home

e2f1932a-e9a8-4a36-aae7-f929882d3925-11.exe

HQPureV1.8

Evangelion Group

This potentially unwanted Internet browser extension is built upon and distributed using the free Crossrider platform and will deliver advertisements to the web browser in various formats such as banner, text hyper-links, inline text and transitional ads. The application e2f1932a-e9a8-4a36-aae7-f929882d3925-11.exe by Evangelion Group has been detected as adware by 17 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is distributed as part of the Brightcircle group of browser-extensions.
Publisher:
HQPure  (signed by Evangelion Group)

Product:
HQPureV1.8

Description:
HQPureV1.8 exe

Version:
1000.1000.1000.1000

MD5:
f368ea2f3c1b9e42b54b9cb74fc9763b

SHA-1:
3d592a26439db0fcd7e54ee7c244128d2e7fa6e8

SHA-256:
a65e596228d9c7fff6ed78fd22e28781362a2bd6407f7a4084021bffd544f277

Scanner detections:
17 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements. Distributed through the Brightcircle investments brand.

Analysis date:
5/10/2024 7:29:58 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Kazy.374062
914

avast!
Win32:Adware-gen [Adw]
2014.9-140805

AVG
Generic
2015.0.3392

Baidu Antivirus
PUA.Win32.CrossRider
4.0.3.14912

Bitdefender
Gen:Variant.Adware.Kazy.374062
1.0.20.1085

Dr.Web
Trojan.Crossrider.27302
9.0.1.0217

Emsisoft Anti-Malware
Gen:Variant.Adware.Kazy.374062
8.14.08.05.10

ESET NOD32
Win32/Toolbar.CrossRider.AK potentially unwanted application
8.7.0.302.0

F-Secure
Gen:Variant.Adware.Kazy.374062
11.2014-05-08_3

G Data
Gen:Variant.Adware.Kazy.374062
14.8.24

herdProtect (fuzzy)
variant of 70557c3e-9071-49c6-8bda-e40609980bc3-11.exe (Adware)
2014.9.12.15

IKARUS anti.virus
not-a-virus:WebToolbar.CrossRider
t3scan.1.6.1.0

Malwarebytes
PUP.Optional.HQPure.A
v2014.08.05.10

McAfee
Artemis!25BF3BF50480
5600.7010

MicroWorld eScan
Gen:Variant.Adware.Kazy.374062
15.0.0.651

Reason Heuristics
PUP.Task.EvangelionGroup.h
14.8.5.22

VIPRE Antivirus
Threat.4789396
31208

File size:
1.8 MB (1,898,864 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
HQPureV1.8.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\hqpurev1.8\e2f1932a-e9a8-4a36-aae7-f929882d3925-11.exe

Digital Signature
Signed by:
Evangelion Group

Authority:
COMODO CA Limited

Valid from:
7/28/2014 4:30:00 AM

Valid to:
7/29/2015 4:29:59 AM

Subject:
CN=Evangelion Group, O=Evangelion Group, STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Cyprus, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0095E2A1168FF10F1D56CF5FFE4ABC7450

File PE Metadata
Compilation timestamp:
8/1/2014 2:34:58 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:HVROVe5zVNxSF3EAAesVu/MpSDCTMjUzn+nPRx/:1Rh5j40AZdjn

Entry address:
0xE2564

Entry point:
E8, 44, 00, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, 77, 01, 01, 00, 3B, 30, 7C, 07, E8, 6E, 01, 01, 00, 8B, 30, E8, 61, 01, 01, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, 60, 5F, 00, 00, 8B, F0, 85, F6, 75, 07, B8, 10, 1F, 54, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 7A, 31, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, 10, 1F, 54, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, DB, ED...
 
[+]

Entropy:
6.8679

Code size:
1 MB (1,079,808 bytes)

Scheduled Task
Task name:
e2f1932a-e9a8-4a36-aae7-f929882d3925-11

Trigger:
Logon (Runs on logon)

Action:
e2f1932a-e9a8-4a36-aae7-f929882d3925-11.exe \xzojad=gjq8alpwv7c7hww\qssmd3d8ptoksabnunw1uggkyt


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ip-50-63-202-32.ip.secureserver.net  (50.63.202.32:80)

Remove e2f1932a-e9a8-4a36-aae7-f929882d3925-11.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.