home

em.exe

Event Monitor

SUPER TUNEUP TECHNOLOGIES LLP

The application em.exe by SUPER TUNEUP TECHNOLOGIES LLP has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘EMReminder’. While running, it connects to the Internet address 97.47.37a9.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
SUPER TUNEUP TECHNOLOGIES LLP  (signed and verified)

Product:
Event Monitor

Version:
1.18.81.16808

MD5:
31e9ea80ddf1ef1bf6e2f8ce41f89908

SHA-1:
42f333dfdbaedea16c817c72c8e010f615fa45e6

SHA-256:
e3dcb5a125817b38541901582bc00432aadc1ac595b3e94f61deaca75ee2a58e

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/19/2024 11:35:49 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.SecurePCCleaner (M)
16.9.21.14

File size:
3.2 MB (3,323,856 bytes)

Product version:
1.18.81.16808

Copyright:
Copyright (C) 2016. All rights reserved.

Trademarks:
Event Monitor

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Application data\event monitor\em.exe

Digital Signature
Signed by:
SUPER TUNEUP TECHNOLOGIES LLP

Authority:
Symantec Corporation

Valid from:
11/26/2015 1:00:00 AM

Valid to:
12/26/2016 12:59:59 AM

Subject:
CN=SUPER TUNEUP TECHNOLOGIES LLP, O=SUPER TUNEUP TECHNOLOGIES LLP, L=Jaipur, S=Rajasthan, C=IN

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
58FEBEB38F02A497B484D16ACC28799C

File PE Metadata
Compilation timestamp:
9/21/2016 4:04:54 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:T1LtV1x0yEsPAUA0FjFUz4y7lYeesV0zRWyh1MI1K3STXUZrxrmPmezMGsOUoDN2:T1Zbmvst7szd7lYYqzMyhCI1RKTjekJ

Entry address:
0x113A57

Entry point:
E8, 14, 7E, 00, 00, E9, 79, FE, FF, FF, 3B, 0D, 54, 17, 63, 00, 75, 02, F3, C3, E9, 96, 7E, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, 75, 14, 57, 33, FF, 3B, F7, 75, 04, 33, C0, EB, 65, 39, 7D, 08, 75, 1B, E8, 66, 30, 00, 00, 6A, 16, 5E, 89, 30, 57, 57, 57, 57, 57, E8, A6, 80, 00, 00, 83, C4, 14, 8B, C6, EB, 45, 39, 7D, 10, 74, 16, 39, 75, 0C, 72, 11, 56, FF, 75, 10, FF, 75, 08, E8, D6, 54, 00, 00, 83, C4, 0C, EB, C1, FF, 75, 0C, 57, FF, 75, 08, E8, A5, 30, 00, 00, 83, C4, 0C, 39, 7D, 10, 74, B6, 39, 75, 0C, 73...
 
[+]

Entropy:
5.6841

Code size:
1.8 MB (1,915,904 bytes)

Scheduled Task
Task name:
RunAtStartup

Trigger:
Logon (Runs on logon)


Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
EMReminder

Command:
C:\Documents and Settings\{user}\Application data\event monitor\em.exe -rem


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 97.47.37a9.ip4.static.sl-reverse.com  (169.55.71.151:80)

TCP (HTTP):
Connects to cdn-68-142-101-7.mia1.llnw.net  (68.142.101.7:80)

TCP (HTTP):
Connects to cdn-87-248-221-254.par.llnw.net  (87.248.221.254:80)

TCP (HTTP):
Connects to cdn-68-142-101-254-mia1.llnw.net  (68.142.101.254:80)

TCP (HTTP):
Connects to server-54-192-135-75.syd1.r.cloudfront.net  (54.192.135.75:80)

TCP (HTTP):
Connects to cdn-87-248-221-253.par.llnw.net  (87.248.221.253:80)

TCP (HTTP):
Connects to cdn-87-248-205-253.mad.llnw.net  (87.248.205.253:80)

TCP (HTTP):
Connects to cdn-117-121-249-253.sin.llnw.net  (117.121.249.253:80)

Remove em.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.