706467f0-c73a-4265-9740-834f67bfec79-4.exe

videos MediaPlay-Air

Sailor Project

This potentially unwanted Internet browser extension is built upon and distributed using the free Crossrider platform and delivers advertisements to the web browser in various formats, such as banner, text hyperlink, inline text and transitional ads. The application 706467f0-c73a-4265-9740-834f67bfec79-4.exe (“videos MediaPlay-Air exe”) by Sailor Project has been detected as adware by 11 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered to execute each time a user logs in. Although the file uses the Crossrider cross-browser extension framework and its delivery services, it is not owned by Crossrider; it is distributed as part of the Brightcircle group of browser extensions.
Publisher:
enter (signed by Sailor Project)

Product:
videos MediaPlay-Air

Description:
videos MediaPlay-Air exe

Version:
1000.1000.1000.1000

MD5:
d1c1009c1cfb4f96f021ea0e02c414f9

SHA-1:
85632a577e2f18ae2bc1374e993e099b94d50b99

SHA-256:
977b10b194684ba92ee38450ac45f563c96015b2cb98b7bd2e5d3f59725f4057

Scanner detections:
11 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements. Distributed through the Brightcircle investments brand.

Analysis date:
4/19/2024 2:04:30 PM UTC

Scan engine          Detection                                                       Engine version
avast!               Win32:Malware-gen                                               2014.9-140810
AVG                  Generic                                                         2015.0.3386
Baidu Antivirus      PUA.Win32.CrossRider                                            4.0.3.14810
Dr.Web               Trojan.Crossrider.27911                                         9.0.1.0286
ESET NOD32           Win32/Toolbar.CrossRider.AK potentially unwanted application    8.7.0.302.0
Kaspersky            Trojan.NSIS.GoogUpdate                                          14.0.0.3107
Malwarebytes         PUP.Optional.HDPlus.A                                           v2014.08.10.12
Panda Antivirus      Trj/Genetic.gen                                                 14.10.13.04
Reason Heuristics    PUP.SailorProject.g                                             14.8.10.12
VIPRE Antivirus      Threat.4789396                                                  31208

File size:
1.4 MB (1,493,352 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
videos MediaPlay-Air.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\videos mediaplay-air\706467f0-c73a-4265-9740-834f67bfec79-4.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/17/2014 8:00:00 PM

Valid to:
7/18/2015 7:59:59 PM

Subject:
CN=Sailor Project, O=Sailor Project, STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Cyprus, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
47C5F145C734CD3D086C0A102176F0A1

File PE Metadata
Compilation timestamp:
8/9/2014 6:07:08 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:JGgQuTvO7N7SLB1gBxSccsgPgaxP//r3o5UXcdNtAncofBspShNjT6Z:8gFTqwLLPcgHfrY2XjcofBspShtT8

Entry address:
0xE8060

Entry point:
E8, 5B, 00, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, 8E, 01, 01, 00, 3B, 30, 7C, 07, E8, 85, 01, 01, 00, 8B, 30, E8, 78, 01, 01, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, D4, 5E, 00, 00, 8B, F0, 85, F6, 75, 07, B8, E0, D8, 54, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 7E, 31, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, E0, D8, 54, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, D7, ED...
 

Entropy:
6.6136

Code size:
1.1 MB (1,123,840 bytes)

Scheduled Task
Task name:
21ba9693-ae02-485d-98b9-6d1940eb4d8d

Trigger:
Logon (Runs on logon)

Action:
706467f0-c73a-4265-9740-834f67bfec79-4.exe \ifszcniia=su\4hbk6xp+1sxn02xb0s6rnthg05ng5giciwqo


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ip-50-63-202-46.ip.secureserver.net  (50.63.202.46:80)

Remove 706467f0-c73a-4265-9740-834f67bfec79-4.exe - Powered by Reason Core Security