{blocked}.exe

Windows Internet Explorer

Spektr AITI, TOV

While the file properties state the file is developed by 'Microsoft Corporation', this is not the case and it is designed just to look like a legitimate Microsoft system file. The application {blocked}.exe, “Установщик надстроек Internet Explorer” by Spektr AITI, TOV has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. The file has been seen being downloaded from downloader.disk.yandex.ru.
Publisher:
Microsoft Corporation  (signed by Spektr AITI, TOV)

Product:
Windows® Internet Explorer

Description:
Установщик надстроек Internet Explorer

Version:
8.00.7600.16385 (win7_rtm.090713-1255)

MD5:
19978e899a993e80a171c913fb258031

SHA-1:
8dcb9e67032d7bc4d3f3682c6829f932225fa751

SHA-256:
b354feae9e66409ef4b9f13d8d9047f7ccd3e8ea18627a378a3e368918cbe785

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 6:05:23 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.InstallCube (M)
17.1.13.16

File size:
3.5 MB (3,655,736 bytes)

Product version:
8.00.7600.16385

Copyright:
© Корпорация Майкрософт. Все права защищены.

Original file name:
ieinstal.exe.mui

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\reshebnik_po_rodnomu_yaziku_6_klass_sayahov_21_noyabrya_2014.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/24/2015 5:00:00 AM

Valid to:
12/24/2016 4:59:59 AM

Subject:
CN="Spektr AITI, TOV", OU=IT, O="Spektr AITI, TOV", STREET="Bud. 30 kv. 292, prospekt Vatutina", L=Kiev, S=Kiev, PostalCode=02189, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3694697EDF9F6EF8FF786FBBAD3234DF

File PE Metadata
Compilation timestamp:
1/13/2016 3:18:22 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

Entry address:
0x3521F0

Entry point:
55, 8B, EC, 6A, FF, 68, 98, 9A, 75, 00, 68, 70, 33, 75, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, E4, 70, 75, 00, 33, D2, 8A, D4, 89, 15, 88, A7, 75, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 84, A7, 75, 00, C1, E1, 08, 03, CA, 89, 0D, 80, A7, 75, 00, C1, E8, 10, A3, 7C, A7, 75, 00, 33, F6, 56, E8, CA, 0F, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, B0, 00, 00, 00, 59, 89, 75, FC, E8, 95, 0C, 00, 00, FF, 15, 18, 70, 75, 00, A3, B4, AC, 75, 00, E8...
 
[+]

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
3.3 MB (3,497,984 bytes)

The file {blocked}.exe has been seen being distributed by the following URL.

https://downloader.disk.yandex.ru/disk/9f8eb0b6c181ae90aaa958eda0027d097ff7b77a311da81ecfbe08dc6457775a/5696a125/.../x-msdownload&fsize=3655736&hid=2fa6a99ea2dc697d96dc1ea7d38a35b3&media_type=executable&tknv=v2

Remove {blocked}.exe - Powered by Reason Core Security