» update.exe
Overview
Analysis
File Details
Programs (2)
Network (2)

update.exe

Guangxi Nanning Qiwang Co. Ltd.

The application update.exe by Guangxi Nanning Qiwang Co has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. Additionally, the file is typically installed by a number of programs including Best Removal Tool by www.bestremovaltool.com and Best Uninstall Tool by www.bestremovaltool.com. While running, it connects to the Internet address li41-70.members.linode.com on port 80 using the HTTP protocol.

File name:

update.exe

Publisher:

Guangxi Nanning Qiwang Co. Ltd. (signed and verified)

MD5:

0e8d2aaa9bbb94ad558c633078dc5883

SHA-1:

cc669700403f7f04308b8d3852fdd8f574f773ae

SHA-256:

3b411741ef9036581308aa610cfe8c4c669aefbc3867602a0fbb49f626a3070c

Scanner detections:

1 / 68

Status:

Potentially unwanted

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:

11/15/2024 6:33:47 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.GuangxiNanningQiwangCo.G

14.2.24.7

File size:

735.4 KB (753,016 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\Program Files\perfect uninstaller\update.exe

Digital Signature

Signed by:

Guangxi Nanning Qiwang Co. Ltd.

Authority:

VeriSign, Inc.

Valid from:

6/29/2011 3:00:00 AM

Valid to:

6/29/2014 2:59:59 AM

Subject:

CN=Guangxi Nanning Qiwang Co. Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Guangxi Nanning Qiwang Co. Ltd., L=Nanning, S=Guangxi, C=CN

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

058EFD81CFC178B930CAA249710DE3B1

File PE Metadata

Compilation timestamp:

6/20/1992 1:22:17 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

12288:zt8rMMgZcb/xw6mPtmBGUsKT1GyGHWIIbrZYF:zczRZbEoH98HWIaFC

Entry address:

0x87100

Entry point:

55, 8B, EC, 83, C4, F0, B8, 90, 6D, 48, 00, E8, 6C, F1, F7, FF, A1, AC, 9C, 48, 00, 8B, 00, E8, EC, 39, FE, FF, 8B, 0D, 7C, 99, 48, 00, A1, AC, 9C, 48, 00, 8B, 00, 8B, 15, 60, 60, 48, 00, E8, EC, 39, FE, FF, A1, AC, 9C, 48, 00, 8B, 00, E8, 60, 3A, FE, FF, E8, 23, CE, F7, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Entropy:

6.8030

Developed / compiled with:

Microsoft Visual C++

Code size:

536.5 KB (549,376 bytes)

The file update.exe has been discovered within the following programs.

Best Removal Tool by www.bestremovaltool.com

www.bestremovaltool.com

About 1% of users remove it

Best Uninstall Tool by www.bestremovaltool.com

www.bestuninstalltool.com

About 7% of users remove it

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to perfectuninstaller.net (162.243.5.72:80)

TCP (HTTP):

Connects to li41-70.members.linode.com (72.14.179.70:80)

Remove update.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.