99af.tmp.exe

The application 99af.tmp.exe has been detected as a potentially unwanted program by 4 anti-malware scanners. This is a setup program which is used to install the application. It bundles adware offers using Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The file has been seen being downloaded from www.osdsoft.com and multiple other hosts.
MD5:
60bc83dc7815fc3ecac487f012fe99ea

SHA-1:
e02394c4792d861974f6e6fdde67b77b07605e5c

SHA-256:
904eb7e18902e12b3ea7d765ac18aedfecea1d8aee1b50eea904eadefe7dc3b6

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 8:52:00 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| ESET NOD32 | Win32/TrojanDownloader.Adload.NPQ trojan | 7.0.302.0 |
| Kaspersky | not-a-virus:AdWare.Win32.Amonetize | 15.0.0.562 |
| Norman | Gen:Variant.Mikey.31545 | 13.02.2016 01:47:07 |
| Reason Heuristics | Adware.Downloader.Meta (M) | 16.2.16.7 |

File size:
292 KB (299,008 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\99af.tmp.exe

File PE Metadata
Compilation timestamp:
2/15/2016 1:21:34 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:AhVtvFOknTVxoSfDHWnF1n54Zqiyf24i2hOppplmc4EFz3TQhd5C5:G7OUoSfKrRf24i2IT/j4EFjofC5

Entry address:
0x14977

Entry point:
E8, FD, 62, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 5D, E9, 21, 0C, 00, 00, 3B, 0D, A4, 53, 44, 00, 75, 02, F3, C3, E9, 79, 63, 00, 00, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, 9C, 04, 43, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, A4, 04, 43, 00, C3, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 57, 8B, F9, 74, 2D, 56, FF, 75, 08, E8, 64, 31, 00, 00, 8D, 70, 01, 56, E8, C5, 0D, 00, 00, 59, 59, 89, 47, 04, 85, C0, 74, 11, FF, 75, 08, 56, 50, E8, 22, 64, 00...
 

Code size:
186.5 KB (190,976 bytes)

The file 99af.tmp.exe has been seen being distributed by the following 4 URLs.
