winplugin.exe

AVPlugin Sofware

FC Group Corporation LTDA

The executable winplugin.exe (“This software protect your PC Computer”) has been detected as malware by 30 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current user Run registry key under the display name ‘WinPlugin’.
Publisher:
AV Plugin Service  (signed by FC Group Corporation LTDA)

Product:
AVPlugin Sofware

Description:
This software protect your PC Computer

Version:
3.0.7.1

MD5:
e8a07a07dc8a441065f955e4caf7fde3

SHA-1:
eb7f453d373e7f5828cc46c517d5866a1283f03f

SHA-256:
214899a94d26ad06d45d619bee7f07c0952925b8517a0786b4c9914e17c4e84c

Scanner detections:
30 / 68

Status:
Malware

Analysis date:
11/29/2024 9:23:48 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Gen:Variant.Zusy.173236 | 333 |
| AegisLab AV Signature | Troj.Downloader.W32.Gen | 2.1.4+ |
| Agnitum Outpost | Trojan.PWS.BestaFera | 7.1.1 |
| Arcabit | Trojan.Zusy.D2A4B4 | 1.0.0.646 |
| avast! | Win32:Malware-gen | 2014.9-160307 |
| AVG | PSW.Banker7 | 2017.0.2811 |
| Baidu Antivirus | Trojan.Win32.Banker | 4.0.3.1637 |
| Bitdefender | Gen:Variant.Zusy.173236 | 1.0.20.335 |
| Dr.Web | Trojan.DownLoader18.18831 | 9.0.1.067 |
| Emsisoft Anti-Malware | Gen:Variant.Zusy.173236 | 8.16.03.07.09 |
| ESET NOD32 | Win32/Spy.Banker.ABMV (variant) | 10.12921 |
| Fortinet FortiGate | W32/BestaFera.ABMV!tr | 3/7/2016 |
| F-Secure | Gen:Variant.Zusy.173236 | 11.2016-07-03_2 |
| G Data | Gen:Variant.Zusy.173236 | 16.3.25 |
| IKARUS anti.virus | Trojan-Spy.Agent | t3scan.2.0.3.0 |
| K7 AntiVirus | Spyware | 13.212.18523 |
| Kaspersky | Trojan-Banker.Win32.BestaFera | 14.0.0.551 |
| Malwarebytes | Trojan.Banker.WP | v2016.03.07.09 |
| McAfee | Artemis!E8A07A07DC8A | 5600.6467 |
| Microsoft Security Essentials | TrojanSpy:Win32/Banker!rfn | 1.1.12400.0 |
| MicroWorld eScan | Gen:Variant.Zusy.173236 | 17.0.0.201 |
| NANO AntiVirus | Trojan.Win32.DownLoader18.dztxyl | 1.0.14.5380 |
| Panda Antivirus | Trj/CI.A | 16.03.07.09 |
| Qihoo 360 Security | HEUR/QVM41.2.Malware.Gen | 1.0.0.1077 |
| Rising Antivirus | PE:Malware.Generic(Thunder)!1.A1C4 [F] | 23.00.65.16305 |
| Sophos | Mal/Generic-S | 4.98 |
| Trend Micro | TROJ_GEN.R0EAC0DLK15 | 10.465.07 |
| VIPRE Antivirus | Trojan.Win32.Generic | 46748 |
| ViRobot | Trojan.Win32.A.BestaFera.5729576[h] | 2014.3.20.0 |
| Zillya! Antivirus | Downloader.Banload.Win32.70120 | 2.0.0.2628 |

File size:
5.5 MB (5,729,576 bytes)

Product version:
3.0.7.1

Original file name:
AVPlugin

File type:
Executable application (Win32 EXE)

Language:
Portuguese (Brazil)

Common path:
C:\users\{user}\appdata\roaming\winplugin.exe

Digital Signature
Authority:
FC Group Corporation LTDA

Valid from:
12/7/2015 2:28:06 PM

Valid to:
12/4/2025 2:28:06 PM

Subject:
E=carlosant30@hotmail.com, CN=Carlos B, OU=FC Group LTDA, O=FC Group Corporation LTDA, L=Sao Paulo, S=Sao Paulo, C=BR

Issuer:
E=carlosant30@hotmail.com, CN=Carlos B, OU=FC Group LTDA, O=FC Group Corporation LTDA, L=Sao Paulo, S=Sao Paulo, C=BR

Serial number:
009E743FF5EAF0B266

File PE Metadata
Compilation timestamp:
6/19/1992 7:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:lCxOQsSSpY5T0SPapAara/PapAara/PapAara/PapqaPa/PapAara/PapAara/Pl:lhSPapAara/PapAara/PapAara/Papq/

Entry address:
0xF2238

Entry point:
55, 8B, EC, 83, C4, F0, 53, 56, B8, 88, 1D, 01, 08, E8, 02, 46, F1, FF, 68, 60, 23, 01, 08, E8, 84, 52, F1, FF, 8B, F0, 68, 60, 23, 01, 08, 6A, FF, 6A, 00, E8, F4, 48, F1, FF, 8B, D8, 85, DB, 74, 0C, E8, F1, 49, F1, FF, 3D, B7, 00, 00, 00, 75, 14, 6A, 00, 6A, 00, 56, 68, FF, FF, 00, 00, E8, 8B, 52, F1, FF, E9, CE, 00, 00, 00, A1, 18, B0, 01, 08, 8B, 00, E8, 12, 3F, F8, FF, A1, 18, B0, 01, 08, 8B, 00, BA, 74, 23, 01, 08, E8, F9, 3A, F8, FF, A1, 18, B0, 01, 08, 8B, 00, C6, 40, 5B, 00, 8B, 0D, E0, B1, 01, 08...

Developed / compiled with:
Microsoft Visual C++

Code size:
965 KB (988,160 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WinPlugin

Command:
C:\users\{user}\appdata\roaming\winplugin.exe

