plushd_1007_en-55887af6.exe

Yjvfkrqdsksl

Kimahri Software inc.

This adware was built with the Crossrider platform, which is used to build and distribute browser extensions that inject advertising. Once installed in the browser it hijacks browser settings such as the homepage and default search provider, may track browsing behaviour, and delivers ads. The file plushd_1007_en-55887af6.exe, signed by Kimahri Software inc., has been flagged as adware by 7 of the 68 anti-malware scanners listed below. It is a setup program built with the Nullsoft Install System (NSIS) and is typically executed from the user's temporary directory. It is distributed as part of the Brightcircle family of browser extensions.
Publisher:
Yviujzolcpz  (signed by Kimahri Software inc.)

Product:
Yjvfkrqdsksl

Description:
Dckbrgo

Version:
1.1.1.1

MD5:
477d3d136aa4f93efb2eaabd86d5af55

SHA-1:
9ef498f30ae7b9551895dca8e0f20a989e95b9fb

SHA-256:
b222980606dab7f7368c9e9ff33edccee986a8811c9d7994adc8f6f5c1426a27

Scanner detections:
7 / 68

Status:
Adware

Analysis date:
4/24/2024 8:35:20 PM UTC

Scan engine           Detection                                    Engine version
Bkav FE               HW32.CDB                                     1.3.0.4246
Dr.Web                Adware.Plugin.73                             9.0.1.0331
ESET NOD32            Win32/Packed.ScrambleWrapper                 9.8844
Fortinet FortiGate    Adware/Lyckriks                              11/27/2015
Malwarebytes          Adware.Packed.Ranver                         v2015.11.27.08
Reason Heuristics     PUP.Brightcicrle.Brightcircle.Installer (M)  15.11.27.8
Vba32 AntiVirus       AdWare.Lyckriks                              3.12.24.3

File size:
4.7 MB (4,903,744 bytes)

Copyright:
Zaxtgboheos

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\plushd_1007_en-55887af6.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
3/6/2013 7:00:00 PM

Valid to:
3/6/2016 6:59:59 PM

Subject:
CN=Kimahri Software inc., O=Kimahri Software inc., STREET=666 Sherbrooke Rue w, L=Montreal, S=Quebec, PostalCode=H3A 1E7, C=CA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A1BB8569950C0B2080A11A0E2F618B33

File PE Metadata
Compilation timestamp:
2/19/2012 10:01:49 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
98304:S3Pww+8KGeECgN8ko5sB7MbvY7BmB6LYwft1oVGkaoUidoeKC+nf:SYw+4exhGAB6LZv+Gjzlf

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Entropy:
7.9979  (probably packed)
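The three checks a responder would actually run on a sample like this, as an added example that is not part of the report or of the Reason Core Security tooling: verify the file against the MD5/SHA-1/SHA-256 values listed above, compute the Shannon entropy that drives the "probably packed" verdict, and check whether the PE compilation timestamp falls inside the code-signing certificate's validity window. The entropy threshold of 7.2 and the function names are this example's own choices. Two caveats: an NSIS installer carries its payload compressed, so entropy near 8.0 is expected here and does not on its own prove a runtime packer; and NSIS installers inherit the compile timestamp of the prebuilt NSIS stub, so a timestamp (here 2012) that predates the certificate's "Valid from" date (2013) is a point to investigate, not by itself evidence of tampering.

```python
import hashlib
import math
import random
import sys
from collections import Counter
from datetime import datetime

# Values copied from the report page for plushd_1007_en-55887af6.exe.
REPORT_HASHES = {
    "md5": "477d3d136aa4f93efb2eaabd86d5af55",
    "sha1": "9ef498f30ae7b9551895dca8e0f20a989e95b9fb",
    "sha256": "b222980606dab7f7368c9e9ff33edccee986a8811c9d7994adc8f6f5c1426a27",
}
REPORT_COMPILE_TS = datetime(2012, 2, 19, 10, 1, 49)
CERT_NOT_BEFORE = datetime(2013, 3, 6, 19, 0, 0)
CERT_NOT_AFTER = datetime(2016, 3, 6, 18, 59, 59)


def file_hashes(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of the given bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes, expected: dict = REPORT_HASHES) -> bool:
    """True only when every listed digest matches. Comparing all three means a
    collision against the weak MD5 alone cannot produce a false positive."""
    actual = file_hashes(data)
    return all(actual[algo] == digest.lower() for algo, digest in expected.items())


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for
    uniformly distributed bytes (compressed or encrypted data sits near 8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def probably_packed(data: bytes, threshold: float = 7.2) -> bool:
    """Triage heuristic: entropy above the threshold (an assumption, not a value
    from the report) suggests compressed/encrypted content such as a packed PE."""
    return shannon_entropy(data) > threshold


def compiled_within_validity(compile_ts: datetime,
                             not_before: datetime = CERT_NOT_BEFORE,
                             not_after: datetime = CERT_NOT_AFTER) -> bool:
    """True when the PE compile timestamp lies inside the signing certificate's
    validity window. False is worth a look; for NSIS it is usually the stub's date."""
    return not_before <= compile_ts <= not_after


def constructed_samples() -> dict:
    """Constructed inputs standing in for real files so the script runs offline."""
    rng = random.Random(1)
    pseudo_packed = bytes(rng.getrandbits(8) for _ in range(65536))  # near 8.0
    plain_text = b"The quick brown fox jumps over the lazy dog. " * 100  # ~4.4
    return {"pseudo_packed": pseudo_packed, "plain_text": plain_text}


if __name__ == "__main__":
    # Usage: python triage.py <file>  (falls back to constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        print("hashes:", file_hashes(blob))
        print("matches report hashes:", matches_report(blob))
        print("entropy: %.4f  packed? %s" % (shannon_entropy(blob), probably_packed(blob)))
    else:
        for name, blob in constructed_samples().items():
            print("%-13s entropy=%.4f packed?=%s" % (name, shannon_entropy(blob), probably_packed(blob)))
    print("compile timestamp inside cert validity:",
          compiled_within_validity(REPORT_COMPILE_TS))
```

Run it against the actual sample path to confirm the hashes before trusting any of the other metadata; a hash mismatch means you are looking at a different build and the signature, timestamps and detections above no longer apply.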

Code size:
34.5 KB (35,328 bytes)

Remove plushd_1007_en-55887af6.exe - Powered by Reason Core Security