npzhmah.exe

HQCinema Pro 2.1V24.01

Selecao Technologies (Bright Circle Investments Ltd)

This adware is a web browser extension that injects advertising into the browser in the form of unwanted banners and text links, which may lead to malware sites and install unwanted software. The application npzhmah.exe, “HQCinema Pro 2.1V24.01 exe” by Selecao Technologies (Bright Circle Investments), has been detected as adware by 22 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, named NPZHMAH and triggered to execute each time a user logs in. It is built on the Crossrider cross-browser extension platform; while the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It is distributed as part of the Brightcircle group of browser extensions.
Publisher:
HQ CinemaV24.01 (signed by Selecao Technologies (Bright Circle Investments Ltd))

Product:
HQCinema Pro 2.1V24.01

Description:
HQCinema Pro 2.1V24.01 exe

Version:
1000.1000.1000.1000

MD5:
6059de0bbb2e7de89db3bab1298be522

SHA-1:
6566b08afd5af7bcea94f1ad68c7db7e6ad3e464

SHA-256:
a8d2111962fe8638323f2fa44047e622bf1d96ad56e1c2dcae7e975a059e626a

Scanner detections:
22 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings, and it displays advertisements. Distributed under the Brightcircle Investments brand.

Analysis date:
4/26/2024 1:22:21 PM UTC

Scan engine             Detection                                 Engine version
----------------------------------------------------------------------------------
Lavasoft Ad-Aware       Gen:Application.Heur.3v1@maEo4!kO         741
AhnLab V3 Security      PUP/Win32.CrossRider                      2015.01.25
Avira AntiVirus         ADWARE/CrossRider.Gen4                    7.11.204.248
AVG                     Generic                                   2016.0.3219
Baidu Antivirus         PUA.Win32.CrossRider                      4.0.3.1523
Bitdefender             Gen:Application.Heur.3v1@maEo4!kO         1.0.20.120
Bkav FE                 W32.HfsAdware                             1.3.0.6379
Comodo Security         Application.Win32.Plush.GRI               20831
Dr.Web                  Trojan.Crossrider1.9542                   9.0.1.024
Emsisoft Anti-Malware   Gen:Application.Heur.3v1@mqfOfDiO         8.15.02.03.09
ESET NOD32              Win32/Toolbar.CrossRider.BV (variant)     9.11068
F-Secure                Gen:Application.Heur.3v1@maEo4!kO         11.2015-24-01_7
G Data                  Gen:Application.Heur.3v1@maEo4!kO         15.1.24
Kaspersky               not-a-virus:WebToolbar.Win32.CrossRider   14.0.0.2590
Malwarebytes                                                      v2015.01.24.10
MicroWorld eScan        Gen:Application.Heur.3v1@maEo4!kO         16.0.0.72
NANO AntiVirus          Trojan.Win32.Crossrider1.dmxenv           0.30.0.64812
Norman                  Gen:Application.Heur.3v1@kqfOfDiO         11.20150203
Panda Antivirus         Trj/Genetic.gen                           15.01.24.10
Qihoo 360 Security      HEUR/QVM10.1.Malware.Gen                  1.0.0.1015
Reason Heuristics       PUP.Task.Brightcircle                     15.1.26.11
VIPRE Antivirus         Crossrider                                36944

File size:
1.9 MB (1,959,400 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
HQCinema Pro 2.1V24.01.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\npzhmah.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/15/2014 4:00:00 PM

Valid to:
12/16/2015 3:59:59 PM

Subject:
CN=Selecao Technologies (Bright Circle Investments Ltd), O=Selecao Technologies (Bright Circle Investments Ltd), STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3F2791037D410A199539AA4A99F7DEB3

File PE Metadata
Compilation timestamp:
1/23/2015 9:05:27 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:jpsQK061VzFkqukDYBr1pSvYT+Z1V1Dz:m70w5FnpDYw

Entry address:
0xF00F1

Entry point:
E8, 5D, FD, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, 90, FE, 00, 00, 3B, 30, 7C, 07, E8, 87, FE, 00, 00, 8B, 30, E8, 7A, FE, 00, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, 83, 5C, 00, 00, 8B, F0, 85, F6, 75, 07, B8, E0, 1F, 55, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 9D, 2E, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, E0, 1F, 55, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, F4, EA...

Entropy:
6.8631

Code size:
1.1 MB (1,137,152 bytes)

Scheduled Task
Task name:
NPZHMAH

Trigger:
Logon (Runs on logon)


Remove npzhmah.exe - Powered by Reason Core Security