» plus-hd-2.3-updater.exe
Overview
Analysis
File Details
Behaviors (1)
Network (2)

plus-hd-2.3-updater.exe

Plus-HD-2.3

Kimahri Software inc.

This adware uses the Crossrider platform to build and distribute this web browser advertising injection extension. Once installed in the browser it will hijack various browser settings (homepage, search) and may interfere and track behaviors as well as deliver ads. The application plus-hd-2.3-updater.exe by Kimahri Software inc has been detected as adware by 33 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider browser extension toolkit; the Updater component is used to dynamically connects to the Crossrider API (update.srvstatsdata.com/.../{CAMP_ID}/update.json) and download additional code in order to automatically update Plus HD extension/toolbar. It is distributed as part of the Brightcircle group of browser-extensions.

File name:

Publisher:

Plus HD (signed by Kimahri Software inc.)

Product:

Plus-HD-2.3

Description:

Plus-HD-2.3 exe

Version:

1000.1000.1000.1000

MD5:

0cbc4533652083eb4b3710df3a5d8cfa

SHA-1:

70ee052c3bafd15fbcb133f8eea628b592275dea

SHA-256:

cd8ebf99c618e54cca9a1251c68603c56ab7aa656a3663a62b079ed9742b65c1

Scanner detections:

33 / 68

Status:

Adware

Explanation:

Part of the Crossrider toolbar platform. This is the updater mechanism that runs in the background as a scheduled task. Distributed through the Brightcircle investments brand.

Note:

Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application. The owner/publisher of this file is Kimahri Software inc..

Analysis date:

5/18/2024 4:22:39 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Adware.Plush.1

390

Agnitum Outpost

PUA.Toolbar.CrossRider

7.1.1

AhnLab V3 Security

Win-PUP/CrossRider

2014.11.04

Avira AntiVirus

Adware/CrossRider.A.13596

7.11.182.236

avast!

Win32:Adware-BMP [PUP]

2014.9-160111

AVG

Generic_r

2017.0.2868

Baidu Antivirus

Adware.Win32.CrossAd

4.0.3.16111

Bitdefender

Gen:Adware.Plush.1

1.0.20.55

Bkav FE

W32.Clodc63.Trojan

1.3.0.4613

Clam AntiVirus

Win.Adware.Addlyrics-2

0.98/19360

Dr.Web

Trojan.Crossrider.12167

9.0.1.011

Emsisoft Anti-Malware

Gen:Adware.Plush

8.16.01.11.03

ESET NOD32

Win32/Toolbar.CrossRider (variant)

10.10664

Fortinet FortiGate

Riskware/Toolbar_CrossRider

1/11/2016

F-Prot

W32/A-eb9ef301

v6.4.7.1.166

F-Secure

Gen:Adware.Plush.1

11.2016-11-01_2

G Data

Gen:Adware.Plush

16.1.24

IKARUS anti.virus

AdWare.AddLyrics

t3scan.2.2.29

K7 AntiVirus

Unwanted-Program

13.185.13888

Kaspersky

not-a-virus:WebToolbar.Win32.CroRi

14.0.0.834

Malwarebytes

PUP.Optional.HDPlus.A

v2016.01.11.03

McAfee

Artemis!C32038A55431

5600.6524

MicroWorld eScan

Gen:Adware.Plush.1

17.0.0.33

NANO AntiVirus

Trojan.Win32.Crossrider.cwsaki

0.28.6.62995

nProtect

Adware.AddLyrics.AK

14.02.02.01

Panda Antivirus

PUP/PlusHD

16.01.11.03

Qihoo 360 Security

HEUR/Malware.QVM10.Gen

1.0.0.1015

Reason Heuristics

Adware.Crossrider.Brightcircle (M)

16.1.11.3

Sophos

AppRider

4.98

Trend Micro House Call

ADW_CROSSRIDER

7.2.11

Trend Micro

ADW_CROSSRIDER

10.465.11

VIPRE Antivirus

Crossrider

34480

Zillya! Antivirus

Adware.CroRi.Win32.392

2.0.0.1975

File size:

358.9 KB (367,464 bytes)

Product version:

1000.1000.1000.1000

Original file name:

Plus-HD-2.3.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\plus-hd-2.3\plus-hd-2.3-updater.exe

Digital Signature

Signed by:

Kimahri Software inc.

Authority:

COMODO CA Limited

Valid from:

3/7/2013 1:00:00 AM

Valid to:

3/7/2016 12:59:59 AM

Subject:

CN=Kimahri Software inc., O=Kimahri Software inc., STREET=666 Sherbrooke Rue w, L=Montreal, S=Quebec, PostalCode=H3A 1E7, C=CA

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00A1BB8569950C0B2080A11A0E2F618B33

File PE Metadata

Compilation timestamp:

7/11/2013 5:22:00 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

6144:lIbVvIAWk5wD5JEHuRgUe1mHAMlxi3mSlPK3WRfHe6echpTBJfhC5:+ZvIvk5wD7EH/Ue1mHAMlx5SdK3WRfHQ

Entry address:

0x2E174

Entry point:

E8, 2F, AA, 00, 00, E9, 89, FE, FF, FF, CC, CC, 57, 56, 53, 33, FF, 8B, 44, 24, 14, 0B, C0, 7D, 14, 47, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 18, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 10, F7, F1, 8B, D3, EB, 41, 8B, D8, 8B, 4C, 24, 18, 8B, 54, 24, 14, 8B, 44, 24, 10, D1, EB, D1, D9, D1, EA, D1, D8, 0B, DB, 75, F4, F7... 
[+]

Code size:

275.5 KB (282,112 bytes)

Scheduled Task

Task name:

Plus-HD-2.3-updater

Trigger:

Logon (Runs on logon)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to lb-212-222.above.com (103.224.212.222:80)

TCP (HTTP):

Connects to ip-70.32.1.32.hosted.by.gigenet.com (70.32.1.32:80)

Remove plus-hd-2.3-updater.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.