awh5852.tmp

IMedia Holdings Ltd.

The file awh5852.tmp by IMedia Holdings has been detected as adware by 9 anti-malware scanners. It is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer and is typically executed from the user's temporary directory. The file has been observed being downloaded from cached.dataurls.com.

Publisher:
IMedia Holdings Ltd.  (signed and verified)

Description:
Install

Version:
2.06.24.0

MD5:
057cb7413d004976721a696c9ca6ea88

SHA-1:
7dc822847cae68792ff7bdb32a16fbcfe70269e5

SHA-256:
5d7d8a259228282e072cdd808bb466d113bee8abdfbe371de77647cad090a30c

Scanner detections:
9 / 68

Status:
Adware

Analysis date:
12/26/2024 12:33:15 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| AhnLab V3 Security | PUP/Win32.Salus | 2015.06.24 |
| avast! | NSIS:Adware-RD [Adw] | 2014.9-150624 |
| AVG | Generic | 2016.0.3068 |
| Bkav FE | W32.HfsAdware | 1.3.0.6597 |
| Dr.Web | Adware.Salus.11 | 9.0.1.0175 |
| ESET NOD32 | Win32/Adware.Salus.E.Gen | 9.11834 |
| K7 AntiVirus | Adware | 13.205.16334 |
| Malwarebytes | PUP.Optional.PrxySvrRST | v2015.06.24.04 |
| Reason Heuristics | PUP.iMedia.IMediaHoldings.Installer (M) | 15.6.24.16 |

File size:
3.9 MB (4,069,504 bytes)

Copyright:
© 2015

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\awh5852.tmp

Digital Signature
Authority:
COMODO CA Limited

Valid from:
5/18/2015 5:00:00 PM

Valid to:
12/25/2015 3:59:59 PM

Subject:
CN=IMedia Holdings Ltd., OU=IMedia Holdings Ltd., O=IMedia Holdings Ltd., STREET=63 Hoi Yuen Road Kwun Tong, L="Kwun Tong, Kowloon", S=Kowloon, PostalCode=000000, C=HK

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
4CCDC952B43D5F4E4C9E99C70634ACF1

File PE Metadata
Compilation timestamp:
12/24/2013 9:01:35 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:Gik2nYSiSl461A3vCMOpzY9LMkF1hzuzZvSM5gBhogIr86A:GtOiCE5tMkFzz6aM5aG86A

Entry address:
0x3219

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 08, A3, 98, 37, 42, 00, E8, AD, 2D, 00, 00, A3, E4, 36, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, A0, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, E0, 2E, 42, 00, E8, 57, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 45, 2A...
 

Entropy:
7.9994

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file awh5852.tmp has been seen being distributed by the following URL.
