Field | Value |
---|---|
File name: | TinyUmbrella_8.2.0.60_Soft32.exe |
Full analysis: | https://app.any.run/tasks/090b159e-25cf-461a-bd7d-ae1b6ef320ff |
Verdict: | Malicious activity |
Analysis date: | November 29, 2020, 23:56:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | F21E68633E073F474ABA3582A1358CD3 |
SHA1: | A5B9E191C16D510466DF94324B4BBDEBA5598C7C |
SHA256: | 1EE8CBE9E88E6CCD61E469FB809EC852A86C6A561D9FB55012988493C81395A2 |
SSDEEP: | 49152:yG5UfgYdpruZ68j1eqCO++x5KqLyLixvhEYJ/4jzrSEPOMAOd00IF9J:yG5QgYdpM7ZB1++xgqLei3jdq+O/Q9J |
Extension | File type |
---|---|
.exe | InstallShield setup (36.8) |
.exe | Win32 Executable MS Visual C++ (generic) (26.6) |
.exe | Win64 Executable (generic) (23.6) |
.dll | Win32 Dynamic Link Library (generic) (5.6) |
.exe | Win32 Executable (generic) (3.8) |
Field | Value |
---|---|
ProductVersion: | 1.0.3.3914 |
ProductName: | Soft32 Downloader |
OriginalFileName: | GenericSetup.exe |
LegalCopyright: | ITNT SRL |
InternalName: | GenericSetup.exe |
FileVersion: | 1.0.3.3914 |
FileDescription: | Soft32 Downloader |
CompanyName: | ITNT SRL |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.3.3914 |
FileVersionNumber: | 1.0.3.3914 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x148d4 |
UninitializedDataSize: | - |
InitializedDataSize: | 36352 |
CodeSize: | 104448 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2011:04:18 20:54:06+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 18-Apr-2011 18:54:06 |
Detected languages: | |
CompanyName: | ITNT SRL |
FileDescription: | Soft32 Downloader |
FileVersion: | 1.0.3.3914 |
InternalName: | GenericSetup.exe |
LegalCopyright: | ITNT SRL |
OriginalFilename: | GenericSetup.exe |
ProductName: | Soft32 Downloader |
ProductVersion: | 1.0.3.3914 |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F0 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 18-Apr-2011 18:54:06 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000197C0 | 0x00019800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60823 |
.rdata | 0x0001B000 | 0x00004490 | 0x00004600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.38378 |
.data | 0x00020000 | 0x00005A68 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.37934 |
.sxdata | 0x00026000 | 0x00000004 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.rsrc | 0x00027000 | 0x000012D0 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.93218 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.01523 | 1663 | Latin 1 / Western European | English - United States | RT_MANIFEST |
5 | 1.43775 | 52 | Latin 1 / Western European | English - United States | RT_STRING |
500 | 3.09294 | 184 | Latin 1 / Western European | English - United States | RT_DIALOG |
MAINICON | 2.01924 | 20 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON |
Imported DLL |
---|
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2916 | "C:\Users\admin\AppData\Local\Temp\TinyUmbrella_8.2.0.60_Soft32.exe" | C:\Users\admin\AppData\Local\Temp\TinyUmbrella_8.2.0.60_Soft32.exe | | explorer.exe |
User: admin Company: ITNT SRL Integrity Level: MEDIUM Description: Soft32 Downloader Version: 1.0.3.3914 | ||||
1688 | .\installer.exe | C:\Users\admin\AppData\Local\Temp\7zS46B98665\installer.exe | | TinyUmbrella_8.2.0.60_Soft32.exe |
User: admin Company: adaware Integrity Level: MEDIUM Description: Software Installation Version: 6.0.1.3914 | ||||
2316 | "C:\Users\admin\AppData\Local\Temp\7zS46B98665\GenericSetup.exe" C:\Users\admin\AppData\Local\Temp\7zS46B98665\GenericSetup.exe hik=bf7f5da9-ac45-4a94-966d-e42fb67cd6cd hmk=05a78e0d-a137-25df-1d19-24406758f4c8 hut=Admin hpp="QzpcVXNlcnNcYWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXFRpbnlVbWJyZWxsYV84LjIuMC42MF9Tb2Z0MzIuZXhl" hts=1606694183722 | C:\Users\admin\AppData\Local\Temp\7zS46B98665\GenericSetup.exe | | installer.exe |
User: admin Company: Adaware Integrity Level: HIGH Description: Soft32 Downloader Version: 1.0.3.3914 | ||||
2928 | "C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\dehoyrr3.4mv.exe" --silent --homepage=11 --search=7 --partner=SFT180101" | C:\Windows\system32\cmd.exe | — | GenericSetup.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3652 | "C:\Users\admin\AppData\Local\Temp\dehoyrr3.4mv.exe" --silent --homepage=11 --search=7 --partner=SFT180101 | C:\Users\admin\AppData\Local\Temp\dehoyrr3.4mv.exe | | cmd.exe |
User: admin Company: Lavasoft Integrity Level: HIGH Description: Web Companion Installer Version: 7.0.2367.4198 | ||||
1916 | .\WebCompanionInstaller.exe --partner=SFT180101 --version=7.0.2367.4198 --prod --silent --homepage=11 --search=7 --partner=SFT180101 | C:\Users\admin\AppData\Local\Temp\7zS44E4A795\WebCompanionInstaller.exe | | dehoyrr3.4mv.exe |
User: admin Company: Lavasoft Integrity Level: HIGH Description: Web Companion Version: 7.0.2367.4198 | ||||
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
1688 | installer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
1688 | installer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
2316 | GenericSetup.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
2316 | GenericSetup.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
2316 | GenericSetup.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | LanguageList | en-US |
2316 | GenericSetup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | Blob | 040000000100000010000000ACB694A59C17E0D791529BB19706A6E40F0000000100000014000000CE0E658AA3E847E467A147B3049191093D055E6F030000000100000014000000D4DE20D05E66FC53FE1A50882C78DB2852CAE4741D0000000100000010000000918AD43A9475F78BB5243DE886D8103C140000000100000014000000E59D5930824758CCACFA085436867B3AB5044DF062000000010000002000000016AF57A9F676B0AB126095AA5EBADEF22AB31119D644AC95CD4B93DBF3F26AEB0B0000000100000030000000440069006700690043006500720074002000420061006C00740069006D006F0072006500200052006F006F007400000009000000010000003E000000303C06082B0601050507030106082B0601050507030406082B0601050507030206082B0601050507030306082B0601050507030906082B0601050507030853000000010000006200000030603020060A2B06010401B13E01640130123010060A2B0601040182373C0101030200C0301F06096086480186FD6C020130123010060A2B0601040182373C0101030200C0301B060567810C010130123010060A2B0601040182373C0101030200C019000000010000001000000068CB42B035EA773E52EF50ECF50EC52920000000010000007B030000308203773082025FA0030201020204020000B9300D06092A864886F70D0101050500305A310B300906035504061302494531123010060355040A130942616C74696D6F726531133011060355040B130A43796265725472757374312230200603550403131942616C74696D6F7265204379626572547275737420526F6F74301E170D3030303531323138343630305A170D3235303531323233353930305A305A310B300906035504061302494531123010060355040A130942616C74696D6F726531133011060355040B130A43796265725472757374312230200603550403131942616C74696D6F7265204379626572547275737420526F6F7430820122300D06092A864886F70D01010105000382010F003082010A0282010100A304BB22AB983D57E826729AB579D429E2E1E89580B1B0E35B8E2B299A64DFA15DEDB009056DDB282ECE62A262FEB488DA12EB38EB219DC0412B01527B8877D31C8FC7BAB988B56A09E773E81140A7D1CCCA628D2DE58F0BA650D2A850C328EAF5AB25878A9A961CA967B83F0CD5F7F952132FC21BD57070F08FC012CA06CB9AE1D9CA337A77D6F8ECB9F16844424813D2C0C2A4AE5E60FEB6A605FCB4DD075902D459189863F5A563E0900C7D5DB2067AF385EAEBD403AE5E843E5FFF15ED69BCF939367275CF77524DF3C9902CB93DE5C923533F1F2498215C079929BDC63AECE76E863A6B97746333BD681831F0788D76BFFC9E8E5D2A86A74D90DC271A390203010001A3453043301D0603551D0E04160414E59D5930824758CCACFA085436867B3AB5044DF030120603551D130101FF040830060101FF020103300E0603551D0F0101FF040403020106300D06092A864886F70D01010505000382010100850C5D8EE46F51684205A0DDBB4F27258403BDF764FD2DD730E3A41017EBDA2929B6793F76F6191323B8100AF958A4D46170BD04616A128A17D50ABDC5BC307CD6E90C258D86404FECCCA37E38C637114FEDDD68318E4CD2B30174EEBE755E07481A7F70FF165C84C07985B805FD7FBE6511A30FC002B4F852373904D5A9317A18BFA02AF41299F7A34582E33C5EF59D9EB5C89E7C2EC8A49E4E08144B6DFD706D6B1A63BD64E61FB7CEF0F29F2EBB1BB7F250887392C2E2E3168D9A3202AB8E18DDE91011EE7E35AB90AF3E30947AD0333DA7650FF5FC8E9E62CF47442C015DBB1DB532D247D2382ED0FE81DC326A1EB5EE3CD5FCE7811D19C32442EA6339A9 |
2316 | GenericSetup.exe | write | HKEY_CURRENT_USER\Software\Opera Stable Offer | LastTimeOfferShown | 1606694206 |
2316 | GenericSetup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4 | Blob | (binary blob, not shown) |
2316 | GenericSetup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | Blob | (binary blob, not shown) |
1916 | WebCompanionInstaller.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | LanguageList | en-US |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2916 | TinyUmbrella_8.2.0.60_Soft32.exe | C:\Users\admin\AppData\Local\Temp\7zS46B98665\Resources\tis\ViewStateLoader.tis | text | EF47B355F8A2E6AB49E31E93C587A987 | E77239DBDCC6762F298CD5C216A4003CF2AA7B0EF45D364DD558A4BD7F3CDB25 |
2916 | TinyUmbrella_8.2.0.60_Soft32.exe | C:\Users\admin\AppData\Local\Temp\7zS46B98665\Carrier.HTML | html | E7E3A52DB91527979011F51100539DC1 | 8D1728FFF0C53DA0D613A5231E9B468CCC4FA09C81D73294E82F239E90D93775 |
2916 | TinyUmbrella_8.2.0.60_Soft32.exe | C:\Users\admin\AppData\Local\Temp\7zS46B98665\Resources\ScanningPage.html | html | 5A9171F03D7CFD1495F889A6615D124E | FD3A52D05644459CB751594AFD2109DC6E213CB6B75BB49BEC3FABD4CFC8B587 |
2916 | TinyUmbrella_8.2.0.60_Soft32.exe | C:\Users\admin\AppData\Local\Temp\7zS46B98665\GenericSetup.exe.config | xml | 548295768DFBB17F815BBADDC637E086 | FAC76E88FAA3675129DECB9045BECF11021A96C453A230F3A0F6AA970DABBA34 |
2916 | TinyUmbrella_8.2.0.60_Soft32.exe | C:\Users\admin\AppData\Local\Temp\7zS46B98665\DevLib.dll | executable | 39BECF235D06AF9B83A9F92020013844 | 93B0B5BBE87356C9BC2FEF0A4D34E2B4FA52A5424B4231C5AFF0B2A2C090FED3 |
2916 | TinyUmbrella_8.2.0.60_Soft32.exe | C:\Users\admin\AppData\Local\Temp\7zS46B98665\ExternalResource.XML | text | D059B8508221E71E99D4984E3146CE09 | F6ED426094AD172B61436FDE6C59EE4D9923FAC2C6E44DDFC62CD18F2360A23D |
2916 | TinyUmbrella_8.2.0.60_Soft32.exe | C:\Users\admin\AppData\Local\Temp\7zS46B98665\Resources\LaunchCarrierPage.html | html | 1A820C6D824A96BB7BA39825534AAABD | 7298E88AF3FDA7BA7FD2ACE6665105F35B145C5FC8C5221A42143E1C593ACB50 |
2916 | TinyUmbrella_8.2.0.60_Soft32.exe | C:\Users\admin\AppData\Local\Temp\7zS46B98665\Resources\tis\EventHandler.tis | text | E6535FD3DB483868FCBB4C0AE2C79A2D | 9B3B49EABC6BA12CCF6EEAAF31F795CC0BDA2DAF72426B8C7D05462752306438 |
2916 | TinyUmbrella_8.2.0.60_Soft32.exe | C:\Users\admin\AppData\Local\Temp\7zS46B98665\Resources\InstallingPage.html | html | 454C0478743CC27ECD49531DC4B3CC24 | 0B6C500EEDCBF0C72FEB2C7BCE33642B46330A5AF66595CDCDEC752FB65318EF |
2916 | TinyUmbrella_8.2.0.60_Soft32.exe | C:\Users\admin\AppData\Local\Temp\7zS46B98665\BundleConfig.json | text | A24A92CC259163EC981C90CC42818C29 | 322FB913BA62BB1E83785844D86EEDFA3B0D42097ECA00613AA77BD2829BB8C5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2316 | GenericSetup.exe | GET | — | 104.17.177.102:80 | http://webcompanion.com/nano_download.php?partner=SFT180101 | US | — | — | malicious |
2316 | GenericSetup.exe | HEAD | 200 | 104.17.177.102:80 | http://webcompanion.com/nano_download.php?partner=SFT180101 | US | — | — | malicious |
2316 | GenericSetup.exe | GET | 206 | 104.17.177.102:80 | http://webcompanion.com/nano_download.php?partner=SFT180101 | US | binary | 247 Kb | malicious |
1916 | WebCompanionInstaller.exe | POST | — | 64.18.87.82:80 | http://wc-update-service.lavasoft.com/update.asmx | CA | — | — | whitelisted |
1916 | WebCompanionInstaller.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 | US | text | 29 b | whitelisted |
1916 | WebCompanionInstaller.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 | US | text | 29 b | whitelisted |
1916 | WebCompanionInstaller.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 | US | text | 29 b | whitelisted |
1916 | WebCompanionInstaller.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 | US | text | 29 b | whitelisted |
1688 | installer.exe | POST | 200 | 104.18.87.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart | US | text | 29 b | whitelisted |
1916 | WebCompanionInstaller.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat-wc?Type=ProgressInstall&ProductID=wc&EventVersion=1 | US | text | 29 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1688 | installer.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |
2316 | GenericSetup.exe | 104.18.88.101:443 | flow.lavasoft.com | Cloudflare Inc | US | shared |
1916 | WebCompanionInstaller.exe | 104.18.88.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |
2316 | GenericSetup.exe | 104.16.235.79:443 | h2oapi.adaware.com | Cloudflare Inc | US | shared |
2316 | GenericSetup.exe | 104.17.177.102:80 | webcompanion.com | Cloudflare Inc | US | shared |
1916 | WebCompanionInstaller.exe | 64.18.87.82:80 | wc-update-service.lavasoft.com | COGECODATA | CA | unknown |
Domain | IP | Reputation |
---|---|---|
flow.lavasoft.com | | whitelisted |
h2oapi.adaware.com | | malicious |
www.google.com | | whitelisted |
sos.adaware.com | | whitelisted |
webcompanion.com | | malicious |
wc-update-service.lavasoft.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1688 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install |
2316 | GenericSetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2316 | GenericSetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2316 | GenericSetup.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
Process | Message |
---|---|
installer.exe | [debug][2020-11-29 23:56:20.597375][installer][wWinMain][223]: bundle config file path=C:\Users\admin\AppData\Local\Temp\7zS46B98665\BundleConfig.json |
installer.exe | [debug][2020-11-29 23:56:20.597375][installer][ReadUACSetting][47]: UACSetting=UACOptional |
installer.exe | [debug][2020-11-29 23:56:20.597375][installer][CreateBundleConfig][96]: DisableStubEvents=0 |
installer.exe | [debug][2020-11-29 23:56:20.597375][installer][wWinMain][230]: install id=bf7f5da9-ac45-4a94-966d-e42fb67cd6cd |
installer.exe | [debug][2020-11-29 23:56:23.691125][installer][wWinMain][234]: machine Id id=05a78e0d-a137-25df-1d19-24406758f4c8 |
installer.exe | [debug][2020-11-29 23:56:23.722375][installer][wWinMain][386]: generic setup path=C:\Users\admin\AppData\Local\Temp\7zS46B98665\GenericSetup.exe |
installer.exe | [debug][2020-11-29 23:56:23.722375][installer][EventService::SendEvent][29]: send event. event name=StubStart. disable stub events=0 |
installer.exe | [debug][2020-11-29 23:56:23.722375][installer][EventService::SendEvent][77]: StubStart data = {"Data":{"EventCategory":"Success","BundleId":"SFT002","DeltaMs":0,"MachineId":"05a78e0d-a137-25df-1d19-24406758f4c8","InstallId":"bf7f5da9-ac45-4a94-966d-e42fb67cd6cd","PartnerVersion":"1.0.3.3914","BundleVersion":"6.0.1.0","OsVersion":"Microsoft Windows 7 Professional Service Pack 1 (build 7601), 32-bit","DotNetFramework":"3.5, 4.0 Client, 4.0 Full, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2"}} |
installer.exe | [debug][2020-11-29 23:56:23.722375][installer][ProcessService::GetProcessName][46]: Module filename is: C:\Users\admin\AppData\Local\Temp\TinyUmbrella_8.2.0.60_Soft32.exe |
installer.exe | [debug][2020-11-29 23:56:23.722375][installer][EventService::SendEvent][86]: url=http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart |