da1cbd75-84f6-4908-bec8-64d6e44d60bb-10.exe

Ge-Force

Webar

The application da1cbd75-84f6-4908-bec8-64d6e44d60bb-10.exe has been detected as adware by 8 anti-malware scanners. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address vip1.g5.cachefly.net on port 80 using the HTTP protocol.
Publisher:
Webar

Product:
Ge-Force

Description:
Ge-Force exe

Version:
1000.1000.1000.1000

MD5:
fe54120e6e92ef5039e9a4ed2bd551ad

SHA-1:
b8144018ebb6d2791686d09271a4c21a31c38e07

SHA-256:
bc06ecd33d8ac641c932bedae54379574ff7ece20fcb7231315d181fa9a23b77

Scanner detections:
8 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
12/18/2018 4:45:15 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/CrossRider.Gen7
8.3.1.6

avast!
Win32:Adware-CMH [PUP]
2014.9-150520

Baidu Antivirus
Adware.Win32.CrossAd
4.0.3.15520

ESET NOD32
Win32/Toolbar.CrossRider.CO potentially unwanted (variant)
9.11651

G Data
Win32.Adware.Crossrider
15.5.25

Malwarebytes
PUP.Optional.GeForce.A
v2015.05.20.02

Reason Heuristics
Adware.Crossrider.Webar
15.5.19.22

Sophos
AppRider
4.98

File size:
1.4 MB (1,510,912 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
Ge-Force.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\ge-force\da1cbd75-84f6-4908-bec8-64d6e44d60bb-10.exe

File PE Metadata
Compilation timestamp:
5/19/2015 10:06:28 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:xQBGNJPMHPytHvwW2gS1x9moP8hF8YIodIwTZpST+Wer/6AZJmzv2OqLdb:iBGNshko+FOwTZpSTBYlZJmzv2Okdb

Entry address:
0xC6B6D

Entry point:
E8, 49, 06, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, B8, 39, 54, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 58, 01, 54, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, B8, 39, 54, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8...
 
[+]

Code size:
968 KB (991,232 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-216-158.mrs50.r.cloudfront.net  (54.230.216.158:80)

TCP (HTTP):
Connects to ec2-54-72-9-115.eu-west-1.compute.amazonaws.com  (54.72.9.115:80)

TCP (HTTP):
Connects to sage.parklogic.com  (69.39.236.56:80)

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.90:80)

TCP (HTTP):
Connects to vip1.g5.cachefly.net  (205.234.175.175:80)

Remove da1cbd75-84f6-4908-bec8-64d6e44d60bb-10.exe - Powered by Reason Core Security