rdwz.exe

HQCinema Pro 2.1V15.02

Clash Project (Bright Circle Investments Ltd)

This adware is a web browser extension that injects advertising into the browser in the form of unwanted banners and text links, which may lead to malware sites and install unwanted software. The application rdwz.exe, “HQCinema Pro 2.1V15.02 exe” by Clash Project (Bright Circle Investments), has been detected as adware by 26 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered to execute each time a user logs in. It is built on the Crossrider cross-browser extension platform. While the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It is distributed as part of the Brightcircle group of browser extensions.
Publisher:
HQ CinemaV15.02 (signed by Clash Project (Bright Circle Investments Ltd))

Product:
HQCinema Pro 2.1V15.02

Description:
HQCinema Pro 2.1V15.02 exe

Version:
1000.1000.1000.1000

MD5:
619272a2d9376e998a3637885246efbb

SHA-1:
1e6e7c71e55262da40fa50246de2064b571d8b03

SHA-256:
95a1706c847bc63ce49118225ddfd7cada081080faa80c5a2f4313097ce3f8fd

Scanner detections:
26 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements. It is distributed under the Brightcircle Investments brand.

Analysis date:
4/16/2024 9:19:54 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Application.Heur.3v1@mOuBH6pO | 6383959
AhnLab V3 Security | PUP/Win32.CrossRider | 2015.02.16
Avira AntiVirus | ADWARE/CrossRider.Gen7 | 7.11.210.88
avast! | Win32:Malware-gen | 150203-1
AVG | Generic | 2016.0.3197
Baidu Antivirus | Adware.Win32.CrossAd | 4.0.3.1536
Bitdefender | Gen:Application.Heur.3v1@mOuBH6pO | 1.0.20.230
Bkav FE | W32.HfsAdware | 1.3.0.6379
Comodo Security | Application.Win32.Plush.GRI | 21093
Dr.Web | Trojan.Crossrider1.18493 | 9.0.1.05190
Emsisoft Anti-Malware | Gen:Application.Heur.3v1@mOuBH6pO | 9.0.0.4799
ESET NOD32 | Win32/Toolbar.CrossRider.CB potentially unwanted application | 7.0.302.0
Fortinet FortiGate | Riskware/CrossRider | 3/6/2015
F-Secure | Riskware.Gen:Application.Heur.3v1@mOuBH6pO | 5.13.68
G Data | Gen:Application.Heur.3v1@mOuBH6pO | 15.2.25
K7 AntiVirus | Unwanted-Program | 13.196.14997
Kaspersky | not-a-virus:WebToolbar.Win32.CrossRider | 14.0.0.2390
Malwarebytes | | v2015.02.15.06
MicroWorld eScan | Gen:Application.Heur.3v1@mOuBH6pO | 16.0.0.138
Norman | Gen:Application.Heur.3v1@kOuBH6pO | 03.12.2014 13:20:04
Panda Antivirus | Trj/Genetic.gen | 15.02.15.06
Qihoo 360 Security | Win32/Virus.WebToolbar.cf0 | 1.0.0.1015
Quick Heal | PUA.BrightCircle.OD6 | 2.15.14.00
Reason Heuristics | Adware.BrightCircle.Task | 15.2.15.17
Sophos | Generic PUA LB | 4.98
VIPRE Antivirus | Threat.4789396 | 36694

File size:
1.9 MB (1,953,752 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
HQCinema Pro 2.1V15.02.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\rdwz.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/16/2014 1:00:00 AM

Valid to:
12/17/2015 12:59:59 AM

Subject:
CN=Clash Project (Bright Circle Investments Ltd), O=Clash Project (Bright Circle Investments Ltd), STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
75DD4745F68AF8221A12839F4A4F8FE1

File PE Metadata
Compilation timestamp:
2/15/2015 6:05:47 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:I32nO7Q1aQ6K8hOAatH9BcpSs+T6Z1V1DzW:TsImKMpcHxt

Entry address:
0xEEFA1

Entry point:
E8, 5F, FD, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, 92, FE, 00, 00, 3B, 30, 7C, 07, E8, 89, FE, 00, 00, 8B, 30, E8, 7C, FE, 00, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, 83, 5C, 00, 00, 8B, F0, 85, F6, 75, 07, B8, 30, 0F, 55, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 9D, 2E, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, 30, 0F, 55, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, F6, EA...

Code size:
1.1 MB (1,131,520 bytes)

Scheduled Task
Task name:
RDWZ

Trigger:
Logon (Runs on logon)

Action:
rdwz.exe \infocmdline=u0c4pcysef0lc54zt\wicwh1ancgvnflsjy62


Remove rdwz.exe - Powered by Reason Core Security