yttkvu.exe

TheaterMax2.1V16.01

Berta Dress Apps (Bright Circle Investments Ltd)

This adware is a web browser extension that injects advertising into the browser in the form of unwanted banners and text links, which may link to malware sites and install unwanted software. The application yttkvu.exe, “TheaterMax2.1V16.01 exe” by Berta Dress Apps (Bright Circle Investments), has been detected as adware by 24 anti-malware scanners. It is built on the Crossrider cross-browser extension platform. While the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It is distributed as part of the Brightcircle group of browser extensions.
Publisher:
TheaterMaxV16.01 (signed by Berta Dress Apps (Bright Circle Investments Ltd))

Product:
TheaterMax2.1V16.01

Description:
TheaterMax2.1V16.01 exe

Version:
1000.1000.1000.1000

MD5:
0b99a747eadf8864e090aeda285bfdc0

SHA-1:
dd936858a20eea1a1754c415a42c9af3e571719c

SHA-256:
ca750593e40c2fd948964734a2137a62dfd54e9511703aff1e22abbc78196f50

Scanner detections:
24 / 68

Status:
Adware

Explanation:
May modify the web browser's settings, including changing the homepage and search provider, in addition to delivering ads (by injecting banners and text links directly into the web page). Distributed through the Brightcircle Investments brand.

Analysis date:
4/18/2024 10:55:24 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Application.Heur.7v1@m4yWRdeO | 521
AhnLab V3 Security | PUP/Win32.CrossRider | 2015.01.29
Avira AntiVirus | ADWARE/CrossRider.Gen4 | 7.11.205.184
avast! | Win32:Malware-gen | 2014.9-150901
AVG | Generic | 2016.0.2999
Bitdefender | Gen:Application.Heur.7v1@m4yWRdeO | 1.0.20.1220
Comodo Security | Application.Win32.Plush.GRI | 20880
ESET NOD32 | Win32/Toolbar.CrossRider.BV (variant) | 9.11088
Fortinet FortiGate | Riskware/CrossRider | 9/1/2015
F-Secure | Gen:Application.Heur.7v1@m4yWRdeO | 11.2015-01-09_3
G Data | Gen:Application.Heur.7v1@m4yWRdeO | 15.9.25
K7 AntiVirus | Unwanted-Program | 13.193.14789
Kaspersky | not-a-virus:AdWare.NSIS.Adwapper | 14.0.0.1492
Malwarebytes | PUP.Optional.TheaterMax.A | v2015.09.01.04
McAfee | Artemis!0B99A747EADF | 5600.6655
MicroWorld eScan | Gen:Application.Heur.7v1@m4yWRdeO | 16.0.0.732
NANO AntiVirus | Riskware.Win32.CrossRider.dmmdwh | 0.30.0.65070
Panda Antivirus | Trj/Genetic.gen | 15.09.01.04
Reason Heuristics | Adware.BrightCircle.BertaDressAppsBrightCircleInvestments (M) | 15.9.1.16
Sophos | AppRider | 4.98
Trend Micro House Call | TROJ_GEN.F0C2C00AN15 | 7.2.244
Trend Micro | TROJ_GEN.F0C2C00AN15 | 10.465.01
VIPRE Antivirus | Crossrider | 37050
Zillya! Antivirus | Adware.CrossRider.Win32.2143 | 2.0.0.2048

File size:
1.9 MB (2,030,560 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
TheaterMax2.1V16.01.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\yttkvu.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/16/2014 12:00:00 AM

Valid to:
12/16/2015 11:59:59 PM

Subject:
CN=Berta Dress Apps (Bright Circle Investments Ltd), O=Berta Dress Apps (Bright Circle Investments Ltd), STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
009C113F566DE374D0EF1F22B0B717D3DC

File PE Metadata
Compilation timestamp:
1/16/2015 5:05:27 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:vv+iN8VqULPw15eHtObB7UQpSrx0TxdZ1V1Dzr:OiumEtObNYkJ

Entry address:
0xF8F91


Entropy:
6.8680

Code size:
1.1 MB (1,204,224 bytes)

Remove yttkvu.exe - Powered by Reason Core Security