home

30ff1081c40b5d07b75e2c5863df151d.exe

The application 30ff1081c40b5d07b75e2c5863df151d.exe has been detected as a potentially unwanted program by 26 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. This program installs potentially unwanted software on your PC at the same time as the software you are trying to install, without adequate consent. While running, it connects to the Internet address tlb.hwcdn.net on port 80 using the HTTP protocol.
MD5:
077e367cf310cfb07e76637501355431

SHA-1:
2cc331ec76cd731582105dffad74f2a1888ab5d0

SHA-256:
5c42b6538b9b30e86b9be5026061ee41d780b6a515a6027f8513b7f409fc0cd6

Scanner detections:
26 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications using the Vittalia monitization installer.

Analysis date:
5/7/2024 7:30:08 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.Bundler.KJ
5743552

Agnitum Outpost
Riskware.Agent
7.1.1

AhnLab V3 Security
PUP/Win32.Downware
2015.06.18

Avira AntiVirus
ADWARE/Adware.Gen
7.11.30.172

Arcabit
Application.Bundler.KJ
1.0.0.425

avast!
Win32:Adware-CIX [PUP]
150602-1

AVG
Generic
2016.0.3075

Bitdefender
Application.Bundler.KJ
1.0.20.845

Clam AntiVirus
Win.Adware.Downloadadmin
0.98/20576

Comodo Security
Application.Win32.DownloadAdmin.ANGL
22485

Dr.Web
Trojan.Vittalia.36
9.0.1.05190

Emsisoft Anti-Malware
Application.Bundler.KJ
10.0.0.5366

ESET NOD32
Win32/DownloadAdmin.H potentially unwanted application
7.0.302.0

F-Prot
W32/S-4234b123
v6.4.7.1.166

F-Secure
Riskware.Application.Bundler.KJ
5.14.151

G Data
Application.Bundler.KJ
15.6.25

K7 AntiVirus
Unwanted-Program
13.205.16279

Malwarebytes
PUP.Optional.DownloadAdmin
v2015.06.18.12

MicroWorld eScan
Application.Bundler.KJ
16.0.0.507

NANO AntiVirus
Riskware.Win32.Downware.djahkt
0.30.24.2086

Norman
Application.Bundler.KJ
02.06.2015 14:23:46

Sophos
PUA 'DownloadAdmin' (of type Adware)
5.15

Total Defense
Win32/Tnega.IQCCUAC
37.1.62.1

Vba32 AntiVirus
Downloader.Agent
3.12.26.4

VIPRE Antivirus
Threat.4783369
40828

Zillya! Antivirus
Backdoor.PePatch.Win32.66832
2.0.0.2233

File size:
884.2 KB (905,466 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\30ff1081c40b5d07b75e2c5863df151d.exe

File PE Metadata
Compilation timestamp:
7/15/2014 5:29:31 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:JxpJfslZtuaVd9lpmhwQbift489IVGD4xJFl6Xqb5Kbmkg8S:bp9sVuaVdvgVbmgGDijyikg5

Entry address:
0x3345

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, B0, 73, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, C0, 70, 40, 00, 53, FF, 15, 88, 72, 40, 00, 6A, 08, A3, B8, 3C, 42, 00, E8, 2E, 25, 00, 00, 53, 68, 60, 01, 00, 00, A3, C0, 3B, 42, 00, 8D, 44, 24, 38, 50, 53, 68, 43, 74, 40, 00, FF, 15, 64, 71, 40, 00, 68, 38, 74, 40, 00, 68, C0, 33, 42, 00, E8, 1F, 24, 00, 00, FF, 15, BC, 70, 40, 00, 50, BF, 00, 90, 42, 00, 57, E8, 0D, 24, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.10:80)

TCP (HTTP):
Connects to st-sh-us-dc1-001.s.dss.vg  (208.91.197.27:80)

TCP (HTTP):
Connects to server-54-230-55-199.jfk6.r.cloudfront.net  (54.230.55.199:80)

TCP (HTTP):
Connects to server-54-230-52-97.jfk6.r.cloudfront.net  (54.230.52.97:80)

TCP (HTTP):
Connects to server-54-230-52-248.jfk6.r.cloudfront.net  (54.230.52.248:80)

TCP (HTTP):
Connects to server-54-230-52-170.jfk6.r.cloudfront.net  (54.230.52.170:80)

TCP (HTTP):
Connects to server-54-192-55-183.jfk6.r.cloudfront.net  (54.192.55.183:80)

TCP (HTTP):
Connects to ns237133.ovh.net  (37.59.34.142:80)

TCP (HTTP):
Connects to ec2-54-208-23-129.compute-1.amazonaws.com  (54.208.23.129:80)

TCP (HTTP):
Connects to a72-246-43-24.deploy.akamaitechnologies.com  (72.246.43.24:80)

TCP (HTTP):
Connects to a23-67-243-96.deploy.static.akamaitechnologies.com  (23.67.243.96:80)

TCP (HTTP):
Connects to a23-67-243-81.deploy.static.akamaitechnologies.com  (23.67.243.81:80)

TCP (HTTP):
Connects to a1plpkivs-v03.any.prod.ash1.secureserver.net  (72.167.239.239:80)

TCP (HTTP):
Connects to 50.22.63.138-static.reverse.softlayer.com  (50.22.63.138:80)

Remove 30ff1081c40b5d07b75e2c5863df151d.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.