ee513a64-3d36-4736-a294-f5f86c20414a-7.exe

App Lid

Lid

The application ee513a64-3d36-4736-a294-f5f86c20414a-7.exe has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address tlb.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
Lid

Product:
App Lid

Description:
App Lid exe

Version:
1000.1000.1000.1000

MD5:
902dd85743d3516cde953d8a44ceb8d5

SHA-1:
cb10dfc4f466a99de12b64589d2d7baa553ed2d2

SHA-256:
d97dd1cacd9f029c5fbc579359c141105bc0c964d0f3171c8ea3cc36ee7abdf5

Scanner detections:
1 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
12/27/2024 9:28:29 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.Crossrider.Lid (M)
16.1.13.21

File size:
1.1 MB (1,138,688 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
App Lid.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\app lid\ee513a64-3d36-4736-a294-f5f86c20414a-7.exe

File PE Metadata
Compilation timestamp:
3/12/2015 12:04:45 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:CdTnls/tvHbOxyWcd7sdwN7RESlPWS0sljqpS3nRTq:ChYteCd7TN70ojqpS3nRTq

Entry address:
0xA2692

Entry point:
E8, C5, 00, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, 8B, 4C, 24, 0C, 57, 85, C9, 0F, 84, 92, 00, 00, 00, 56, 53, 8B, D9, 8B, 74, 24, 14, F7, C6, 03, 00, 00, 00, 8B, 7C, 24, 10, 75, 0B, C1, E9, 02, 0F, 85, 85, 00, 00, 00, EB, 27, 8A, 06, 83, C6, 01, 88, 07, 83, C7, 01, 83, E9, 01, 74, 2B, 84, C0, 74, 2F, F7, C6, 03, 00, 00, 00, 75, E5, 8B, D9, C1, E9, 02, 75, 61, 83, E3, 03, 74, 13, 8A, 06, 83, C6, 01, 88, 07, 83, C7, 01, 84, C0, 74, 37, 83, EB, 01, 75, ED, 8B, 44, 24, 10, 5B, 5E, 5F, C3, F7, C7, 03, 00...
 
[+]

Code size:
825.5 KB (845,312 bytes)

Scheduled Task
Task name:
ee513a64-3d36-4736-a294-f5f86c20414a-7

Trigger:
Logon (Runs on logon)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.120.161:80)

Remove ee513a64-3d36-4736-a294-f5f86c20414a-7.exe - Powered by Reason Core Security