home

38d3.tmp.exe

Buffallo Bill

Buffallo GMBH

The application 38d3.tmp.exe, “Buffallo Sabes daemon” has been detected as a potentially unwanted program by 3 anti-malware scanners. It bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The file has been seen being downloaded from cdn4.downloadsoup.com and multiple other hosts.
Publisher:
Buffallo GMBH

Product:
Buffallo Bill

Description:
Buffallo Sabes daemon

Version:
6.7.8.10

MD5:
66977a460d31671a0aab641b31c8797f

SHA-1:
2771dd8d4b03593d210f0938c9a6e6ecc802ea64

SHA-256:
c02eb68e7e64b97533d9585504649b78403a07ccf0872f14bf5e78d2ba9577e0

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
5/21/2024 9:08:04 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/Amonetize.TJ potentially unwanted application
8.0.319.0

Kaspersky
not-a-virus:HEUR:AdWare.Win32.Amonetize
15.0.0.562

Reason Heuristics
Adware.Amonetize.Buffallo.Meta (M)
16.5.19.7

File size:
260.5 KB (266,752 bytes)

Product version:
6.7.8.0

Original file name:
bufy.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\38d3.tmp.exe

File PE Metadata
Compilation timestamp:
5/19/2016 9:41:11 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:a/ZwZRos8jawbwb0xMdSwLGiDkXjDDMLu5Rp8RnE:axU2CT4oDDkXtoE

Entry address:
0x1988

Entry point:
E8, 01, 18, 00, 00, E9, 70, FE, FF, FF, E8, FB, 08, 00, 00, 85, C0, 75, 06, B8, AC, 21, 41, 00, C3, 83, C0, 0C, C3, 55, 8B, EC, 56, E8, E4, FF, FF, FF, 8B, 4D, 08, 51, 89, 08, E8, 20, 00, 00, 00, 59, 8B, F0, E8, 05, 00, 00, 00, 89, 30, 5E, 5D, C3, E8, C7, 08, 00, 00, 85, C0, 75, 06, B8, A8, 21, 41, 00, C3, 83, C0, 08, C3, 55, 8B, EC, 8B, 4D, 08, 33, C0, 3B, 0C, C5, 40, 20, 41, 00, 74, 27, 40, 83, F8, 2D, 72, F1, 8D, 41, ED, 83, F8, 11, 77, 05, 6A, 0D, 58, 5D, C3, 8D, 81, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8...
 
[+]

Entropy:
7.1979

Code size:
40 KB (40,960 bytes)

The file 38d3.tmp.exe has been seen being distributed by the following 4 URLs.

http://cdn4.downloadsoup.com/.../Bundle.exe

http://cdn4.nonstopdownload.com/.../Bundle.exe

http://cdn4.downloadcrest.com/.../Bundle.exe

http://cdn4.continuumdownload.com/.../Bundle.exe

Remove 38d3.tmp.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.