updatetask.exe

This file is part of various InstallCore adware bundles. It is designed to run daily and maintain the current state of the installed product(s) offered (mostly unwanted adware) by connecting to a remote server for configuration instructions. The application updatetask.exe has been detected as adware by 13 anti-malware scanners. It runs as a scheduled task named SaveSense under the Windows Task Scheduler, triggered daily at a specified time. The file is typically installed with the program SaveSense by savesense.com, which is a potentially unwanted software program.
MD5:
092689149c24f71d74a3076ccf92132d

SHA-1:
d383a7a87ab3076147ea6c1ef4a98ee979670ac2

SHA-256:
81cc7114d1604c88d645a61b9113cfda606bfeb695f7cf7d3fc726b2279362da

Scanner detections:
13 / 68

Status:
Adware

Explanation:
The update task for the InstallCore download manager.

Analysis date:
4/26/2024 7:52:42 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| avast! | Win32:Malware-gen | 2014.9-140214 |
| Baidu Antivirus | Adware.Win32.DealPly | 4.0.3.14214 |
| Boost by Reason | Optional.Task.K | 188432 |
| Dr.Web | Adware.Shopper.396 | 9.0.1.062 |
| ESET NOD32 | Win32/DealPly (variant) | 8.9426 |
| K7 AntiVirus | Trojan | 13.176.11322 |
| McAfee | Artemis!092689149C24 | 5600.7202 |
| Qihoo 360 Security | HEUR/Malware.QVM05.Gen | 1.0.0.1015 |
| Reason Heuristics | PUP.UpdateProc.Task.K | 14.3.3.16 |
| Sophos | Generic PUA ND | 4.98 |
| Trend Micro House Call | ADW_SENSAVE | 7.2.62 |
| Trend Micro | ADW_SENSAVE | 10.465.03 |
| VIPRE Antivirus | Trojan-Downloader.Trojan | 27044 |

File size:
190.5 KB (195,072 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\savesense\updateproc\updatetask.exe

File PE Metadata
Compilation timestamp:
6/19/1992 7:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
3072:czPU1rP6+lsicSdFPInTTUNFqHiPLGGRbPQDFe51xQmVXK/o4FseccNMq9:cY1L6aNPMXUXxPHbPYODq/ZZ

Entry address:
0x15D18

Entry point:
55, 8B, EC, 83, C4, F0, B8, C0, 5C, 41, 00, E8, AC, EE, FE, FF, 6A, 01, 68, F8, 58, 41, 00, 68, 3C, 5A, 41, 00, 68, 70, 5A, 41, 00, B9, 5C, 5D, 41, 00, BA, 88, 5D, 41, 00, B8, 88, 5D, 41, 00, E8, 53, F7, FF, FF, E8, 96, DC, FE, FF, 00, 00, FF, FF, FF, FF, 22, 00, 00, 00, 71, 2D, 32, 2C, 61, 64, 70, 68, 6C, 6B, 6A, 2D, 33, 2D, 2B, 2C, 70, 74, 69, 64, 71, 61, 2D, 34, 2C, 76, 76, 2A, 6E, 6A, 68, 55, 2E, 4F, 00, 00, FF, FF, FF, FF, 09, 00, 00, 00, 53, 61, 76, 65, 53, 65, 6E, 73, 65, 00, 00, 00, 00, 00, 00, 00...
 

Code size:
83.5 KB (85,504 bytes)

Scheduled Task
Task name:
SaveSense

Trigger:
Daily (Runs daily at 23:32)

Action:
updatetask.exe \check


The file updatetask.exe has been discovered within the following programs.

SaveSense  by savesense.com
From the EULA: "SaveSense provides you with services which are intended to enhance your online shopping experience, showing you same products or different stores with cheaper prices and exposing you to coupons allowing you to enjoy exclusive discounts when checking out products ("Offers")."
support.savesense.com
62% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

