» frameworkbho64.dll
Overview
Analysis
File Details
Behaviors (1)

frameworkbho64.dll

Framework

Exciting Apps

This file is a support library for an advertising-based software package (potentially unwanted/adware) distributed by 50onRed used to hijack the Internet browser search provider. The module frameworkbho64.dll by Exciting Apps has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is installed within the context of Internet Explore as a BHO (Browser Helper Object) under the name ‘Coupon Server BHO’. This web browser addon will display additional advertisements in the user's browser including popup, banner, contextual hyperlinks as well as affiliate links.

File name:

frameworkbho64.dll

Publisher:

Exciting Apps (signed and verified)

Product:

Framework

Description:

FrameworkBHO

Version:

1.1.0.0

MD5:

58c5d24419f154dd4611360ff2b8ad9a

SHA-1:

e036b92bc12ae0ef8262c754d30ed8212b8c0b73

SHA-256:

9666ac560a117d6f549e65dd4b4328187922e9db6b0c62b221d3043ba06515fa

Scanner detections:

1 / 68

Status:

Adware

Explanation:

Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:

5/17/2024 1:12:08 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

Adware.GamePlayLabs (M)

17.3.14.7

File size:

482.2 KB (493,800 bytes)

Product version:

1.1.0.0

File type:

Dynamic link library (Win64 DLL)

Language:

English (United States)

Common path:

C:\Program Files\coupon server\frameworkbho64.dll

Digital Signature

Signed by:

Exciting Apps

Authority:

Thawte, Inc.

Valid from:

3/17/2014 8:00:00 PM

Valid to:

3/25/2015 7:59:59 PM

Subject:

CN=Exciting Apps, O=Exciting Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:

CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:

534682E2D442EC8EA3320856DF2214DC

Registration

CLSIDs:

{CACB139B-7C2C-4A99-A4EE-72449D0FF549}, {F791D8AE-47E8-40A5-A913-EB2D2AF29602}

COM registered:

Yes

File PE Metadata

Compilation timestamp:

4/21/2014 4:11:17 AM

OS version:

5.2

OS bitness:

Win64

Subsystem:

Windows GUI

Linker version:

12.0

Entry address:

0x323C8

Entry point:

48, 89, 5C, 24, 08, 48, 89, 74, 24, 10, 57, 48, 83, EC, 20, 49, 8B, F8, 8B, DA, 48, 8B, F1, 83, FA, 01, 75, 05, E8, B7, 93, 00, 00, 4C, 8B, C7, 8B, D3, 48, 8B, CE, 48, 8B, 5C, 24, 30, 48, 8B, 74, 24, 38, 48, 83, C4, 20, 5F, E9, 03, 00, 00, 00, CC, CC, CC, 48, 8B, C4, 48, 89, 58, 20, 4C, 89, 40, 18, 89, 50, 10, 48, 89, 48, 08, 56, 57, 41, 56, 48, 83, EC, 50, 49, 8B, F0, 8B, DA, 4C, 8B, F1, BA, 01, 00, 00, 00, 89, 50, B8, 85, DB, 75, 0F, 39, 1D, FC, 04, 04, 00, 75, 07, 33, C0, E9, D2, 00, 00, 00, 8D, 43, FF... 
[+]

Entropy:

6.0118

Code size:

284.5 KB (291,328 bytes)

Internet Explorer BHO

Display name:

Coupon Server BHO

CLSID:

{F791D8AE-47E8-40A5-A913-EB2D2AF29602}

Remove frameworkbho64.dll - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.