home

9bc73a27-d8d4-4851-b272-34e3d4f0f2c3-2.exe

PlusSTotal-9.4

Kimahri Software inc.

This adware uses the Crossrider platform to build and distribute this web browser advertising injection extension. Once installed in the browser it will hijack various browser settings (homepage, search) and may interfere and track behaviors as well as deliver ads. The application 9bc73a27-d8d4-4851-b272-34e3d4f0f2c3-2.exe, “PlusSTotal-9.4 exe” by Kimahri Software inc has been detected as adware by 16 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.
Publisher:
PlusSHD  (signed by Kimahri Software inc.)

Product:
PlusSTotal-9.4

Description:
PlusSTotal-9.4 exe

Version:
1000.1000.1000.1000

MD5:
e1a89bc2296caa0c514d4f85405ad722

SHA-1:
bfd36e1cf31c24ee91e5005df15284f2b31d647f

SHA-256:
97ef1937e2d24b88d6e4765fec6aa11ff29d6f29c16d536815586415f53d84be

Scanner detections:
16 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/23/2024 7:44:05 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/CrossRider.Gen2
7.11.170.44

avast!
Win32:Crossrider-F [PUP]
140813-1

AVG
Adware Generic_r.OG
2014.0.4015

Baidu Antivirus
PUA.Win32.CrossRider
4.0.3.14831

Clam AntiVirus
Win.Adware.Plush-31
0.98/19317

ESET NOD32
Win32/Toolbar.CrossRider.AJ potentially unwanted application
7.0.302.0

F-Prot
W32/A-eb9ef301
v6.4.7.1.166

G Data
Win32.Application.Plush
14.8.24

Kaspersky
not-a-virus:WebToolbar.Win32.CroRi
15.0.0.463

Malwarebytes
PUP.Optional.PlusHD.A
v2014.08.31.06

NANO AntiVirus
Riskware.Win32.AdLoad.dbdvjz
0.28.2.61861

Panda Antivirus
PUP/PlusHD
14.08.31.06

Reason Heuristics
PUP.Crossrider.KimahriSoftwareinc.g
14.8.31.4

Sophos
AppRider
4.98

Vba32 AntiVirus
AdWare.AdLoad
3.12.26.3

VIPRE Antivirus
Threat.4789396
32210

File size:
358.4 KB (366,952 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
PlusSTotal-9.4.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\plusstotal-9.4\9bc73a27-d8d4-4851-b272-34e3d4f0f2c3-2.exe

Digital Signature
Signed by:
Kimahri Software inc.

Authority:
COMODO CA Limited

Valid from:
3/6/2013 6:00:00 PM

Valid to:
3/6/2016 5:59:59 PM

Subject:
CN=Kimahri Software inc., O=Kimahri Software inc., STREET=666 Sherbrooke Rue w, L=Montreal, S=Quebec, PostalCode=H3A 1E7, C=CA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A1BB8569950C0B2080A11A0E2F618B33

File PE Metadata
Compilation timestamp:
6/14/2014 5:03:28 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:N8WJDMUHeZqBXOvTL984xENm15sdGpTBaQzbC:1DMxxTpxEm1ukpTYQ6

Entry address:
0x2CB71

Entry point:
E8, D7, 8E, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 00, 59, 45, 00, E8, 09, 25, 00, 00, E8, 89, 16, 00, 00, 0F, B7, F0, 6A, 02, E8, 6A, 8E, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 9B, 55, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
6.4608

Code size:
268.5 KB (274,944 bytes)

Scheduled Task
Task name:
9bc73a27-d8d4-4851-b272-34e3d4f0f2c3-2

Trigger:
Logon (Runs on logon)

Action:
9bc73a27-d8d4-4851-b272-34e3d4f0f2c3-2.exe \nweugvtk \lzaymjpoo='plusstotal-9.4' \gsfeap=5316


Remove 9bc73a27-d8d4-4851-b272-34e3d4f0f2c3-2.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.