» goforfiles.exe
Overview
Analysis
File Details
Downloads (2)

goforfiles.exe

UpdateStar GmbH

The installer utilizes the installCore download manager which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application goforfiles.exe by UpdateStar GmbH has been detected as a potentially unwanted program by 24 anti-malware scanners. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from client.updatestar.com and multiple other hosts.

File name:

goforfiles.exe

Publisher:

UpdateStar GmbH (signed and verified)

MD5:

d1e2463c434853befba9ca208a165393

SHA-1:

3a89069ee9694abde68f6e1aab760139d9a0bbe8

SHA-256:

0a70f78e39e3dc0c19369c63c5940338819777ee6bec20d33b16565774e6eb77

Scanner detections:

24 / 68

Status:

Potentially unwanted

Explanation:

Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:

This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:

4/26/2024 2:58:01 PM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

PUA.InstallCore

7.1.1

Avira AntiVirus

ADWARE/InstallCore.Gen7

7.11.129.130

avast!

Win32:Adware-gen [Adw]

2014.9-140524

AVG

MalSign.InstallC

2015.0.3464

Baidu Antivirus

Adware.Win32.InstallCore

4.0.3.14524

Comodo Security

Application.Win32.Installcore.UPT

18186

Dr.Web

Trojan.KillProc.30849

9.0.1.0144

Emsisoft Anti-Malware

Adware.Generic.552604

8.14.05.24.07

ESET NOD32

Win32/InstallCore.JE.gen (variant)

8.9383

Fortinet FortiGate

Riskware/InstallCore_JE

5/24/2014

IKARUS anti.virus

Win32.AdWare

t3scan.2.2.29

K7 AntiVirus

Unwanted-Program

13.176.11913

Malwarebytes

PUP.Optional.Installcore

v2014.05.24.07

McAfee

Artemis!D1E2463C4348

5600.7120

nProtect

Adware/W32.Agent.685056

14.03.05.01

Panda Antivirus

Trj/dtcontx.L

14.05.24.07

Qihoo 360 Security

Win32/Virus.Adware.94c

1.0.0.1015

Reason Heuristics

PUP.UpdateStarGmbH.K

14.5.24.19

Rising Antivirus

PE:Malware.XPACK-LNR/Heur!1.5594

23.00.65.14522

Sophos

Install Core

4.97

Trend Micro House Call

TROJ_GEN.F47V0131

7.2.144

Trend Micro

ADW_INSTALLCORE

10.465.24

Vba32 AntiVirus

Downware.InstallCore

3.12.24.3

VIPRE Antivirus

Adware.Win32.InstallCore.ba

26158

File size:

669 KB (685,056 bytes)

File type:

Executable application (Win32 EXE)

Bundler/Installer:

installCore (using Inno Setup)

Language:

Language Neutral

Common path:

C:\users\{user}\downloads\goforfiles.exe

Digital Signature

Signed by:

UpdateStar GmbH

Authority:

COMODO CA Limited

Valid from:

1/2/2013 3:00:00 AM

Valid to:

1/3/2016 2:59:59 AM

Subject:

CN=UpdateStar GmbH, O=UpdateStar GmbH, STREET=Hauptstraße 20, L=Berlin, S=Berlin, PostalCode=10827, C=DE

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

009ED227324380B40DDE36C8D31A33831F

File PE Metadata

Compilation timestamp:

6/20/1992 1:22:17 AM

OS version:

1.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

12288:7vptvVqpPXo+HrdkNuX3MmmJalSXGUhjvmWLVGozhj/OuP/th:7vXvV0ddkz82vJGozhj/3h

Entry address:

0x9C40

Entry point:

55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE... 
[+]

Entropy:

7.7956

Packer / compiler:

Inno Setup v5.x - Installer Maker

Code size:

37 KB (37,888 bytes)

The file goforfiles.exe has been seen being distributed by the following 2 URLs.

http://client.updatestar.com/files/.../7-zipws_EN.exe

http://www.updatestar.com/.../2035959

Remove goforfiles.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.