winplugin.exe

AVPlugin Sofware

FC Group Corporation LTDA

The executable winplugin.exe, whose file metadata describes it as “This software protect your PC Computer”, has been detected as malware by 3 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘WinPlugin’.
Publisher:
AV Plugin Service  (signed by FC Group Corporation LTDA)

Product:
AVPlugin Sofware

Description:
This software protect your PC Computer

Version:
3.0.7.1

MD5:
5af81d49fbe69d80f36261b02a56bd2e

SHA-1:
aaefd66041c3ec307846d0c9f45a8eebab8d1160

SHA-256:
aa4e065ef6ac2a0247b851d69982bc1f09efa325a7c699a3ebf70e1aaa5868c6

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
11/29/2024 9:33:43 AM UTC

Scan engine             Detection                         Engine version
AegisLab AV Signature   Troj.Downloader.W32.Gen           2.1.4+
Avira AntiVirus         TR/Spy.Banker.Gen                 8.3.2.4
ESET NOD32              Win32/Spy.Banker.ABMV (variant)   10.12716

File size:
5.4 MB (5,712,680 bytes)

Product version:
3.0.7.1

Original file name:
AVPlugin

File type:
Executable application (Win32 EXE)

Language:
Brazilian Portuguese

Common path:
C:\users\{user}\appdata\roaming\winplugin.exe

Digital Signature
Authority:
FC Group Corporation LTDA

Valid from:
12/7/2015 2:28:06 PM

Valid to:
12/4/2025 2:28:06 PM

Subject:
E=carlosant30@hotmail.com, CN=Carlos B, OU=FC Group LTDA, O=FC Group Corporation LTDA, L=Sao Paulo, S=Sao Paulo, C=BR

Issuer:
E=carlosant30@hotmail.com, CN=Carlos B, OU=FC Group LTDA, O=FC Group Corporation LTDA, L=Sao Paulo, S=Sao Paulo, C=BR

Serial number:
009E743FF5EAF0B266

File PE Metadata
Compilation timestamp:
6/19/1992 7:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:lB1Cq8JvSSpY5p0SPapAara/PapAara/PapAara/PapqaPa/PapAara/PapAaraF:ldQSPapAara/PapAara/PapAara/Papk

Entry address:
0xF1CD8

Entry point:
55, 8B, EC, 83, C4, F0, 53, 56, B8, 30, 18, 01, 08, E8, 62, 4B, F1, FF, 68, 00, 1E, 01, 08, E8, E4, 57, F1, FF, 8B, F0, 68, 00, 1E, 01, 08, 6A, FF, 6A, 00, E8, 54, 4E, F1, FF, 8B, D8, 85, DB, 74, 0C, E8, 51, 4F, F1, FF, 3D, B7, 00, 00, 00, 75, 14, 6A, 00, 6A, 00, 56, 68, FF, FF, 00, 00, E8, EB, 57, F1, FF, E9, CE, 00, 00, 00, A1, 0C, A0, 01, 08, 8B, 00, E8, 72, 44, F8, FF, A1, 0C, A0, 01, 08, 8B, 00, BA, 14, 1E, 01, 08, E8, 59, 40, F8, FF, A1, 0C, A0, 01, 08, 8B, 00, C6, 40, 5B, 00, 8B, 0D, D4, A1, 01, 08...

Developed / compiled with:
Microsoft Visual C++

Code size:
964 KB (987,136 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WinPlugin

Command:
C:\users\{user}\appdata\roaming\winplugin.exe


Remove winplugin.exe - Powered by Reason Core Security