746ff9d5-418e-4286-b903-2ced5ff1434f-1-7.exe

SavePass 1.1

OB

The application 746ff9d5-418e-4286-b903-2ced5ff1434f-1-7.exe has been detected as adware by 32 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. This file is typically installed with the program SavePass 1.1 by Morgan Enter Mode which is a potentially unwanted software program. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.
Publisher:
OB

Product:
SavePass 1.1

Description:
SavePass 1.1 exe

Version:
1000.1000.1000.1000

MD5:
b4d8651db821d3e357c9049ab6300ebe

SHA-1:
98570730d04dda44f369450df7ce145cc28ee91f

SHA-256:
08f7180109afce7c8bbc79b06f7ab034673ad9265479361001b75a929e895ab0

Scanner detections:
32 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/23/2024 9:56:08 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Application.Heur.cv0@mWseyLnO
586

Agnitum Outpost
PUA.Agent
7.1.1

AhnLab V3 Security
PUP/Win32.CrossRider
2015.06.22

Avira AntiVirus
ADWARE/CrossRider.Gen7
8.3.1.6

Arcabit
Application.Heur.EF014A
1.0.0.425

avast!
Win32:Malware-gen
2014.9-150628

AVG
Crossrider
2016.0.3064

Baidu Antivirus
Adware.Win32.Agent
4.0.3.15628

Bitdefender
Gen:Application.Heur.cv0@mWseyLnO
1.0.20.895

Dr.Web
Trojan.Crossrider1.23120
9.0.1.0179

ESET NOD32
Win32/Toolbar.CrossRider.CD potentially unwanted (variant)
9.11823

Fortinet FortiGate
Riskware/CrossRider
6/28/2015

F-Prot
W32/S-dbad4651
v6.4.7.1.166

F-Secure
Gen:Application.Heur.cv0@mWseyLnO
11.2015-28-06_1

G Data
Gen:Application.Heur.cv0@mWseyLnO
15.6.25

IKARUS anti.virus
Gen.Application.Heur
t3scan.1.9.5.0

K7 AntiVirus
Adware
13.205.16314

Kaspersky
not-a-virus:AdWare.Win32.Agent
14.0.0.1817

Malwarebytes
PUP.Optional.SavePass.A
v2015.06.28.12

McAfee
Artemis!B4D8651DB821
5600.6720

MicroWorld eScan
Gen:Application.Heur.cv0@mWseyLnO
16.0.0.537

NANO AntiVirus
Trojan.Win32.Crossrider1.dpqnmn
0.30.24.2086

Panda Antivirus
Trj/Genetic.gen
15.06.28.12

Qihoo 360 Security
Win32/Virus.Adware.a87
1.0.0.1015

Reason Heuristics
Adware.Crossrider (M)
15.6.28.12

Rising Antivirus
PE:Trojan.GoogUpdate!6.1E39
23.00.65.15626

SUPERAntiSpyware
Adware.CrossRider/Variant
9786

Trend Micro House Call
TROJ_GEN.R021C0EDG15
7.2.179

Trend Micro
TROJ_GEN.R021C0EDG15
10.465.28

Vba32 AntiVirus
AdWare.Agent
3.12.26.4

VIPRE Antivirus
Trojan.Win32.Generic
41352

Zillya! Antivirus
Adware.Agent.Win32.54662
2.0.0.2242

File size:
1 MB (1,091,072 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
SavePass 1.1.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\savepass 1.1\746ff9d5-418e-4286-b903-2ced5ff1434f-1-7.exe

File PE Metadata
Compilation timestamp:
3/25/2015 3:50:28 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:nRLLbcgARkRJxGDZbVvIz+smnehkWPtazpSV4T5gTD:nR3wgGFB8mXzpSV4FgT

Entry address:
0x9D282

Entry point:
E8, CF, 00, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, 8B, 4C, 24, 0C, 57, 85, C9, 0F, 84, 92, 00, 00, 00, 56, 53, 8B, D9, 8B, 74, 24, 14, F7, C6, 03, 00, 00, 00, 8B, 7C, 24, 10, 75, 0B, C1, E9, 02, 0F, 85, 85, 00, 00, 00, EB, 27, 8A, 06, 83, C6, 01, 88, 07, 83, C7, 01, 83, E9, 01, 74, 2B, 84, C0, 74, 2F, F7, C6, 03, 00, 00, 00, 75, E5, 8B, D9, C1, E9, 02, 75, 61, 83, E3, 03, 74, 13, 8A, 06, 83, C6, 01, 88, 07, 83, C7, 01, 84, C0, 74, 37, 83, EB, 01, 75, ED, 8B, 44, 24, 10, 5B, 5E, 5F, C3, F7, C7, 03, 00...
 
[+]

Entropy:
6.5566

Code size:
782 KB (800,768 bytes)

Scheduled Task
Task name:
746ff9d5-418e-4286-b903-2ced5ff1434f-1-7

Trigger:
Logon (Runs on logon)


The file 746ff9d5-418e-4286-b903-2ced5ff1434f-1-7.exe has been discovered within the following program.

SavePass 1.1  by Morgan Enter Mode
SavePass distributed by Brightcircle is a web browser extension that injects display advertising in the user's browser.
83% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-184-168-221-59.ip.secureserver.net  (184.168.221.59:80)

TCP (HTTP):
Connects to ip-184-168-221-50.ip.secureserver.net  (184.168.221.50:80)

Remove 746ff9d5-418e-4286-b903-2ced5ff1434f-1-7.exe - Powered by Reason Core Security