» frameworkbho64.dll
Overview
Analysis
File Details
Behaviors (1)

frameworkbho64.dll

Framework

Engaging Apps

This file is a support library for an advertising-based software package (potentially unwanted/adware) distributed by 50onRed used to hijack the Internet browser search provider. The module frameworkbho64.dll by Engaging Apps has been detected as adware by 5 anti-malware scanners. It is installed within the context of Internet Explore as a BHO (Browser Helper Object) under the name ‘Coupon Server BHO’. This web browser addon will display additional advertisements in the user's browser including popup, banner, contextual hyperlinks as well as affiliate links.

File name:

frameworkbho64.dll

Publisher:

Engaging Apps (signed and verified)

Product:

Framework

Description:

FrameworkBHO

Version:

1.1.0.0

MD5:

1a8ef19efc76e5756d0dc0c196b75291

SHA-1:

f190c2096874678505f13478ad996d6a5d5fc3dc

SHA-256:

93e04ef57d968fdee75c543f6482800d70616c20f4b9cc8d162f4812ddfd55b7

Scanner detections:

5 / 68

Status:

Adware

Explanation:

Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:

4/25/2024 3:18:32 AM UTC (today)

Scan engine

Detection

Engine version

AVG

Adware AdPlugin

2017.0.2859

ESET NOD32

Win64/Adware.SmartApps.B application

10.7.0.302.0

IKARUS anti.virus

AdWare.AdPlugin

t3scan.1.6.1.0

Reason Heuristics

Adware.GamePlayLabs.50OnRed (M)

16.1.19.14

VIPRE Antivirus

GamePlayLabs

27460

File size:

337.5 KB (345,648 bytes)

Product version:

1.1.0.0

File type:

Dynamic link library (Win64 DLL)

Language:

English (United States)

Common path:

C:\Program Files\coupon server\frameworkbho64.dll

Digital Signature

Signed by:

Engaging Apps

Authority:

Thawte, Inc.

Valid from:

6/3/2013 9:00:00 PM

Valid to:

6/4/2014 8:59:59 PM

Subject:

CN=Engaging Apps, O=Engaging Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:

CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:

632EEBD9B987BC680D444D8675A26545

Registration

CLSIDs:

{CACB139B-7C2C-4A99-A4EE-72449D0FF549}, {F791D8AE-47E8-40A5-A913-EB2D2AF29602}

COM registered:

Yes

File PE Metadata

Compilation timestamp:

3/6/2014 5:04:48 AM

OS version:

5.2

OS bitness:

Win64

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

6144:B6uMVK6T9vWyU8Dvd7b/TFALHyyih7iLXGr/IN:cNh+FqdPP

Entry address:

0x237C0

Entry point:

48, 89, 5C, 24, 08, 48, 89, 74, 24, 10, 57, 48, 83, EC, 20, 49, 8B, F8, 8B, DA, 48, 8B, F1, 83, FA, 01, 75, 05, E8, DF, 64, 00, 00, 4C, 8B, C7, 8B, D3, 48, 8B, CE, 48, 8B, 5C, 24, 30, 48, 8B, 74, 24, 38, 48, 83, C4, 20, 5F, E9, A7, FE, FF, FF, CC, CC, CC, 4C, 8D, 0D, D9, A2, 02, 00, 33, C0, 49, 8B, D1, 44, 8D, 40, 08, 3B, 0A, 74, 2B, FF, C0, 49, 03, D0, 83, F8, 2D, 72, F2, 8D, 41, ED, 83, F8, 11, 77, 06, B8, 0D, 00, 00, 00, C3, 81, C1, 44, FF, FF, FF, B8, 16, 00, 00, 00, 83, F9, 0E, 41, 0F, 46, C0, C3, 48... 
[+]

Code size:

197.5 KB (202,240 bytes)

Internet Explorer BHO

Display name:

Coupon Server BHO

CLSID:

{F791D8AE-47E8-40A5-A913-EB2D2AF29602}

Remove frameworkbho64.dll - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.