ProtectExtension.exe

ProtectExtension

The application ProtectExtension.exe has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “Protect your browser's extensions and plugins”. While running, it connects to the Internet address rack24u28.hispaweb.net on port 80 using the HTTP protocol.
Product:
ProtectExtension

Version:
1.0.2.4

MD5:
a272540d78c7f729d75c02ffa8560f14

SHA-1:
2a5218b980b7f2a62d26ff9ac9fe4fea3f5f7434

SHA-256:
2719d4168399e53e14ac95eb99e3b7159ced71bfaa20cb88e5ab3df67d91e139

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/26/2024 10:07:53 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Protect (M)
15.12.31.9

File size:
69 KB (70,656 bytes)

Product version:
1.0.2.4

Copyright:
Copyright © 2014

Original file name:
ProtectExtension.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\baseflash\protect\protectextension.exe

File PE Metadata
Compilation timestamp:
5/7/2014 4:39:34 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
1536:vMDklJQIGsXu8SdnX5vQv5v96v4vQoXQvLQvQvJvwRSvvmvuvOVvQ/vvYqyvQbqU:kDklJQIGsXu8SdX5vQv5v96v4vQoXQvv

Entry address:
0x11F1E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
64 KB (65,536 bytes)

Service
Display name:
Protect your browser's extensions and plugins

Service name:
srvProtectExtension

Type:
Win32OwnProcess


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to rack24u28.hispaweb.net  (93.189.36.203:80)

Remove ProtectExtension.exe - Powered by Reason Core Security