home

InstantSupport.exe

InstantSupport

Installer Technology Co.

The executable InstantSupport.exe, “InstantSupport Tray Window” has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘InstantSupport’. While running, it connects to the Internet address 172-245-127-102-host.colocrossing.com on port 80 using the HTTP protocol.
Publisher:
Installer Technology  (signed by Installer Technology Co.)

Product:
InstantSupport

Description:
InstantSupport Tray Window

Version:
1.0.30.1

MD5:
19941744cb1888465fe4e14048853c7e

SHA-1:
5895c858ad4577f9912861110edbc7c7231cf210

SHA-256:
cf1ace9b9e8902d7f3f945163e39482b24ac2defed80e308002a0027e0a19836

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/26/2024 6:09:02 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
17.3.3.16

File size:
5 MB (5,195,920 bytes)

Product version:
1.0.30.1

Copyright:
Copyright Installer Technology 2015

Original file name:
InstantSupport.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\instantsupport\instantsupport.exe

Digital Signature
Signed by:
Installer Technology Co.

Authority:
COMODO CA Limited

Valid from:
9/27/2016 8:00:00 PM

Valid to:
9/28/2017 7:59:59 PM

Subject:
CN=Installer Technology Co., O=Installer Technology Co., STREET=407 lincoln road, L=miami beach, S=florida, PostalCode=33139, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
1B58BBA81BB22C023967D6D579B294FC

File PE Metadata
Compilation timestamp:
2/28/2017 7:22:50 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

Entry address:
0x140241

Entry point:
E8, 4B, 8F, 00, 00, E9, 7F, FE, FF, FF, 3B, 0D, 50, E4, 5C, 00, 75, 02, F3, C3, E9, 37, 0B, 00, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, C3, 8B, 4D, F0, 33, CD, E8, D3, FF, FF, FF, E9, DD, FF, FF, FF, 8B, 4D, EC, 33, CD, E8, C4, FF, FF, FF, E9, CE, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 50, E4, 5C, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, C3, 50, 64...
 
[+]

Entropy:
5.6395

Code size:
1.4 MB (1,488,384 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
InstantSupport

Command:
"C:\Program Files\instantsupport\instantsupport.exe" -startup


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 172-245-127-102-host.colocrossing.com  (172.245.127.102:80)

TCP (HTTP SSL):
Connects to mail.ecosmartfilter.com  (88.150.240.82:443)

TCP (HTTP):
Connects to 172-245-127-171-host.colocrossing.com  (172.245.127.171:80)

TCP (HTTP):
Connects to proxy-txn.austin.hp.com  (15.85.199.199:8080)

Remove InstantSupport.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.