backtofile-deinstallation.exe

Tesecukaf

UpdateStar GmbH

The installer utilizes the installCore download manager which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application backtofile-deinstallation.exe, “Tesecukaf Setup ” by UpdateStar GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The file has been seen being downloaded from www.presentbitsshare.com.
Publisher:
Kupogo   (signed by UpdateStar GmbH)

Product:
Tesecukaf

Description:
Tesecukaf Setup

Version:
5.0.2.1

MD5:
0984de3fe2ed3114c3c392a441debd44

SHA-1:
bf319a4c1bb853c0128a9186539f3b77e276f104

SHA-256:
56a80f1238f679ff1a40c75b330d50c258c06ca4f549772cd90c6011d7a3ddfc

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/23/2024 2:46:16 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.installCore (M)
17.3.15.12

File size:
1000.8 KB (1,024,840 bytes)

Product version:
2.6.0

Copyright:
Web Installer Wizard

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\backtofile-deinstallation.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
1/8/2016 1:34:15 PM

Valid to:
3/6/2017 2:10:42 PM

Subject:
CN=UpdateStar GmbH, O=UpdateStar GmbH, L=Berlin, S=Berlin, C=DE

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121206405ACDAB5906908B3939BD86EF916

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...
 
[+]

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file backtofile-deinstallation.exe has been seen being distributed by the following URL.

http://www.presentbitsshare.com/RV9EYVVDUtZANYoGZ09L7KgYRFnwQByiJ 0S_A1mz9nhXsQo9aaMqR5Vluo2jmdU_OwBhBLkq5b6GJm6X7xeYnFe0WxBmrg6ZyoVdgpwsodqW9U2ed52SbPZVve0Z s2cKkji5oZI7yKX2KEPdUesqC0iCBuSivEKbdnbn8BqL09D85TBUBF2k_znF6CDuxzlipHTgq7SCPV7ZM0sNRsm6Zib8iRfApTWzwNq3kSnHtVNm0hK0248t5VNR5ZypiSuyLTosdYOOUWt_UU80e28nDQDWoNgNsBLmd0Uqv7xJvpsto5ztF81oMqj6QneOAhD7BlEYkvqB3zBBl3v8rFUhFZhnmAFbfGoa8FNtAyuogdHzQTYJ_SeiF8w21pJWBRsmYKKei9cP9p0kYJK2fpjn1RzaKMdyzpqHqdbPWnsgT7rzSHvGpMAYtDBUaLdi98 QxT 1jyJEeMRIIKU6ESRn2g60W 5NQ1f3nW4biga14SSJW3yQTgpojZxbvazt6kAZY8lobRw4oAoytWWDMeKmzZ5 P0_WdsKMywNMPzyZRCZWlrpPpcifqNxl6iNL6iv2EmI3YuG0BiPBgK89vxvO44NR_qIA==-GyYAAASacWiFXLcf0GAwkQP2tsACvsCTw0BvDH4pyDQ4fO6teAA=

Remove backtofile-deinstallation.exe - Powered by Reason Core Security