cffhook warface - installer.exe

Windows Media Player Folder Sharing Executable

Strong Media

Although the file's version information claims it was developed by 'Microsoft Corporation', it was not; the metadata is designed to make it resemble a legitimate Microsoft system file. The executable cffhook warface - installer.exe, described as “Windows Media Player Folder Sharing Executable”, has been detected as malware by 1 anti-virus scanner. It is a self-extracting archive and installer that has been known to bundle potentially unwanted software. The file has been seen being downloaded from rufile.net.
Publisher:
Microsoft Corporation (signed by Strong Media)

Product:
Microsoft® Windows® Operating System

Description:
Windows Media Player Folder Sharing Executable

Version:
11.0.5721.5262 (WMP_11.090130-1421)

MD5:
eb7a54c4fa6704755ea35474d77d2a7b

SHA-1:
ae2880ff474d5aa8d3493986f8a99c5b439b980a

SHA-256:
de13dded0948b95a5e244ca14797c1b739fe4eb210a90ef434a656e186b4feaa

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/6/2024 2:12:50 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
16.7.25.23

File size:
916 KB (937,960 bytes)

Product version:
11.0.5721.5262

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
wmpshare.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\cffhook warface - installer.exe

Digital Signature
Signed by:
Strong Media
Authority:
COMODO CA Limited

Valid from:
6/14/2016 3:00:00 AM

Valid to:
6/15/2017 2:59:59 AM

Subject:
CN=Strong Media, O=Strong Media, STREET="Sokolniki Square, 4 A", L=Moscow, S=Moscow, PostalCode=107113, C=RU

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DE80B6BBB2E40F5F7B3C2F4B76F141D9

File PE Metadata
Compilation timestamp:
7/14/2016 11:13:16 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:cDLd8EwaMpRqGM/Qfy6sGCxd1GQRE6pbKATREb9:cDWaYRc/J1uQDpbHTREb9

Entry address:
0x1030

Entry point:
55, 8B, EC, 81, EC, 20, 04, 00, 00, 8B, 45, EC, 2B, 45, F0, 89, 45, F8, 8B, 4D, F4, 0F, AF, 4D, F0, 89, 4D, F0, FF, 15, F4, 63, 4B, 00, 8B, 55, F8, 2B, 55, F0, 89, 55, F4, FF, 15, F4, 63, 4B, 00, 68, 4C, 30, 4D, 00, FF, 15, F8, 63, 4B, 00, 8B, 45, EC, 69, C0, 56, A0, EC, 11, 89, 45, F8, 68, 54, 30, 4D, 00, FF, 15, FC, 63, 4B, 00, 8B, 55, F8, 8B, 4D, EC, D3, E2, 89, 55, F8, 8B, 45, CC, 05, DD, 56, 00, 12, 89, 45, B8, 8B, 55, E0, 8B, 4D, C8, D3, EA, 89, 55, E4, FF, 15, F4, 63, 4B, 00, 8B, 45, B8, 50, FF, 15...

Developed / compiled with:
Microsoft Visual C++

Code size:
722 KB (739,328 bytes)

The file cffhook warface - installer.exe has been seen being distributed by the following URL.

Remove cffhook warface - installer.exe - Powered by Reason Core Security