home

ms4973.tmp.exe

Finance Alert

Valid Applications

The software will display additional offers (such as adware) during installation including a browser toolbar/extension as well as advertising injection software (part of the Injekt brand). The application ms4973.tmp.exe by Valid Applications has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from champs5x.tinyboxarcade.com.
Publisher:
Valid Applications  (signed and verified)

Product:
Finance Alert

Version:
3.0.91.1

MD5:
4d33892c223c15f80f49820db420e89d

SHA-1:
118b81e87994c8b5ca5bf7ef42f70d34e8f28f56

SHA-256:
d1b8228b8b3a9d0235ea2eef937bce1b3fd494f760659c8fa1d7ec1e21541cde

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads in the web browser as well as alters the browsers settings (home page, search, DNS, and security protocols).

Analysis date:
12/26/2024 4:20:40 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Injekt.ValidApplications.Installer (M)
16.2.11.8

File size:
5 MB (5,292,984 bytes)

Product version:
3.0.91.1

Copyright:
Copyright (C) 2015 Valid Applications

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\ms4973.tmp.exe

Digital Signature
Signed by:
Valid Applications

Authority:
Symantec Corporation

Valid from:
9/21/2015 8:00:00 PM

Valid to:
11/20/2016 6:59:59 PM

Subject:
CN=Valid Applications, O=Valid Applications, L=St. James, S=St. James, C=BB

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
5AF15E58D032F4F8F6AA6B3990AF0257

File PE Metadata
Compilation timestamp:
2/9/2016 12:59:41 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
98304:dVTgS2A8Cxxp181elTpTnr2kV3gnvGi9q9VXtxS8maP37RTdxpW1c+o9b9:dVspA1x3184pTnikevGiYXtsadpyfo9R

Entry address:
0x6FD7

Entry point:
E8, CF, 7D, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 00, 36, 42, 00, E8, D3, 55, 00, 00, E8, 54, 2A, 00, 00, 0F, B7, F0, 6A, 02, E8, 62, 7D, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 76, 53, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
7.8057  (probably packed)

Code size:
107 KB (109,568 bytes)

The file ms4973.tmp.exe has been seen being distributed by the following URL.

http://champs5x.tinyboxarcade.com/fa/.../Setup.exe

Remove ms4973.tmp.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.