home

38ee02.exe

Calls And

Of Has

The application 38ee02.exe has been detected as a potentially unwanted program by 15 anti-malware scanners. This is a setup program which is used to install the application. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from liversely.net.
Publisher:
Of Has

Product:
Calls And

Description:
Lamp Veinal

Version:
3.0.1.1

MD5:
e796976c674b9a983b9294992b2f76db

SHA-1:
373da572e5368e49fb78da15c8134b627cdf3986

SHA-256:
12787c5a93cbbda9d50107e5f513aaa8ce00b2cb6cb59a4c70cb3c37392eee24

Scanner detections:
15 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/25/2024 1:04:24 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/MultiPlug.Gen4
7.11.174.228

avast!
Win32:Agent-AYLT [PUP]
2014.9-150522

Dr.Web
Trojan.Crossrider.36840
9.0.1.0142

Emsisoft Anti-Malware
Gen:Variant.Adware.MPlug
8.15.05.22.11

ESET NOD32
Win32/AdWare.MultiPlug.CN application
7.0.302.0

F-Prot
W32/A-f6cb9900
v6.4.7.1.166

F-Secure
Gen:Variant.Adware.MPlug
11.2015-22-05_6

K7 AntiVirus
Unwanted-Program
13.183.13504

Kaspersky
not-a-virus:AdWare.Win32.MultiPlug
14.0.0.2000

Malwarebytes
PUP.Optional.MultiPlug
v2015.05.22.11

McAfee
MultiPlug
5600.6995

NANO AntiVirus
Riskware.Win32.MultiPlug.dfjscb
0.28.2.62286

Norman
Gen:Variant.Adware.MPlug.8
11.20150522

Reason Heuristics
Threat.Win.Reputation.IMP
15.5.22.19

Sophos
PUA 'MultiPlug' (of type Adware)
5.14

File size:
816.5 KB (836,096 bytes)

Product version:
6.4.7.1

Copyright:
All rights reserved for Of Has LTD.

Original file name:
Platinum Hide IP 3.3.6.2.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\38ee02.exe

File PE Metadata
Compilation timestamp:
6/16/2013 5:55:41 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:9WeD1qXAL9zpEKF9vz/8qMGXqMP8GLHU3YyhiL7R6jVCaAlR5oEkOXRVa5uP5P4M:Yez9znvzE+5kGoolV6RAZoJya5qwdiwY

Entry address:
0x19502

Entry point:
E8, 7C, 48, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 20, E4, 43, 00, E8, E8, 0D, 00, 00, E8, 49, 4A, 00, 00, 0F, B7, F0, 6A, 02, E8, 0F, 48, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, D5, 06, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
7.8520  (probably packed)

Code size:
134 KB (137,216 bytes)

The file 38ee02.exe has been seen being distributed by the following URL.

http://liversely.net/1db0151b12b6c985934f1c155b80cb49/aq_b/dl.php?id=1411757573335670773&r=http://newpoints.info/v2145/lp/?q=HRLnk/tnVG 4DWYSUMFuSx6kDTvBlZmNEDBuPlpnMqGRpUwvlLaornS/zDYOB3Lh8tVGgJMEX FwMg6N clfweK21V/.../A1ixmiuBrCOwMIfxefPlw4zKRJwli3JqPxsF0 gCGjD5JD5Aq6c2PUGilGVvsnN3burkcsKTK81tpzeXOgyWLnnQv6EulxdkIcGDwvjlRqGhI3MFzZ08NRDLaKZoOXyLx4udWFjcp2OQWkkbKP9Rl8nv8QUR3S2j6mIk&__rnd=ddd959e862711348f523028c70efbb21

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-54-183-158-170.us-west-1.compute.amazonaws.com  (54.183.158.170:80)

Remove 38ee02.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.