hq-v1.4-nova.exe

HQ-V1.4

SIMONA-VIORICA MARIN

The application hq-v1.4-nova.exe by SIMONA-VIORICA MARIN has been detected as adware by 5 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. While running, it connects to the Internet address tlb.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
HQV1.4  (signed by SIMONA-VIORICA MARIN)

Product:
HQ-V1.4

Description:
HQ-V1.4 exe

Version:
1000.1000.1000.1000

MD5:
58bfb208b6f58beacd20d88945a7a786

SHA-1:
466816ac92f087bdb833cc161083a8328bb2da53

SHA-256:
09d8f223ba44b9421a88efe8f3b534a5d3b9a2b5dabb869119371314001e4c1e

Scanner detections:
5 / 68

Status:
Adware

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:
11/28/2024 9:35:40 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Malware-gen
140617-1

AVG
Generic
2015.0.3436

ESET NOD32
Win32/Toolbar.CrossRider.AE potentially unwanted application
7.0.302.0

Reason Heuristics
PUP.SIMONAVIORICAMARIN.L
14.6.21.22

VIPRE Antivirus
Threat.4789396
29708

File size:
614.8 KB (629,568 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2016

Original file name:
HQ-V1.4.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\hq-v1.4\hq-v1.4-nova.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
5/29/2014 8:00:00 AM

Valid to:
5/30/2015 7:59:59 AM

Subject:
CN=SIMONA-VIORICA MARIN, OU=Individual Developer, O=No Organization Affiliation, L=Bucuresti, S=Bucuresti, C=RO

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
4E4B7DC7EC2F3CC5CB6ACBE68E3870F5

File PE Metadata
Compilation timestamp:
6/21/2014 6:05:24 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:595aYjJDaTfq5CKFTnMODSHKD+/i483l8e6Y91zECpTwV7Xd1AfWU:b5aYjJWTfq5C2Sq/H33z9TaByfWU

Entry address:
0x49359

Entry point:
E8, 57, DF, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, B8, 03, 48, 00, E8, E1, 4E, 00, 00, E8, 9D, 29, 00, 00, 0F, B7, F0, 6A, 02, E8, EA, DE, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, B4, 67, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
6.3443

Code size:
436.5 KB (446,976 bytes)

Scheduled Task
Task name:
01c899f5-1119-4dd3-9840-d504eeae3f07-7

Trigger:
Logon (Runs on logon)

Action:
hq-v1.4-nova.exe \jqezqsup='hq-v1.4' \zebie=58362 \bwyqn='001553' \


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (176.32.97.228:80)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.10:80)

Remove hq-v1.4-nova.exe - Powered by Reason Core Security