ae58d9bf-2c29-47d2-9aa6-7dfc60a559a7-11.exe

HD+V1.0

Motoko Group

This adware utilizes the Crossrider extension platform and will inject advertisements into the web browser and may modify core browser settings. Ads are delivered as banners and contextual text-links and may promote other potentially unwanted software. The application ae58d9bf-2c29-47d2-9aa6-7dfc60a559a7-11.exe by Motoko Group has been detected as adware by 22 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is part of the Brightcircle group of web extensions that inject advertisements into the browser.
Publisher:
HDPlusPro  (signed by Motoko Group)

Product:
HD+V1.0

Description:
HD+V1.0 exe

Version:
1000.1000.1000.1000

MD5:
5482c09b68a8473d8707aebe92e05aa8

SHA-1:
e21a87dfc7f0462fccaf7c177c26ce269a4bbec4

SHA-256:
18c351d65e74b5220ad2b13e19d026374e11888b43773e2c6cd99a61299dd9f5

Scanner detections:
22 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/26/2024 12:09:09 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Adware.Kazy.374062 | 912
Avira AntiVirus | ADWARE/CrossRider.Gen2 | 7.11.165.22
avast! | Win32:Adware-gen [Adw] | 2014.9-140806
AVG | Generic | 2015.0.3390
Baidu Antivirus | Trojan.Win32.GoogUpdate | 4.0.3.14928
Bitdefender | Gen:Variant.Adware.Kazy.374062 | 1.0.20.1090
Dr.Web | Trojan.Crossrider.27055 | 9.0.1.0271
Emsisoft Anti-Malware | Gen:Variant.Adware.Kazy.374062 | 8.14.08.06.10
ESET NOD32 | Win32/Toolbar.CrossRider.AK (variant) | 8.10196
Fortinet FortiGate | W32/GoogUpdate.AK!tr | 9/28/2014
F-Secure | Gen:Variant.Adware.Kazy.374062 | 11.2014-06-08_4
G Data | Gen:Variant.Adware.Kazy.374062 | 14.8.24
IKARUS anti.virus | not-a-virus:WebToolbar.CrossRider | t3scan.1.6.1.0
Kaspersky | Trojan.NSIS.GoogUpdate | 14.0.0.3445
McAfee | Artemis!AA29EE8A5439 | 5600.7046
MicroWorld eScan | Gen:Variant.Adware.Kazy.374062 | 15.0.0.654
Panda Antivirus | Trj/Genetic.gen | 14.08.06.10
Qihoo 360 Security | Win32/Trojan.fb4 | 1.0.0.1015
Reason Heuristics | PUP.MotokoGroup.h | 14.8.6.22
Sophos | Generic PUA FD | 4.98
VIPRE Antivirus | Crossrider | 31880

File size:
1.9 MB (1,954,664 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
HD+V1.0.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\hd+v1.0\ae58d9bf-2c29-47d2-9aa6-7dfc60a559a7-11.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/18/2014 5:30:00 AM

Valid to:
7/19/2015 5:29:59 AM

Subject:
CN=Motoko Group, O=Motoko Group, STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Cyprus, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00AAFC4F8011F7FD7C00748C990950D28A

File PE Metadata
Compilation timestamp:
7/23/2014 6:22:32 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:vpn752Wl0xe3Kgsu/tKuipSOZT6Uzn+nPRx+:vpd12xCJKwS

Entry address:
0xE9C94

Entry point:
E8, 42, 00, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, 75, 01, 01, 00, 3B, 30, 7C, 07, E8, 6C, 01, 01, 00, 8B, 30, E8, 5F, 01, 01, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, 60, 5F, 00, 00, 8B, F0, 85, F6, 75, 07, B8, 50, EF, 54, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 7A, 31, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, 50, EF, 54, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, D9, ED...

Entropy:
6.8605

Code size:
1.1 MB (1,129,984 bytes)

Scheduled Task
Task name:
ae58d9bf-2c29-47d2-9aa6-7dfc60a559a7-11

Trigger:
Logon (Runs on logon)

Action:
ae58d9bf-2c29-47d2-9aa6-7dfc60a559a7-11.exe \jvnrpv=oa8hb6hkw568ji4skg8wkb8bjr3zykvr7f\+zq6fft


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-50-63-202-55.ip.secureserver.net  (50.63.202.55:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.40.209:80)
