» protectorpackagerr2016x64.exe
Overview
Analysis
File Details
Downloads (6)
Network (1)

protectorpackagerr2016x64.exe

Reimage Protector

Reimage Limited

The application protectorpackagerr2016x64.exe, “Reimage Protector Installation Package” by Reimage Limited has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from 41.223.201.246 and multiple other hosts. While running, it connects to the Internet address vip080.ssl.hwcdn.net on port 80 using the HTTP protocol.

File name:

Publisher:

Reimage (signed by Reimage Limited)

Product:

Reimage Protector

Description:

Reimage Protector Installation Package

Version:

2.016

MD5:

782da72ac8ce4ebfe31406af63970578

SHA-1:

e48b565798c9b9ecf854af44fe00c615db7fc02f

SHA-256:

8334dd4057313f06c967de39adde27282254d36153ad47ab5df3ecaad3c68ddb

Scanner detections:

1 / 68

Status:

Potentially unwanted

Analysis date:

4/18/2024 10:59:24 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Reimage (L)

17.1.23.15

File size:

5.4 MB (5,692,384 bytes)

Product version:

2.016

Trademarks:

Reimage

Original file name:

ProtectorPackage.exe

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\protectorpackagerr2016x64.exe

Digital Signature

Signed by:

Reimage Limited

Authority:

Symantec Corporation

Valid from:

5/17/2016 2:00:00 AM

Valid to:

8/17/2019 1:59:59 AM

Subject:

CN=Reimage Limited, O=Reimage Limited, L=Dasoupoli, S=Nicosia, C=CY

Issuer:

CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:

4320101ADF7A07C7405BC4433AE31FFD

File PE Metadata

Compilation timestamp:

2/24/2012 8:19:59 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

Entry address:

0x39E3

Entry point:

81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00... 
[+]

Packer / compiler:

Nullsoft install system v2.x

Code size:

28 KB (28,672 bytes)

The file protectorpackagerr2016x64.exe has been seen being distributed by the following 6 URLs.

http://41.223.201.246:801/.../ProtectorPackageRR2016x64.exe

http://172.19.66.40/.../ProtectorPackageRR2016x64.exe

http://113.171.224.170/.../ProtectorPackageRR2016x64.exe

http://172.19.66.103/.../ProtectorPackageRR2016x64.exe

http://ukrep.reimage.com/.../ProtectorPackageRR2016x64.exe

http://cdnrep.reimage.com/.../ProtectorPackageRR2016x64.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to vip080.ssl.hwcdn.net (205.185.208.80:80)

Remove protectorpackagerr2016x64.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.