howcodec_update.exe

yessign

The executable howcodec_update.exe has been detected as malware by 13 anti-virus scanners. It is set to execute automatically when any user logs into Windows, through a Run registry entry named ‘howcodec’. According to AVG, this software downloads additional adware offers during setup.
Publisher:
yessign  (signed and verified)

MD5:
ca4943da6965491fee5dc0b7680d68d4

SHA-1:
451bd41971f7b6440672ec1cce72747dd6006ab0

SHA-256:
92bcd52220090b495c08826a45d0a93f629b38c8ea46dd0701c3399fbb3c60fe

Scanner detections:
13 / 68

Status:
Malware

Analysis date:
4/24/2024 11:29:47 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| AhnLab V3 Security | Downloader/Win32.Genome | 2010.06.30 |
| avast! | Win32:Malware-gen | 2014.9-160922 |
| AVG | Downloader.Generic9 | 2017.0.2612 |
| Bitdefender | Trojan.Generic.4090051 | 1.0.20.1330 |
| F-Prot | W32/Downldr2.IMRR | v6.4.6.1.107 |
| F-Secure | Trojan.Generic.4090051 | 11.2016-22-09_5 |
| G Data | Trojan.Generic.4090051 | 16.9.21 |
| IKARUS anti.virus | Trojan.Delf | t3scan.1.1.84.0 |
| Kaspersky | Trojan-Downloader.Win32.Genome | 14.0.0.-444 |
| McAfee | Generic Downloader.x!cxs | 5600.6268 |
| nProtect | Trojan.Generic.4090051 | 10.06.30.01 |
| Sophos | Sus/Uddo-B | 4.54 |
| Vba32 AntiVirus | Trojan-Downloader.Win32.Genome.aaoj | 3.12.12.5 |

File size:
301.6 KB (308,832 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\howcodec\howcodec_update.exe

Digital Signature
Signed by:

Authority:
yessign

Valid from:
7/16/2009 12:00:00 AM

Valid to:
7/16/2010 11:59:59 PM

Subject:
CN=FIRST I, OU=20090716000001, OU=code-sign, O=yessign, C=kr

Issuer:
CN=yessignCA General Class 1, OU=AccreditedCA, O=yessign, C=kr

Serial number:
018A

File PE Metadata
Compilation timestamp:
6/20/1992 7:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
6144:Apd2+UcB4GusgNYI+QBRCWNi9dSF5Qoahw0cT/DEwjGqBBL6L33roo63HEs:a5B4GuFNYomSQoNEEGqBBq37oP3Es

Entry address:
0xF0020

Entry point:
60, BE, 00, 80, 4A, 00, 8D, BE, 00, 90, F5, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 19, 8B, 1E, 83, EE, FC, 11, DB, 72, 10, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 78, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11...
 

Entropy:
7.8780

Packer / compiler:
UPX 2.90LZMA

Code size:
292 KB (299,008 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
howcodec

Command:
"C:\Program Files\howcodec\howcodec_update.exe"

