gimp.exe

XENIUM

The application gimp.exe by XENIUM has been detected as adware by 4 of 68 anti-malware scanners. It is a setup program used to install the application, built on the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from storage.dobreprogramy.pl.
Publisher:
XENIUM  (signed and verified)

MD5:
4aa63442616e7d0230516cdf1915b9b9

SHA-1:
1922dd801126ed6d1cf63c2ec7d9e8a94dea46ec

SHA-256:
c8788d899a6c6f05dff3a5fbd94ab9039a6d6ffac2ec2b86e204f274ca2463c7

Scanner detections:
4 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
4/24/2024 2:06:54 AM UTC

Scan engine | Detection | Engine version
ESET NOD32 | Win32/DobreProgramy (variant) | 9.7966
herdProtect (fuzzy) | (no detection name listed) | 2015.7.3.13
Reason Heuristics | PUP.XENIUM | 15.3.29.6
Rising Antivirus | AdWare.Win32.InstallCore.i | 23.00.65.15701

File size:
567.6 KB (581,224 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\gimp.exe

Digital Signature
Signed by:
XENIUM
Authority:
COMODO CA Limited

Valid from:
8/21/2012 2:00:00 AM

Valid to:
8/22/2013 1:59:59 AM

Subject:
CN=XENIUM, O=XENIUM, STREET=Al. Jana Kasprowicza 94, L=Wrocław, S=dolnośląskie, PostalCode=51-145, C=PL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0086EFAB0F9A06ED62A2D7D81BF3D251DF

File PE Metadata
Compilation timestamp:
1/31/2013 12:17:30 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:e21XWL5+LI+DSrinWuoypbbzoBtFg0BGWM9Hi19A:NXUgLIi9pbbyii19A

Entry address:
0x150D30

Entry point:
60, BE, 00, B0, 4C, 00, 8D, BE, 00, 60, F3, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
 

Packer / compiler:
UPX 2.90 [LZMA]

Code size:
536 KB (548,864 bytes)
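The entry-point bytes listed above are the start of the standard UPX x86 decompression stub (pushad; mov esi, <packed data>; lea edi, [esi + disp]; push edi; or ebp, -1; jmp short). The following script is an added example, not code from this page or from the file's publisher: it walks a PE32 header to the entry point, matches that stub and decodes where the unpacked code will be written, and pulls the compile timestamp and linker version from the same headers so they can be compared with the values reported on the page. The sample PE it builds in memory is constructed for the example (one section laid out so the entry RVA is 0x150D30 and the compile timestamp is the page's 1/31/2013 12:17:30 taken as UTC); it is not gimp.exe, and the 0x400000 image base it assumes is an assumption, not something the page states.

```python
import hashlib
import struct
from datetime import datetime, timezone

# The first 18 entry-point bytes listed on this page for gimp.exe: the start of
# the UPX x86 decompression stub.
GIMP_EXE_ENTRY = bytes.fromhex("60 BE 00 B0 4C 00 8D BE 00 60 F3 FF 57 83 CD FF EB 10")


def match_upx_stub(code: bytes):
    """Match the classic UPX x86 stub and decode its operands:
         60              pushad
         BE imm32        mov  esi, <start of packed data>
         8D BE disp32    lea  edi, [esi + disp32]   ; where unpacked code is written
         57              push edi
         83 CD FF        or   ebp, -1
         EB xx           jmp  short <decompressor>
    Returns {"packed_src": ..., "unpack_dst": ...} or None if the bytes do not match."""
    if len(code) < 18:
        return None
    if (code[0] != 0x60 or code[1] != 0xBE or code[6:8] != b"\x8d\xbe"
            or code[12] != 0x57 or code[13:16] != b"\x83\xcd\xff" or code[16] != 0xEB):
        return None
    packed_src = struct.unpack_from("<I", code, 2)[0]
    disp = struct.unpack_from("<i", code, 8)[0]          # signed 32-bit displacement
    return {"packed_src": packed_src, "unpack_dst": (packed_src + disp) & 0xFFFFFFFF}


def pe_entry_info(data: bytes) -> dict:
    """Minimal PE32 header walk: entry RVA, image base, compile timestamp, linker
    version, and the first 32 file bytes at the entry point."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    fh = e_lfanew + 4                                     # IMAGE_FILE_HEADER
    _machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                         # IMAGE_OPTIONAL_HEADER
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (Win32) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sec = opt + opt_size                                      # first section header
    for i in range(nsec):
        _name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec + 40 * i)
        if va <= entry_rva < va + max(vsize, rawsize):
            off = rawptr + (entry_rva - va)                   # RVA -> file offset
            return {"entry_rva": entry_rva, "image_base": image_base, "timestamp": tstamp,
                    "linker": f"{lmaj}.{lmin}", "entry_bytes": data[off:off + 32]}
    raise ValueError("entry point not inside any section")


def triage(data: bytes) -> dict:
    """Hash the file and report the header facts a triage note would list."""
    info = pe_entry_info(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "entry_rva": info["entry_rva"],
        "entry_va": info["image_base"] + info["entry_rva"],
        "compiled": datetime.fromtimestamp(info["timestamp"], tz=timezone.utc).isoformat(),
        "linker": info["linker"],
        "upx_stub": match_upx_stub(info["entry_bytes"]),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 for the example (NOT the real gimp.exe): one section
    named UPX1 whose entry point holds the stub bytes above, laid out so the entry RVA
    is 0x150D30 and the compile timestamp is 2013-01-31 12:17:30 UTC (assumed UTC)."""
    stub = GIMP_EXE_ENTRY + b"\x90" * 16
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 1359634650, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<HBB", opt, 0, 0x10B, 10, 0)            # PE32, linker 10.0
    struct.pack_into("<I", opt, 16, 0x150D30)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase (assumed)
    sec = struct.pack("<8sIIII", b"UPX1", 0x1000, 0x150000, 0x1000, 0x200) + bytes(16)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0")
    body = bytearray(0x1000)
    body[0xD30:0xD30 + len(stub)] = stub
    return headers + bytes(body)


if __name__ == "__main__":
    for k, v in triage(build_sample_pe()).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) else f"{k}: {v}")
```

Run against a real sample, triage(open(path, "rb").read()) gives the SHA-256 to match against the hash above, the entry RVA to compare with the listed entry address, and the stub's decoded unpack destination; a match on the stub alone confirms a UPX wrapper, not what the wrapped installer does, which still requires unpacking or running it in a sandbox. The compile timestamp is worth comparing with the signing certificate's validity window listed below (8/21/2012 to 8/22/2013).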

The file gimp.exe has been seen being distributed from storage.dobreprogramy.pl.
