votprx.exe

VOTPrx.exe

ArcadeTwist

The application votprx.exe by ArcadeTwist has been flagged as adware by 1 of 68 anti-malware scanners; that single detection comes from Reason's own heuristics engine (PUP.GameVance.ArcadeTwist), which classifies the file as a potentially unwanted program rather than confirmed malware. It runs as a Windows service named "VOTPrx" in its own process (service type Win32OwnProcess).
Publisher:
VentureOmni Technologies  (signed by ArcadeTwist)

Product:
VOTPrx.exe

Version:
2.3.5.2

MD5:
37398c8e17e366cf6b6a87d6321853db

SHA-1:
1c21d79f2d1d20ea3d6da4181ff453da7d0f3a16

SHA-256:
57779fb9b1c358a06a83e49949af873e8695e4c36865a4469d662ed42e4ae456

Scanner detections:
1 / 68

Status:
Adware

Note:
None of the third-party anti-malware engines in our current pool detects this file; the adware classification rests on our own detection heuristics, which flag it as unwanted.

Analysis date:
11/25/2024 4:20:50 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.GameVance.ArcadeTwist (M)

Engine version:
15.7.14.23

File size:
1.6 MB (1,726,880 bytes)

Product version:
2.3.5.2

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\arcadetwist\cat\votprx.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/19/2015 7:00:00 PM

Valid to:
1/19/2017 6:59:59 PM

Subject:
CN=ArcadeTwist, O=ArcadeTwist, L=Irvine, S=California, C=US

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
285C56079C0C7E91CD8726B42C0AF1B6

File PE Metadata
Compilation timestamp:
7/9/2015 5:51:12 AM

OS version:
5.1  (minimum OS version in the PE header, i.e. Windows XP)

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
11.0  (Visual Studio 2012 toolset)

CTPH (ssdeep):
49152:tfamGZFbS8sba57f7Z3k6jkKk5cJVZdmFgaasmEpX3R:AXF/sb+Z1jkmVSeaasNz

Entry address:
0x2BFB

Entry point:
E8, 00, 23, 00, 00, E9, 7B, FE, FF, FF, E9, 7E, 00, 00, 00, CC, CC, CC, CC, CC, CC, 53, 56, 8B, 4C, 24, 0C, 8B, 54, 24, 10, 8B, 5C, 24, 14, F7, C3, FF, FF, FF, FF, 74, 51, 2B, CA, F7, C2, 03, 00, 00, 00, 74, 18, 0F, B6, 04, 0A, 3A, 02, 75, 48, 85, C0, 0F, 44, D8, 42, 83, EB, 01, 76, 34, F6, C2, 03, 75, E8, 8D, 04, 0A, 25, FF, 0F, 00, 00, 3D, FC, 0F, 00, 00, 77, D9, 8B, 04, 0A, 3B, 02, 75, D2, 83, EB, 04, 76, 14, 8D, B0, FF, FE, FE, FE, 83, C2, 04, F7, D0, 23, C6, A9, 80, 80, 80, 80, 74, D1, 33, C0, 5E, 5B...
 

Entropy:
7.9863  (probably packed)

Code size:
37 KB (37,888 bytes)
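The hashes, entropy figure and PE header fields above are exactly what an analyst re-derives when handling a suspect copy of this file. The script below is an added example, not code from this page or from Reason Core Security: it hashes a file, computes its Shannon entropy, reads the compile timestamp, linker version, OS version, subsystem, entry-point RVA and code size from a PE32 header, and checks whether the compile timestamp falls inside the signing certificate's validity window listed above (the certificate dates are taken as printed and treated as UTC, an assumption). The 7.0 entropy threshold for "probably packed" is a common rule of thumb rather than the page's stated cut-off, and the header-only image built by `build_minimal_pe32()` is constructed test data carrying the page's values, not a real binary.

```python
"""Added triage helper (not from this page): re-derive the hash, entropy and
PE header fields listed above for a suspect copy of a file such as votprx.exe."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Reference values copied from this page.
PAGE_HASHES = {
    "md5": "37398c8e17e366cf6b6a87d6321853db",
    "sha1": "1c21d79f2d1d20ea3d6da4181ff453da7d0f3a16",
    "sha256": "57779fb9b1c358a06a83e49949af873e8695e4c36865a4469d662ed42e4ae456",
}
PAGE_SIZE = 1_726_880
PAGE_COMPILE_TS = int(datetime(2015, 7, 9, 5, 51, 12, tzinfo=timezone.utc).timestamp())
# Certificate validity as printed above; the page gives no timezone, so UTC is assumed.
CERT_NOT_BEFORE = datetime(2015, 1, 19, 19, 0, 0, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2017, 1, 19, 18, 59, 59, tzinfo=timezone.utc)
PACKED_THRESHOLD = 7.0  # assumed rule of thumb; the maximum is 8.0 bits per byte


def file_hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_page_sample(data: bytes) -> bool:
    return len(data) == PAGE_SIZE and file_hashes(data) == PAGE_HASHES


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def likely_packed(entropy: float) -> bool:
    return entropy >= PACKED_THRESHOLD


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF / optional-header fields reported above (PE32 images only)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER32
    magic, linker_major, linker_minor, code_size = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "linker_version": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": {2: "Windows GUI", 3: "Windows Console"}.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "code_size": code_size,
    }


def compiled_within_cert_validity(compile_time: datetime) -> bool:
    """A compile time outside the signer's validity window deserves a second look;
    it does not by itself invalidate a timestamp-countersigned signature."""
    return CERT_NOT_BEFORE <= compile_time <= CERT_NOT_AFTER


def build_minimal_pe32(timestamp: int, linker=(11, 0), entry_rva=0x2BFB,
                       os_ver=(5, 1), subsystem=3, code_size=37_888) -> bytes:
    """Constructed header-only PE32 (not runnable) carrying the values this page lists."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE signature right after the DOS header
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, linker[0], linker[1], code_size)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<HH", opt, 40, *os_ver)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(hdr + opt)


def triage_bytes(data: bytes) -> dict:
    ent = shannon_entropy(data)
    pe = parse_pe_header(data)
    return {
        "size": len(data),
        "hashes": file_hashes(data),
        "matches_page_sample": matches_page_sample(data),
        "entropy": round(ent, 4),
        "probably_packed": likely_packed(ent),
        "compiled_within_cert_validity": compiled_within_cert_validity(pe["compile_time"]),
        **pe,
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as f:
        return triage_bytes(f.read())
```

Run `triage_file(path)` on the suspect executable and compare the returned fields one by one with the metadata above; a hash mismatch with the same version string or a compile time far outside the certificate window is a reason to treat the copy as a different build.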

Service
Display name:
VOTPrx

Description:
VentureOmni Web Services

Type:
Win32OwnProcess

Depends on:
RPCSS


When executed, this file has been observed making the following network connections in live environments. Many of the destinations below are shared cloud and CDN infrastructure (Facebook and fbcdn edge nodes, generic Amazon EC2 and CloudFront addresses, Yahoo and Google (1e100.net) front ends), so a connection to one of them is weak evidence on its own; the less generic hosts and the combination of destinations are the useful indicators.

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-lht6.fbcdn.net  (157.240.1.23:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-ams3.facebook.com  (31.13.91.36:443)

TCP (HTTP SSL):
Connects to ec2-52-2-10-61.compute-1.amazonaws.com  (52.2.10.61:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-ams3.fbcdn.net  (31.13.91.6:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-ams3.facebook.com  (31.13.91.2:443)

TCP (HTTP SSL):
Connects to ec2-52-73-109-231.compute-1.amazonaws.com  (52.73.109.231:443)

TCP (HTTP):
Connects to ec2-54-225-184-218.compute-1.amazonaws.com  (54.225.184.218:80)

TCP (HTTP SSL):
Connects to edge-video-shv-01-lht6.fbcdn.net  (157.240.1.19:443)

TCP (HTTP):
Connects to ec2-52-41-182-208.us-west-2.compute.amazonaws.com  (52.41.182.208:80)

TCP (HTTP):
Connects to cds20002.stn.llnw.net  (154.51.146.42:80)

TCP (HTTP SSL):
Connects to server-52-84-64-81.ord51.r.cloudfront.net  (52.84.64.81:443)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.gq1.yahoo.com  (208.71.45.11:443)

TCP:
Connects to jn-in-f188.1e100.net  (209.85.234.188:5228)

TCP (HTTP):
Connects to hosted-by.reliablesite.net  (206.221.178.170:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-lhr3.facebook.com  (31.13.90.36:443)

TCP (HTTP SSL):
Connects to ec2-54-68-119-170.us-west-2.compute.amazonaws.com  (54.68.119.170:443)

TCP (HTTP):
Connects to ec2-54-225-183-233.compute-1.amazonaws.com  (54.225.183.233:80)

TCP (HTTP):
Connects to ec2-50-112-255-27.us-west-2.compute.amazonaws.com  (50.112.255.27:80)

TCP (HTTP SSL):
Connects to e1.ycpi.vip.sja.yahoo.com  (69.147.88.7:443)

TCP (HTTP SSL):
Connects to dm2305-c.1drv.com  (134.170.110.48:443)
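The list above becomes useful only once it is turned into structured indicators with some notion of confidence. The script below is an added example, not code from this page or from Reason Core Security: it parses a handful of the entries above (copied verbatim but joined onto single lines), marks destinations on shared cloud/CDN domains as low confidence, matches constructed proxy log lines against the ip:port pairs, and flags a source host only on a medium-confidence hit or a cluster of low-confidence ones. The log format, the shared-infrastructure suffix list and the scoring rule are assumptions for illustration and should be tuned to your own environment.

```python
"""Added example (not from this page): match the network indicators listed above
against proxy log lines, weighting shared-infrastructure destinations down."""
from __future__ import annotations
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Subset of the destinations listed on this page, copied verbatim onto single lines.
PAGE_NETWORK = """
TCP (HTTP SSL): Connects to ec2-52-2-10-61.compute-1.amazonaws.com  (52.2.10.61:443)
TCP (HTTP): Connects to ec2-54-225-184-218.compute-1.amazonaws.com  (54.225.184.218:80)
TCP (HTTP): Connects to cds20002.stn.llnw.net  (154.51.146.42:80)
TCP: Connects to jn-in-f188.1e100.net  (209.85.234.188:5228)
TCP (HTTP): Connects to hosted-by.reliablesite.net  (206.221.178.170:80)
TCP (HTTP SSL): Connects to edge-star-mini-shv-01-ams3.facebook.com  (31.13.91.36:443)
"""

ENTRY_RE = re.compile(r"^TCP(?: \(([^)]*)\))?:\s*Connects to (\S+)\s+\(([\d.]+):(\d+)\)$")

# Domains whose addresses are shared by countless legitimate services; a hit on one of
# these is weak evidence by itself (assumed list, extend it for your environment).
SHARED_INFRA_SUFFIXES = (
    ".amazonaws.com", ".cloudfront.net", ".fbcdn.net", ".facebook.com",
    ".1e100.net", ".yahoo.com", ".llnw.net", ".1drv.com",
)


@dataclass(frozen=True)
class Ioc:
    host: str
    ip: str
    port: int
    proto: str
    confidence: str


def parse_page_entries(text: str) -> list[Ioc]:
    """Turn the page's 'Connects to host (ip:port)' lines into Ioc records."""
    iocs = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        proto, host, ip, port = m.groups()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        confidence = "low" if host.endswith(SHARED_INFRA_SUFFIXES) else "medium"
        iocs.append(Ioc(host, ip, int(port), proto or "TCP", confidence))
    return iocs


# Constructed proxy log lines (not real traffic): "<ts> <src> -> <dst_ip>:<port> <host>"
SAMPLE_LOG = """
2024-11-25T04:21:03Z 10.0.0.15 -> 206.221.178.170:80 hosted-by.reliablesite.net
2024-11-25T04:21:05Z 10.0.0.15 -> 31.13.91.36:443 edge-star-mini-shv-01-ams3.facebook.com
2024-11-25T04:21:09Z 10.0.0.22 -> 93.184.216.34:443 example.com
2024-11-25T04:21:11Z 10.0.0.15 -> 209.85.234.188:5228 jn-in-f188.1e100.net
"""
LOG_RE = re.compile(r"^(\S+) (\S+) -> ([\d.]+):(\d+) (\S+)$")


def match_log(log_text: str, iocs: list[Ioc]) -> list[tuple[str, str, Ioc]]:
    """Return (timestamp, source, Ioc) for every log line whose dst ip:port is an indicator."""
    by_ip_port = {(i.ip, i.port): i for i in iocs}
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, ip, port, _host = m.groups()
        ioc = by_ip_port.get((ip, int(port)))
        if ioc is not None:
            hits.append((ts, src, ioc))
    return hits


def suspicious_sources(hits, low_hits_needed: int = 3) -> set[str]:
    """Assumed scoring rule: one medium-confidence hit, or several low-confidence ones,
    marks a source as worth investigating; a lone CDN/cloud hit does not."""
    counts: dict[str, Counter] = defaultdict(Counter)
    for _ts, src, ioc in hits:
        counts[src][ioc.confidence] += 1
    return {src for src, c in counts.items()
            if c["medium"] >= 1 or c["low"] >= low_hits_needed}
```

For real use, feed the full list above into `parse_page_entries()` and your own proxy or firewall export into `match_log()`; the indicators that carry weight are the ones outside the shared-infrastructure suffixes, and even those are only as current as the analysis date shown on this page.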

Remove votprx.exe - Powered by Reason Core Security