home

gplushda.exe

SqueakyChocolate

The installer utilizes the installCore download manager which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application gplushda.exe by SqueakyChocolate has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address cdn.squeakychocolate.com on port 80 using the HTTP protocol.
Publisher:
SqueakyChocolate  (signed and verified)

MD5:
ed6b63696f1e0238078a0fba3e711ad0

SHA-1:
fea2dd8e10016f991dae7f7290d3b696a639dc89

SHA-256:
5536d71f40400fa5857d012ce2d427581a0f66c6d2ff0a64952eebfbfca28e39

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
5/9/2024 12:13:45 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.installCore.SqueakyChocolate (M)
16.2.15.17

File size:
202.9 KB (207,816 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Nullsoft Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\gplushda.exe

Digital Signature
Signed by:
SqueakyChocolate

Authority:
COMODO CA Limited

Valid from:
2/20/2012 1:00:00 AM

Valid to:
2/20/2015 12:59:59 AM

Subject:
CN=SqueakyChocolate, O=SqueakyChocolate, STREET=12902 Dorathea Terrace, L=Poway, S=CA, PostalCode=92064, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00B696A8829DC1E0486236AF86C6DC0B70

File PE Metadata
Compilation timestamp:
7/26/2014 11:58:31 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:U/B462HWArYVBAANQqrFFuwxFXiq/9HLGnf:U/N2TgBnXv9FXxHGf

Entry address:
0x35B7

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, E0, 84, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, B4, 82, 40, 00, 6A, 08, A3, F8, 05, 47, 00, E8, 62, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, 00, 05, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 24, 86, 40, 00, FF, 15, 84, 81, 40, 00, 68, 0C, 86, 40, 00, 68, 00, 85, 46, 00, E8, 32, 26, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, 00, 10, 4C, 00, 57, E8, 20, 26, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
26 KB (26,624 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to squeakychocolate.com  (74.208.110.68:80)

TCP (HTTP):
Connects to post-install-verification.conduit-data.com  (184.72.217.85:80)

TCP (HTTP):
Connects to cdn.squeakychocolate.com  (62.253.3.84:80)

Remove gplushda.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.