home

updater12555.exe

Radyoos Media Ltd.

The application updater12555.exe by Radyoos Media has been detected as adware by 5 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered by a time event. While running, it connects to the Internet address geoplugin.net on port 80 using the HTTP protocol.
Publisher:
JollyWallet  (signed by Radyoos Media Ltd.)

Product:
JollyWallet

Description:
JollyWallet exe

Version:
1000.1000.1000.1000

MD5:
b758d6176ac986fcb100b9f6ec85ce2f

SHA-1:
5e2b8fe63338e041c352608f53340892e1a4e4b0

SHA-256:
ad81770f348aaa1adf80ddb017c4c73b04e538cf9d87ef4d0628d92dc3974390

Scanner detections:
5 / 68

Status:
Adware

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:
7/12/2025 6:59:46 AM UTC  (today)

Scan engine
Detection
Engine version

Boost by Reason
Adware.RadyoosMedia.M
2013.8.28.2

ESET NOD32
Win32/Toolbar.CrossRider (variant)
7.8631

herdProtect (fuzzy)
variant of updater26766.exe (Adware)
2013.12.20.16

Reason Heuristics
PUP.Task.RadyoosMedia.M
14.3.1.0

Trend Micro House Call
TROJ_GEN.F47V0302
7.2.240

File size:
203.6 KB (208,520 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
JollyWallet.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\updater12555\updater12555.exe

Digital Signature
Signed by:
Radyoos Media Ltd.

Authority:
VeriSign, Inc.

Valid from:
12/23/2012 4:00:00 PM

Valid to:
12/24/2013 3:59:59 PM

Subject:
CN=Radyoos Media Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Radyoos Media Ltd., L=Tel Aviv-Jaffa, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
49AC6CD3FC56DEFFDF28CC3D8009CFD8

File PE Metadata
Compilation timestamp:
1/15/2013 5:01:55 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:5/2e1jiykkaE5dKvKJZltWRkWTpJitu8xQAei7MxNEndGM/Odi:ge9iykqZvlt4k8Jkn+Aei7MxvMsi

Entry address:
0x15B31

Entry point:
E8, 95, 83, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 22, E2, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, 20, 26, 43, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 6C, 90, 42, 00...
 
[+]

Entropy:
6.4493

Code size:
158 KB (161,792 bytes)

Scheduled Task
Task name:
Updater12555.exe

Trigger:
Time (Next runs on 8/28/2013 at 5:08 AM)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to geoplugin.net  (178.237.36.10:80)

TCP (HTTP):
Connects to lb-212-222.above.com  (103.224.212.222:80)

Remove updater12555.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.