» hd+v2.1-codedownloader.exe
Overview
Analysis
File Details
Behaviors (1)
Network (3)

hd+v2.1-codedownloader.exe

Vegeta Pop

The application hd+v2.1-codedownloader.exe by Vegeta Pop has been detected as adware by 18 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. Built using the Crossrider web brower toolkit the CodeDownloader component will automatically connnect to the remote API server and download additional code/components for HD+v2.1 extension/toolbar. The component makes a number of requests to the host app-static.crossrider.com/plugins/.../monetization/monetizationLoader.js.

File name:

Publisher:

HD+v2.1 (signed by Vegeta Pop)

Product:

HD+v2.1

Description:

HD+v2.1 exe

Version:

1000.1000.1000.1000

MD5:

6841df27251d468494b762b315dd8f10

SHA-1:

b9206e6be5d459c15001775d6a3f421366b6a72f

SHA-256:

7f32972f086d1b013ed253308d9cd56c04dc1cb62de628206f8e56c1d7bd20e0

Scanner detections:

18 / 68

Status:

Adware

Explanation:

The software may change the browser's home page and search provider settings as well as display advertisements.

Note:

Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application. The owner/publisher of this file is Vegeta Pop.

Analysis date:

4/26/2024 2:46:37 AM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

PUA.Toolbar.CrossRider

7.1.1

AhnLab V3 Security

PUP/Win32.CrossRider

2014.09.01

Avira AntiVirus

ADWARE/CrossRider.Gen2

7.11.170.52

avast!

Win32:Malware-gen

2014.9-140901

AVG

Vegetapop

2015.0.3365

Baidu Antivirus

PUA.Win32.CrossRider

4.0.3.1491

ESET NOD32

Win32/Toolbar.CrossRider.AJ potentially unwanted application

7.0.302.0

Fortinet FortiGate

Riskware/CrossRider

9/1/2014

K7 AntiVirus

Trojan

13.183.13098

Kaspersky

not-a-virus:WebToolbar.Win32.CrossRider

15.0.0.494

McAfee

Artemis!57E253DE8658

5600.7021

Panda Antivirus

Trj/Chgt.B

14.09.01.02

Qihoo 360 Security

Win32/Virus.WebToolbar.85b

1.0.0.1015

Reason Heuristics

PUP.Crossrider.VegetaPop.V

14.9.1.2

Sophos

Generic PUA CA

4.98

Trend Micro House Call

Suspicious_GEN.F47V0812

7.2.244

VIPRE Antivirus

Crossrider

32358

Zillya! Antivirus

Adware.CrossRider.Win32.49

2.0.0.1899

File size:

557.3 KB (570,696 bytes)

Product version:

1000.1000.1000.1000

Original file name:

HD+v2.1.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\hd+v2.1\hd+v2.1-codedownloader.exe

Digital Signature

Signed by:

Vegeta Pop

Authority:

COMODO CA Limited

Valid from:

7/16/2014 2:00:00 AM

Valid to:

7/17/2015 1:59:59 AM

Subject:

CN=Vegeta Pop, O=Vegeta Pop, STREET=Athinodorou 3, L=Nicosia, S=Cyprus, PostalCode=2025, C=CY

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

3E0BEA30569A284917F6F65BF0F056A6

File PE Metadata

Compilation timestamp:

8/6/2014 12:05:17 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

12288:D2b9LYOccPSIdmy+4NxboIeYicT3pTqA:c9PccaIVfxPHTZT

Entry address:

0x4803A

Entry point:

E8, 73, DE, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 53, 33, FF, 8B, 44, 24, 14, 0B, C0, 7D, 14, 47, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 18, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 10, F7, F1, 8B, D3, EB, 41, 8B, D8, 8B, 4C, 24, 18, 8B, 54, 24, 14, 8B, 44, 24, 10, D1, EB, D1... 
[+]

Entropy:

6.4320

Code size:

439 KB (449,536 bytes)

Scheduled Task

Task name:

f7143494-4cbf-4207-a935-64bdec2eb3c2-1

Trigger:

Logon (Runs on logon)

Action:

hd+v2.1-codedownloader.exe \hvqttcr \ercwz=task \jmpsi='hd+v2.1' \oqskpg=6284

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to update.srvstatsdata.com (69.16.175.42:80)

http://update.srvstatsdata.com/installer_updates/006292/update.json

TCP (HTTP):

Connects to stats.srvstatsdata.com (176.32.99.41:80)

TCP (HTTP):

Connects to app-static.crossrider.com (69.16.175.10:80)

Remove hd+v2.1-codedownloader.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.