352b67e9-3bf9-4f83-a87b-c0be81546ea6-4.exe

GoHD

City Road labs (Extreme White Limited)

The application 352b67e9-3bf9-4f83-a87b-c0be81546ea6-4.exe by City Road labs (Extreme White Limited) has been detected as adware by 24 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address hwcdn.net on port 80 using the HTTP protocol.
Publisher:
InstallMoon (signed by City Road labs (Extreme White Limited))

Product:
GoHD

Description:
GoHD exe

Version:
1000.1000.1000.1000

MD5:
4c8599de3683fc88dd2f5b8bd6369c19

SHA-1:
62a203a7bb58c9e825ee080aaabbe6eec7e6361e

SHA-256:
a50162766ea3864bfb23829448a08d5974ce22445bdfd9cc52c29ecb2992a7c2

Scanner detections:
24 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/25/2024 10:58:03 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Application.Heur.rv1@mqvvBVkO | 484
AhnLab V3 Security | PUP/Win32.CrossRider | 2015.10.07
Avira AntiVirus | ADWARE/CrossRider.Gen7 | 8.3.2.2
Arcabit | Application.Heur.ECD159B | 1.0.0.576
AVG | Luhe.Fiha.A | 2016.0.2962
Bitdefender | Gen:Application.Heur.rv1@mqvvBVkO | 1.0.20.1410
Bkav FE | W32.HfsAdware | 1.3.0.7237
Comodo Security | Application.Win32.CrossRider.AQQ | 23366
Dr.Web | Trojan.Crossrider1.42769 | 9.0.1.0282
ESET NOD32 | Win32/Toolbar.CrossRider.CV potentially unwanted (variant) | 9.12366
F-Prot | W32/S-56035608 | v6.4.7.1.166
F-Secure | Gen:Application.Heur.rv1@mqvvBVkO | 11.2015-09-10_6
G Data | Gen:Application.Heur.rv1@mqvvBVkO | 15.10.25
K7 AntiVirus | Unwanted-Program | 13.210.17446
Kaspersky | not-a-virus:HEUR:WebToolbar.Win32.CrossRider | 14.0.0.1303
Malwarebytes | PUP.Optional.GoHD | v2015.10.09.09
McAfee | PUP-FNR | 5600.6618
MicroWorld eScan | Gen:Application.Heur.rv1@mqvvBVkO | 16.0.0.846
Panda Antivirus | Trj/Genetic.gen | 15.10.09.09
Quick Heal | Trojan.GoogUpdate.013003 | 10.15.14.00
Reason Heuristics | Adware.Crossrider.ExtremeWhite (M) | 15.10.9.9
Rising Antivirus | PE:PUF.CrossRider!1.A157[F1] | 23.00.65.151007
SUPERAntiSpyware | Adware.CrossRider/Variant | 9580
VIPRE Antivirus | Crossrider | 44352

File size:
1.3 MB (1,339,984 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
GoHD.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\gohd\352b67e9-3bf9-4f83-a87b-c0be81546ea6-4.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 2:00:00 AM

Valid to:
4/15/2016 1:59:59 AM

Subject:
CN=City Road labs (Extreme White Limited), O=City Road labs (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00AE3B988EFE11AFE67F31C19E83D194B6

File PE Metadata
Compilation timestamp:
10/7/2015 3:04:08 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:Fmp1LjQUfBtj83nru2Xu4peVDxb4w6pSd3XrPa6GzSCpox1pSNITnr:Fmp1LjQQtQbu4eDEwWI39Bx1pSNITnr

Entry address:
0xCD2DA

Entry point:
E8, C8, E4, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, FB, E5, 00, 00, 3B, 30, 7C, 07, E8, F2, E5, 00, 00, 8B, 30, E8, E5, E5, 00, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, 9A, 43, 00, 00, 8B, F0, 85, F6, 75, 07, B8, F0, D4, 52, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 73, 2D, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, F0, D4, 52, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, 9D, D2...

Entropy:
6.6573

Code size:
968 KB (991,232 bytes)

Scheduled Task
Task name:
352b67e9-3bf9-4f83-a87b-c0be81546ea6-4

Trigger:
Logon (Runs on logon)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

Remove 352b67e9-3bf9-4f83-a87b-c0be81546ea6-4.exe - Powered by Reason Core Security