8hmedint.exe

Mindspark Toolbar Platform for Internet Explorer

Mindspark

The application 8hmedint.exe, “Mindspark Toolbar Platform”, has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It is set to execute automatically whenever any user logs into Windows (through the local user Run registry setting) under the name ‘Allin1Convert EPM Support’. This version of the file bundles a Mindspark/MyWebSearch Toolbar, a potentially unwanted web browser extension. While running, it connects to the Internet address ns8914.dotvndns.vn on port 80 using the HTTP protocol.
Publisher:
Mindspark

Product:
Mindspark Toolbar Platform for Internet Explorer

Description:
Mindspark Toolbar Platform

Version:
1.0.7.262

MD5:
48d7f2691783be85e3a8fe77e7c24341

SHA-1:
54a15dd388deedd49eea1c02211615fc8f44c74a

SHA-256:
45e4a5e23ae33f6d0b33584f898b755d71ea2e50b1ff1439930516b6e94d0408

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not currently detected this file; however, based on our own detection heuristics, we feel that this file is unwanted.

Analysis date:
11/5/2024 2:24:33 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.MyWebSearch (M)

Engine version:
17.2.6.17

File size:
87.3 KB (89,424 bytes)

Product version:
2.5.15.30

Copyright:
Copyright © 2009-2015 Mindspark Interactive Network, Inc.

Original file name:
t8MedInt.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\allin1convert_8h\bar\1.bin\8hmedint.exe

File PE Metadata
Compilation timestamp:
8/4/2015 7:16:14 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

Entry address:
0x103B

Entry point:
60, 86, C2, 89, CE, 88, C8, 68, 49, 2B, 95, 00, 55, 0F, AB, D7, 3A, F8, 0F, AF, CB, 0F, AC, D3, 3B, 05, F3, 57, 77, 41, 8D, 3D, 2C, 03, A8, 64, 01, CE, 80, F0, 27, D2, C2, 33, CA, D2, FA, F6, DA, 0F, A4, E8, 1C, F2, F7, C7, 5D, 66, 97, D7, 0F, AC, D3, D4, 43, 85, CE, 8A, DF, E8, 29, 00, 00, 00, 8B, CE, 3A, FA, 19, EA, 0F, BA, FB, 87, 8D, 0D, AA, FB, DC, 09, 0F, BC, D5, 0F, C1, E9, 2D, 9F, 64, 00, 00, 81, FE, 02, 16, 00, 00, 70, 01, F2, 2D, 76, 8B, 00, 00, 0F, BA, FE, 03, C0, EF, 48, 3D, 2F, F2, 00, 00, 72...

Code size:
1024 Bytes (1,024 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Allin1Convert EPM Support

Command:
"C:\Program Files1\allin1~1\bar\1.bin\8hmedint.exe" t8epmsup.dll,s
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 147.62.236.23.bc.googleusercontent.com  (23.236.62.147:80)

TCP (HTTP):
Connects to ns8914.dotvndns.vn  (112.213.89.14:80)

TCP (HTTP SSL):
Connects to ec2-52-200-104-185.compute-1.amazonaws.com  (52.200.104.185:443)

TCP (HTTP):
Connects to s11.linuxpl.com  (88.198.8.17:80)

TCP (HTTP):
Connects to sinkhole.fitsec.com  (193.166.255.171:80)

TCP (HTTP SSL):
Connects to ec2-52-5-117-1.compute-1.amazonaws.com  (52.5.117.1:443)

TCP (HTTP SSL):
Connects to ec2-52-0-227-11.compute-1.amazonaws.com  (52.0.227.11:443)

TCP (HTTP):
Connects to web140.extendcp.co.uk  (79.170.44.140:80)

TCP (HTTP):
Connects to cluster005.ovh.net  (213.186.33.16:80)

TCP (HTTP):
Connects to HDRedirect-LB3-890977680.us-east-1.elb.amazonaws.com  (68.168.222.206:80)

TCP (HTTP SSL):
Connects to ec2-34-196-160-231.compute-1.amazonaws.com  (34.196.160.231:443)

Remove 8hmedint.exe - Powered by Reason Core Security