Malware analysis mHotspot_setup_latest_2.exe Malicious activity

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

File name:	mHotspot_setup_latest_2.exe
Full analysis:	https://app.any.run/tasks/0c02f848-be87-4025-92f1-e4360703edca
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 27, 2019, 05:01:28
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	installer adware pua lavasoft loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	67303E6191E0D251D7FBACE129E7BA62
SHA1:	1F6890B0CF4D6497C3A352E8ED033D44B8396D4A
SHA256:	4E8BC297E8BBB7F2D818B55234A82E198667AA25D2C69785D121396108A7D08C
SSDEEP:	24576:XG50ZfFK84agNXQ1g5JruMCapWPTFHic3wxqhade3e6FMoAmEkeEzFvlqOoP54jS:XG5UfgnZ5XWapKTX3phade3Fj3E6zF7Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - GenericSetup.exe (PID: 1740)
  - WebCompanionInstaller.exe (PID: 2920)
  - SpareioInstaller.exe (PID: 2068)
  - SpareioWinService.exe (PID: 876)
  - WebCompanion.exe (PID: 3524)
  - Spareio.exe (PID: 2456)
  - Spareio.exe (PID: 3884)
  - Lavasoft.WCAssistant.WinService.exe (PID: 2228)
  - WebCompanion.exe (PID: 1648)
  - instup.exe (PID: 2460)
  - instup.exe (PID: 2156)
  - AvEmUpdate.exe (PID: 2180)
  - AvEmUpdate.exe (PID: 3952)
  - AvEmUpdate.exe (PID: 2584)
  - AvEmUpdate.exe (PID: 2688)
  - avBugReport.exe (PID: 3160)
  - RegSvr.exe (PID: 184)
  - RegSvr.exe (PID: 1212)
  - aswRunDll.exe (PID: 776)
  - engsup.exe (PID: 1256)
  - engsup.exe (PID: 1688)
  - AvastSvc.exe (PID: 2624)
  - aswEngSrv.exe (PID: 2116)
- Application was dropped or rewritten from another process
  - GenericSetup.exe (PID: 1740)
  - installer.exe (PID: 948)
  - Carrier.exe (PID: 3932)
  - wwqbmdhq.ctz.exe (PID: 1972)
  - WebCompanionInstaller.exe (PID: 2920)
  - SpareioInstaller.exe (PID: 1832)
  - c4c554lp.hmc.exe (PID: 2820)
  - SpareioInstaller.exe (PID: 2068)
  - Spareio.exe (PID: 2456)
  - Spareio.exe (PID: 3884)
  - WebCompanion.exe (PID: 3524)
  - Lavasoft.WCAssistant.WinService.exe (PID: 2228)
  - SpareioWinService.exe (PID: 876)
  - WebCompanion.exe (PID: 1648)
  - Ad-Aware Web Companion.exe (PID: 3188)
  - 0gbxa5iq.0v3.exe (PID: 3956)
  - avast_free_antivirus_setup_online.exe (PID: 2448)
  - instup.exe (PID: 2460)
  - instup.exe (PID: 2156)
  - sbr.exe (PID: 4080)
  - SetupInf.exe (PID: 3984)
  - SetupInf.exe (PID: 3712)
  - SetupInf.exe (PID: 3936)
  - SetupInf.exe (PID: 3172)
  - AvEmUpdate.exe (PID: 2688)
  - AvEmUpdate.exe (PID: 2180)
  - mHotspot.exe (PID: 3764)
  - AvEmUpdate.exe (PID: 2584)
  - AvEmUpdate.exe (PID: 3952)
  - CCUpdate.exe (PID: 460)
  - avBugReport.exe (PID: 3160)
  - CCUpdate.exe (PID: 3664)
  - CCUpdate.exe (PID: 1524)
  - CCUpdate.exe (PID: 3812)
  - overseer.exe (PID: 2988)
  - AvastNM.exe (PID: 2428)
  - AvastSvc.exe (PID: 2624)
  - aswEngSrv.exe (PID: 2116)
  - wsc_proxy.exe (PID: 836)
- LAVASOFT was detected
  - installer.exe (PID: 948)
- Changes settings of System certificates
  - GenericSetup.exe (PID: 1740)
  - wwqbmdhq.ctz.exe (PID: 1972)
  - AvastSvc.exe (PID: 2624)
- Downloads executable files from the Internet
  - GenericSetup.exe (PID: 1740)
  - 0gbxa5iq.0v3.exe (PID: 3956)
  - AvEmUpdate.exe (PID: 2688)
  - CCUpdate.exe (PID: 3664)
- Changes internet zones settings
  - WebCompanionInstaller.exe (PID: 2920)
- Changes the autorun value in the registry
  - Spareio.exe (PID: 2456)
  - WebCompanion.exe (PID: 3524)
  - instup.exe (PID: 2156)
- Loads the Task Scheduler COM API
  - AvEmUpdate.exe (PID: 2180)
  - AvEmUpdate.exe (PID: 2688)
  - CCUpdate.exe (PID: 3664)
  - CCUpdate.exe (PID: 920)
  - overseer.exe (PID: 2988)
SUSPICIOUS
- Adds / modifies Windows certificates
  - GenericSetup.exe (PID: 1740)
  - wwqbmdhq.ctz.exe (PID: 1972)
- Reads the Windows organization settings
  - GenericSetup.exe (PID: 1740)
- Executable content was dropped or overwritten
  - mHotspot_setup_latest_2.exe (PID: 2408)
  - Carrier.tmp (PID: 2828)
  - Carrier.exe (PID: 3932)
  - GenericSetup.exe (PID: 1740)
  - c4c554lp.hmc.exe (PID: 2820)
  - SpareioInstaller.exe (PID: 1832)
  - wwqbmdhq.ctz.exe (PID: 1972)
  - SpareioInstaller.exe (PID: 2068)
  - WebCompanionInstaller.exe (PID: 2920)
  - instup.exe (PID: 2460)
  - 0gbxa5iq.0v3.exe (PID: 3956)
  - avast_free_antivirus_setup_online.exe (PID: 2448)
  - instup.exe (PID: 2156)
  - AvEmUpdate.exe (PID: 2688)
  - SpareioWinService.exe (PID: 876)
  - AvEmUpdate.exe (PID: 2584)
  - CCUpdate.exe (PID: 460)
  - CCUpdate.exe (PID: 3812)
  - AvastSvc.exe (PID: 2624)
- Reads Windows owner or organization settings
  - GenericSetup.exe (PID: 1740)
- Reads Environment values
  - GenericSetup.exe (PID: 1740)
  - SpareioInstaller.exe (PID: 2068)
  - SpareioWinService.exe (PID: 876)
  - Spareio.exe (PID: 2456)
  - Spareio.exe (PID: 3884)
  - AvastSvc.exe (PID: 2624)
- Starts CMD.EXE for commands execution
  - GenericSetup.exe (PID: 1740)
  - WebCompanionInstaller.exe (PID: 2920)
  - SpareioWinService.exe (PID: 876)
  - Lavasoft.WCAssistant.WinService.exe (PID: 2228)
- Starts Internet Explorer
  - Carrier.tmp (PID: 2828)
- Creates files in the program directory
  - SpareioInstaller.exe (PID: 2068)
  - WebCompanionInstaller.exe (PID: 2920)
  - Spareio.exe (PID: 2456)
  - WebCompanion.exe (PID: 3524)
  - SpareioWinService.exe (PID: 876)
  - WebCompanion.exe (PID: 1648)
  - Lavasoft.WCAssistant.WinService.exe (PID: 2228)
  - instup.exe (PID: 2460)
  - avast_free_antivirus_setup_online.exe (PID: 2448)
  - AvEmUpdate.exe (PID: 2180)
  - AvEmUpdate.exe (PID: 2688)
  - CCUpdate.exe (PID: 460)
  - CCUpdate.exe (PID: 3812)
  - CCUpdate.exe (PID: 3664)
  - CCUpdate.exe (PID: 920)
  - avBugReport.exe (PID: 3160)
  - instup.exe (PID: 2156)
  - AvastNM.exe (PID: 2428)
  - dw20.exe (PID: 1464)
  - engsup.exe (PID: 1256)
  - engsup.exe (PID: 1688)
  - AvastSvc.exe (PID: 2624)
  - wsc_proxy.exe (PID: 836)
- Starts SC.EXE for service management
  - WebCompanionInstaller.exe (PID: 2920)
  - SpareioInstaller.exe (PID: 2068)
- Creates a software uninstall entry
  - WebCompanionInstaller.exe (PID: 2920)
  - SpareioInstaller.exe (PID: 2068)
  - instup.exe (PID: 2156)
  - AvEmUpdate.exe (PID: 2584)
- Creates files in the user directory
  - WebCompanionInstaller.exe (PID: 2920)
  - Spareio.exe (PID: 2456)
  - SpareioWinService.exe (PID: 876)
  - Spareio.exe (PID: 3884)
  - WebCompanion.exe (PID: 3524)
- Uses NETSH.EXE for network configuration
  - cmd.exe (PID: 3404)
  - cmd.exe (PID: 4008)
  - cmd.exe (PID: 2148)
- Searches for installed software
  - SpareioWinService.exe (PID: 876)
  - SpareioInstaller.exe (PID: 2068)
  - GenericSetup.exe (PID: 1740)
- Creates files in the Windows directory
  - Lavasoft.WCAssistant.WinService.exe (PID: 2228)
  - 0gbxa5iq.0v3.exe (PID: 3956)
  - WebCompanion.exe (PID: 3524)
  - WebCompanionInstaller.exe (PID: 2920)
  - avast_free_antivirus_setup_online.exe (PID: 2448)
  - instup.exe (PID: 2460)
  - instup.exe (PID: 2156)
  - AvEmUpdate.exe (PID: 2688)
  - AvastSvc.exe (PID: 2624)
- Reads Internet Cache Settings
  - Spareio.exe (PID: 3884)
  - instup.exe (PID: 2156)
- Removes files from Windows directory
  - Lavasoft.WCAssistant.WinService.exe (PID: 2228)
  - WebCompanionInstaller.exe (PID: 2920)
  - instup.exe (PID: 2460)
  - instup.exe (PID: 2156)
  - AvEmUpdate.exe (PID: 2688)
  - avast_free_antivirus_setup_online.exe (PID: 2448)
- Low-level read access rights to disk partition
  - 0gbxa5iq.0v3.exe (PID: 3956)
  - instup.exe (PID: 2460)
  - avast_free_antivirus_setup_online.exe (PID: 2448)
  - instup.exe (PID: 2156)
  - AvEmUpdate.exe (PID: 2688)
  - AvEmUpdate.exe (PID: 2584)
  - AvEmUpdate.exe (PID: 3952)
  - CCUpdate.exe (PID: 460)
  - CCUpdate.exe (PID: 3812)
  - CCUpdate.exe (PID: 1524)
  - CCUpdate.exe (PID: 920)
  - CCUpdate.exe (PID: 3664)
  - avBugReport.exe (PID: 3160)
  - overseer.exe (PID: 2988)
  - AvastSvc.exe (PID: 2624)
- Changes the started page of IE
  - WebCompanion.exe (PID: 3524)
- Starts itself from another location
  - instup.exe (PID: 2460)
  - CCUpdate.exe (PID: 3812)
- Modifies the open verb of a shell class
  - instup.exe (PID: 2156)
- Creates COM task schedule object
  - instup.exe (PID: 2156)
  - RegSvr.exe (PID: 184)
  - RegSvr.exe (PID: 1212)
- Creates files in the driver directory
  - instup.exe (PID: 2156)
  - AvEmUpdate.exe (PID: 2688)
- Application launched itself
  - AvEmUpdate.exe (PID: 2688)
  - CCUpdate.exe (PID: 3664)
- Creates or modifies windows services
  - instup.exe (PID: 2156)
  - AvastSvc.exe (PID: 2624)
- Reads the cookies of Mozilla Firefox
  - engsup.exe (PID: 1688)
- Reads the cookies of Google Chrome
  - engsup.exe (PID: 1688)
INFO
- Application was dropped or rewritten from another process
  - Carrier.tmp (PID: 2828)
- Creates files in the program directory
  - Carrier.tmp (PID: 2828)
- Changes internet zones settings
  - iexplore.exe (PID: 3120)
- Loads dropped or rewritten executable
  - Carrier.tmp (PID: 2828)
- Creates a software uninstall entry
  - Carrier.tmp (PID: 2828)
- Changes settings of System certificates
  - iexplore.exe (PID: 2452)
- Reads internet explorer settings
  - iexplore.exe (PID: 2452)
  - iexplore.exe (PID: 916)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 2452)
  - iexplore.exe (PID: 916)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 2452)
- Dropped object may contain Bitcoin addresses
  - WebCompanionInstaller.exe (PID: 2920)
  - SpareioInstaller.exe (PID: 2068)
  - WebCompanion.exe (PID: 3524)
  - instup.exe (PID: 2156)
- Reads settings of System Certificates
  - SpareioInstaller.exe (PID: 2068)
  - Spareio.exe (PID: 2456)
  - Spareio.exe (PID: 3884)
  - SpareioWinService.exe (PID: 876)
- Creates files in the user directory
  - iexplore.exe (PID: 3120)
  - iexplore.exe (PID: 916)
- Application launched itself
  - iexplore.exe (PID: 3120)
- Application was crashed
  - mHotspot.exe (PID: 3764)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (36.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (26.6)
.exe	\|	Win64 Executable (generic) (23.6)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)

EXIF

EXE

ProductName:	mHotspot
OriginalFileName:	-
LegalCopyright:	-
InternalName:	-
FileDescription:	mHotspot Setup
CompanyName:	1BN Software & IT Solutions Pvt. Ltd.
ProductVersion:	7.8.8.9
FileVersion:	7.8.8.9
CharacterSet:	Unicode
LanguageCode:	English (U.S.)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Windows NT 32-bit
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	7.8.8.9
FileVersionNumber:	7.8.8.9
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x148d4
UninitializedDataSize:	-
InitializedDataSize:	83968
CodeSize:	104448
LinkerVersion:	6
PEType:	PE32
TimeStamp:	2011:04:18 20:54:06+02:00
MachineType:	Intel 386 or later, and compatibles

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

129

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2592	"C:\Users\admin\AppData\Local\Temp\mHotspot_setup_latest_2.exe"	C:\Users\admin\AppData\Local\Temp\mHotspot_setup_latest_2.exe	—	explorer.exe
User: admin Company: 1BN Software & IT Solutions Pvt. Ltd. Integrity Level: MEDIUM Description: mHotspot Setup Exit code: 3221226540 Version: 7.8.8.9
2408	"C:\Users\admin\AppData\Local\Temp\mHotspot_setup_latest_2.exe"	C:\Users\admin\AppData\Local\Temp\mHotspot_setup_latest_2.exe		explorer.exe
User: admin Company: 1BN Software & IT Solutions Pvt. Ltd. Integrity Level: HIGH Description: mHotspot Setup Exit code: 0 Version: 7.8.8.9
948	.\installer.exe	C:\Users\admin\AppData\Local\Temp\7zS86999411\installer.exe		mHotspot_setup_latest_2.exe
User: admin Company: adaware Integrity Level: HIGH Description: mHotspot Setup Exit code: 0 Version: 2.7.2.1576
1740	C:\Users\admin\AppData\Local\Temp\7zS86999411\GenericSetup.exe	C:\Users\admin\AppData\Local\Temp\7zS86999411\GenericSetup.exe		installer.exe
User: admin Company: adaware Integrity Level: HIGH Description: mHotspot Setup Exit code: 0 Version: 2.7.2.1576
3976	"C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\7zS86999411\Carrier.exe" /VERYSILENT /DIR="C:\Program Files\mHotspot" /GROUP="mHotspot" "	C:\Windows\system32\cmd.exe	—	GenericSetup.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3932	"C:\Users\admin\AppData\Local\Temp\7zS86999411\Carrier.exe" /VERYSILENT /DIR="C:\Program Files\mHotspot" /GROUP="mHotspot"	C:\Users\admin\AppData\Local\Temp\7zS86999411\Carrier.exe		cmd.exe
User: admin Company: 1BN Software & IT Solutions Pvt. Ltd. Integrity Level: HIGH Description: mHotspot Setup Exit code: 0 Version: 7.8.8.9
2828	"C:\Users\admin\AppData\Local\Temp\is-F9MM5.tmp\Carrier.tmp" /SL5="$102B4,278796,56832,C:\Users\admin\AppData\Local\Temp\7zS86999411\Carrier.exe" /VERYSILENT /DIR="C:\Program Files\mHotspot" /GROUP="mHotspot"	C:\Users\admin\AppData\Local\Temp\is-F9MM5.tmp\Carrier.tmp		Carrier.exe
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0
3700	"C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\wwqbmdhq.ctz.exe" --dealId=3DG6OyV --campaignId=h200818"	C:\Windows\system32\cmd.exe	—	GenericSetup.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1972	"C:\Users\admin\AppData\Local\Temp\wwqbmdhq.ctz.exe" --dealId=3DG6OyV --campaignId=h200818	C:\Users\admin\AppData\Local\Temp\wwqbmdhq.ctz.exe		cmd.exe
User: admin Integrity Level: HIGH Description: XRewardSDK Exit code: 0 Version: 1.0.0.0
3120	"C:\Program Files\Internet Explorer\iexplore.exe" -nohome	C:\Program Files\Internet Explorer\iexplore.exe		Carrier.tmp
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

16 535

Read events

10 522

Write events

Delete events

Modification events

No data

Add for printing

Executable files

543

Suspicious files

128

Text files

673

Unknown types

Dropped files

PID	Process	Filename		Type
2408	mHotspot_setup_latest_2.exe	C:\Users\admin\AppData\Local\Temp\7zS86999411\GenericSetup.exe		executable
		MD5:93DD8ED10D8A096255C73F93F8A5893B	SHA256:52E054CF6079584A875A63C6DA060EF31ED1ACCF5E596B7833F6D692D597E28C
2408	mHotspot_setup_latest_2.exe	C:\Users\admin\AppData\Local\Temp\7zS86999411\it\DevLib.resources.dll		executable
		MD5:CFE49BBD64B4EE1793D9DBED4FEF3470	SHA256:10DD3F30A8A527B63D83DF450EAED7FD8B9B5619CB07D5CD448F9D0A7B64B2F8
2408	mHotspot_setup_latest_2.exe	C:\Users\admin\AppData\Local\Temp\7zS86999411\en\DevLib.resources.dll		executable
		MD5:1DDE7D32EB87B5EAC33BE5BD2930270F	SHA256:3B3216E27F5813CAC1AAA7F901E16E354624B91355B982D4C0BBD4ECCC32CCF5
2408	mHotspot_setup_latest_2.exe	C:\Users\admin\AppData\Local\Temp\7zS86999411\DevLib.dll		executable
		MD5:A0D1EB07731F50059040D1868E42E3DC	SHA256:2C010964509765586BB036034E0A0B63FD561EF3CA24328B0F6E3AAD39F9D03C
2408	mHotspot_setup_latest_2.exe	C:\Users\admin\AppData\Local\Temp\7zS86999411\pt\DevLib.resources.dll		executable
		MD5:ACAE5D9AD6659EF4E7A37D86E03CB679	SHA256:3CB89DB8C8F861E956971D0C3E836DEEDCDC1DEA069C9C15644D7E2354A84C05
2408	mHotspot_setup_latest_2.exe	C:\Users\admin\AppData\Local\Temp\7zS86999411\Microsoft.Win32.TaskScheduler.dll		executable
		MD5:DD7F40BFA1B5D88C1B95A896ADE39909	SHA256:6D3AB13D023628F12B8DFDAE5137131048CDD80CA1B8ED40C90C7CA6B6530C63
1740	GenericSetup.exe	C:\Users\admin\AppData\Local\Temp\mHotspot.log		text
		MD5:CBB004057726BF047B562E42436C6FBB	SHA256:6AA3D76BAF7ACD2E2FE0EAA640AA9EA8CB6BC0C56B13BD321D92AFA7F49826FE
2408	mHotspot_setup_latest_2.exe	C:\Users\admin\AppData\Local\Temp\7zS86999411\es\DevLib.resources.dll		executable
		MD5:6A8E6344DFD017C9D6361A8C84DEB383	SHA256:9B09255026A9DC5556E0CA8EB7631E354E093FF72A2460B2FBBDF565F38E9D57
2408	mHotspot_setup_latest_2.exe	C:\Users\admin\AppData\Local\Temp\7zS86999411\ru\DevLib.resources.dll		executable
		MD5:CA2507B3CC8E898B4FD8C0483457E9DC	SHA256:FF8AE806A00CD50B17252B40E36C01968874B34D0FE37058BAD396DA97340998
948	installer.exe	C:\Users\admin\AppData\Local\Temp\7zS86999411\GenericSetup.exe.config		xml
		MD5:84DE2583B776B336964D80697D3352BF	SHA256:39F8D720A6AC4722A62681EBA0BBFE7CC5E04DD676ECC0F10001185CF22D832B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

192

TCP/UDP connections

173

DNS requests

145

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1740	GenericSetup.exe	GET	200	104.17.178.102:80	http://rt.webcompanion.com/notifications/download/rt/Installer/SpareioSDK.exe	US	executable	44.6 Kb	malicious
1972	wwqbmdhq.ctz.exe	GET	200	8.248.131.254:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	US	compressed	55.6 Kb	whitelisted
2920	WebCompanionInstaller.exe	POST	200	64.18.87.81:80	http://wc-tracking.lavasoft.com/Install.asmx	CA	xml	294 b	whitelisted
1972	wwqbmdhq.ctz.exe	GET	200	8.248.131.254:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/8CF427FD790C3AD166068DE81E57EFBB932272D4.crt	US	der	1.06 Kb	whitelisted
948	installer.exe	POST	200	104.17.61.19:80	http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart	US	text	29 b	whitelisted
2452	iexplore.exe	GET	301	68.183.82.64:80	http://mhotspot.com/scripts/go_thankyou.html	US	html	331 b	malicious
2920	WebCompanionInstaller.exe	POST	200	64.18.87.81:80	http://wc-tracking.lavasoft.com/Install.asmx	CA	xml	294 b	whitelisted
2920	WebCompanionInstaller.exe	POST	200	64.18.87.81:80	http://wc-tracking.lavasoft.com/Install.asmx	CA	xml	294 b	whitelisted
2920	WebCompanionInstaller.exe	POST	200	64.18.87.81:80	http://wc-tracking.lavasoft.com/Install.asmx	CA	xml	294 b	whitelisted
1740	GenericSetup.exe	GET	200	104.17.177.102:80	http://webcompanion.com/nano_download.php?partner=MH170601	US	executable	347 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
948	installer.exe	104.17.61.19:80	flow.lavasoft.com	Cloudflare Inc	US	shared
2920	WebCompanionInstaller.exe	64.18.87.82:80	wc-tracking.lavasoft.com	COGECODATA	CA	unknown
1740	GenericSetup.exe	104.17.60.19:443	flow.lavasoft.com	Cloudflare Inc	US	shared
1740	GenericSetup.exe	104.16.236.79:443	sos.adaware.com	Cloudflare Inc	US	shared
3120	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
2452	iexplore.exe	68.183.82.64:443	mhotspot.com	DSL Extreme	US	unknown
2920	WebCompanionInstaller.exe	64.18.87.81:80	wc-tracking.lavasoft.com	COGECODATA	CA	unknown
1740	GenericSetup.exe	104.17.178.102:80	webcompanion.com	Cloudflare Inc	US	shared
1972	wwqbmdhq.ctz.exe	35.227.19.75:80	api.spare.io	—	US	unknown
2920	WebCompanionInstaller.exe	104.17.61.19:80	flow.lavasoft.com	Cloudflare Inc	US	shared

DNS requests

Domain	IP	Reputation
flow.lavasoft.com	104.17.61.19 104.17.60.19	whitelisted
www.google.com	172.217.21.196	whitelisted
sos.adaware.com	104.16.236.79 104.16.235.79	whitelisted
webcompanion.com	104.17.177.102 104.17.178.102	malicious
rt.webcompanion.com	104.17.178.102 104.17.177.102	malicious
www.download.windowsupdate.com	8.248.131.254 67.27.157.254 67.27.235.254 8.248.117.254 67.27.233.254	whitelisted
mhotspot.com	68.183.82.64	malicious
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
wc-tracking.lavasoft.com	64.18.87.81 64.18.87.82	whitelisted
wc-update-service.lavasoft.com	64.18.87.82 64.18.87.81	whitelisted

Threats

PID	Process	Class	Message
948	installer.exe	A Network Trojan was detected	ET MALWARE Lavasoft PUA/Adware Client Install
1740	GenericSetup.exe	Generic Protocol Command Decode	SURICATA STREAM excessive retransmissions
1740	GenericSetup.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
1740	GenericSetup.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1740	GenericSetup.exe	Misc activity	ET INFO EXE - Served Attached HTTP
1740	GenericSetup.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
1740	GenericSetup.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3956	0gbxa5iq.0v3.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3956	0gbxa5iq.0v3.exe	Generic Protocol Command Decode	SURICATA STREAM excessive retransmissions
2156	instup.exe	Generic Protocol Command Decode	SURICATA STREAM excessive retransmissions

Add for printing

Process	Message
wwqbmdhq.ctz.exe	Register
WebCompanionInstaller.exe	Detecting windows culture
wwqbmdhq.ctz.exe	Machine ID fingerPrint -- > CPU >> 1F8BFBFF000506E3 BIOS >> DELLDELL20110101000000.000000+000DELL - 1 BASE >> DISK >> WDC WD20EARS ATA Device(Standard disk drives)1660034144255 VIDEO >> 6.1.7600.16385Standard VGA Graphics Adapter MAC >> 52:54:00:4A:04:AF WCID >> WCID20
wwqbmdhq.ctz.exe	Machine ID hash UUID -- > 735550BB-0FAF-AAB3-C4F6-BBAC563DACB9
wwqbmdhq.ctz.exe	Getting SysInfo
wwqbmdhq.ctz.exe	cpuInfo
WebCompanionInstaller.exe	4/27/2019 6:02:46 AM :-> Starting installer 4.6.1974.3869 with: .\WebCompanionInstaller.exe --partner=MH170601 --version=4.6.1974.3869 --prod --silent --homepage=1 --search=1 --partner=MH170601, Run as admin: True
WebCompanionInstaller.exe	Preparing for installing Web Companion
wwqbmdhq.ctz.exe	gpuInfo
wwqbmdhq.ctz.exe	uptimePct

General Info

mHotspot_setup_latest_2.exe

67303E6191E0D251D7FBACE129E7BA62

1F6890B0CF4D6497C3A352E8ED033D44B8396D4A

4E8BC297E8BBB7F2D818B55234A82E198667AA25D2C69785D121396108A7D08C

24576:XG50ZfFK84agNXQ1g5JruMCapWPTFHic3wxqhade3e6FMoAmEkeEzFvlqOoP54jS:XG5UfgnZ5XWapKTX3phade3Fj3E6zF7Y

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

LAVASOFT was detected

Changes settings of System certificates

Downloads executable files from the Internet

Changes internet zones settings

Changes the autorun value in the registry

Loads the Task Scheduler COM API

SUSPICIOUS

Adds / modifies Windows certificates

Reads the Windows organization settings

Executable content was dropped or overwritten

Reads Windows owner or organization settings

Reads Environment values

Starts CMD.EXE for commands execution

Starts Internet Explorer

Creates files in the program directory

Starts SC.EXE for service management

Creates a software uninstall entry

Creates files in the user directory

Uses NETSH.EXE for network configuration

Searches for installed software

Creates files in the Windows directory

Reads Internet Cache Settings

Removes files from Windows directory

Low-level read access rights to disk partition

Changes the started page of IE

Starts itself from another location

Modifies the open verb of a shell class

Creates COM task schedule object

Creates files in the driver directory

Application launched itself

Creates or modifies windows services

Reads the cookies of Mozilla Firefox

Reads the cookies of Google Chrome

INFO

Application was dropped or rewritten from another process

Creates files in the program directory

Changes internet zones settings

Loads dropped or rewritten executable

Creates a software uninstall entry

Changes settings of System certificates

Reads internet explorer settings

Reads Internet Cache Settings

Adds / modifies Windows certificates

Dropped object may contain Bitcoin addresses

Reads settings of System Certificates

Creates files in the user directory

Application launched itself

Application was crashed

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information