update.exe

Power Play Media

The application update.exe by Power Play Media has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Tomorrow Software Installer installer. The file has been seen being downloaded from files4.fastdownload6.com.
Publisher:
Power Play Media  (signed and verified)

Product:
Power Play Media

Version:
84.9.1.3220

MD5:
76293c3fdfadeadf8121c71c30486bca

SHA-1:
5da58c18fa66380fb2f4e3d0dbd470988c88d981

SHA-256:
6d99b97b57a751a4e702615fc4f49132b7c5e395c7d3c5267535d5dd2679e0a2

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/26/2024 12:25:03 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.TomorrowSoftware (M)
17.2.3.8

File size:
882.2 KB (903,360 bytes)

Product version:
84.9.1.3220

Copyright:
Copyright (C) 2015

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Tomorrow Software Installer

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\update.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
10/31/2015 3:29:38 AM

Valid to:
10/14/2016 6:17:38 AM

Subject:
CN=Power Play Media, O=Power Play Media, L=San Francisco, S=California, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00CB772AFDE1772CC3

File PE Metadata
Compilation timestamp:
10/28/2014 1:03:55 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x4100

Entry point:
E8, 1B, 94, 00, 00, E9, 27, 8D, 00, 00, CC, CC, CC, CC, CC, CC, 55, 8B, EC, 83, E4, C0, 83, EC, 34, 53, 56, 57, E8, 0F, 11, 00, 00, 8B, F0, A3, C0, C1, 44, 00, 85, F6, 75, 15, 68, A0, BF, 44, 00, E8, 2A, 01, 00, 00, 83, C4, 04, 6A, 37, FF, 15, 38, F0, 40, 00, 68, 00, 01, 00, 00, 6A, 00, 56, E8, 82, 12, 00, 00, 56, E8, DC, 0F, 00, 00, 8B, 5D, 08, 6A, 00, 53, 56, E8, E0, 0F, 00, 00, 33, FF, 83, C4, 1C, 89, 7C, 24, 3C, 85, DB, 7E, 34, 8D, 49, 00, DB, 44, 24, 3C, 83, EC, 08, DD, 1C, 24, 56, E8, D0, 11, 00, 00...
 
[+]

Code size:
53.5 KB (54,784 bytes)

The file update.exe has been seen being distributed by the following URL.

http://files4.fastdownload6.com/download/.../dl?bc=1126566&pid=updateadmin&brand=updateadmin.com&aid=080915&s=adknowledge&c=Mozilla_Firefox&country=ID&cb=-509173179&filename=Update.exe&productKey=ohx44as6nwpdmwjhyjscv5m3y7ebdtim&osName=Windows&osVersion=8.1&browserName=IE&browserVersion=7&zTmp=1&executable=1196807

Remove update.exe - Powered by Reason Core Security