» 5aba926d-25d2-4a2f-9c93-178df6a11891-6.exe
Overview
Analysis
File Details
Behaviors (1)
Programs (10)
Network (11)

5aba926d-25d2-4a2f-9c93-178df6a11891-6.exe

FileProperties_ProductName

FileProperties_CompanyName

The application 5aba926d-25d2-4a2f-9c93-178df6a11891-6.exe, “FileProperties_FileDescription” has been detected as adware by 14 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. Additionally, the file is typically installed by a number of programs including videos MediaPlayer+ by Derzany Network and SavePass 1.1 by Morgan Enter Mode, both potentially unwanted software. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.

File name:

Publisher:

FileProperties_CompanyName

Product:

FileProperties_ProductName

Description:

FileProperties_FileDescription

Version:

1000.1000.1000.1000

MD5:

423b358206ccfd4d5a17e05a193dca05

SHA-1:

f32837ed6b082429d4e9497bb4a2e62df755f168

SHA-256:

488f7b252531d546e12a175b60d0fb9c8b4aa5e54880eb387d20ffe7a715baad

Scanner detections:

14 / 68

Status:

Adware

Explanation:

The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:

4/18/2024 11:56:43 PM UTC (a few moments ago)

Scan engine

Detection

Engine version

AegisLab AV Signature

Troj.W32.Gen

2.1.4+

Avira AntiVirus

ADWARE/CrossRider.Gen4

7.11.177.224

avast!

Win32:Adware-gen [Adw]

2014.9-141011

AVG

Generic

2015.0.3275

Baidu Antivirus

PUA.Win32.CrossRider

4.0.3.141011

ESET NOD32

Win32/Toolbar.CrossRider.AV (variant)

8.10544

Fortinet FortiGate

Riskware/CrossRider

11/29/2014

Kaspersky

not-a-virus:WebToolbar.Win32.CroRi

14.0.0.2870

McAfee

Artemis!423B358206CC

5600.6981

Panda Antivirus

Trj/Genetic.gen

14.11.29.10

Qihoo 360 Security

HEUR/Malware.QVM10.Gen

1.0.0.1015

Reason Heuristics

PUP.Crossrider.Task.g

14.10.11.5

Sophos

Generic PUA PD

4.98

VIPRE Antivirus

Crossrider

33808

File size:

1.2 MB (1,256,448 bytes)

Product version:

1000.1000.1000.1000

Original file name:

FileProperties_OriginalFilename.dll

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\winservice86\5aba926d-25d2-4a2f-9c93-178df6a11891-6.exe

File PE Metadata

Compilation timestamp:

10/6/2014 10:37:30 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

24576:3H2O1/qdM8y5EVxVARcUh2UuolgmZVHfTvpSntJRrwgXxjv:HqDVKczUrPTvpSntJRcgXxjv

Entry address:

0xA2A80

Entry point:

E8, D7, 03, 01, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 70, 63, 50, 00, E8, 2A, 79, 00, 00, E8, FC, 55, 00, 00, 0F, B7, F0, 6A, 02, E8, 6A, 03, 01, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 58, 8D, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8... 
[+]

Code size:

814 KB (833,536 bytes)

Scheduled Task

Task name:

5aba926d-25d2-4a2f-9c93-178df6a11891-6

Trigger:

Logon (Runs on logon)

The file 5aba926d-25d2-4a2f-9c93-178df6a11891-6.exe has been discovered within the following programs.

Browsers Apps + by Bohr-ium Group

Browsers Apps + (Freeven) is an advertising supported browser extension also known as adware and is designed to deliver ads to the user's Internet browser as banners, context text-links and transitionals ads.

crossrider.com/install/61787-browsers-app

82% remove it

Clip-High_D_06 by Kimahri Software inc.

Clip-High is an adware web browser application that displays banner ads as well as contextual link ads that are injected in the web page.

82% remove it

HD+v2.1 by Vegeta Pop

HD+ is an adware Internet toolbar/extension that will deliver ads to the browser on web pages that are not affiliated with the ads or the extension.

83% remove it

PlusVid by Kimahri Software inc.

This adware injects itself into the user's web browser (IE, Chrome and Firefox) and will display out-of context advertising on web sites that are not associated with the software or its affiliate partners.

crossrider.com/install/57020-plusvid

83% remove it

SavePass by Kimahri Software inc.

SavePass is an adware web browser application that displays banner ads as well as contextual link ads that are injected in the web page.

84% remove it

SavePass 1.1 by Morgan Enter Mode

SavePass distributed by Brightcircle is a web browser extension that injects display advertising in the user's browser.

83% remove it

Sense by Object Browser

Sense is a potentially unwanted web browser extension that will attempt to modify the user's home and search page settings as well as display advertisements in the browser. The software will attach to IE, Chrome and Firefox.

85% remove it

Senses by Krance Development

Senses is a web browser extension that uses the CrossRider toolbar framework in order to inject display advertising in the user's browser.

83% remove it

The weDownloads Manager+ by Berta Brid Eco

This is a Brightcircle web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.

87% remove it

Torntv V9.0 by InstallDaddy Services Ltd.

This is a potentially unwanted program (PUP) that bundles various additional offers during setup, typically ad-supported (adware) in functionality.

88% remove it

Latest 20 of 16 programs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ip-50-63-202-55.ip.secureserver.net (50.63.202.55:80)

TCP (HTTP):

Connects to ip-184-168-221-35.ip.secureserver.net (184.168.221.35:80)

TCP (HTTP):

Connects to ip-50-63-202-33.ip.secureserver.net (50.63.202.33:80)

TCP (HTTP):

Connects to hwcdn.net (69.16.175.10:80)

TCP (HTTP SSL):

Connects to ec2-54-76-152-192.eu-west-1.compute.amazonaws.com (54.76.152.192:443)

TCP (HTTP):

Connects to s3-website-us-east-1.amazonaws.com (54.231.49.10:80)

TCP (HTTP):

Connects to ip-50-63-202-59.ip.secureserver.net (50.63.202.59:80)

TCP (HTTP):

Connects to ip-184-168-221-46.ip.secureserver.net (184.168.221.46:80)

TCP (HTTP):

Connects to ip-184-168-221-33.ip.secureserver.net (184.168.221.33:80)

TCP (HTTP SSL):

Connects to ec2-54-235-244-28.compute-1.amazonaws.com (54.235.244.28:443)

TCP (HTTP SSL):

Connects to ec2-52-211-123-168.eu-west-1.compute.amazonaws.com (52.211.123.168:443)

Remove 5aba926d-25d2-4a2f-9c93-178df6a11891-6.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.