qvreaap.exe

Movie Master Service

Green Fire Software

This is part of an adware program designed to inject advertising in the web browser (banners, text-links) as well as modify the normal behavior of the browser. Part of the Injekt brand of unwanted programs. The application qvreaap.exe by Green Fire Software has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “qvrEaAP”.
Publisher:
Green Fire Software  (signed and verified)

Product:
Movie Master Service

Version:
1.0.0.0

MD5:
0089f29416fe889cbfa2ffad76d32ddc

SHA-1:
4ea12a09b3cb9eca5548b1ba0f91211cc61143de

SHA-256:
baae74a0bf31687c7e04bb3e6e030b6b0f3ed23f4ef69ca580db139591c7cee2

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads in the web browser as well as alters the browsers settings (home page, search, DNS, and security protocols).

Analysis date:
12/25/2024 1:04:15 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Injekt.GreenFir (M)
16.7.10.17

File size:
2.2 MB (2,298,224 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Green Fire Software 2014

Original file name:
MovieMasterService.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\ProgramData\yfbjkavshy\qvreaap.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
9/20/2013 1:00:00 AM

Valid to:
9/21/2014 12:59:59 AM

Subject:
CN=Green Fire Software, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Green Fire Software, L=La Jolla, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
38E34FCC0FDD5E91FD5048A198AAABF1

File PE Metadata
Compilation timestamp:
6/10/2014 1:37:04 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:ptGUpSL+zYuAsUu6oXKIZ0Kf7/22mNfxyPr0hOcp2OmoXIVqzWk:pUUpS6FL/0KfT2WIhOc4OmoXIi

Entry address:
0x230A7E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.9826

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.2 MB (2,288,640 bytes)

Service
Display name:
qvrEaAP

Type:
Win32OwnProcess


Remove qvreaap.exe - Powered by Reason Core Security