» fgshce.exe
Overview
Analysis
File Details
Behaviors (1)

fgshce.exe

CinPlusHQ01-2.5cV16.09

Airwaves Moves

This adware is a web browser extension that will inject advertising in the browser in the form of unwanted banners and text-links which may link to malware sites and install unwanted software. The application fgshce.exe, “CinPlusHQ01-2.5cV16.09 exe” by Airwaves Moves has been detected as adware by 29 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler named FGSHCE triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is distributed as part of the Brightcircle group of browser-extensions.

File name:

fgshce.exe

Publisher:

CinemaHQ01Video PlusV16.09 (signed by Airwaves Moves)

Product:

CinPlusHQ01-2.5cV16.09

Description:

CinPlusHQ01-2.5cV16.09 exe

Version:

1000.1000.1000.1000

MD5:

c98192812836f4d9d3a15118dc00dfcf

SHA-1:

3088bee9dac98c9f4b2fbeeba6a07a3cecd898c9

SHA-256:

86bcc18fcd8da98654995961a636e4918ed0299829d02b77f467f95886e4b1cc

Scanner detections:

29 / 68

Status:

Adware

Explanation:

The software may change the browser's home page and search provider settings as well as display advertisements. Distributed through the Brightcircle investments brand.

Analysis date:

4/19/2024 9:43:31 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Application.Heur.Cv1@mSgPHZdO

6266345

AhnLab V3 Security

PUP/Win32.CrossRider

2014.09.16

Avira AntiVirus

ADWARE/CrossRider.Gen7

7.11.172.148

avast!

Win32:Crossrider-AI [PUP]

150319-0

AVG

Generic

2016.0.3154

Baidu Antivirus

Adware.Win32.GoogUpdate

4.0.3.15331

Bitdefender

Gen:Application.Heur.Cv1@mSgPHZdO

1.0.20.450

Bkav FE

W32.HfsAdware

1.3.0.6379

Clam AntiVirus

Win.Adware.Crossrider-29

0.98/21511

Dr.Web

Trojan.Crossrider.31451

9.0.1.090

Emsisoft Anti-Malware

Gen:Application.Heur.Cv1@mSgPHZdO

9.0.0.4799

ESET NOD32

Win32/Toolbar.CrossRider.AQ (variant)

9.10424

F-Prot

W32/A-1a27c920

v6.4.7.1.166

F-Secure

Riskware.Gen:Application.Heur.Cv1@mSgPHZdO

5.13.68

G Data

Gen:Application.Heur.Cv1@mSgPHZdO

15.3.25

herdProtect (fuzzy)

variant of 9421e8df-7f08-46b8-b2d2-257cd9921ebf-4.exe (Adware)

2015.7.4.23

K7 AntiVirus

Unwanted-Program

13.202.15432

Kaspersky

not-a-virus:AdWare.NSIS.Adwapper

14.0.0.2264

Malwarebytes

PUP.Optional.BrowserApps.A

v2015.03.31.02

MicroWorld eScan

Gen:Application.Heur.Cv1@mSgPHZdO

16.0.0.270

NANO AntiVirus

Riskware.Win32.Crossrider.dfeucb

0.30.8.659

Norman

Gen:Application.Heur.Cv1@kSgPHZdO

03.12.2014 13:20:04

nProtect

Trojan/W32.Agent.1513880

15.03.30.01

Panda Antivirus

Trj/Genetic.gen

15.03.31.02

Quick Heal

PUA.BrightCircle.OD6

3.15.14.00

Reason Heuristics

PUP.Task.Brightcircle

15.3.31.2

Rising Antivirus

PE:Trojan.GoogUpdate!6.205F

23.00.65.15329

VIPRE Antivirus

Crossrider

33162

Zillya! Antivirus

Adware.Adwapper.Win32.335

2.0.0.2122

File size:

1.4 MB (1,513,880 bytes)

Product version:

1000.1000.1000.1000

Original file name:

CinPlusHQ01-2.5cV16.09.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\roaming\fgshce.exe

Digital Signature

Signed by:

Airwaves Moves

Authority:

COMODO CA Limited

Valid from:

8/14/2014 2:00:00 AM

Valid to:

8/15/2015 1:59:59 AM

Subject:

CN=Airwaves Moves, O=Airwaves Moves, STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

1B38D9E53AEB06C578CCDBFFEAA46567

File PE Metadata

Compilation timestamp:

9/16/2014 12:04:39 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

24576:rvjOZoJ9KF+g4BRpaox7tbnDY19q59JVmaiUstCAyfeUpkm251dKKc+pxEILIe0M:zz28tLtbDY19q59JVmaiUstCAyfeUpkL

Entry address:

0xED600

Entry point:

E8, C1, 00, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, F4, 01, 01, 00, 3B, 30, 7C, 07, E8, EB, 01, 01, 00, 8B, 30, E8, DE, 01, 01, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, 34, 5F, 00, 00, 8B, F0, 85, F6, 75, 07, B8, B0, 0E, 55, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 7E, 31, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, B0, 0E, 55, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, 3D, EE... 
[+]

Code size:

1.1 MB (1,138,176 bytes)

Scheduled Task

Task name:

FGSHCE

Trigger:

Logon (Runs on logon)

Action:

fgshce.exe \infocmdline=p0kax+9fdos2c6uzk2brw4hzs0c4mmsiymyff

Remove fgshce.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.