home

highcloud.exe

plusmat

PioneerSoft

The application highcloud.exe by PioneerSoft has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler named highcloud triggered to execute each time a user logs in.
Publisher:
PioneerSoft  (signed and verified)

Product:
plusmat

Version:
1, 0, 0, 1

MD5:
fab0dd357bffcc689d190eaaea775a05

SHA-1:
94cca25739dc7e18bee84538b5d9b4ab4c046c30

SHA-256:
72c3aec7c4c85fad00aba06458ee5b861edd0938537c5d568742158154ea5ff3

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/28/2024 5:29:48 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
16.12.30.7

File size:
15.3 KB (15,664 bytes)

Product version:
1, 0, 0, 1

Copyright:
Copyright (C) 2014

Original file name:
plusmat.EXE

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\highcloud\highcloud.exe

Digital Signature
Signed by:
PioneerSoft

Authority:
GlobalSign nv-sa

Valid from:
6/13/2016 1:29:13 PM

Valid to:
7/16/2017 5:50:18 PM

Subject:
CN=PioneerSoft, O=PioneerSoft, L=Yongin-si, S=Gyeonggi-do, C=KR

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121239E0D9C33AA6594ADCD0ACB2FADC025

File PE Metadata
Compilation timestamp:
12/21/2016 12:05:09 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x9770

Entry point:
60, BE, 00, 80, 40, 00, 8D, BE, 00, 90, FF, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75...
 
[+]

Entropy:
6.9579

Packer / compiler:
UPX 2.90LZMA

Code size:
8 KB (8,192 bytes)

Scheduled Task
Task name:
highcloud

Trigger:
Logon (Runs on logon)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-13-124-21-149.ap-northeast-2.compute.amazonaws.com  (13.124.21.149:80)

TCP (HTTP):
Connects to unknown.telstraglobal.net  (210.176.156.25:80)

TCP (HTTP):
Connects to ec2-52-79-124-201.ap-northeast-2.compute.amazonaws.com  (52.79.124.201:80)

TCP (HTTP SSL):
Connects to ec2-52-193-34-224.ap-northeast-1.compute.amazonaws.com  (52.193.34.224:443)

TCP (HTTP SSL):
Connects to a23-53-224-74.deploy.static.akamaitechnologies.com  (23.53.224.74:443)

TCP (HTTP):
Connects to a184-25-24-81.deploy.static.akamaitechnologies.com  (184.25.24.81:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-icn1.fbcdn.net  (31.13.68.16:443)

TCP (HTTP):
Connects to server-52-85-119-205.icn51.r.cloudfront.net  (52.85.119.205:80)

TCP (HTTP):
Connects to server-52-85-119-194.icn51.r.cloudfront.net  (52.85.119.194:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-icn1.facebook.com  (31.13.68.35:443)

TCP (HTTP SSL):
Connects to ec2-52-78-59-67.ap-northeast-2.compute.amazonaws.com  (52.78.59.67:443)

TCP (HTTP SSL):
Connects to ec2-52-199-98-179.ap-northeast-1.compute.amazonaws.com  (52.199.98.179:443)

TCP (HTTP SSL):
Connects to ec2-52-196-170-251.ap-northeast-1.compute.amazonaws.com  (52.196.170.251:443)

TCP (HTTP):
Connects to a23-74-19-27.deploy.static.akamaitechnologies.com  (23.74.19.27:80)

TCP (HTTP):
Connects to a23-53-227-135.deploy.static.akamaitechnologies.com  (23.53.227.135:80)

TCP (HTTP):
Connects to a23-43-11-27.deploy.static.akamaitechnologies.com  (23.43.11.27:80)

TCP (HTTP SSL):
Connects to 185.14.211.130.bc.googleusercontent.com  (130.211.14.185:443)

TCP (HTTP SSL):
Connects to 174.bm-nginx-loadbalancer.mgmt.sin1.adnexus.net  (103.243.221.109:443)

TCP (HTTP):
Connects to ec2-52-69-38-9.ap-northeast-1.compute.amazonaws.com  (52.69.38.9:80)

TCP (HTTP SSL):
Connects to cache.google.com  (59.18.49.157:443)

Remove highcloud.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.