popservice.exe

PopService

Installmatic, LLC

This is part of the Installmatic installer, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed with minimal consent. The application popservice.exe by Installmatic has been detected as adware by 12 anti-malware scanners. The program is a setup application that uses the Installmatic Setup installer. It runs as a Windows service named “PopDeals Service Watcher” in its own process. While running, it connects to the Internet address sage.parklogic.com on port 8888.
Publisher:
Installmatic, LLC  (signed and verified)

Product:
PopService

Version:
1.0.3.0

MD5:
1a1f0d4c79a74477361a51c9acef88d4

SHA-1:
de8f3f2532c1c1052e117ab4e9696ccc5eafdb0b

SHA-256:
5a1682035488b7c50d108368c8f80de326bb470b5dcd59bb0d4bfedcccb4ac48

Scanner detections:
12 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
5/17/2024 1:14:19 AM UTC

Scan engine | Detection | Engine version
AVG | DealApp | 2016.0.3010
Baidu Antivirus | Adware.MSIL.Popdeals | 4.0.3.15822
Bkav FE | W32.HfsAdware | 1.3.0.6379
Comodo Security | TrojWare.Win32.Fsysna.CLJ | 22283
ESET NOD32 | MSIL/Adware.Popdeals (variant) | 9.11821
IKARUS anti.virus | AdWare.MSIL.Popdeals | t3scan.1.9.5.0
K7 AntiVirus | Adware | 13.205.16309
Malwarebytes | PUP.Optional.PopDeals | v2015.08.22.12
Reason Heuristics | PUP.Installmatic (M) | 15.8.22.0
Sophos | Virus 'Mal/MSIL-LL' | 5.12
Trend Micro House Call | Suspicious_GEN.F47V0614 | 7.2.234
VIPRE Antivirus | MSIL.Adware.Popdeals | 41338

File size:
96.6 KB (98,880 bytes)

Product version:
1.0.3.0

Copyright:
Copyright © 2015

Original file name:
popservice3.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Installmatic Setup

Language:
Language Neutral

Common path:
C:\Program Files\popservice\popservice.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
7/22/2015 9:00:00 PM

Valid to:
7/22/2016 8:59:59 PM

Subject:
CN="Installmatic, LLC", O="Installmatic, LLC", STREET="80 SW 8th St #2000", L=Miami, S=FL, PostalCode=33130, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
2D13291AEE51B2226F83396FCD33C1F1

File PE Metadata
Compilation timestamp:
8/20/2015 7:11:57 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
1536:ysaLkt1RieRas8b6IfycL8TQ/vZRl1ViP6qTi2lUtUri/gg:bMu1bQb6IfycL8TQ/vZRl1ViPpL+r

Entry address:
0x17DBE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 02, 00, 10, 00, 00, 00, 20, 00, 00, 80, 18, 00, 00, 00, 50, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 00, 38, 00, 00, 80, 00, 00, 00, 00, 00, 00...
 

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
87.5 KB (89,600 bytes)

Service
Display name:
PopDeals Service Watcher

Service name:
PopService

Description:
Watchdog service for PopDeals

Type:
Win32OwnProcess


The running file has been observed making the following network connections in live environments.

TCP:
Connects to sage.parklogic.com  (69.39.236.56:8888)
