uexphm0a.exe

Denzi App Store

SILICOM INTERNET, S.L.

The installer uses the installCore download manager, which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The file uexphm0a.exe by SILICOM INTERNET, S.L. has been detected as adware by 2 anti-malware scanners. The program is a setup application that uses the installCore installer and is typically executed from the user's temporary directory. The file has been seen being downloaded from data.phpnuke.org and multiple other hosts.
Publisher:
Denzi  (signed by SILICOM INTERNET, S.L.)

Product:
Denzi App Store

Version:
1.0

MD5:
766ddb9d75f0675b5aae32152227b202

SHA-1:
1f1b6b0d1a28ffe32384aebf2055f50e6d14771e

SHA-256:
b7290558c5ca45f769bc6901e4f61f45e2a92b9fdb3cf3dc7e5084dc720420b5

Scanner detections:
2 / 68

Status:
Adware

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
11/25/2024 7:26:08 AM UTC  (today)

Scan engine | Detection | Engine version
Reason Heuristics | PUP.SILICOMINTERNETSL.M | 14.10.15.3
Trend Micro House Call | TROJ_GEN.F47V0825 | 7.2.288

File size:
1.2 MB (1,307,672 bytes)

Product version:
1.0

Bundler/Installer:
installCore (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\uexphm0a.exe.part

Digital Signature
Authority:
DigiCert Inc

Valid from:
8/7/2012 3:00:00 AM

Valid to:
10/11/2013 3:00:00 PM

Subject:
CN="SILICOM INTERNET, S.L.", O="SILICOM INTERNET, S.L.", L=Villaviciosa de Odon, C=ES

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
058A01C3E9A1F7F97F70E1CEA3006E5F

File PE Metadata
Compilation timestamp:
12/6/2009 1:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:3yRe/X3eHoVb1ijiwP495cX24NJZSCJlg4fpkSPsQznX+S0:3yRIXy21If2KM4OSP1znXc

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
Entropy:
7.5886

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file uexphm0a.exe has been seen being distributed by the following 4 URLs.

http://data.phpnuke.org/lv/software/downloadf/.../Microsoft_Office_2010_Professional.htm?lang=en&country=ae&sign=f5be8ee9
