Malware analysis Hola-Setup-C-HPE.exe Malicious activity

Add for printing

File name:	Hola-Setup-C-HPE.exe
Full analysis:	https://app.any.run/tasks/532f0f42-d70f-4613-aa9d-1c233b70333f
Verdict:	Malicious activity
Analysis date:	September 01, 2024, 21:11:27
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	203ACCDF587DD38B24A1A5021F3F46DA
SHA1:	FC8F3E96A67C8A92313C9987B7F7C8E7CFC3810F
SHA256:	9E65B85E4E33AACA1A3BD8AA5E2C5F67D9EC82224386B5B713479B4073FDA32D
SSDEEP:	98304:7UINMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM/:gf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
- Actions looks like stealing of personal data
  - 7zr.exe (PID: 4068)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 1124)
- Reads the date of Windows installation
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
- Application launched itself
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - hola_svc.exe (PID: 964)
- Executable content was dropped or overwritten
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 1964)
- Drops the executable file immediately after the start
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 1964)
- Drops 7-zip archiver for unpacking
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
- Drops a system driver (possible attempt to evade defenses)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
- Creates a software uninstall entry
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
- Checks Windows Trust Settings
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 1964)
- Process drops legitimate windows executable
  - net_updater64.exe (PID: 2136)
- The process drops C-runtime libraries
  - net_updater64.exe (PID: 2136)
- Executes as Windows Service
  - net_updater64.exe (PID: 3980)
  - hola_svc.exe (PID: 964)
  - WmiApSrv.exe (PID: 4020)
- Detected use of alternative data streams (AltDS)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 1964)
- Creates file in the systems drive root
  - hola_svc.exe (PID: 964)
- The process checks if it is being run in the virtual environment
  - net_updater64.exe (PID: 3980)
- Checks for external IP
  - net_updater64.exe (PID: 3980)
- Potential Corporate Privacy Violation
  - net_updater64.exe (PID: 3980)
- Connects to unusual port
  - hola_svc.exe (PID: 964)
INFO
- Reads the computer name
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - net_updater64.exe (PID: 2136)
  - test_wpf.exe (PID: 6372)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - test_wpf.exe (PID: 6156)
  - hola_svc.exe (PID: 964)
  - idle_report.exe (PID: 1944)
  - net_updater64.exe (PID: 1964)
  - test_wpf.exe (PID: 3176)
  - test_wpf.exe (PID: 7020)
  - Hola-Setup-x64-1.228.101.exe (PID: 6460)
  - 7zr.exe (PID: 4068)
- Reads the machine GUID from the registry
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - net_updater64.exe (PID: 2136)
  - test_wpf.exe (PID: 6372)
  - net_updater64.exe (PID: 3980)
  - test_wpf.exe (PID: 3176)
  - net_updater64.exe (PID: 1124)
  - hola_svc.exe (PID: 964)
  - idle_report.exe (PID: 1944)
  - net_updater64.exe (PID: 1964)
  - test_wpf.exe (PID: 7020)
  - test_wpf.exe (PID: 6156)
- Reads Environment values
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 1964)
- Disables trace logs
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - net_updater64.exe (PID: 3980)
  - rasdial.exe (PID: 5284)
  - hola_svc.exe (PID: 964)
- Checks proxy server information
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - net_updater64.exe (PID: 2136)
- Create files in a temporary directory
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - Hola-Setup-x64-1.228.101.exe (PID: 6460)
- Reads the software policy settings
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - net_updater64.exe (PID: 1964)
  - Hola-Setup-x64-1.228.101.exe (PID: 6460)
- The process uses the downloaded file
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 3980)
- Process checks computer location settings
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 1124)
  - net_updater64.exe (PID: 1964)
  - net_updater64.exe (PID: 3980)
- Checks supported languages
  - Hola-Setup-C-HPE.exe (PID: 4980)
  - Hola-Setup-C-HPE.exe (PID: 2232)
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - net_updater64.exe (PID: 2136)
  - Hola-Setup-C-HPE.exe (PID: 7140)
  - test_wpf.exe (PID: 6372)
  - net_updater64.exe (PID: 3980)
  - test_wpf.exe (PID: 3176)
  - net_updater64.exe (PID: 1124)
  - test_wpf.exe (PID: 6156)
  - idle_report.exe (PID: 1944)
  - hola_svc.exe (PID: 6396)
  - net_updater64.exe (PID: 1964)
  - test_wpf.exe (PID: 7020)
  - Hola-Setup-x64-1.228.101.exe (PID: 6460)
  - hola_svc.exe (PID: 6704)
  - 7zr.exe (PID: 4068)
  - hola_svc.exe (PID: 964)
- Creates files in the program directory
  - Hola-Setup-x64-1.228.101.exe (PID: 3316)
  - net_updater64.exe (PID: 2136)
  - net_updater64.exe (PID: 3980)
  - net_updater64.exe (PID: 1124)
  - hola_svc.exe (PID: 964)
  - net_updater64.exe (PID: 1964)
  - 7zr.exe (PID: 4068)
- Creates files or folders in the user directory
  - net_updater64.exe (PID: 2136)
- Reads CPU info
  - net_updater64.exe (PID: 3980)
- Reads the time zone
  - net_updater64.exe (PID: 3980)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2094:07:16 03:28:36+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	2917888
InitializedDataSize:	414208
UninitializedDataSize:	-
EntryPoint:	0x2ca596
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.227.226.0
ProductVersionNumber:	1.227.226.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	Hola VPN Ltd.
FileDescription:	Hola VPN App Setup
FileVersion:	1.227.226.0
InternalName:	hola_setup.exe
LegalCopyright:	Copyright © 2023 Hola VPN Ltd.
LegalTrademarks:	-
OriginalFileName:	hola_setup.exe
ProductName:	Hola Setup
ProductVersion:	1.227.226.0
AssemblyVersion:	1.227.226.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

156

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

964

"C:\Program Files\Hola\app\hola_svc.exe" --service

C:\Program Files\Hola\app\hola_svc.exe

services.exe

User:

SYSTEM

Company:

Hola Networks Ltd.

Integrity Level:

SYSTEM

Description:

Hola VPN Service

Version:

1.228.101

Modules

Images
c:\program files\hola\app\hola_svc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll

1124

"C:\Program Files\Hola\app\net_updater64.exe" --uuid

C:\Program Files\Hola\app\net_updater64.exe

Hola-Setup-x64-1.228.101.exe

User:

admin

Company:

BrightData Ltd. (certified)

Integrity Level:

HIGH

Description:

BrightData service allows free use of certain features in an app you installed

Exit code:

Version:

1.474.630

Modules

Images
c:\program files\hola\app\net_updater64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

1140

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

net_updater64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1944

C:\ProgramData\BrightData\108a47921d08860d64656218998ab66204caf497\idle_report.exe --id 79515 --screen

C:\ProgramData\BrightData\108a47921d08860d64656218998ab66204caf497\idle_report.exe

—

net_updater64.exe

User:

admin

Company:

BrightData Ltd.

Integrity Level:

MEDIUM

Description:

idle_report

Exit code:

Version:

1.474.630

Modules

Images
c:\programdata\brightdata\108a47921d08860d64656218998ab66204caf497\idle_report.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

1964

"C:\Program Files\Hola\app\net_updater64.exe" --uuid

C:\Program Files\Hola\app\net_updater64.exe

hola_svc.exe

User:

SYSTEM

Company:

BrightData Ltd. (certified)

Integrity Level:

SYSTEM

Description:

BrightData service allows free use of certain features in an app you installed

Exit code:

Version:

1.474.630

Modules

Images
c:\program files\hola\app\net_updater64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll

1964

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

7zr.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2008

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

net_updater64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2080

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

net_updater64.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2136

"C:\Program Files\Hola\app\net_updater64.exe" --install win_hola.org --campaign hpe

C:\Program Files\Hola\app\net_updater64.exe

Hola-Setup-x64-1.228.101.exe

User:

admin

Company:

BrightData Ltd. (certified)

Integrity Level:

HIGH

Description:

BrightData service allows free use of certain features in an app you installed

Exit code:

Version:

1.474.630

Modules

Images
c:\program files\hola\app\net_updater64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

2232

"C:\Users\admin\AppData\Local\Temp\Hola-Setup-C-HPE.exe" --monitor 1988

C:\Users\admin\AppData\Local\Temp\Hola-Setup-C-HPE.exe

Hola-Setup-C-HPE.exe

User:

admin

Company:

Hola VPN Ltd.

Integrity Level:

HIGH

Description:

Hola VPN App Setup

Version:

1.227.226.0

Modules

Images
c:\users\admin\appdata\local\temp\hola-setup-c-hpe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

Add for printing

Total events

39 197

Read events

39 070

Write events

126

Delete events

Modification events


(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7140) Hola-Setup-C-HPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Hola-Setup-C-HPE_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

104

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3316	Hola-Setup-x64-1.228.101.exe	C:\Users\admin\AppData\Local\Temp\install.log		binary
		MD5:8816ED3D5B193B24247ABC0B9EE7E9A8	SHA256:E7336087162D223A8F44381131DE211CCDF29FA24B57889BC175797C348CB50D
7140	Hola-Setup-C-HPE.exe	C:\Users\admin\AppData\Local\Temp\hola_setup.log		binary
		MD5:FDC896A1BC41C185B243C8A81B3B47EE	SHA256:93909261E351FA68F7B792B2D28E56DFA5B79D542B5C0D87972002C01DA14DF3
3316	Hola-Setup-x64-1.228.101.exe	C:\Program Files\Hola\app\hola.exe		executable
		MD5:9112BEA314BB9692FFBCFDEA07BB21CF	SHA256:A3BC9F44FFF837B5DD1D74E033C054D31699AE31CE256F7FFC03F8367A0DF098
3316	Hola-Setup-x64-1.228.101.exe	C:\Program Files\Hola\app\lum_sdk64.dll		executable
		MD5:B0D95A0B3D9DA0F1A053E5461A387849	SHA256:24347DE0C339F3E635CC9FF4C07EE60D3E6908D282D7AEE20F3545A7C330932C
3316	Hola-Setup-x64-1.228.101.exe	C:\Program Files\Hola\app\README.txt		text
		MD5:E2F387B53A340A507BBB2A28D7917484	SHA256:A2B79E73F4F317AD3F44A383722F05E739CF260C49E54AD6B7001CB7AF6BD252
2136	net_updater64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:1DC693C3D88DB65500DE62B9143630BF	SHA256:CA1B351EF51C31419E805DB90EAFB14E953F49E7DFB02E0BD0B12771AB866005
2136	net_updater64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_7BC6BAD757FCD9C147D141E8A9D5A2A0		binary
		MD5:64D49D48911EE76D59C46C91B31004A7	SHA256:34B3F64FEF357F78FBBD31ECE5EF643221BEB6BDA2DA5B2A535F8D62A8094C6C
2136	net_updater64.exe	C:\ProgramData\BrightData\108a47921d08860d64656218998ab66204caf497\20240901_211154_01_install_1.474.630.log		binary
		MD5:68B329DA9893E34099C7D8AD5CB9C940	SHA256:01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
2136	net_updater64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:0F8911F4878D271F3A8367F5F448F586	SHA256:6CAB4D125EB47091CA9F77194F35EC6A1A563E11CBCFF921B584057AE55924A8
2136	net_updater64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:7327332A7FF3290684FEBF9728F937CF	SHA256:BC1BF7D60E813F1741B7CDB35FE0B74F8495E3D5066649B0705FF06808D25432

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

146

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1764	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2136	net_updater64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
2136	net_updater64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAdTF0YC22Gdh8cnyPwWxE0%3D	unknown	—	—	whitelisted
2136	net_updater64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
3980	net_updater64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
3980	net_updater64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
3980	net_updater64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAdTF0YC22Gdh8cnyPwWxE0%3D	unknown	—	—	whitelisted
964	hola_svc.exe	GET	200	142.250.186.164:80	http://142.250.186.164:80/blank.html	unknown	—	—	unknown
964	hola_svc.exe	GET	301	23.35.237.160:80	http://i.s-microsoft.com/library/svy/close.gif	unknown	—	—	whitelisted
6204	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6856	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
892	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7140	Hola-Setup-C-HPE.exe	23.22.252.240:443	perr.hola.org	AMAZON-AES	US	whitelisted
7140	Hola-Setup-C-HPE.exe	54.225.121.9:443	hola.org	AMAZON-AES	US	whitelisted
4980	Hola-Setup-C-HPE.exe	54.225.121.9:443	hola.org	AMAZON-AES	US	whitelisted
3260	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2232	Hola-Setup-C-HPE.exe	54.225.121.9:443	hola.org	AMAZON-AES	US	whitelisted
4980	Hola-Setup-C-HPE.exe	23.22.252.240:443	perr.hola.org	AMAZON-AES	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158 20.73.194.208	whitelisted
google.com	142.250.184.206	whitelisted
perr.hola.org	23.22.252.240 34.237.179.253	whitelisted
hola.org	54.225.121.9 107.22.193.119	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
hola-rmt-update.b-cdn.net	89.187.169.39	whitelisted
login.live.com	20.190.159.71 20.190.159.68 20.190.159.0 20.190.159.64 40.126.31.71 20.190.159.75 20.190.159.2 20.190.159.4	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.hola.org	54.243.128.120 54.225.227.202	whitelisted
perr.lum-sdk.io	192.81.214.145 159.223.133.120 206.189.231.23 161.35.48.195	unknown

Threats

PID	Process	Class	Message
2256	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
3980	net_updater64.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Hola-Setup-C-HPE.exe

203ACCDF587DD38B24A1A5021F3F46DA

FC8F3E96A67C8A92313C9987B7F7C8E7CFC3810F

9E65B85E4E33AACA1A3BD8AA5E2C5F67D9EC82224386B5B713479B4073FDA32D

98304:7UINMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM/:gf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Application launched itself

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Drops 7-zip archiver for unpacking

Drops a system driver (possible attempt to evade defenses)

Creates a software uninstall entry

Checks Windows Trust Settings

Process drops legitimate windows executable

The process drops C-runtime libraries

Executes as Windows Service

Detected use of alternative data streams (AltDS)

Creates file in the systems drive root

The process checks if it is being run in the virtual environment

Checks for external IP

Potential Corporate Privacy Violation

Connects to unusual port

INFO

Reads the computer name

Reads the machine GUID from the registry

Reads Environment values

Disables trace logs

Checks proxy server information

Create files in a temporary directory

Reads the software policy settings

The process uses the downloaded file

Process checks computer location settings

Checks supported languages

Creates files in the program directory

Creates files or folders in the user directory

Reads CPU info

Reads the time zone

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events