updater3915.exe

AutoComplete+ Personal

Cloud Power LLC

The application updater3915.exe, “AutoComplete+ Personal exe” by Cloud Power, has been detected as adware by 7 anti-malware scanners. While running, it connects to the Internet address lb-212-222.above.com on port 80 using the HTTP protocol.
Publisher:
AutoComplete+  (signed by Cloud Power LLC)

Product:
AutoComplete+ Personal

Description:
AutoComplete+ Personal exe

Version:
1000.1000.1000.1000

MD5:
99833db9ec11619cfe7bf4a409ec598c

SHA-1:
5eee4343131f70702db2e842c43187e5ba65aa2f

SHA-256:
64afe617ea4cbfad1743a5abd62f89e5e9b0ed6a0f7b9c99546ee4cae51f6abc

Scanner detections:
7 / 68

Status:
Adware

Explanation:
May modify the web browser's settings, including changing the homepage and search provider, in addition to delivering ads (by injecting banners and text links directly into the webpage).

Analysis date:
11/5/2024 10:05:25 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| AVG | SmartShopper.G | 2015.0.3481 |
| Baidu Antivirus | Trojan.Win32.Toolbar | 4.0.3.1457 |
| Dr.Web | Adware.Plugin.88 | 9.0.1.0127 |
| ESET NOD32 | Win32/Toolbar.CrossRider (variant) | 8.9179 |
| NANO AntiVirus | Trojan.Win32.Plugin.cqzpgj | 0.28.0.56692 |
| Reason Heuristics | PUP.CloudPower.L | 14.9.11.21 |
| VIPRE Antivirus | Adware.Crossid | 24430 |

File size:
203.5 KB (208,384 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
AutoComplete+ Personal.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\updater3915\updater3915.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
5/29/2012 2:00:00 AM

Valid to:
5/30/2015 1:59:59 AM

Subject:
CN=Cloud Power LLC, O=Cloud Power LLC, STREET=5375 Beechwood Ln, L=Los Altos, S=CA, PostalCode=94024, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
444FE815BC180B87BEEC9346E8588153

File PE Metadata
Compilation timestamp:
1/15/2013 2:01:55 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:B/2e1jiykkaE5dKvKJZltWRkWTpJitu8xQAei7MxNEndGM/kl:Ye9iykqZvlt4k8Jkn+Aei7MxvMU

Entry address:
0x15B31

Entry point:
E8, 95, 83, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 22, E2, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, 20, 26, 43, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 6C, 90, 42, 00...
 

Code size:
158 KB (161,792 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to geoplugin.net  (178.237.36.10:80)

TCP (HTTP):
Connects to lb-212-222.above.com  (103.224.212.222:80)
