james_newton_howard.exe

Windows Internet Explorer

Spektr AITI, TOV

Although the file's properties claim it was developed by 'Microsoft Corporation', this is not the case: the version metadata is crafted to make it look like a legitimate Microsoft system file, while the actual code signature belongs to Spektr AITI, TOV (see the Digital Signature section below). The application james_newton_howard.exe, "Instalator dodatków programu Internet Explorer" by Spektr AITI, TOV, has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It is a setup program used to install the application. The file has been seen being downloaded from a7948037c1da5fb03f02c74a.downfastoloaders.net.
Publisher:
Microsoft Corporation (signed by Spektr AITI, TOV)

Product:
Windows® Internet Explorer

Description:
Instalator dodatków programu Internet Explorer

Version:
8.00.7600.16385 (win7_rtm.090713-1255)

MD5:
4e26f758df9f39682af1442b101e63d2

SHA-1:
9d28fd3c7cc017433697f76957334823b48c3cc1

SHA-256:
e7b9f81dd47e336ba51a0437cf89bdcd4141759baf2b503de97fa5d0b4d4fce0

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 5:50:11 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.InstallCube (M)

Engine version:
17.2.27.16

File size:
3.5 MB (3,655,208 bytes)

Product version:
8.00.7600.16385

Copyright:
© Microsoft Corporation. Wszelkie prawa zastrzeżone.

Original file name:
ieinstal.exe.mui

File type:
Executable application (Win64 EXE)

Language:
Polish (Poland)

Common path:
C:\users\{user}\downloads\james_newton_howard.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/24/2015 1:00:00 AM

Valid to:
12/24/2016 12:59:59 AM

Subject:
CN="Spektr AITI, TOV", OU=IT, O="Spektr AITI, TOV", STREET="Bud. 30 kv. 292, prospekt Vatutina", L=Kiev, S=Kiev, PostalCode=02189, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3694697EDF9F6EF8FF786FBBAD3234DF

File PE Metadata
Compilation timestamp:
1/11/2016 4:18:38 PM

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x3520B0

Entry point:
4D, 5A, 90, 00, 03, 00, 00, 00, 04, 00, 00, 00, FF, FF, 00, 00, B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D8, 00, 00, 00, 0E, 1F, BA, 0E, 00, B4, 09, CD, 21, B8, 01, 4C, CD, 21, 54, 68, 69, 73, 20, 70, 72, 6F, 67, 72, 61, 6D, 20, 63, 61, 6E, 6E, 6F, 74, 20, 62, 65, 20, 72, 75, 6E, 20, 69, 6E, 20, 44, 4F, 53, 20, 6D, 6F, 64, 65, 2E, 0D, 0D, 0A, 24, 00, 00, 00, 00, 00, 00, 00...

Code size:
3.3 MB (3,497,984 bytes)

The file james_newton_howard.exe has been seen being distributed from the following URL.

http://a7948037c1da5fb03f02c74a.downfastoloaders.net/.../?f=99540d7c127fba00a8b411449d1ca7ea32138e13cce6e3c3671bf97e3504ed59e11e5beed6c43491a7db9e3868ebc56ff0ab5a8c4742087ed49891cba85c28a510406c426cd8350f19049e1d358c39e568edde8a7c033ec8de07c4cab4e7bd99c2109c54654472c1a1cc5e045372cd5c1907046732cb9208e445c83711cc36f86b2c037c5a2a161bb78c59c57f9fac777cb1a4e31ff1c7036b8b1032f65b994282f028f1f53e4a9c1ddd753f42f9864c0dcd18f73167fc3620e274c0e8f70e97992a8746b95961bdf906aa57544a327fbc24df49a04d3dce82a02b994de7d1fadbf2c05333caed64d66876612b945cd5cf5e98aad315da526977965f553e6fe1005494ffa51e52749cc6a1cb9daeb9434e16a437e6758e7043facc537d33b2e382ac9002989980587b95ab7c1a00c6c5f320f778d01e9478199717b3ca392878ecd7e46707b3015c759beda529c2a96ec200f5ddf2ec00a961049afe624876221c6e2df26471ec82ddc7e8728d30580a2ecd8d97e70ce35c4fdf6dc18ba75dd9d66a104de59cc2b764f5d1ce404491282b333050b3b76d9f9f53b1b88158387e80054f7fbe61abde63eed99a3b16524b3268962a263e48c0bb188d1d27394f3bc82376b8499017b3ab90069bc69118e77452fe3b285
