update.exe

Guangxi Nanning Qiwang Co. Ltd.

The application update.exe by Guangxi Nanning Qiwang Co has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. Additionally, the file is typically installed by a number of programs including Best Removal Tool by www.bestremovaltool.com and Best Uninstall Tool by www.bestremovaltool.com. While running, it connects to the Internet address li41-70.members.linode.com on port 80 using the HTTP protocol.
Publisher:
Guangxi Nanning Qiwang Co. Ltd.  (signed and verified)

MD5:
0e8d2aaa9bbb94ad558c633078dc5883

SHA-1:
cc669700403f7f04308b8d3852fdd8f574f773ae

SHA-256:
3b411741ef9036581308aa610cfe8c4c669aefbc3867602a0fbb49f626a3070c

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/27/2024 10:20:22 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.GuangxiNanningQiwangCo.G
14.2.24.7

File size:
735.4 KB (753,016 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\perfect uninstaller\update.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
6/29/2011 3:00:00 AM

Valid to:
6/29/2014 2:59:59 AM

Subject:
CN=Guangxi Nanning Qiwang Co. Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Guangxi Nanning Qiwang Co. Ltd., L=Nanning, S=Guangxi, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
058EFD81CFC178B930CAA249710DE3B1

File PE Metadata
Compilation timestamp:
6/20/1992 1:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:zt8rMMgZcb/xw6mPtmBGUsKT1GyGHWIIbrZYF:zczRZbEoH98HWIaFC

Entry address:
0x87100

Entry point:
55, 8B, EC, 83, C4, F0, B8, 90, 6D, 48, 00, E8, 6C, F1, F7, FF, A1, AC, 9C, 48, 00, 8B, 00, E8, EC, 39, FE, FF, 8B, 0D, 7C, 99, 48, 00, A1, AC, 9C, 48, 00, 8B, 00, 8B, 15, 60, 60, 48, 00, E8, EC, 39, FE, FF, A1, AC, 9C, 48, 00, 8B, 00, E8, 60, 3A, FE, FF, E8, 23, CE, F7, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
6.8030

Developed / compiled with:
Microsoft Visual C++

Code size:
536.5 KB (549,376 bytes)

The file update.exe has been discovered within the following programs.

Best Removal Tool  by www.bestremovaltool.com
www.bestremovaltool.com
About 1% of users remove it
Best Uninstall Tool  by www.bestremovaltool.com
www.bestuninstalltool.com
About 7% of users remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to perfectuninstaller.net  (162.243.5.72:80)

TCP (HTTP):
Connects to li41-70.members.linode.com  (72.14.179.70:80)

Remove update.exe - Powered by Reason Core Security