air71d8.exe

Wwnurzguptr

The application air71d8.exe has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer; however, the file is not signed with an Authenticode signature from a trusted source. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from dl.datagenserv.com.
Publisher:
Wwnurzguptr

Description:
Oiboyy

Version:
13.20.21.4

MD5:
e3da5f7ca8182edd45959627d8c9bef0

SHA-1:
f2ebeafe8a51ceb37fde41f0eef976846435e1ad

SHA-256:
57c25c8c4590e11c0f1d2987c4fca297cb358b4f0f4cb0eae66d6fa6bd67e75d

Scanner detections:
5 / 68

Status:
Adware

Explanation:
This is part of the Crossrider Internet browser extension framework which may modify the user's web browser settings including changing the home and search pages.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application.

Analysis date:
10/30/2020 1:00:24 AM UTC

Scan engine | Detection | Engine version
Clam AntiVirus | Win.Adware.Agent-6597 | 0.98/19168
Dr.Web | infected with Trojan.Crossrider.24543 | 9.0.1.05190
Malwarebytes | PUP.Optional.ScramblePacker.A | v2014.07.12.11
NANO AntiVirus | Trojan.Win32.Generic.dbxnnd | 0.28.0.60698
Reason Heuristics | PUP.Downloader.Wwnurzguptr.H | 14.7.12.11

File size:
7.7 MB (8,074,037 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\air71d8.exe

File PE Metadata
Compilation timestamp:
12/4/2012 1:55:02 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
196608:cRr6TB/5OAE8F/OHzkjhJHBhi65uiF6V584IRf5fXV34f/:MWvPUTsHBhi6BoV5afXM/

Entry address:
0x4323

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, C3, 44, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, C4, 44, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, C4, 44, 00, 56, A3, 40, 3B, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 3B, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, C4, 44, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Entropy:
7.9984  (probably packed)

Code size:
34.5 KB (35,328 bytes)

The file air71d8.exe has been seen being distributed by the following URL.
