pmmw.exe

ProfitServis LLC

This is a bundle installer which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application pmmw.exe by ProfitServis has been detected as adware by 10 anti-malware scanners. The program is a setup application that uses the ProfitServis Downloader installer. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address hosted-by.leaseweb.com on port 9001.
Publisher:
ProfitServis LLC  (signed and verified)

Version:
1.0.0.0

MD5:
ed848f78cae3b13e558cdd2ea1a1c581

SHA-1:
f90aa639248431a7dee843b02f82d2176cc9ca0a

SHA-256:
ad240b535ee6b2a3583348f68126ae08e22add9e3cc2ba827f3e00efef1066ef

Scanner detections:
10 / 68

Status:
Adware

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/25/2024 10:01:04 PM UTC

Scan engine | Detection | Engine version
Avira AntiVirus | APPL/InstallMon.enib | 7.11.206.68
avast! | Win32:InstallMonstr-GC [PUP] | 150129-1
AVG | Generic | 2016.0.3212
Dr.Web | Trojan.InstallMonster.953 | 9.0.1.05190
ESET NOD32 | Win32/InstallMonstr.HI potentially unwanted application | 7.0.302.0
Kaspersky | not-a-virus:AdWare.Win32.InstallMonster | 15.0.0.543
Norman | InstallMonstr.S | 11.20150201
Reason Heuristics | PUP.ProfitServis | 15.2.1.4
Sophos | PUA 'Install Monster' | 5.09
Vba32 AntiVirus | Signed-Downware.InstallMonstr | 3.12.26.3

File size:
4.3 MB (4,477,280 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Bundler/Installer:
ProfitServis Downloader

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\pmmw.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
5/21/2014 3:00:00 AM

Valid to:
5/22/2015 2:59:59 AM

Subject:
CN=ProfitServis LLC, O=ProfitServis LLC, L=Village of Kommunar, S="Kharkiv District, Kharkiv Region", C=UA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
259670E42586FCE460513727E39AB7DF

File PE Metadata
Compilation timestamp:
6/20/1992 1:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:Ob8orIyv5ks14DImjMMt46pNh8EEaMpekkg/AnS6xcAA0BKPN0ftq/tn:Ob5Iqf14DImbi/8CA9+sBKV0fAtn

Entry address:
0x17FED80

Entry point:
60, BE, 00, D0, 87, 01, 8D, BE, 00, 40, B8, FE, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...

Entropy:
7.9364

Packer / compiler:
UPX 2.90 (LZMA)

Code size:
3.5 MB (3,682,304 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP:
Connects to hosted-by.leaseweb.com  (95.211.184.82:9001)

Remove pmmw.exe - Powered by Reason Core Security