dc0p1i9lkpusw==2.exe

BrowserAir (GOOBZO LTD)

The application dc0p1i9lkpusw==2.exe by BrowserAir (GOOBZO) is flagged by 11 of 68 anti-malware scanners, with verdicts ranging from adware and potentially unwanted program (PUP) to generic Symmi and packed-binary heuristics. It persists as a Windows Task Scheduler task (Installer_browserAir) that is triggered at every user logon. While running, it connects over plain HTTP (TCP port 80) to server-54-230-38-19.jfk1.r.cloudfront.net, an Amazon CloudFront edge node. The binary carries a valid Authenticode signature from a COMODO-issued certificate in the same company's name; the signature identifies the publisher but says nothing about whether the software is wanted.
Publisher:
BrowserAir (GOOBZO LTD)  (signed and verified)

Version:
2.11.0.999

MD5:
8f059f52a3785423ef849b256a60485f

SHA-1:
e1c708f0b9bb49be8144072759ad4ae7774881e1

SHA-256:
29f14d7b147e39e3ae224814b7dbabb1a62a8859dd74ac3f68071e35e371178b

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
11/24/2024 11:54:43 AM UTC

Scan engine: detection (engine version)

Lavasoft Ad-Aware: Gen:Variant.Symmi.54708 (543)
Arcabit: Trojan.Symmi.DD5B4 (1.0.0.425)
Bitdefender: Gen:Variant.Symmi.54708 (1.0.20.1115)
Bkav FE: HW32.Packed (1.3.0.7062)
Emsisoft Anti-Malware: Gen:Variant.Symmi.54708 (8.15.08.11.01)
F-Secure: Gen:Variant.Symmi.54708 (11.2015-11-08_3)
G Data: Gen:Variant.Symmi.54708 (15.8.25)
Malwarebytes: PUP.Optional.BrowserAir.C (v2015.08.11.01)
MicroWorld eScan: Gen:Variant.Symmi.54708 (16.0.0.669)
Panda Antivirus: Adware/Goobzo (15.08.11.01)
Reason Heuristics: PUP.Goobzo (M) (15.8.11.1)

File size:
2.2 MB (2,320,280 bytes)

Product version:
2.11.0.999

Copyright:
Copyright (C) 2014

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\installer\installbrowserair_16008\dc0p1i9lkpusw==2.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
2/10/2015 6:00:00 PM

Valid to:
2/11/2016 5:59:59 PM

Subject:
CN=BrowserAir (GOOBZO LTD), O=BrowserAir (GOOBZO LTD), STREET="Bldg #15 Matam", L=Haifa, S=Haifa, PostalCode=31905, C=IL

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3B4F9A8B40F303C8AAD1D77B2A2B4674

File PE Metadata
Compilation timestamp:
8/10/2015 8:50:54 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:yAY0OxiH6UNZD3QSN148pNXtvelzS66+prJ0CJJUGJxvNPwjQZjZq9oJ3oz8:yv8pjpNXtce66+prJVJUzQZj09oJ

Entry address:
0x322B76

Entry point:
9C, 60, 60, E8, 3C, 87, 00, 00, 3C, 79, 76, 02, C1, C5, 5E, 62, 31, A2, 4B, 36, 2C, 64, 33, EB, 2C, 98, 5B, 2B, 60, 04, 17, A3, B0, A0, 93, CB, 8C, 2C, D3, D8, A2, AD, 4C, A4, 71, 22, D6, E1, 41, 06, FE, 19, 3C, 65, D9, 9A, E2, 95, 1D, 36, E2, A9, FD, E2, 08, 47, B7, 92, 81, 64, A2, 98, 87, DF, 91, 7F, A0, 84, 8B, 6E, BF, B4, 80, 4D, 52, 28, 57, 7A, DC, 50, 44, 4F, E3, 2C, AB, 0F, A6, 6D, 70, 5B, 57, 86, 2E, 09, 67, 08, 82, 5D, 34, 3B, 64, 5C, A4, C5, 80, 17, 7B, 74, B2, C1, 22, 79, C7, A4, CA, 89, 0F, 64...

Entropy:
7.9008  (probably packed)

Code size:
549.5 KB (562,688 bytes)
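
As an added example (not part of the original report), the entropy check behind the "probably packed" verdict above, carried per section rather than over the whole file: whole-file entropy can be dominated by one large embedded payload, so the section table is read from the COFF header and each section is scored on its own. The PE image it scores is constructed inline; the 7.0 cut-off, the section names and the timestamp value (chosen to match the report's compilation date, assuming UTC) are assumptions, not data from the report.

```python
"""Entropy triage for a PE file: whole-file and per-section Shannon entropy."""
import math
import os
import struct
from collections import Counter
from datetime import datetime, timezone

PACKED_THRESHOLD = 7.0  # assumption: common triage cut-off, not a value from the report


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Decode the COFF header and section table of a PE image.

    Returns (timestamp_utc, [(name, raw_offset, raw_size)]). Only the fields
    needed for triage are parsed; imports, relocations etc. are ignored.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", image, coff)
    sec_off = coff + 20 + opt_size                               # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = sec_off + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, raw_ptr, raw_size))
    return datetime.fromtimestamp(timestamp, tz=timezone.utc), sections


def triage(image: bytes, threshold: float = PACKED_THRESHOLD) -> dict:
    """Whole-file and per-section entropy with a packed/plain verdict per section."""
    ts, sections = pe_sections(image)
    report = {"compiled": ts.isoformat(),
              "file_entropy": round(shannon_entropy(image), 4),
              "sections": {}}
    for name, ptr, size in sections:
        h = shannon_entropy(image[ptr:ptr + size])
        report["sections"][name] = (round(h, 4), "probably packed" if h >= threshold else "plain")
    return report


def build_sample_pe() -> bytes:
    """Constructed minimal PE image for the demonstration (not the file from the report).

    Two sections: '.text' holds a repeating byte pattern (low entropy) and 'UPX1'
    holds os.urandom output, standing in for a packed section (high entropy).
    """
    timestamp = 1439196654            # constructed: 2015-08-10 08:50:54 UTC
    text = (b"\x55\x8b\xec" + b"\x90" * 13) * 64          # 1024 bytes, mostly NOPs
    packed = os.urandom(4096)                             # 4096 random bytes
    nsections, opt_size = 2, 0                            # no optional header needed to parse
    text_ptr = 64 + 4 + 20 + 40 * nsections               # raw data starts right after the headers
    packed_ptr = text_ptr + len(text)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, timestamp, 0, 0, opt_size, 0x102)

    def sec(name, ptr, size):
        # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, reloc ptr, linenumber ptr, counts, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, 0x60000020)

    return (dos + b"PE\0\0" + coff + sec(b".text", text_ptr, len(text))
            + sec(b"UPX1", packed_ptr, len(packed)) + text + packed)


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `triage()`; a high-entropy section with a name that is not the compiler's default (.text, .rdata, .data) is the usual sign of a packer, and a low-entropy .text next to a large high-entropy resource section is the usual sign of a dropper carrying a compressed payload.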

Scheduled Task
Task name:
Installer_browserAir

Trigger:
Logon (Runs on logon)


The executing file has been seen to make the following network communications in live environments. Both destinations are Amazon CloudFront edge nodes (the server-<ip>.<pop>.r.cloudfront.net naming), so the hostnames and IP addresses are shared CDN infrastructure that also serves legitimate content; treat them as weak indicators on their own and pivot on the file hash, task name, install path or signing certificate instead. The traffic is plaintext HTTP on port 80, so it is visible to any proxy or network sensor.

TCP (HTTP):
Connects to server-54-230-38-19.jfk1.r.cloudfront.net  (54.230.38.19:80)

TCP (HTTP):
Connects to server-205-251-251-196.jfk5.r.cloudfront.net  (205.251.251.196:80)
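
The Scheduled Task and network sections above give the host and network indicators a responder would hunt with. The following added example (not from the report or from Reason Core Security) matches those indicators against constructed scheduled-task records of the kind a collection script built on `schtasks /query /v /fo csv` plus `Get-AuthenticodeSignature` would produce, and rates the network indicators, scoring the two CloudFront hostnames as weak because they are shared CDN edges. The record layout, the sample tasks, the AppData heuristic and the CDN suffix list are assumptions.

```python
"""Hunt for the report's persistence indicators in scheduled-task telemetry."""
import fnmatch

# Host indicators taken from the report above.
IOC_SHA256 = "29f14d7b147e39e3ae224814b7dbabb1a62a8859dd74ac3f68071e35e371178b"
IOC_TASK_NAME = "installer_browserair"
IOC_PATH_GLOB = r"c:\users\*\appdata\local\installer\installbrowserair_*\*.exe"
IOC_CERT_SERIAL = "3B4F9A8B40F303C8AAD1D77B2A2B4674"

# Assumption: CDN suffixes whose hostnames and IPs are shared with legitimate traffic.
SHARED_CDN_SUFFIXES = (".cloudfront.net",)


def network_ioc_strength(host: str) -> str:
    """Rate a network indicator; both endpoints in the report are CloudFront edges."""
    return "weak (shared CDN edge)" if host.lower().endswith(SHARED_CDN_SUFFIXES) else "usable"


def task_hits(task: dict) -> list:
    """Indicators a scheduled-task record matches; an empty list means no match.

    Record fields (assumed collector output): task_name, action (the executable the
    task runs), trigger, sha256 of that executable, cert_serial of its Authenticode cert.
    """
    hits = []
    action = task["action"].lower()
    if task["task_name"].lower() == IOC_TASK_NAME:
        hits.append("task name")
    if fnmatch.fnmatchcase(action, IOC_PATH_GLOB):      # fnmatchcase: no platform path normalisation
        hits.append("install path")
    if task.get("sha256", "").lower() == IOC_SHA256:
        hits.append("sha256")
    if task.get("cert_serial", "").upper() == IOC_CERT_SERIAL:
        hits.append("signing cert serial")
    # Generic heuristic, not an indicator from the report: a logon-triggered task whose
    # binary lives under a user-writable AppData directory deserves a look regardless.
    if task["trigger"].lower() == "logon" and "\\appdata\\local\\" in action:
        hits.append("heuristic: logon task from AppData")
    return hits


def hunt(tasks) -> dict:
    """Map task name -> matched indicators for every record that matches at least one."""
    result = {}
    for t in tasks:
        hits = task_hits(t)
        if hits:
            result[t["task_name"]] = hits
    return result


# Constructed sample telemetry (not captured data).
SAMPLE_TASKS = [
    {   # the persistence entry described in the report
        "task_name": "Installer_browserAir",
        "action": r"C:\Users\alice\AppData\Local\installer\installbrowserair_16008\dc0p1i9lkpusw==2.exe",
        "trigger": "logon",
        "sha256": IOC_SHA256,
        "cert_serial": IOC_CERT_SERIAL,
    },
    {   # a rebuilt variant: new hash and task name, same install path and signing cert
        "task_name": "BrowserAirUpdate",
        "action": r"C:\Users\bob\AppData\Local\installer\installbrowserair_16101\setup.exe",
        "trigger": "logon",
        "sha256": "0" * 64,
        "cert_serial": IOC_CERT_SERIAL,
    },
    {   # an unrelated vendor updater living under Program Files
        "task_name": "Vendor Updater",
        "action": r"C:\Program Files\Vendor\updater.exe",
        "trigger": "daily",
        "sha256": "f" * 64,
        "cert_serial": "0123456789ABCDEF0123456789ABCDEF",
    },
]


if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_TASKS).items():
        print(f"{name}: {', '.join(hits)}")
    for host in ("server-54-230-38-19.jfk1.r.cloudfront.net",
                 "server-205-251-251-196.jfk5.r.cloudfront.net"):
        print(f"{host}: {network_ioc_strength(host)}")
```

The hash catches only the exact build from the report; the task name, install path and certificate serial survive a rebuild and are the indicators to keep in a detection rule, with the serial valid only until the certificate's expiry date shown above.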

Remove dc0p1i9lkpusw==2.exe - Powered by Reason Core Security