nse7317.tmp

ClIck to StaRt

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The file nse7317.tmp by ClIck to StaRt has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from get.0140j.info.
Publisher:
VZEKO  (signed by ClIck to StaRt)

Product:
VZEKO

Version:
6447.15115.867.9903

MD5:
948189985796493055722fa1c2db431e

SHA-1:
bd237c3c0fec9641550cc967c13a545e15e5c45b

SHA-256:
8c7202b377b25a4fe85b0c541aee33321898b97e018c1efeff15305b6764f084

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/25/2024 4:50:25 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Outbrowse.ClIcktoStaRt.Bundler (M)
16.1.29.19

File size:
314.9 KB (322,504 bytes)

Product version:
6447.15115.867.9903

Copyright:
VZEKO

Trademarks:
VZEKO

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\nse7317.tmp

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
10/29/2015 7:00:00 AM

Valid to:
12/18/2015 6:59:59 AM

Subject:
CN=ClIck to StaRt, O=ClIck to StaRt, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
37D9E505BF19699767562A9E46FA22AE

File PE Metadata
Compilation timestamp:
12/6/2009 5:52:12 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:UFJ0dpK8oEeUuCTXumGSQK7wyn+KUNuxbanIb:9pBcUuCzuLSB7wQ9I+b

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.6430

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file nse7317.tmp has been seen being distributed by the following URL.

Remove nse7317.tmp - Powered by Reason Core Security