windows.7.codec.pack.v4.1.5.setup.exe

Cole Williams Software Limited

The application windows.7.codec.pack.v4.1.5.setup.exe by Cole Williams Software Limited has been detected as a potentially unwanted program by 7 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from dl.cdn.chip.de and multiple other hosts. While running, it connects to the Internet address 14.d7.24ae.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
Windows 7 - Codec Pack  (signed by Cole Williams Software Limited)

Product:
Windows 7 - Codec Pack

Version:
4.1.5.1007

MD5:
16eef99607a3c121476ccba400a2ed05

SHA-1:
319c26fc145109f4e2966a87e40edb10715266be

SHA-256:
df3e609a5763d22950c6f0f371b727405f461500a5824e556374728570492b0c

Scanner detections:
7 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 11:17:17 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Agent
7.1.1

Dr.Web
Adware.Spigot.76
9.0.1.0293

Fortinet FortiGate
Adware/Agent
10/20/2015

K7 AntiVirus
Riskware
13.211.17593

Kaspersky
not-a-virus:AdWare.Win32.Agent
14.0.0.1246

VIPRE Antivirus
Spigot
44682

Zillya! Antivirus
Trojan.Packed.Win32.73976
2.0.0.2461

File size:
30.9 MB (32,372,144 bytes)

Copyright:
© 2015 Cole Williams

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\windows.7.codec.pack.v4.1.5.setup.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
10/7/2014 2:00:00 AM

Valid to:
10/7/2017 1:59:59 AM

Subject:
CN=Cole Williams Software Limited, O=Cole Williams Software Limited, STREET=36 HIGH STREET, L=CLEETHORPES, S=North East Lincolnshire, PostalCode=DN35 8JN, C=GB

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
7B34F7BF986A7A767AD50C2534671750

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
786432:00u38pXCqiEieWgGYb2VtoXJhPKUQYyLmwDF9xL:ms00ieneofpnwx9xL

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file windows.7.codec.pack.v4.1.5.setup.exe has been seen being distributed by the following 8 URLs.

http://dl.cdn.chip.de/downloads/.../windows.7.codec.pack.v4.1.5.setup.exe

https://www.kaldata.com/modules.php?modid=1&action=download&id=1623

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 14.d7.24ae.ip4.static.sl-reverse.com  (174.36.215.20:80)

Remove windows.7.codec.pack.v4.1.5.setup.exe - Powered by Reason Core Security