windeskwinsearch_in063a.exe

PC Software

The application windeskwinsearch_in063a.exe by PC Software has been detected as a potentially unwanted program by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from secured.cdnawbwest.us.
Publisher:
PC Software  (signed and verified)

MD5:
d3b37adb1a55b3bd588ee656926bd712

SHA-1:
85a8723081b090eca187bbbad54de63abb616646

SHA-256:
ebcdc7defe5515f892069213ca7fe5b63d96b1dce1645dbb1d7cb9532d78b8ea

Scanner detections:
11 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
11/6/2024 7:36:35 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2016.0.2901

Clam AntiVirus
Win.Adware.Outbrowse-1167
0.98/21511

Comodo Security
Application.Win32.InstallMonetizer.~AS
23566

Dr.Web
Adware.InstallMonetizer.19
9.0.1.05190

Malwarebytes
PUP.Optional.WindeskWinsearch
v2015.12.08.09

McAfee
Program.Artemis!D3B37ADB1A55
18.0.204.0

Qihoo 360 Security
HEUR/QVM42.1.Malware.Gen
1.0.0.1077

Sophos
PUA 'Winsearch'
5.21

SUPERAntiSpyware
PUP.InstallMonetizer/Variant
9459

VIPRE Antivirus
Threat.4786532
45686

ViRobot
Adware.Installmonetizer.1022808[h]
2014.3.20.0

File size:
998.8 KB (1,022,808 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\windeskwinsearch_in063a.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
10/9/2015 2:00:00 AM

Valid to:
10/9/2016 1:59:59 AM

Subject:
CN=PC Software, O=PC Software, STREET=5655 Silver Creek Valley Road, L=San Jose, S=CA, PostalCode=95138, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0094D260FFCC1D2D56E0DA163346897627

File PE Metadata
Compilation timestamp:
12/5/2009 11:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:46p3cqCG/fVdSiQ3FtiSWDR5d+LnsqQiiMc:DpMqCGP/QWSWDnw7zQz

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file windeskwinsearch_in063a.exe has been seen being distributed by the following URL.

Remove windeskwinsearch_in063a.exe - Powered by Reason Core Security