Malware analysis Hola-Setup-C-HPE.exe Malicious activity

Add for printing

File name:	Hola-Setup-C-HPE.exe
Full analysis:	https://app.any.run/tasks/532f0f42-d70f-4613-aa9d-1c233b70333f
Verdict:	Malicious activity
Analysis date:	September 01, 2024, 21:11:27
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	203ACCDF587DD38B24A1A5021F3F46DA
SHA1:	FC8F3E96A67C8A92313C9987B7F7C8E7CFC3810F
SHA256:	9E65B85E4E33AACA1A3BD8AA5E2C5F67D9EC82224386B5B713479B4073FDA32D
SSDEEP:	98304:7UINMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM/:gf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
- Actions looks like stealing of personal data
  - 7zr.exe (PID: 4068)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 1124)
- Reads the date of Windows installation
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
- Application launched itself
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - hola_svc.exe (PID: 964)
- Executable content was dropped or overwritten
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 1964)
- Drops the executable file immediately after the start
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 1964)
- Creates a software uninstall entry
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
- Drops a system driver (possible attempt to evade defenses)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
- Checks Windows Trust Settings
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 1964)
- The process drops C-runtime libraries
  - net_updater64.exe (PID: 2136)
- Process drops legitimate windows executable
  - net_updater64.exe (PID: 2136)
- Drops 7-zip archiver for unpacking
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
- Executes as Windows Service
  - net_updater64.exe (PID: 3980)
  - hola_svc.exe (PID: 964)
  - WmiApSrv.exe (PID: 4020)
- Detected use of alternative data streams (AltDS)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 1964)
- Creates file in the systems drive root
  - hola_svc.exe (PID: 964)
- The process checks if it is being run in the virtual environment
  - net_updater64.exe (PID: 3980)
- Potential Corporate Privacy Violation
  - net_updater64.exe (PID: 3980)
- Checks for external IP
  - net_updater64.exe (PID: 3980)
- Connects to unusual port
  - hola_svc.exe (PID: 964)
INFO
- Create files in a temporary directory
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-x64-1.228.101.exe (PID: 6460)
- Reads the machine GUID from the registry
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - net_updater64.exe (PID: 2136)
  - test_wpf.exe (PID: 6372)
  - test_wpf.exe (PID: 3176)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - test_wpf.exe (PID: 6156)
  - idle_report.exe (PID: 1944)
  - hola_svc.exe (PID: 964)
  - net_updater64.exe (PID: 1964)
  - test_wpf.exe (PID: 7020)
- Reads the computer name
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - net_updater64.exe (PID: 2136)
  - test_wpf.exe (PID: 6372)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - test_wpf.exe (PID: 6156)
  - test_wpf.exe (PID: 3176)
  - hola_svc.exe (PID: 964)
  - idle_report.exe (PID: 1944)
  - net_updater64.exe (PID: 1964)
  - Hola-Setup-x64-1.228.101.exe (PID: 6460)
  - test_wpf.exe (PID: 7020)
  - 7zr.exe (PID: 4068)
- Disables trace logs
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - net_updater64.exe (PID: 3980)
  - rasdial.exe (PID: 5284)
  - hola_svc.exe (PID: 964)
- Reads Environment values
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1964)
- Checks supported languages
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - net_updater64.exe (PID: 2136)
  - test_wpf.exe (PID: 6372)
  - net_updater64.exe (PID: 3980)
  - test_wpf.exe (PID: 3176)
  - net_updater64.exe (PID: 1124)
  - test_wpf.exe (PID: 6156)
  - hola_svc.exe (PID: 964)
  - idle_report.exe (PID: 1944)
  - net_updater64.exe (PID: 1964)
  - hola_svc.exe (PID: 6396)
  - test_wpf.exe (PID: 7020)
  - hola_svc.exe (PID: 6704)
  - Hola-Setup-x64-1.228.101.exe (PID: 6460)
  - 7zr.exe (PID: 4068)
- Checks proxy server information
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - net_updater64.exe (PID: 2136)
- Reads the software policy settings
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - net_updater64.exe (PID: 2136)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 1964)
  - Hola-Setup-x64-1.228.101.exe (PID: 6460)
- Process checks computer location settings
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 1964)
- The process uses the downloaded file
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 3980)
- Creates files in the program directory
  - net_updater64.exe (PID: 2136)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - hola_svc.exe (PID: 964)
  - net_updater64.exe (PID: 1964)
  - 7zr.exe (PID: 4068)
- Creates files or folders in the user directory
  - net_updater64.exe (PID: 2136)
- Reads the time zone
  - net_updater64.exe (PID: 3980)
- Reads CPU info
  - net_updater64.exe (PID: 3980)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2094:07:16 03:28:36+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	2917888
InitializedDataSize:	414208
UninitializedDataSize:	-
EntryPoint:	0x2ca596
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.227.226.0
ProductVersionNumber:	1.227.226.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	Hola VPN Ltd.
FileDescription:	Hola VPN App Setup
FileVersion:	1.227.226.0
InternalName:	hola_setup.exe
LegalCopyright:	Copyright © 2023 Hola VPN Ltd.
LegalTrademarks:	-
OriginalFileName:	hola_setup.exe
ProductName:	Hola Setup
ProductVersion:	1.227.226.0
AssemblyVersion:	1.227.226.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

156

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

964

"C:\Program Files\Hola\app\hola_svc.exe" --service

C:\Program Files\Hola\app\hola_svc.exe

services.exe

User:

SYSTEM

Company:

Hola Networks Ltd.

Integrity Level:

SYSTEM

Description:

Hola VPN Service

Version:

1.228.101

Modules

Images
c:\program files\hola\app\hola_svc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll

1124

"C:\Program Files\Hola\app\net_updater64.exe" --uuid

C:\Program Files\Hola\app\net_updater64.exe

Hola-Setup-x64-1.228.101.exe

User:

admin

Company:

BrightData Ltd. (certified)

Integrity Level:

HIGH

Description:

BrightData service allows free use of certain features in an app you installed

Exit code:

Version:

1.474.630

Modules

Images
c:\program files\hola\app\net_updater64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

1140

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

net_updater64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1944

C:\ProgramData\BrightData\108a47921d08860d64656218998ab66204caf497\idle_report.exe --id 79515 --screen

C:\ProgramData\BrightData\108a47921d08860d64656218998ab66204caf497\idle_report.exe

—

net_updater64.exe

User:

admin

Company:

BrightData Ltd.

Integrity Level:

MEDIUM

Description:

idle_report

Exit code:

Version:

1.474.630

Modules

Images
c:\programdata\brightdata\108a47921d08860d64656218998ab66204caf497\idle_report.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

1964

"C:\Program Files\Hola\app\net_updater64.exe" --uuid

C:\Program Files\Hola\app\net_updater64.exe

hola_svc.exe

User:

SYSTEM

Company:

BrightData Ltd. (certified)

Integrity Level:

SYSTEM

Description:

BrightData service allows free use of certain features in an app you installed

Exit code:

Version:

1.474.630

Modules

Images
c:\program files\hola\app\net_updater64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll

1964

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

7zr.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2008

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

net_updater64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2080

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

net_updater64.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2136

"C:\Program Files\Hola\app\net_updater64.exe" --install win_hola.org --campaign hpe

C:\Program Files\Hola\app\net_updater64.exe

Hola-Setup-x64-1.228.101.exe

User:

admin

Company:

BrightData Ltd. (certified)

Integrity Level:

HIGH

Description:

BrightData service allows free use of certain features in an app you installed

Exit code:

Version:

1.474.630

Modules

Images
c:\program files\hola\app\net_updater64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

2232

"C:\Users\admin\AppData\Local\Temp\Hola-Setup-C-HPE.exe" --monitor 1988

C:\Users\admin\AppData\Local\Temp\Hola-Setup-C-HPE.exe

Hola-Setup-C-HPE.exe

User:

admin

Company:

Hola VPN Ltd.

Integrity Level:

HIGH

Description:

Hola VPN App Setup

Version:

1.227.226.0

Modules

Images
c:\users\admin\appdata\local\temp\hola-setup-c-hpe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

Add for printing

Total events

39 197

Read events

39 070

Write events

126

Delete events

Modification events


(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

104

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3316	Hola-Setup-x64-1.228.101.exe	C:\Program Files\Hola\app\image\Hola-Setup-x64-1.228.101.exe		executable
		MD5:BDEE13595B11279D1FB40EC0FCF543CB	SHA256:731211B7F5DB3B3E13BADDE77CEA9FAC97DBC1F6B8E5BF9C5EC69BE4C268D3DF
3316	Hola-Setup-x64-1.228.101.exe	C:\Users\admin\AppData\Local\Temp\install.log		binary
		MD5:8816ED3D5B193B24247ABC0B9EE7E9A8	SHA256:E7336087162D223A8F44381131DE211CCDF29FA24B57889BC175797C348CB50D
3316	Hola-Setup-x64-1.228.101.exe	C:\Program Files\Hola\app\7zr.exe		executable
		MD5:5E2A8DAFA15134DAC9D682C890F3EA33	SHA256:9E28272320ED98A2F70E2E67984A8EBD416F3237075E2F2B07971CB0BDBE9F13
3316	Hola-Setup-x64-1.228.101.exe	C:\Program Files\Hola\app\hola.exe		executable
		MD5:9112BEA314BB9692FFBCFDEA07BB21CF	SHA256:A3BC9F44FFF837B5DD1D74E033C054D31699AE31CE256F7FFC03F8367A0DF098
2136	net_updater64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:7327332A7FF3290684FEBF9728F937CF	SHA256:BC1BF7D60E813F1741B7CDB35FE0B74F8495E3D5066649B0705FF06808D25432
2136	net_updater64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:2CE3D39222D618BF5596652E33E58BAF	SHA256:C5A5D9F55EEE596175BF6BAFF15C9D2D6A45248E18ECB2EF465A44BD7E753289
3316	Hola-Setup-x64-1.228.101.exe	C:\Program Files\Hola\app\hola_split_tunnel.sys		executable
		MD5:1BDD058F388F4C1DC78880ED07AD2851	SHA256:5CF70B46DF400C4F082747989C4C1B13C38781E990643526340512CCC7B918C0
3316	Hola-Setup-x64-1.228.101.exe	C:\Program Files\Hola\app\net_updater64.exe		executable
		MD5:E1D7A11A2539BCA27F44324C176377FA	SHA256:FDE758AA0E1DBFC47164AD518056E66D30A38012A1D60A103F97ABA7CA1C3382
2136	net_updater64.exe	C:\ProgramData\BrightData\108a47921d08860d64656218998ab66204caf497\20240901_211154_01_install_1.474.630.log		binary
		MD5:68B329DA9893E34099C7D8AD5CB9C940	SHA256:01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
2136	net_updater64.exe	C:\ProgramData\BrightData\108a47921d08860d64656218998ab66204caf497\20240901_211154_once_02_sent_cleanup_1.474.630.log		binary
		MD5:68B329DA9893E34099C7D8AD5CB9C940	SHA256:01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

146

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1764	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
3980	net_updater64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
2136	net_updater64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
2136	net_updater64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
2136	net_updater64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAdTF0YC22Gdh8cnyPwWxE0%3D	unknown	—	—	whitelisted
3980	net_updater64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
3980	net_updater64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAdTF0YC22Gdh8cnyPwWxE0%3D	unknown	—	—	whitelisted
964	hola_svc.exe	GET	301	23.35.237.160:80	http://i.s-microsoft.com/library/svy/close.gif	unknown	—	—	whitelisted
964	hola_svc.exe	GET	200	142.250.186.164:80	http://142.250.186.164:80/blank.html	unknown	—	—	unknown
964	hola_svc.exe	GET	200	142.250.186.164:80	http://www.google.com/blank.html	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6856	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
892	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7140	Hola-Setup-C-HPE.exe	23.22.252.240:443	perr.hola.org	AMAZON-AES	US	whitelisted
7140	Hola-Setup-C-HPE.exe	54.225.121.9:443	hola.org	AMAZON-AES	US	whitelisted
4980	Hola-Setup-C-HPE.exe	54.225.121.9:443	hola.org	AMAZON-AES	US	whitelisted
3260	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2232	Hola-Setup-C-HPE.exe	54.225.121.9:443	hola.org	AMAZON-AES	US	whitelisted
4980	Hola-Setup-C-HPE.exe	23.22.252.240:443	perr.hola.org	AMAZON-AES	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158 20.73.194.208	whitelisted
google.com	142.250.184.206	whitelisted
perr.hola.org	23.22.252.240 34.237.179.253	whitelisted
hola.org	54.225.121.9 107.22.193.119	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
hola-rmt-update.b-cdn.net	89.187.169.39	whitelisted
login.live.com	20.190.159.71 20.190.159.68 20.190.159.0 20.190.159.64 40.126.31.71 20.190.159.75 20.190.159.2 20.190.159.4	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.hola.org	54.243.128.120 54.225.227.202	whitelisted
perr.lum-sdk.io	192.81.214.145 159.223.133.120 206.189.231.23 161.35.48.195	unknown

Threats

PID	Process	Class	Message
2256	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
3980	net_updater64.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Hola-Setup-C-HPE.exe

203ACCDF587DD38B24A1A5021F3F46DA

FC8F3E96A67C8A92313C9987B7F7C8E7CFC3810F

9E65B85E4E33AACA1A3BD8AA5E2C5F67D9EC82224386B5B713479B4073FDA32D

98304:7UINMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM/:gf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Application launched itself

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Creates a software uninstall entry

Drops a system driver (possible attempt to evade defenses)

Checks Windows Trust Settings

The process drops C-runtime libraries

Process drops legitimate windows executable

Drops 7-zip archiver for unpacking

Executes as Windows Service

Detected use of alternative data streams (AltDS)

Creates file in the systems drive root

The process checks if it is being run in the virtual environment

Potential Corporate Privacy Violation

Checks for external IP

Connects to unusual port

INFO

Create files in a temporary directory

Reads the machine GUID from the registry

Reads the computer name

Disables trace logs

Reads Environment values

Checks supported languages

Checks proxy server information

Reads the software policy settings

Process checks computer location settings

The process uses the downloaded file

Creates files in the program directory

Creates files or folders in the user directory

Reads the time zone

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events