main.exe

Participatory Culture Foundation

The application main.exe by Participatory Culture Foundation has been flagged as adware by 1 of 68 anti-malware scanners. That single detection comes from this site's own heuristic engine, so the verdict rests on heuristics rather than on a signature match by an independent engine. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer, and it is typically executed from the user's temporary directory, where NSIS installers unpack themselves before running. The file has been seen being downloaded from win7soft.ru and several other hosts, including download mirrors that offer it under the name Miro-6.0.exe.
Publisher:
Participatory Culture Foundation  (signed and verified)

MD5:
eee3d30f423e4370ac9ee378717116ba

SHA-1:
892ba5cee3b294e36200cad8ffb22d7808d9c17e

SHA-256:
55bb00f6dc0792f26e3e69d50569e50d1d5579a751cfea8b4801105ba4d23045

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider it unwanted.

Analysis date:
12/26/2024 5:16:51 AM UTC

Scan engine         Detection                                          Engine version
Reason Heuristics   PUP.ParticipatoryCultureFoundation.Installer (M)   15.7.25.15

File size:
45.8 MB (48,057,520 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\main.exe

Digital Signature
Authority:
Starfield Technologies, Inc.

Valid from:
12/10/2012 6:53:33 AM

Valid to:
11/12/2014 12:11:52 PM  (expired before the analysis date; an Authenticode signature on this file still verifies only if it carries a timestamp countersignature made within that validity window)

Subject:
CN=Participatory Culture Foundation, O=Participatory Culture Foundation, L=Boston, S=MA, C=US

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4B7A89C3505610

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:41 PM

Minimum OS version (PE optional header):
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
786432:J1fgiKbj42K5u/lhIwYeBYCBaCvWm6tj7JSLOTAHKyERkNX9TQ5hWWF:ngzP49ghTYeBvamWmsj7JS8A0kXc58y

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9999  (near the 8.0 maximum; expected here, since the compressed NSIS payload makes up almost all of the 45.8 MB, so high entropy is not by itself evidence of a malicious packer)

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)
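The hash and "File PE Metadata" fields above are all derived from the PE headers and the raw bytes of the file. The following is an added example, not the scanner vendor's code: a dependency-free PE32 reader that produces the same kinds of fields (hashes, bitness, compile timestamp, linker version, minimum OS version, subsystem, entry point RVA and leading bytes, entropy, whether an Authenticode blob is attached) and applies the well-known "NullsoftInst" first-header marker to recognise an NSIS installer. SAMPLE_PE is a constructed minimal image, not the analysed main.exe; only its entry bytes are copied from the entry point listing above, and its layout (one .text section, entry RVA 0x10CB, NSIS marker appended after the sections) is hypothetical.

```python
"""Derive scan-report style PE metadata from a Win32 EXE (added example)."""
import hashlib
import math
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Win32", 0x8664: "Win64"}
NSIS_MARKER = b"NullsoftInst"   # string inside the NSIS first header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the ceiling reached by compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS, COFF, optional and section headers of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                         # IMAGE_OPTIONAL_HEADER32
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # Data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) locates the Authenticode blob.
    _sec_off, sec_size = struct.unpack_from("<II", data, opt + 96 + 4 * 8)
    # Walk the section table to translate the entry RVA into a file offset.
    entry_off, names = None, []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        names.append(name.rstrip(b"\0").decode("ascii", "replace"))
        if entry_off is None and va <= entry_rva < va + max(vsize, rawsize):
            entry_off = entry_rva - va + rawptr
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "bitness": MACHINES.get(machine, hex(machine)),
        "compile_time": datetime.fromtimestamp(tstamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "min_os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "code_size": size_of_code,
        "sections": names,
        "entry_rva": entry_rva,
        "entry_bytes": None if entry_off is None else " ".join(f"{b:02X}" for b in data[entry_off:entry_off + 16]),
        "entropy": round(shannon_entropy(data), 4),
        "authenticode_present": sec_size > 0,   # a blob is attached; says nothing about validity
        "nsis_installer": NSIS_MARKER in data,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 GUI image (hypothetical layout): one .text section, NSIS marker appended."""
    entry_code = bytes.fromhex("81EC8001000053555633DB57895C2418")  # from the report's entry point listing
    file_align, pe_off = 0x200, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    tstamp = int(datetime(2009, 12, 5, 16, 50, 41, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x14C, 1, tstamp, 0, 0, 0xE0, 0x0102)   # i386, 1 section
    opt = struct.pack(
        "<HBB" "IIIIIIIII" "HHHHHH" "IIII" "HH" "IIIIII",
        0x10B, 6, 0,                                    # PE32 magic, linker 6.0
        0x200, 0, 0, 0x10CB, 0x1000, 0x2000, 0x400000, 0x1000, file_align,
        4, 0, 0, 0, 4, 0,                               # min OS 4.0, subsystem version 4.0
        0, 0x2000, file_align, 0,
        2, 0,                                           # IMAGE_SUBSYSTEM_WINDOWS_GUI
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"\0" * (16 * 8)                             # every directory empty: no Authenticode blob
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, file_align, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + dirs + sect
    headers += b"\0" * (file_align - len(headers))
    text = bytearray(0x200)
    text[0xCB:0xCB + len(entry_code)] = entry_code      # entry RVA 0x10CB -> file offset 0x2CB
    trailer = b"\0" * 4 + b"\xef\xbe\xad\xde" + NSIS_MARKER   # flags, 0xDEADBEEF, "NullsoftInst"
    return headers + bytes(text) + trailer


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    for key, value in inspect_pe(SAMPLE_PE).items():
        print(f"{key:>21}: {value}")
```

Run it against a real download with `inspect_pe(open("main.exe", "rb").read())` and compare the three hashes with the values listed above before trusting any other field. `authenticode_present` only reports that a WIN_CERTIFICATE blob is attached; whether the chain to the Starfield issuer validates, and whether an expired certificate is rescued by a timestamp countersignature, is a job for `signtool verify /pa /v main.exe` or PowerShell's `Get-AuthenticodeSignature`.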

The file main.exe has been seen being distributed by the following 14 URLs (paths abbreviated; only 7 of the 14 appear in this record).

http://win7soft.ru/.../2534.zip

http://filehippo.com/download/file/.../

http://filehippo.com/download/file/.../

http://filehippo.com/download/file/.../

http://filehippo.com/download/file/.../

http://www.programmigratis.org/.../download.ashx?id=1615&sb=0

http://www.videohelp.com/.../Miro-6.0.exe

Remove main.exe - Powered by Reason Core Security