» productupdate.exe
Overview
Analysis
File Details
Behaviors (2)
Network (32)

productupdate.exe

The application productupdate.exe has been detected as a potentially unwanted program by 14 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. This is the uninstaller utility registered in the Windows Control Panel for the program Yahoo! Powered.

File name:

productupdate.exe

MD5:

5fe6435e0916ce99fa3fc588ba7a02e9

SHA-1:

ca64bfad2169557de1c85284438e4fd818c51d6a

SHA-256:

72c4516cac0238da37c7b4a7d03be3790f6059b52cabd835195874b53a83e422

Scanner detections:

14 / 68

Status:

Potentially unwanted

Analysis date:

11/27/2024 11:37:42 PM UTC (a few moments ago)

Scan engine

Detection

Engine version

AegisLab AV Signature

Ml.Attribute.Gen!c

2.1.4+

AhnLab V3 Security

PUP/Win32.DealPly.C1755509

3.8.3.16

Avira AntiVirus

ADWARE/DealPly.ekyxw

8.3.3.4

Fortinet FortiGate

Riskware/PUP

2/12/2017

G Data

Win32.Trojan.Agent.QQFOO2

17.2.25

IKARUS anti.virus

Trojan-Ransom.Win32.Gimemo

0.1.3.4

McAfee

PUP-FPD

5600.6131

Panda Antivirus

Trj/Genetic.gen

17.02.06.07

Qihoo 360 Security

HEUR/QVM05.1.0000.Malware.Gen

1.0.0.1120

Reason Heuristics

PUP.Downloader.ICDP (L)

17.2.12.0

Rising Antivirus

Malware.Heuristic!ET#97% (rdm+)

23.00.65.17204

Trend Micro House Call

TROJ_GEN.R047C0EBB17

7.2.43

Trend Micro

TROJ_GEN.R047C0EBB17

10.465.12

VIPRE Antivirus

Trojan.Win32.Generic

55898

File size:

2.7 MB (2,815,488 bytes)

File type:

Executable application (Win32 EXE)

File PE Metadata

Compilation timestamp:

8/16/2014 4:02:21 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

Entry address:

0x27628C

Entry point:

55, 8B, EC, 83, C4, F0, B8, 54, E4, 66, 00, E8, 78, 7C, D9, FF, A1, C0, BD, 67, 00, 8B, 00, E8, 0C, 5A, F3, FF, 8B, 0D, 38, BB, 67, 00, A1, C0, BD, 67, 00, 8B, 00, 8B, 15, 98, 44, 5B, 00, E8, 0C, 5A, F3, FF, A1, C0, BD, 67, 00, 8B, 00, E8, 64, 5B, F3, FF, E8, 0F, 2D, D9, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

2.5 MB (2,575,872 bytes)

Program Uninstaller

Program name:

Yahoo! Powered

Uninstall string:

"C:\users\{user}\appdata\local\{d7f9e1a5-f351-8d1d-9ec9-a8f5baa1546d}\uninstall.exe" \uninstall \s \noun \delselfdir

Scheduled Task

Task name:

{6C4D94B7-A275-4777-8F7B-9E5983BA3118}

Trigger:

Daily (Runs daily at 17:17)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ec2-107-20-201-65.compute-1.amazonaws.com (107.20.201.65:80)

TCP (HTTP):

Connects to ec2-54-225-212-5.compute-1.amazonaws.com (54.225.212.5:80)

TCP (HTTP):

Connects to ec2-23-21-246-202.compute-1.amazonaws.com (23.21.246.202:80)

TCP (HTTP SSL):

Connects to geoip-zlb.vips.scl3.mozilla.com (63.245.215.82:443)

TCP (HTTP):

Connects to ec2-54-243-162-184.compute-1.amazonaws.com (54.243.162.184:80)

TCP (HTTP):

Connects to server-54-230-81-192.mia50.r.cloudfront.net (54.230.81.192:80)

TCP (HTTP):

Connects to server-54-230-206-14.atl50.r.cloudfront.net (54.230.206.14:80)

TCP (HTTP):

Connects to server-54-230-11-106.lhr3.r.cloudfront.net (54.230.11.106:80)

TCP (HTTP):

Connects to server-54-192-3-153.lhr5.r.cloudfront.net (54.192.3.153:80)

TCP (HTTP):

Connects to server-54-192-123-212.dfw50.r.cloudfront.net (54.192.123.212:80)

TCP (HTTP):

Connects to server-52-84-132-135.atl52.r.cloudfront.net (52.84.132.135:80)

TCP (HTTP):

Connects to s3-1-w.amazonaws.com (54.231.33.203:80)

TCP (HTTP):

Connects to ec2-54-83-207-70.compute-1.amazonaws.com (54.83.207.70:80)

TCP (HTTP):

Connects to ec2-54-243-75-224.compute-1.amazonaws.com (54.243.75.224:80)

TCP (HTTP):

Connects to ec2-54-221-234-215.compute-1.amazonaws.com (54.221.234.215:80)

TCP (HTTP):

Connects to ec2-23-23-110-40.compute-1.amazonaws.com (23.23.110.40:80)

TCP (HTTP):

Connects to ec2-23-21-200-178.compute-1.amazonaws.com (23.21.200.178:80)

TCP (HTTP):

Connects to ec2-184-73-230-77.compute-1.amazonaws.com (184.73.230.77:80)

Remove productupdate.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.