» {blocked}.exe
Overview
Analysis
File Details
Downloads (1)

{blocked}.exe

Windows Internet Explorer

Spektr AITI, TOV

While the file properties state the file is developed by 'Microsoft Corporation', this is not the case and it is designed just to look like a legitimate Microsoft system file. The application {blocked}.exe, “Установщик надстроек Internet Explorer” by Spektr AITI, TOV has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. The file has been seen being downloaded from downloader.disk.yandex.ru.

File name:

{blocked}.exe

Publisher:

Microsoft Corporation (signed by Spektr AITI, TOV)

Product:

Windows® Internet Explorer

Description:

Установщик надстроек Internet Explorer

Version:

8.00.7600.16385 (win7_rtm.090713-1255)

MD5:

19978e899a993e80a171c913fb258031

SHA-1:

8dcb9e67032d7bc4d3f3682c6829f932225fa751

SHA-256:

b354feae9e66409ef4b9f13d8d9047f7ccd3e8ea18627a378a3e368918cbe785

Scanner detections:

1 / 68

Status:

Potentially unwanted

Analysis date:

6/15/2024 9:24:06 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.InstallCube (M)

17.1.13.16

File size:

3.5 MB (3,655,736 bytes)

Product version:

8.00.7600.16385

Original file name:

ieinstal.exe.mui

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\downloads\reshebnik_po_rodnomu_yaziku_6_klass_sayahov_21_noyabrya_2014.exe

Digital Signature

Signed by:

Spektr AITI, TOV

Authority:

COMODO CA Limited

Valid from:

12/24/2015 5:00:00 AM

Valid to:

12/24/2016 4:59:59 AM

Subject:

CN="Spektr AITI, TOV", OU=IT, O="Spektr AITI, TOV", STREET="Bud. 30 kv. 292, prospekt Vatutina", L=Kiev, S=Kiev, PostalCode=02189, C=UA

Issuer:

CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

3694697EDF9F6EF8FF786FBBAD3234DF

File PE Metadata

Compilation timestamp:

1/13/2016 3:18:22 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

7.10

Entry address:

0x3521F0

Entry point:

55, 8B, EC, 6A, FF, 68, 98, 9A, 75, 00, 68, 70, 33, 75, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, E4, 70, 75, 00, 33, D2, 8A, D4, 89, 15, 88, A7, 75, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 84, A7, 75, 00, C1, E1, 08, 03, CA, 89, 0D, 80, A7, 75, 00, C1, E8, 10, A3, 7C, A7, 75, 00, 33, F6, 56, E8, CA, 0F, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, B0, 00, 00, 00, 59, 89, 75, FC, E8, 95, 0C, 00, 00, FF, 15, 18, 70, 75, 00, A3, B4, AC, 75, 00, E8... 
[+]

Developed / compiled with:

Microsoft Visual C++ v6.0

Code size:

3.3 MB (3,497,984 bytes)

The file {blocked}.exe has been seen being distributed by the following URL.

https://downloader.disk.yandex.ru/disk/9f8eb0b6c181ae90aaa958eda0027d097ff7b77a311da81ecfbe08dc6457775a/5696a125/.../x-msdownload&fsize=3655736&hid=2fa6a99ea2dc697d96dc1ea7d38a35b3&media_type=executable&tknv=v2

Remove {blocked}.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.