hd+v1.0-codedownloader.exe

HD+V1.0

Motoko Group

This adware utilizes the Crossrider extension platform and will inject advertisiments in the Internet browser and may modify core browser settings. Ads will be delivered as banners and contextual text-links and may promote other potentially unwanted software. The application hd+v1.0-codedownloader.exe by Motoko Group has been detected as adware by 15 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. Built using the Crossrider web brower toolkit the CodeDownloader component will automatically connnect to the remote API server and download additional code/components for HDPlusPro extension/toolbar. The component makes a number of requests to the host app-static.crossrider.com/plugins/.../monetization/monetizationLoader.js. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.
Publisher:
HDPlusPro  (signed by Motoko Group)

Product:
HD+V1.0

Description:
HD+V1.0 exe

Version:
1000.1000.1000.1000

MD5:
7ba3df3c20c871121f2071e0c05f0e9b

SHA-1:
ae5c5f5731b120c4355a2e6b20b3f8cdab4ffd22

SHA-256:
3a5dbf9542f88ae15630fa4ad6bcf664c9dcb56c1728f85f6b12a35e477d19d2

Scanner detections:
15 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application. The owner/publisher of this file is Motoko Group.

Analysis date:
12/25/2024 4:50:47 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Kazy.374109
924

Avira AntiVirus
ADWARE/CrossRider.Gen2
7.11.163.246

avast!
Win32:Adware-gen [Adw]
140617-1

Bitdefender
Gen:Variant.Adware.Kazy.374109
1.0.20.1030

Emsisoft Anti-Malware
Gen:Variant.Adware.Kazy.374109
8.14.07.25.12

ESET NOD32
Win32/Toolbar.CrossRider.AG potentially unwanted application
7.0.302.0

F-Secure
Gen:Variant.Adware.Kazy.374109
11.2014-25-07_6

G Data
Gen:Variant.Adware.Kazy.374109
14.7.24

IKARUS anti.virus
not-a-virus:WebToolbar.CrossRider
t3scan.1.6.1.0

Kaspersky
not-a-virus:WebToolbar.Win32.CrossRider
15.0.0.494

MicroWorld eScan
Gen:Variant.Adware.Kazy.374109
15.0.0.618

Panda Antivirus
Trj/Genetic.gen
14.07.25.12

Reason Heuristics
PUP.Crossrider.Task.V
14.7.27.13

Sophos
Generic PUA KO
4.98

VIPRE Antivirus
Threat.4789396
31208

File size:
554.4 KB (567,656 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
HD+V1.0.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\hd+v1.0\hd+v1.0-codedownloader.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/17/2014 9:00:00 PM

Valid to:
7/18/2015 8:59:59 PM

Subject:
CN=Motoko Group, O=Motoko Group, STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Cyprus, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00AAFC4F8011F7FD7C00748C990950D28A

File PE Metadata
Compilation timestamp:
7/23/2014 9:52:07 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:sjpf8V3vpgT62ZHvD8du+biNjqrVu31Sz7BcuS54SpTBs3NFWuXfRho:sev2T62ZH3jsu3oz7+4SpTm3k

Entry address:
0x48133

Entry point:
E8, C0, DD, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, 57, 56, 53, 33, FF, 8B, 44, 24, 14, 0B, C0, 7D, 14, 47, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 18, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 10, F7, F1, 8B, D3, EB, 41, 8B, D8, 8B, 4C, 24, 18, 8B, 54, 24, 14, 8B, 44, 24, 10, D1, EB, D1, D9, D1, EA, D1, D8, 0B, DB, 75, F4...
 
[+]

Code size:
436.5 KB (446,976 bytes)

Scheduled Task
Task name:
69292938-2d26-4bd9-a091-99576ab8366a-1

Trigger:
Logon (Runs on logon)

Action:
hd+v1.0-codedownloader.exe \kiivlqhw \tkecmz=task \ncpnjnq='hd+v1.0' \meoxlfb


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ip-50-63-202-55.ip.secureserver.net  (50.63.202.55:80)

Remove hd+v1.0-codedownloader.exe - Powered by Reason Core Security