home

java.exe

Payments Interactive sl

This is the Tuguu DomaIQ download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application java.exe by Payments Interactive sl has been detected as adware by 24 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. During install, it bundles potentially unwanted software on a user's computer at the same time without adequate consent. The installer is marketed through download protals and search ads as the free Oracle Java Runtime but will also install additional software offers which include adware, PUPs and browser toolbars.
Publisher:
Payments Interactive sl  (signed and verified)

MD5:
054889e82ef18369cab5c5634a9a076d

SHA-1:
5ed78f1e22adb5afe39b299de31d66fdf3481a4b

SHA-256:
d265761a2edabc7c29f0f44d0b2671a37edebe964681946145c93e747f24fb27

Scanner detections:
24 / 68

Status:
Adware

Explanation:
May bundle additional potentially unwanted software such as adware during setup.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
2/25/2025 2:38:53 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Generic.901697
939

Agnitum Outpost
PUA.DomaIQ
7.1.1

Avira AntiVirus
APPL/DomaIQ.Gen
7.11.160.42

avast!
PUP-gen [PUP]
140617-1

AVG
Adware DomaIQ.BK
2014.0.3986

Bitdefender
Adware.Generic.901697
1.0.20.955

Clam AntiVirus
Win.Trojan.Agent-751031
0.98/19086

Comodo Security
Application.Win32.DomaIQ.~LKO
18836

Dr.Web
Trojan.Packed.24553
9.0.1.05190

Emsisoft Anti-Malware
Adware.Generic.901697
8.14.07.10.10

ESET NOD32
Win32/DomaIQ.AH potentially unwanted application
7.0.302.0

F-Secure
Adware.Generic.901697
11.2014-10-07_5

G Data
Adware.Generic.901697
14.7.24

IKARUS anti.virus
AdWare.SuspectCRC
t3scan.1.6.1.0

K7 AntiVirus
Unwanted-Program
13.180.12683

Malwarebytes
PUP.OptionalBundleInstaller.A
v2014.07.10.10

McAfee
Artemis!A877A3467C58
5600.7073

MicroWorld eScan
Adware.Generic.901697
15.0.0.573

NANO AntiVirus
Riskware.Win32.DomaIQ.cvkxrw
0.28.0.60698

Norman
Obfuscated.gen!r
11.20140710

Panda Antivirus
PUP/MultiToolbar.A
14.07.10.10

Reason Heuristics
PUP.PaymentsInteractivesl.E
14.8.7.23

SUPERAntiSpyware
PUP.BundleInstaller/Variant
10491

VIPRE Antivirus
Threat.4783235
31088

File size:
561.7 KB (575,136 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\java.exe

Digital Signature
Signed by:
Payments Interactive sl

Authority:
GoDaddy.com, Inc.

Valid from:
10/9/2012 12:27:23 PM

Valid to:
10/9/2013 7:10:38 AM

Subject:
CN=Payments Interactive sl, O=Payments Interactive sl, L=Puntagorda, S=S.C Tenerife, C=ES

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
277606F12C2592

File PE Metadata
Compilation timestamp:
12/5/2009 2:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:t8XxtCWqEHmgDae/x1xbFH/+2b8FtV9D6t/HhK21:t4YWqym6hDHFotalD

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Entropy:
7.9511

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file java.exe has been seen being distributed by the following URL.

http://dlp.123mediaplayer.com/o/259/Java/446/.../V.TK4dLTmAb

Remove java.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.