38ee02.exe

The application 38ee02.exe has been detected as a potentially unwanted program (PUP) by 15 of the 68 anti-malware scanners listed below. It is a setup program used to install the application and is built with the Crossrider cross-browser extension toolkit. Although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from liversely.net.
Publisher:
Of Has

Product:
Calls And

Description:
Lamp Veinal

Version:
3.0.1.1

MD5:
e796976c674b9a983b9294992b2f76db

SHA-1:
373da572e5368e49fb78da15c8134b627cdf3986

SHA-256:
12787c5a93cbbda9d50107e5f513aaa8ce00b2cb6cb59a4c70cb3c37392eee24

Scanner detections:
15 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/23/2024 1:27:18 AM UTC

Scan engine              Detection                                 Engine version
Avira AntiVirus          ADWARE/MultiPlug.Gen4                     7.11.174.228
avast!                   Win32:Agent-AYLT [PUP]                    2014.9-150522
Dr.Web                   Trojan.Crossrider.36840                   9.0.1.0142
Emsisoft Anti-Malware    Gen:Variant.Adware.MPlug                  8.15.05.22.11
ESET NOD32               Win32/AdWare.MultiPlug.CN application     7.0.302.0
F-Prot                   W32/A-f6cb9900                            v6.4.7.1.166
F-Secure                 Gen:Variant.Adware.MPlug                  11.2015-22-05_6
K7 AntiVirus             Unwanted-Program                          13.183.13504
Kaspersky                not-a-virus:AdWare.Win32.MultiPlug        14.0.0.2000
Malwarebytes             PUP.Optional.MultiPlug                    v2015.05.22.11
McAfee                   MultiPlug                                 5600.6995
NANO AntiVirus           Riskware.Win32.MultiPlug.dfjscb           0.28.2.62286
Norman                   Gen:Variant.Adware.MPlug.8                11.20150522
Reason Heuristics        Threat.Win.Reputation.IMP                 15.5.22.19
Sophos                   PUA 'MultiPlug' (of type Adware)          5.14

File size:
816.5 KB (836,096 bytes)

Product version:
6.4.7.1

Copyright:
All rights reserved for Of Has LTD.

Original file name:
Platinum Hide IP 3.3.6.2.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\38ee02.exe

File PE Metadata
Compilation timestamp:
6/16/2013 5:55:41 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:9WeD1qXAL9zpEKF9vz/8qMGXqMP8GLHU3YyhiL7R6jVCaAlR5oEkOXRVa5uP5P4M:Yez9znvzE+5kGoolV6RAZoJya5qwdiwY

Entry address:
0x19502

Entry point:
E8, 7C, 48, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 20, E4, 43, 00, E8, E8, 0D, 00, 00, E8, 49, 4A, 00, 00, 0F, B7, F0, 6A, 02, E8, 0F, 48, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, D5, 06, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
Entropy:
7.8520  (probably packed)

Code size:
134 KB (137,216 bytes)
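As an added triage example (not code from this page, from Reason Core Security, or from any vendor listed above), the following Python script recomputes the hashes and whole-file entropy listed above for a local file, parses the PE headers to recover the compilation timestamp, linker version and entry-point RVA, maps that RVA to a file offset through the section table, and compares the bytes there with the entry-point stub shown on the page. The page's hashes, entry RVA, entry-point bytes and compilation time are used as listed; the packed-entropy threshold (7.0) and the minimal PE image the script builds when run without a path are assumptions constructed for offline testing.

```python
"""Offline triage of a Windows executable against the indicators listed on this page.

Added example, not code from the page. Only the hashes, entry RVA, entry-point bytes and
compilation time come from the page; the entropy threshold and sample PE are assumptions.
"""
import datetime
import hashlib
import math
import struct
from collections import Counter

# Indicators copied from the page.
PAGE_HASHES = {
    "md5": "e796976c674b9a983b9294992b2f76db",
    "sha1": "373da572e5368e49fb78da15c8134b627cdf3986",
    "sha256": "12787c5a93cbbda9d50107e5f513aaa8ce00b2cb6cb59a4c70cb3c37392eee24",
}
PAGE_ENTRY_RVA = 0x19502
PAGE_ENTRY_BYTES = bytes.fromhex("E87C480000E900000000")  # first 10 bytes listed under "Entry point"
PACKED_ENTROPY_THRESHOLD = 7.0  # assumption: common triage cut-off; the page flags 7.85 as packed


def hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the whole file, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_info(data: bytes):
    """Parse PE32 headers and map AddressOfEntryPoint (an RVA) to a file offset; None if not MZ/PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: NumberOfSections, TimeDateStamp, two symbol-table fields, SizeOfOptionalHeader
    nsect, timestamp, _, _, opt_size = struct.unpack_from("<HIIIH", data, e_lfanew + 6)
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    _magic, lmaj, lmin = struct.unpack_from("<HBB", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    when = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    info = {
        "compile_time": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": f"{lmaj}.{lmin}",
        "entry_rva": entry_rva,
        "entry_offset": None,
    }
    sections = opt + opt_size
    for i in range(nsect):  # section header: 8-byte name, then VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sections + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            info["entry_offset"] = rawptr + (entry_rva - vaddr)
            break
    return info


def triage(data: bytes) -> dict:
    """Hash, entropy and entry-stub checks against the page's indicators."""
    h = hashes(data)
    ent = shannon_entropy(data)
    report = {**h, "size": len(data), "entropy": round(ent, 4),
              "probably_packed": ent >= PACKED_ENTROPY_THRESHOLD,
              "matches_page_hashes": any(h[k] == v for k, v in PAGE_HASHES.items())}
    pe = pe_info(data)
    if pe is not None:
        report.update(pe)
        off = pe["entry_offset"]
        report["entry_stub_matches_page"] = (
            off is not None and data[off:off + len(PAGE_ENTRY_BYTES)] == PAGE_ENTRY_BYTES)
    return report


def build_minimal_pe(code: bytes, timestamp: int = 1371362141) -> bytes:
    """Constructed sample: a minimal, non-runnable PE32 with one .text section at RVA 0x1000.
    The default timestamp is 2013-06-16 05:55:41 UTC, the compilation time listed on the page."""
    e_lfanew, opt_size, raw_ptr = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 11, 0, len(code), 0, 0, 0x1000)  # PE32 magic, linker 11.0, entry
    opt += b"\0" * (opt_size - len(opt))
    sect = b".text\0\0\0" + struct.pack("<IIII", len(code), 0x1000, len(code), raw_ptr) + b"\0" * 16
    header = dos + coff + opt + sect
    return header + b"\0" * (raw_ptr - len(header)) + code


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(PAGE_ENTRY_BYTES + b"\xcc" * 6)
    for k, v in triage(blob).items():
        print(f"{k}: {v}")
```

Run it as `python triage.py <file>` to compare a suspect file with the indicators above, or with no argument to exercise it on the constructed sample. Two caveats a practitioner would want: a hash mismatch on a fresh download does not clear the file, since Crossrider installers are regenerated per campaign, so the entropy, PE-metadata and entry-stub checks matter more than the hashes. Second, the entry-point bytes listed on the page (a call, a jmp, then `push 14h` / `push imm32`, followed by `mov eax, 5A4Dh; cmp word [400000h], ax` and `cmp dword [eax+400000h], 4550h`, i.e. checks for "MZ" and "PE" at image base 0x400000) are the standard Visual C++ CRT startup stub rather than an unpacker loop, which agrees with the reported linker version 11.0; the 7.85 whole-file entropy therefore reflects compressed or encrypted payload data carried in the image by the installer, not a packed entry point.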

The file 38ee02.exe has been seen being distributed from liversely.net.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-54-183-158-170.us-west-1.compute.amazonaws.com  (54.183.158.170:80)