» freeocrtoword.exe
Overview
Analysis
File Details
Downloads (7)

freeocrtoword.exe

Nopumalifo

Huaxinwantong Beijing Technology Ltd

The application freeocrtoword.exe, “Nopumalifo Setup ” by Huaxinwantong Beijing Technology has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Inno Setup installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from www.taggiftflash.com and multiple other hosts.

File name:

freeocrtoword.exe

Publisher:

Purek (signed by Huaxinwantong Beijing Technology Ltd)

Product:

Nopumalifo

Description:

Nopumalifo Setup

Version:

1.4.2.6

MD5:

147051b1de9199b6827acd8f3b66f812

SHA-1:

7aa6f32ead0e1f79a286783f74723f4417987f9d

SHA-256:

4fa582977b01fcea8ca6237e8efee98c85577ace08b41abc874cef750af44151

Scanner detections:

1 / 68

Status:

Potentially unwanted

Explanation:

Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:

11/6/2024 6:26:57 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.InstallCore.Huaxinwa.Installer.Meta (M)

16.6.30.12

File size:

906.5 KB (928,248 bytes)

Product version:

2.0.9

Fast Software

File type:

Executable application (Win32 EXE)

Installer:

Inno Setup

Language:

Language Neutral

Common path:

C:\users\{user}\downloads\freeocrtoword.exe

Digital Signature

Signed by:

Huaxinwantong Beijing Technology Ltd

Authority:

COMODO CA Limited

Valid from:

3/24/2016 7:00:00 AM

Valid to:

3/25/2017 6:59:59 AM

Subject:

CN=Huaxinwantong Beijing Technology Ltd, O=Huaxinwantong Beijing Technology Ltd, STREET="Dong Balizhuang 54, Building 2", L=BeiJing, S=BeiJing, PostalCode=100025, C=CN

Issuer:

CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00C31292C6449E082B3FBF99E310243E2E

File PE Metadata

Compilation timestamp:

6/20/1992 5:22:17 AM

OS version:

1.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

24576:Dti0NiGXIAR5v3nWi+dZKEUQq3p9UdRC+8Y4:DEcbXV/t+dZKEVq5b+81

Entry address:

0xA5F8

Entry point:

55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55... 
[+]

Entropy:

7.9345

Packer / compiler:

Inno Setup v5.x - Installer Maker

Code size:

39.5 KB (40,448 bytes)

The file freeocrtoword.exe has been seen being distributed by the following 7 URLs.

http://www.taggiftflash.com/i oiWj04wPHt59b6w3d8ZTS8z27P C1d8YeClk8mAygfs1Zz31KuEyoUhE0xd8pYMt5g7sB1Xnm_gYYgBzoxZxnxXWUhrDUj4bpCCY5DBminHxgq_ghX51QJtPbsEUpyg3Nrl4dL824MGFCoMUJymlbz0KMWUOtzu8H9CWJ6x3 oAY_3AkfmZDCW8Wr2r VsjEsPDWAubTxHPKoHQLbmk9yJUkZqzpXrHCrh7wYIn0qydhfPVx8nMZahXLHIB2GQ_DpGmHxdL glsljmJSoojMIxsg2j MY7oWwR6Q5 EUMa nJajjriTujo1VK88aiYnWhizMd8avNuk5OMTDX5aetxkQI9fuZRkhgO_izzl1yrwLXnnOIs5Rt_hZ78PBjtUsEgua3sxn3PMY_fnv615ZEpdaY0RzaZIHyrjv5txX0DDRAgVSlnyqpNif3yOk7WqwvbzY1y-G0sAAETdFttfgiCYBA1Gw12wOBgPgkMO2PuKJAzMAg9ZiJrZLmi8xio_YeW7wTSGkocCBHR8n1cBvYzkos5u0_AB-e

http://www.factorycapitalstock.com/0w0Wioim3aKUqCEt5g6vCtqIkMPpYzLNQHZ_u9gjkd7 esnTxBxU0lt_pIIHtQXU3Bl7KdWkZ GGvqJevw4e66plnM5U0eHYB95WJgfPsOEA0aLFgzCxCd_xpqCHzCzipIb1nlYh0kPXB5XEg8fHU54c5jtJD70JDobFZpnBj_3HOW_xf4uQW3C z 0w_ rwF_4IEnuh7EEnHzRUcR0OeGrAyYwCQw==-G0sAAETdFttfgiCYBA1Gw12wOBgPgkMO2PuKJAzMAg9ZiJrZLmi8xio_YeW7wTSGkocCBHR8n1cBvYzkos5u0_AB

http://www.factorycapitalstock.com/OYduRRhGqiOHLhMe0WzmmXMhGMfdKrYp_fCbV0tygsHtQaGIh8_500xr92owRxiK7vgVnxsPuyW TBpM84VnjyntYmavG_3mUoQWUTwwb6dxA0yjU STyiZVMhtfRBzJdWlkZf4D2crXTNXPjEEwD_sImnp7ksCMZqJYLRGok1JB3SgnOAe9CKySU7Mpw654DwU7_mXejrRUVNLLcE8sCHn_KHbwng==-G0sAAETdFttfgiCYBA1Gw12wOBgPgkMO2PuKJAzMAg9ZiJrZLmi8xio_YeW7wTSGkocCBHR8n1cBvYzkos5u0_AB

http://www.giftbundlesfactory.com/at1OTg7bD3_TU7dNyFHGgl1LWSUZavfRKlCFY7M2SZakWn4OKZQ_4wbPuMoLqvFNIz2XRfnTsQtkpEGhcPi5C7xQ6eSQKW6 7QWz66Hs9nQXxvA4owRx9wwpNnCfCerqrEhtfnqAre8g1NI6m7epG_tv vfGwA9KpcnfZd9R7d0zxpCpmrufxOTTqCjJTKbsuwOG_TA5tG4YpAfmwtmzeMBP_mQ6w==-G0sAAETdFttfgiCYBA1Gw12wOBgPgkMO2PuKJAzMAg9ZiJrZLmi8xio_YeW7wTSGkocCBHR8n1cBvYzkos5u0_AB

http://www.factorycapitalstock.com/H6UKjdGCrSUNyeTqucqJxQ9TEI14y1k7FrAlzusdZc zT 3dFLpgylLbbehlGNfSaN4AZ15yEK6yFXuSO1w3EyCC7IO4dBkSWOACufTD9rTNYx59pVOwsy8rcVrx3Fluv97HqLsOa4WXpGn_CGzSLr68r40KsXFtrXQ_ 00pZpN BB_3MC1AATONa_1baex smwJjXj3wldXHUNn8ivpRS_PAnfOELg9KKIWTmo2hP8GTWwvYPfdutJpNaSTCJycjfAGiJRTihuQubrmkta0dV54SRR1S13eXxytASqzf6lu2gMSBJ9k6sWnCQz0JywHqIdFroSo4_18TfXVeVTq9N3fYhFchxowHogcFVIBWlUmQy58vUuuZorvaoNZlgDph6_87jENgQ 9O3gsdM7EAYHozjp1A9JzzTWfENkMs98IXv20Oi6yU7OkWvy Ol3QUcoaSAC-G0sAAETdFttfgiCYBA1Gw12wOBgPgkMO2PuKJAzMAg9ZiJrZLmi8xio_YeW7wTSGkocCBHR8n1cBvYzkos5u0_AB-e

http://www.factorycapitalstock.com/InAS6zU6r8YGeYb YunNMduym4e15K81cxZQOtJUnzvwH0MSEd20Y42g5et4_H9_BZYN_aiKdMk_Ao0GmamW04LFTgejFRsyRBra7BLQtlvWkgq9YiPDDDqAU6Dtpw1SmHnFxHSpzGH_t3rENiIONzvD1WjYG MtIfpnwIkuGjBkd4FNVP1U4bDU24nPXheAckAIDPDD0bw WfIPh0B_r1kkxjR7vA==-G0sAAETdFttfgiCYBA1Gw12wOBgPgkMO2PuKJAzMAg9ZiJrZLmi8xio_YeW7wTSGkocCBHR8n1cBvYzkos5u0_AB

http://www.funtourbundle.com/6nUQgk1xayHhDbZtNdDQkh0DrEm7EcK1tyzRt9ErV5h0sst UJ227js0XU3HxWMXqEcPW1LGaTjGVM2trKNvzzHvDu2_EezPeoKDH2ySooClNQ_8dL3 rhGjEqeHygK6V7Fc0B1QP_qgQZUEdrYaTDXHSk0qZTFnYTt3zL6ZVNjElwUj5G2LuxfwAQWQ PRO1mZb13Cdjt8HynGSLGS0dEUTtj6ENA==-G0sAAETdFttfgiCYBA1Gw12wOBgPgkMO2PuKJAzMAg9ZiJrZLmi8xio_YeW7wTSGkocCBHR8n1cBvYzkos5u0_AB

Remove freeocrtoword.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.