zfytzaqkhn32.exe

Coupoon

Part of an Adpeak program that shows ads in the browser without providing information about the ad's origin. Ads are injected as banners or text links in random web pages. The application zfytzaqkhn32.exe by Coupoon has been detected as adware by 14 anti-malware scanners. It runs as a separate Windows service (within the context of its own process) named “zfytzaqkhn32”.
Publisher:
Coupoon  (signed and verified)

MD5:
4df26509f51b58373f9a4006bcdf5217

SHA-1:
c53b671c2d7f4b6a22432fa52b2bed928516f0d8

SHA-256:
a93d60e52e93ecf872502f53f1b83288ef0030d5b33ed9fd0705d12395eed019

Scanner detections:
14 / 68

Status:
Adware

Explanation:
Injects advertisements in the web browser in the form of banner ads and popups.

Analysis date:
12/24/2024 3:43:09 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.AdPeak.Y | 562
Baidu Antivirus | Adware.Win32.Adpeak | 4.0.3.15723
Bitdefender | Adware.AdPeak.Y | 1.0.20.1020
Emsisoft Anti-Malware | Adware.AdPeak.Y | 8.15.07.17.05
ESET NOD32 | Win32/Adware.Adpeak (variant) | 9.11710
F-Secure | Adware.AdPeak.Y | 11.2015-17-07_6
herdProtect (fuzzy) | | 2015.7.23.2
K7 AntiVirus | Adware | 13.204.16086
Malwarebytes | PUP.Optional.Coupoon.A | v2015.07.17.05
MicroWorld eScan | Adware.AdPeak.Y | 16.0.0.612
nProtect | Adware.AdPeak.Y | 15.05.29.01
Reason Heuristics | PUP.AdPeak.Coupoon | 15.5.8.23
Sophos | Generic PUA FE | 4.98
VIPRE Antivirus | Trojan.Win32.Generic | 40692

File size:
607.8 KB (622,392 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\015\zfytzaqkhn32.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
11/21/2014 9:35:57 AM

Valid to:
11/22/2015 9:35:57 AM

Subject:
E=support@coupoon.org, CN=Coupoon, O=Coupoon, L=Tallahassee, S=FL, C=US

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121400C47EC899C3BA485785E2CAB2D79C3

File PE Metadata
Compilation timestamp:
3/22/2015 4:30:51 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
8.0

CTPH (ssdeep):
12288:f1f4iPIGWji/SJZSLhOOvtMkJGTLqMIB0EcF9DMf:f1wseZSLPFMsa+6ZMf

Entry address:
0x12931

Entry point:
E8, 96, 0D, 01, 00, E9, 41, FE, FF, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, F0, 10, 49, 00, 89, 0D, EC, 10, 49, 00, 89, 15, E8, 10, 49, 00, 89, 1D, E4, 10, 49, 00, 89, 35, E0, 10, 49, 00, 89, 3D, DC, 10, 49, 00, 66, 8C, 15, 08, 11, 49, 00, 66, 8C, 0D, FC, 10, 49, 00, 66, 8C, 1D, D8, 10, 49, 00, 66, 8C, 05, D4, 10, 49, 00, 66, 8C, 25, D0, 10, 49, 00, 66, 8C, 2D, CC, 10, 49, 00, 9C, 8F, 05, 00, 11, 49, 00, 8B, 45, 00, A3, F4, 10, 49, 00, 8B, 45, 04, A3, F8, 10, 49, 00, 8D, 45, 08, A3, 04, 11, 49, 00, 8B...
 

Entropy:
6.3576

Code size:
380 KB (389,120 bytes)

Service
Display name:
zfytzaqkhn32

Type:
Win32OwnProcess

