401B13E01640130123010060A2B0601040182373C0101030200C0301F06096086480186FD6C020130123010060A2B0601040182373C0101030200C0301B060567810C010130123010060A2B0601040182373C0101030200C019000000010000001000000068CB42B035EA773E52EF50ECF50EC52920000000010000007B030000308203773082025FA0030201020204020000B9300D06092A864886F70D0101050500305A310B300906035504061302494531123010060355040A130942616C74696D6F726531133011060355040B130A43796265725472757374312230200603550403131942616C74696D6F7265204379626572547275737420526F6F74301E170D3030303531323138343630305A170D3235303531323233353930305A305A310B300906035504061302494531123010060355040A130942616C74696D6F726531133011060355040B130A43796265725472757374312230200603550403131942616C74696D6F7265204379626572547275737420526F6F7430820122300D06092A864886F70D01010105000382010F003082010A0282010100A304BB22AB983D57E826729AB579D429E2E1E89580B1B0E35B8E2B299A64DFA15DEDB009056DDB282ECE62A262FEB488DA12EB38EB219DC0412B01527B8877D31C8FC7BAB988B56A09E773E81140A7D1CCCA628D2DE58F0BA650D2A850C328EAF5AB25878A9A961CA967B83F0CD5F7F952132FC21BD57070F08FC012CA06CB9AE1D9CA337A77D6F8ECB9F16844424813D2C0C2A4AE5E60FEB6A605FCB4DD075902D459189863F5A563E0900C7D5DB2067AF385EAEBD403AE5E843E5FFF15ED69BCF939367275CF77524DF3C9902CB93DE5C923533F1F2498215C079929BDC63AECE76E863A6B97746333BD681831F0788D76BFFC9E8E5D2A86A74D90DC271A390203010001A3453043301D0603551D0E04160414E59D5930824758CCACFA085436867B3AB5044DF030120603551D130101FF040830060101FF020103300E0603551D0F0101FF040403020106300D06092A864886F70D01010505000382010100850C5D8EE46F51684205A0DDBB4F27258403BDF764FD2DD730E3A41017EBDA2929B6793F76F6191323B8100AF958A4D46170BD04616A128A17D50ABDC5BC307CD6E90C258D86404FECCCA37E38C637114FEDDD68318E4CD2B30174EEBE755E07481A7F70FF165C84C07985B805FD7FBE6511A30FC002B4F852373904D5A9317A18BFA02AF41299F7A34582E33C5EF59D9EB5C89E7C2EC8A49E4E08144B6DFD706D6B1A63BD64E61FB7CEF0F29F2EBB1BB7F250887392C2E2E3168D9A3202AB8E18DDE91011EE7E35AB90AF3E30947AD0333DA7650FF5FC8E9E62CF47442C015DBB1DB532D247D2382ED0FE81DC326A1EB5EE3CD5FCE7811D19C32442EA6339A9
(PID) Process:(2316) GenericSetup.exeKey:HKEY_CURRENT_USER\Software\Opera Stable Offer
Operation:writeName:LastTimeOfferShown
Value:
1606694206
(PID) Process:(2316) GenericSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4
Operation:writeName:Blob
Value:
0400000001000000100000004BE2C99196650CF40E5A9392A00AFEB20F0000000100000020000000FDE5F2D9CE2026E1E10064C0A468C9F355B90ACF85BAF5CE6F52D4016837FD940300000001000000140000008CF427FD790C3AD166068DE81E57EFBB932272D41D0000000100000010000000521B5F4582C1DCAAE381B05E37CA2D341400000001000000140000006A72267AD01EEF7DE73B6951D46C8D9F901266AB0B000000010000001800000045006E00740072007500730074002E006E0065007400000062000000010000002000000043DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F33953000000010000002400000030223020060A6086480186FA6C0A010230123010060A2B0601040182373C0101030200C0090000000100000054000000305206082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030306082B06010505070308060A2B0601040182370A030406082B0601050507030606082B06010505070307190000000100000010000000FA46CE7CBB85CFB4310075313A09EE052000000001000000420400003082043E30820326A00302010202044A538C28300D06092A864886F70D01010B05003081BE310B300906035504061302555331163014060355040A130D456E74727573742C20496E632E31283026060355040B131F536565207777772E656E74727573742E6E65742F6C6567616C2D7465726D7331393037060355040B1330286329203230303920456E74727573742C20496E632E202D20666F7220617574686F72697A656420757365206F6E6C793132303006035504031329456E747275737420526F6F742043657274696669636174696F6E20417574686F72697479202D204732301E170D3039303730373137323535345A170D3330313230373137353535345A3081BE310B300906035504061302555331163014060355040A130D456E74727573742C20496E632E31283026060355040B131F536565207777772E656E74727573742E6E65742F6C6567616C2D7465726D7331393037060355040B1330286329203230303920456E74727573742C20496E632E202D20666F7220617574686F72697A656420757365206F6E6C793132303006035504031329456E747275737420526F6F742043657274696669636174696F6E20417574686F72697479202D20473230820122300D06092A864886F70D01010105000382010F003082010A0282010100BA84B672DB9E0C6BE299E93001A776EA32B895411AC9DA614E5872CFFEF68279BF7361060AA527D8B35FD3454E1C72D64E32F2728A0FF78319D06A808000451EB0C7E79ABF1257271CA3682F0A87BD6A6B0E5E65F31C77D5D4858D7021B4B332E78BA2D5863902B1B8D247CEE4C949C43BA7DEFB547D57BEF0E86EC279B23A0B55E250981632135C2F7856C1C294B3F25AE4279A9F24D7C6ECD09B2582E3CCC2C445C58C977A066B2A119FA90A6E483B6FDBD4111942F78F07BFF5535F9C3EF4172CE669AC4E324C6277EAB7E8E5BB34BC198BAE9C51E7B77EB553B13322E56DCF703C1AFAE29B67B683F48DA5AF624C4DE058AC64341203F8B68D946324A4710203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E041604146A72267AD01EEF7DE73B6951D46C8D9F901266AB300D06092A864886F70D01010B05000382010100799F1D96C6B6793F228D87D3870304606A6B9A2E59897311AC43D1F513FF8D392BC0F2BD4F708CA92FEA17C40B549ED41B9698333CA8AD62A20076AB59696E061D7EC4B9448D98AF12D461DB0A194647F3EBF763C1400540A5D2B7F4B59A36BFA98876880455042B9C877F1A373C7E2DA51AD8D4895ECABDAC3D6CD86DAFD5F3760FCD3B8838229D6C939AC43DBF821B653FA60F5DAAFCE5B215CAB5ADC6BC3DD084E8EA0672B04D393278BF3E119C0BA49D9A21F3F09B0B3078DBC1DC8743FEBC639ACAC5C21CC9C78DFF3B125808E6B63DEC7A2C4EFB8396CE0C3C69875473A473C293FF5110AC155401D8FC05B189A17F74839A49D7DC4E7B8A486F8B45F6
(PID) Process:(2316) GenericSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Operation:writeName:Blob
Value:
04000000010000001000000087CE0B7B2A0E4900E158719B37A893720F00000001000000140000006DCA5BD00DCF1C0F327059D374B29CA6E3C50AA60300000001000000140000000563B8630D62D75ABBC8AB1E4BDFB5A899B24D431D00000001000000100000004F5F106930398D09107B40C3C7CA8F1C0B000000010000001200000044006900670069004300650072007400000014000000010000001400000045EBA2AFF492CB82312D518BA7A7219DF36DC80F6200000001000000200000003E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C5300000001000000230000003021301F06096086480186FD6C020130123010060A2B0601040182373C0101030200C0090000000100000034000000303206082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030306082B06010505070308190000000100000010000000749966CECC95C1874194CA7203F9B6202000000001000000BB030000308203B73082029FA00302010202100CE7E0E517D846FE8FE560FC1BF03039300D06092A864886F70D01010505003065310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D312430220603550403131B4469676943657274204173737572656420494420526F6F74204341301E170D3036313131303030303030305A170D3331313131303030303030305A3065310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D312430220603550403131B4469676943657274204173737572656420494420526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100AD0E15CEE443805CB187F3B760F97112A5AEDC269488AAF4CEF520392858600CF880DAA9159532613CB5B128848A8ADC9F0A0C83177A8F90AC8AE779535C31842AF60F98323676CCDEDD3CA8A2EF6AFB21F25261DF9F20D71FE2B1D9FE1864D2125B5FF9581835BC47CDA136F96B7FD4B0383EC11BC38C33D9D82F18FE280FB3A783D6C36E44C061359616FE599C8B766DD7F1A24B0D2BFF0B72DA9E60D08E9035C678558720A1CFE56D0AC8497C3198336C22E987D0325AA2BA138211ED39179D993A72A1E6FAA4D9D5173175AE857D22AE3F014686F62879C8B1DAE45717C47E1C0EB0B492A656B3BDB297EDAAA7F0B7C5A83F9516D0FFA196EB085F18774F0203010001A3633061300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E0416041445EBA2AFF492CB82312D518BA7A7219DF36DC80F301F0603551D2304183016801445EBA2AFF492CB82312D518BA7A7219DF36DC80F300D06092A864886F70D01010505000382010100A20EBCDFE2EDF0E372737A6494BFF77266D832E4427562AE87EBF2D5D9DE56B39FCCCE1428B90D97605C124C58E4D33D834945589735691AA847EA56C679AB12D8678184DF7F093C94E6B8262C20BD3DB32889F75FFF22E297841FE965EF87E0DFC16749B35DEBB2092AEB26ED78BE7D3F2BF3B726356D5F8901B6495B9F01059BAB3D25C1CCB67FC2F16F86C6FA6468EB812D94EB42B7FA8C1EDD62F1BE5067B76CBDF3F11F6B0C3607167F377CA95B6D7AF112466083D72704BE4BCE97BEC3672A6811DF80E70C3366BF130D146EF37F1F63101EFA8D1B256D6C8FA5B76101B1D2A326A110719DADE2C3F9C39951B72B0708CE2EE650B2A7FA0A452FA2F0F2
(PID) Process:(1916) WebCompanionInstaller.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
43
Suspicious files
0
Text files
21
Unknown types
0

Dropped files

PID
Process
Filename
Type
2916TinyUmbrella_8.2.0.60_Soft32.exeC:\Users\admin\AppData\Local\Temp\7zS46B98665\Resources\tis\ViewStateLoader.tistext
MD5:EF47B355F8A2E6AB49E31E93C587A987
SHA256:E77239DBDCC6762F298CD5C216A4003CF2AA7B0EF45D364DD558A4BD7F3CDB25
2916TinyUmbrella_8.2.0.60_Soft32.exeC:\Users\admin\AppData\Local\Temp\7zS46B98665\Carrier.HTMLhtml
MD5:E7E3A52DB91527979011F51100539DC1
SHA256:8D1728FFF0C53DA0D613A5231E9B468CCC4FA09C81D73294E82F239E90D93775
2916TinyUmbrella_8.2.0.60_Soft32.exeC:\Users\admin\AppData\Local\Temp\7zS46B98665\Resources\ScanningPage.htmlhtml
MD5:5A9171F03D7CFD1495F889A6615D124E
SHA256:FD3A52D05644459CB751594AFD2109DC6E213CB6B75BB49BEC3FABD4CFC8B587
2916TinyUmbrella_8.2.0.60_Soft32.exeC:\Users\admin\AppData\Local\Temp\7zS46B98665\GenericSetup.exe.configxml
MD5:548295768DFBB17F815BBADDC637E086
SHA256:FAC76E88FAA3675129DECB9045BECF11021A96C453A230F3A0F6AA970DABBA34
2916TinyUmbrella_8.2.0.60_Soft32.exeC:\Users\admin\AppData\Local\Temp\7zS46B98665\DevLib.dllexecutable
MD5:39BECF235D06AF9B83A9F92020013844
SHA256:93B0B5BBE87356C9BC2FEF0A4D34E2B4FA52A5424B4231C5AFF0B2A2C090FED3
2916TinyUmbrella_8.2.0.60_Soft32.exeC:\Users\admin\AppData\Local\Temp\7zS46B98665\ExternalResource.XMLtext
MD5:D059B8508221E71E99D4984E3146CE09
SHA256:F6ED426094AD172B61436FDE6C59EE4D9923FAC2C6E44DDFC62CD18F2360A23D
2916TinyUmbrella_8.2.0.60_Soft32.exeC:\Users\admin\AppData\Local\Temp\7zS46B98665\Resources\LaunchCarrierPage.htmlhtml
MD5:1A820C6D824A96BB7BA39825534AAABD
SHA256:7298E88AF3FDA7BA7FD2ACE6665105F35B145C5FC8C5221A42143E1C593ACB50
2916TinyUmbrella_8.2.0.60_Soft32.exeC:\Users\admin\AppData\Local\Temp\7zS46B98665\Resources\tis\EventHandler.tistext
MD5:E6535FD3DB483868FCBB4C0AE2C79A2D
SHA256:9B3B49EABC6BA12CCF6EEAAF31F795CC0BDA2DAF72426B8C7D05462752306438
2916TinyUmbrella_8.2.0.60_Soft32.exeC:\Users\admin\AppData\Local\Temp\7zS46B98665\Resources\InstallingPage.htmlhtml
MD5:454C0478743CC27ECD49531DC4B3CC24
SHA256:0B6C500EEDCBF0C72FEB2C7BCE33642B46330A5AF66595CDCDEC752FB65318EF
2916TinyUmbrella_8.2.0.60_Soft32.exeC:\Users\admin\AppData\Local\Temp\7zS46B98665\BundleConfig.jsontext
MD5:A24A92CC259163EC981C90CC42818C29
SHA256:322FB913BA62BB1E83785844D86EEDFA3B0D42097ECA00613AA77BD2829BB8C5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
10
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2316
GenericSetup.exe
GET
104.17.177.102:80
http://webcompanion.com/nano_download.php?partner=SFT180101
US
malicious
2316
GenericSetup.exe
HEAD
200
104.17.177.102:80
http://webcompanion.com/nano_download.php?partner=SFT180101
US
malicious
2316
GenericSetup.exe
GET
206
104.17.177.102:80
http://webcompanion.com/nano_download.php?partner=SFT180101
US
binary
247 Kb
malicious
1916
WebCompanionInstaller.exe
POST
64.18.87.82:80
http://wc-update-service.lavasoft.com/update.asmx
CA
whitelisted
1916
WebCompanionInstaller.exe
POST
200
104.18.88.101:80
http://flow.lavasoft.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1
US
text
29 b
whitelisted
1916
WebCompanionInstaller.exe
POST
200
104.18.88.101:80
http://flow.lavasoft.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1
US
text
29 b
whitelisted
1916
WebCompanionInstaller.exe
POST
200
104.18.88.101:80
http://flow.lavasoft.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1
US
text
29 b
whitelisted
1916
WebCompanionInstaller.exe
POST
200
104.18.88.101:80
http://flow.lavasoft.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1
US
text
29 b
whitelisted
1688
installer.exe
POST
200
104.18.87.101:80
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
US
text
29 b
whitelisted
1916
WebCompanionInstaller.exe
POST
200
104.18.88.101:80
http://flow.lavasoft.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1
US
text
29 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1688
installer.exe
104.18.87.101:80
flow.lavasoft.com
Cloudflare Inc
US
shared
2316
GenericSetup.exe
104.18.88.101:443
flow.lavasoft.com
Cloudflare Inc
US
shared
1916
WebCompanionInstaller.exe
104.18.88.101:80
flow.lavasoft.com
Cloudflare Inc
US
shared
2316
GenericSetup.exe
104.16.235.79:443
h2oapi.adaware.com
Cloudflare Inc
US
shared
2316
GenericSetup.exe
104.17.177.102:80
webcompanion.com
Cloudflare Inc
US
shared
1916
WebCompanionInstaller.exe
64.18.87.82:80
wc-update-service.lavasoft.com
COGECODATA
CA
unknown

DNS requests

Domain
IP
Reputation
flow.lavasoft.com
  • 104.18.87.101
  • 104.18.88.101
whitelisted
h2oapi.adaware.com
  • 104.16.235.79
  • 104.16.236.79
malicious
www.google.com
  • 142.250.74.196
whitelisted
sos.adaware.com
  • 104.16.235.79
  • 104.16.236.79
whitelisted
webcompanion.com
  • 104.17.177.102
  • 104.17.178.102
malicious
wc-update-service.lavasoft.com
  • 64.18.87.82
  • 64.18.87.81
whitelisted

Threats

PID
Process
Class
Message
1688
installer.exe
A Network Trojan was detected
ET MALWARE Lavasoft PUA/Adware Client Install
2316
GenericSetup.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2316
GenericSetup.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2316
GenericSetup.exe
Misc activity
ET INFO EXE - Served Attached HTTP
Process
Message
installer.exe
[debug][2020-11-29 23:56:20.597375][installer][wWinMain][223]: bundle config file path=C:\Users\admin\AppData\Local\Temp\7zS46B98665\BundleConfig.json
installer.exe
[debug][2020-11-29 23:56:20.597375][installer][ReadUACSetting][47]: UACSetting=UACOptional
installer.exe
[debug][2020-11-29 23:56:20.597375][installer][CreateBundleConfig][96]: DisableStubEvents=0
installer.exe
[debug][2020-11-29 23:56:20.597375][installer][wWinMain][230]: install id=bf7f5da9-ac45-4a94-966d-e42fb67cd6cd
installer.exe
[debug][2020-11-29 23:56:23.691125][installer][wWinMain][234]: machine Id id=05a78e0d-a137-25df-1d19-24406758f4c8
installer.exe
[debug][2020-11-29 23:56:23.722375][installer][wWinMain][386]: generic setup path=C:\Users\admin\AppData\Local\Temp\7zS46B98665\GenericSetup.exe
installer.exe
[debug][2020-11-29 23:56:23.722375][installer][EventService::SendEvent][29]: send event. event name=StubStart. disable stub events=0
installer.exe
[debug][2020-11-29 23:56:23.722375][installer][EventService::SendEvent][77]: StubStart data = {"Data":{"EventCategory":"Success","BundleId":"SFT002","DeltaMs":0,"MachineId":"05a78e0d-a137-25df-1d19-24406758f4c8","InstallId":"bf7f5da9-ac45-4a94-966d-e42fb67cd6cd","PartnerVersion":"1.0.3.3914","BundleVersion":"6.0.1.0","OsVersion":"Microsoft Windows 7 Professional Service Pack 1 (build 7601), 32-bit","DotNetFramework":"3.5, 4.0 Client, 4.0 Full, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2"}}
installer.exe
[debug][2020-11-29 23:56:23.722375][installer][ProcessService::GetProcessName][46]: Module filename is: C:\Users\admin\AppData\Local\Temp\TinyUmbrella_8.2.0.60_Soft32.exe
installer.exe
[debug][2020-11-29 23:56:23.722375][installer][EventService::SendEvent][86]: url=http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
TinyUmbrella_8.2.0.60_Soft32.exe