installer_photoscape_english.exe

Astro Delivery (Fried Cookie Ltd.)

The Fried Cookie installer utilizes the InstallCore download manager which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application installer_photoscape_english.exe by Astro Delivery (Fried Cookie) has been detected as adware by 14 anti-malware scanners. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from id.filewon.com.
Publisher:
Astro Delivery (Fried Cookie Ltd.)  (signed and verified)

MD5:
ebca9a080d727c5b7f7d5626a5ac97d8

SHA-1:
4325cf5db67d360b998731cc246e3cbf614ac1fa

SHA-256:
d50de13b1766c790b9e66048735567ad089e2cae1c7947554c308f34ec84bd65

Scanner detections:
14 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/5/2024 6:46:48 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
APPL/InstallCo.ewbs
7.11.202.226

AVG
Generic
2016.0.3225

Baidu Antivirus
Adware.Win32.InstallCore
4.0.3.15119

Comodo Security
Application.Win32.InstallCore.AKL
20765

Dr.Web
Trojan.InstallCore.15
9.0.1.05190

ESET NOD32
Win32/InstallCore.QW potentially unwanted application
7.0.302.0

G Data
Win32.Application.InstallCore.DI
15.1.24

K7 AntiVirus
Unwanted-Program
13.191.14683

Malwarebytes
PUP.Optional.FriedCookie
v2015.01.19.08

NANO AntiVirus
Riskware.Win32.InstallCore.dmkfqf
0.30.0.64448

Qihoo 360 Security
Win32/Virus.Adware.f22
1.0.0.1015

Reason Heuristics
PUP.ironSource.AstroDeliveryFriedCookie
15.1.19.8

Sophos
PUA 'InstallCore ToDownload'
5.09

VIPRE Antivirus
Threat.4150696
36666

File size:
793.1 KB (812,104 bytes)

Product version:
1.5

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\installer_photoscape_english.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
10/21/2014 3:11:59 PM

Valid to:
10/22/2015 3:11:59 PM

Subject:
CN=Astro Delivery (Fried Cookie Ltd.), O=Astro Delivery (Fried Cookie Ltd.), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121A99E73962365DC8A4A1F35AD57C59E60

File PE Metadata
Compilation timestamp:
6/20/1992 5:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:JTvhrCuix4LRoXWzBGz1cmv75PqQb8pwLrEzO:Jr9+x7mzIzGaPq0b8a

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
[+]

Entropy:
7.8906

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file installer_photoscape_english.exe has been seen being distributed by the following URL.

Remove installer_photoscape_english.exe - Powered by Reason Core Security