» 1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4.exe
Overview
Analysis
File Details
Behaviors (1)
Network (3)

1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4.exe

Bright circle investments Ltd.

This adware utilizes the Crossrider extension platform and will inject advertisiments in the Internet browser and may modify core browser settings. Ads will be delivered as banners and contextual text-links and may promote other potentially unwanted software. The application 1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4.exe by Bright circle investments has been detected as adware by 17 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. While running, it connects to the Internet address ip-184-168-221-53.ip.secureserver.net on port 80 using the HTTP protocol. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.

File name:

Publisher:

Plus-HD-V1.5 (signed by Bright circle investments Ltd.)

Product:

Plus-HD-V1.5

Description:

Plus-HD-V1.5 exe

Version:

1000.1000.1000.1000

MD5:

45a566edcab8fee7468f6dbebfbbbe61

SHA-1:

bfdaf7fd6781e41c605ba76e2e79d5c23b325e44

SHA-256:

761ea90bb59c887a781bb9b50451e21acf4054b8c5864d2b82337caf52c27922

Scanner detections:

17 / 68

Status:

Adware

Explanation:

May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:

4/18/2024 7:07:16 AM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

PUA.Toolbar.CrossRider

7.1.1

Avira AntiVirus

Adware/CrossRider.A.11496

7.11.158.214

avast!

Win32:Adware-gen [Adw]

140617-1

Comodo Security

ApplicUnwnt

18804

ESET NOD32

Win32/Toolbar.CrossRider.AK potentially unwanted application

7.0.302.0

Fortinet FortiGate

Riskware/Toolbar_CrossRider

7/24/2014

K7 AntiVirus

Trojan

13.180.12643

McAfee

RDN/Generic PUP.x!cgr

5600.7059

NANO AntiVirus

Riskware.Win32.CrossRider.dbkpsg

0.28.0.60698

Panda Antivirus

Trj/OCJ.F

14.07.24.03

Qihoo 360 Security

Win32/Virus.Adware.440

1.0.0.1015

Reason Heuristics

PUP.Task.Brightcircleinvestments.g

14.7.17.9

Sophos

Generic PUA LP

4.98

Trend Micro House Call

ADW_CROSSRID

7.2.205

Trend Micro

ADW_CROSSRID

10.465.24

VIPRE Antivirus

Threat.4789396

31208

Zillya! Antivirus

Adware.AdLoad.Win32.94

2.0.0.1850

File size:

876.5 KB (897,520 bytes)

Product version:

1000.1000.1000.1000

Original file name:

Plus-HD-V1.5.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\plus-hd-v1.5\1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4.exe

Digital Signature

Signed by:

Bright circle investments Ltd.

Authority:

COMODO CA Limited

Valid from:

6/19/2014 10:00:00 AM

Valid to:

6/20/2015 9:59:59 AM

Subject:

CN=Bright circle investments Ltd., O=Bright circle investments Ltd., STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00EF90FEF9AC8E258E5D30D0E08C84D37E

File PE Metadata

Compilation timestamp:

6/20/2014 8:06:25 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

12288:Pv7BHCyQ1oXvYCI6Yk6hUtHVhVxLH8fKLh3YPJXDgJ+kU64bFzCvdwXpTnFK:Pv7BHCbonr96UHVhVxLH8uPeP+QTw

Entry address:

0x8F28F

Entry point:

E8, 77, E3, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8B, 01, BA, FF, FE, FE, 7E, 03, D0, 83, F0, FF, 33, C2, 83, C1, 04, A9, 00, 01, 01, 81, 74, E8, 8B, 41, FC, 84, C0, 74, 32, 84, E4, 74, 24, A9, 00, 00, FF, 00, 74, 13, A9, 00, 00, 00, FF, 74, 02, EB, CD, 8D, 41, FF, 8B, 4C, 24, 04, 2B, C1, C3, 8D, 41... 
[+]

Entropy:

6.5533

Code size:

723.5 KB (740,864 bytes)

Scheduled Task

Task name:

1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4

Trigger:

Logon (Runs on logon)

Action:

1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4.exe \nnpqzal \tslqtz='plus-hd-v1.5' \pscfjxwe='C:\prog

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to tlb.hwcdn.net (69.16.175.10:80)

TCP (HTTP):

Connects to hwcdn.net (69.16.175.42:80)

TCP (HTTP):

Connects to ip-184-168-221-53.ip.secureserver.net (184.168.221.53:80)

Remove 1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.