{blocked}.exe

SavePass

OutBrowse

The application {blocked}.exe has been detected as a potentially unwanted program by 5 anti-malware scanners. This file is typically installed with the program SavePass by Kimahri Software inc. which is a potentially unwanted software program. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address ip-50-63-202-55.ip.secureserver.net on port 80 using the HTTP protocol.
Publisher:
OutBrowse

Product:
SavePass

Description:
SavePass exe

Version:
1000.1000.1000.1000

MD5:
73e501757ff88bc338db1f1dc78a528d

SHA-1:
6e1ca9c52691847a9b4f05deb6e0de1937238c41

SHA-256:
e1b04e71d32e1884e072e6e52424a77af6247dedce470ba7dd9bceb72cf3dad7

Scanner detections:
5 / 68

Status:
Potentially unwanted

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:
4/27/2024 3:41:45 AM UTC

Scan engine | Detection | Engine version
Avira AntiVirus | Adware/CrossRider.A.6271 | 7.11.152.20
Baidu Antivirus | Adware.Win32.CrossRider | 4.0.3.14531
ESET NOD32 | Win32/Toolbar.CrossRider.AE (variant) | 8.9867
Malwarebytes | PUP.Optional.SavePass.A | v2014.05.31.06
VIPRE Antivirus | Crossrider | 29746

File size:
571.5 KB (585,216 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2016

Original file name:
SavePass.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\savepass\savepass-nova.exe

File PE Metadata
Compilation timestamp:
5/15/2014 5:46:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:RNYXYt6qHetlKZ8brelzCuON5RdK5pTCM1/N0YL:RoBpuEaTpHVL

Entry address:
0x42599

Entry point:
E8, C1, AA, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, B0, 6E, 47, 00, E8, 91, 09, 00, 00, E8, BD, 99, 00, 00, 0F, B7, F0, 6A, 02, E8, 54, AA, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, B0, 1A, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 

Entropy:
6.3014

Code size:
403 KB (412,672 bytes)

The file {blocked}.exe has been discovered within the following programs.

SavePass  by Kimahri Software inc.
SavePass is an adware web browser application that displays banner ads as well as contextual link ads that are injected in the web page.
84% remove it
 

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.49.42:80)

TCP (HTTP):
Connects to ip-50-63-202-55.ip.secureserver.net  (50.63.202.55:80)
