ProtectExtension.exe

ProtectExtension

The application ProtectExtension.exe has been detected as adware by 10 anti-malware scanners. It runs as a Windows service in its own process, named “Protect your browser's extensions and plugins”. While running, it connects to the Internet address rack24u28.hispaweb.net on port 443.
Product:
ProtectExtension

Version:
1.0.2.4

MD5:
c4c113c89fb282d8876f8f516959f0d7

SHA-1:
a6eacd14d80e70daa9327cab631e4e8eea038f21

SHA-256:
e7180796e2f63d140fb7d345e413544b9ba08ac65e55793493404153b17d64b0

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications, using the Vittalia monetization installer.

Analysis date:
12/23/2024 11:51:35 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| AhnLab V3 Security | Malware/Win32.Generic | 2014.06.17 |
| Avira AntiVirus | TR/Dropper.Gen7 | 7.11.155.52 |
| avast! | MSIL:Spacekito-A [Trj] | 2014.9-141104 |
| Baidu Antivirus | Adware.MSIL.Vittalia | 4.0.3.14114 |
| ESET NOD32 | MSIL/Vittalia (variant) | 8.9953 |
| IKARUS anti.virus | Trojan.Msil | t3scan.1.6.1.0 |
| Malwarebytes | PUP.Optional.BProtector | v2014.11.04.03 |
| McAfee | Artemis!C4C113C89FB2 | 5600.6956 |
| Microsoft Security Essentials | Trojan:MSIL/Spacekito.C | 1.10600 |
| Reason Heuristics | PUP.Protect.Service.Q | 14.11.4.15 |

File size:
69.5 KB (71,168 bytes)

Product version:
1.0.2.4

Copyright:
Copyright © 2014

Original file name:
ProtectExtension.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\baseflash\protect\protectextension.exe

File PE Metadata
Compilation timestamp:
6/16/2014 10:20:56 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
1536:hsZPw+20OoSv1VDHgoPYBoh7gSzQf23l4:+ZPw+2FoSv15goPY87gSy23i

Entry address:
0x1214E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
64.5 KB (66,048 bytes)

Service
Display name:
Protect your browser's extensions and plugins

Service name:
srvProtectExtension

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to rack24u28.hispaweb.net  (93.189.36.203:80)
