1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11.exe

Bright circle investments Ltd.

This adware utilizes the Crossrider extension platform and will inject advertisiments in the Internet browser and may modify core browser settings. Ads will be delivered as banners and contextual text-links and may promote other potentially unwanted software. The application 1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11.exe by Bright circle investments has been detected as adware by 23 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. While running, it connects to the Internet address ip-184-168-221-53.ip.secureserver.net on port 80 using the HTTP protocol. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.
Publisher:
Plus-HD-V1.5  (signed by Bright circle investments Ltd.)

Product:
Plus-HD-V1.5

Description:
Plus-HD-V1.5 exe

Version:
1000.1000.1000.1000

MD5:
0b13c2941482032329588898cabc1d31

SHA-1:
6f062002fd4c5d02f5cfa40e9d24638a394f954f

SHA-256:
857412d30a58936160aab9e8d7c32ff14854644ef8cea6b441e4329f393d032b

Scanner detections:
23 / 68

Status:
Adware

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:
11/2/2024 9:26:11 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Kazy.374062
925

Agnitum Outpost
PUA.Toolbar.CrossRider
7.1.1

Avira AntiVirus
Adware/CrossRider.A.11433
7.11.158.50

Bitdefender
Gen:Variant.Adware.Kazy.374062
1.0.20.1025

Clam AntiVirus
Win.Adware.Agent-7312
0.98/19185

Comodo Security
ApplicUnwnt
18744

Emsisoft Anti-Malware
Gen:Variant.Adware.Kazy.374062
8.14.07.24.02

ESET NOD32
Win32/Toolbar.CrossRider.AK potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/Toolbar_CrossRider
7/24/2014

F-Secure
Gen:Variant.Adware.Kazy.374062
11.2014-24-07_5

G Data
Gen:Variant.Adware.Kazy.374062
14.7.24

IKARUS anti.virus
Win32.SuspectCrc
t3scan.1.6.1.0

K7 AntiVirus
Trojan
13.180.12598

McAfee
Artemis!0B13C2941482
5600.7059

MicroWorld eScan
Gen:Variant.Adware.Kazy.374062
15.0.0.615

NANO AntiVirus
Riskware.Win32.AdLoad.dbjxuu
0.28.0.60577

Panda Antivirus
Trj/OCJ.F
14.07.24.02

Qihoo 360 Security
Win32/Virus.Adware.c3a
1.0.0.1015

Reason Heuristics
PUP.Task.Brightcircleinvestments.h
14.7.17.9

Sophos
Generic PUA GP
4.98

Trend Micro House Call
ADW_CROSSRID
7.2.205

Trend Micro
ADW_CROSSRID
10.465.24

VIPRE Antivirus
Threat.4789396
31208

File size:
1.9 MB (1,968,112 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
Plus-HD-V1.5.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\plus-hd-v1.5\1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/19/2014 10:00:00 AM

Valid to:
6/20/2015 9:59:59 AM

Subject:
CN=Bright circle investments Ltd., O=Bright circle investments Ltd., STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EF90FEF9AC8E258E5D30D0E08C84D37E

File PE Metadata
Compilation timestamp:
6/20/2014 8:07:13 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:v+/wG5Ngg0flrHdQJQCcJb6pMuuEPcopSRp+TgUzn+nPRxt:2oqjklrHdQJ36b6pMbh

Entry address:
0xEBF64

Entry point:
E8, 44, 00, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, 77, 01, 01, 00, 3B, 30, 7C, 07, E8, 6E, 01, 01, 00, 8B, 30, E8, 61, 01, 01, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, 60, 5F, 00, 00, 8B, F0, 85, F6, 75, 07, B8, C0, 30, 55, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 7A, 31, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, C0, 30, 55, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, DB, ED...
 
[+]

Entropy:
6.8698

Code size:
1.1 MB (1,143,296 bytes)

Scheduled Task
Task name:
1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11

Trigger:
Logon (Runs on logon)

Action:
1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11.exe \xwfcmrok=ogbkyu+m+xlrpnzfaad9anbptqfadtiy3el8fx4j


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-184-168-221-53.ip.secureserver.net  (184.168.221.53:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (52.216.1.42:80)

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.10:80)

Remove 1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11.exe - Powered by Reason Core Security