twatpwrl.exe

Signor Sconto

Mein Gutscheincode GmbH

The application twatpwrl.exe, “Signor Sconto Installer” by Mein Gutscheincode GmbH has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Nullsoft Install System installer. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is also typically executed from the user's temporary directory.
Publisher:
Mein Gutscheincode GmbH  (signed and verified)

Product:
Signor Sconto

Description:
Signor Sconto Installer

Version:
1.27.153.0

MD5:
dea1ac1f08040ab9d47726558d2c41d2

SHA-1:
89fed2699502b077d3e47ec265ce8f14946505ef

SHA-256:
2523bcfead678861d26df6a0219ecad39870d9b0785b688fd580aaa39661ac03

Scanner detections:
1 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/23/2024 11:27:04 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Crossrider (M)
16.9.20.7

File size:
2.9 MB (3,089,848 bytes)

Copyright:
Copyright Mein Gutscheincode GmbH

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\twatpwrl.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/25/2013 1:00:00 AM

Valid to:
3/26/2015 12:59:59 AM

Subject:
CN=Mein Gutscheincode GmbH, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Mein Gutscheincode GmbH, L=Berlin, S=Berlin, C=DE

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6DC967C1E9C4DBE86E88DB14D51147D4

File PE Metadata
Compilation timestamp:
1/5/2010 1:09:32 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.56

CTPH (ssdeep):
49152:8/o2H4yngupBsqn7K0pzYokH4On+Ud0q+3C1u10j8EHNH6Ha6qVgBBuxaOsXRyqE:ANYZOnhpE+evaqPu18lNHmRBuYOsXEAe

Entry address:
0x4044

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, E8, 97, 52, 00, 00, C7, 04, 24, 01, 80, 00, 00, E8, 43, 4F, 00, 00, 56, C7, 04, 24, 00, 00, 00, 00, E8, A6, 52, 00, 00, A3, 88, 5C, 42, 00, 53, C7, 04, 24, 08, 00, 00, 00, E8, 26, 32, 00, 00, A3, 38, 5D, 42, 00, 8D, 85, 84, FE, FF, FF, 51, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A4, B2, 40, 00, E8, D0, 51, 00, 00, 83, EC, 14, C7, 44, 24, 04, A5, B2, 40, 00, C7, 04, 24, 68, 5D...
 
[+]

Code size:
33 KB (33,792 bytes)

Remove twatpwrl.exe - Powered by Reason Core Security