a4bc936c-5e01-43ed-9315-bef9a4ae2675-10.exe

SavePass 1.1

OB

The application a4bc936c-5e01-43ed-9315-bef9a4ae2675-10.exe has been detected as adware by 13 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address sage.parklogic.com on port 80 using the HTTP protocol.
Publisher:
OB

Product:
SavePass 1.1

Description:
SavePass 1.1 exe

Version:
1000.1000.1000.1000

MD5:
72e9b2ebb41daa944919346ecdb88f69

SHA-1:
181bb66e838cf83397bbb63def902d973bd59cfa

SHA-256:
c5c973d3144475b9689988a9a95121003dc7e3d23bb520e5d3479da11a47a67e

Scanner detections:
13 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/22/2024 7:17:30 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.CrossRider
2015.05.22

Avira AntiVirus
ADWARE/CrossRider.Gen7
8.3.1.6

avast!
Win32:Adware-CMH [PUP]
150520-1

Baidu Antivirus
Adware.Win32.CrossAd
4.0.3.15521

Emsisoft Anti-Malware
Gen:Variant.Adware.Graftor.188636
8.15.06.05.04

ESET NOD32
Win32/Toolbar.CrossRider.CO potentially unwanted application
7.0.302.0

F-Secure
Gen:Variant.Adware.Graftor
11.2015-05-06_6

G Data
Win32.Adware.Crossrider
15.5.25

Malwarebytes
PUP.Optional.SavePass.A
v2015.05.21.01

Norman
Gen:Variant.Adware.Graftor.188636
11.20150605

Reason Heuristics
Adware.Crossrider
15.5.21.13

Sophos
PUA 'AppRider' (of type Adware)
5.14

SUPERAntiSpyware
Adware.CrossRider/Variant
9862

File size:
1.4 MB (1,476,096 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
SavePass 1.1.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\savepass 1.1\a4bc936c-5e01-43ed-9315-bef9a4ae2675-10.exe

File PE Metadata
Compilation timestamp:
5/21/2015 1:35:47 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:4LKVoygPRfPDzWts+JxhEt1BCjQTzqYT6V+T7pS+72Ran1YO73qLdb:jVMVaa1YQttT7pS+CM1YO73kdb

Entry address:
0xC24DD

Entry point:
E8, 49, 06, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, B8, B9, 53, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 58, 81, 53, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, B8, B9, 53, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8...
 
[+]

Entropy:
6.3280

Code size:
938.5 KB (961,024 bytes)

Scheduled Task
Task name:
a4bc936c-5e01-43ed-9315-bef9a4ae2675-10_user

Trigger:
Logon (Runs on logon)


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to sage.parklogic.com  (69.39.236.56:80)

Remove a4bc936c-5e01-43ed-9315-bef9a4ae2675-10.exe - Powered by Reason Core Security