ywxkpjqtodo.exe

SavePass 1.1

OB

The application ywxkpjqtodo.exe, “SavePass 1.1 Installer”, has been detected as adware by 18 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer; however, the file is not signed with an Authenticode signature from a trusted source. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is typically executed from the user's temporary directory. While running, it connects to the Internet address hwcdn.net on port 80 using the HTTP protocol.
Publisher:
OB

Product:
SavePass 1.1

Description:
SavePass 1.1 Installer

Version:
1.36.01.22

MD5:
1fd8e16cd81336dd049fc173c093637e

SHA-1:
73ddc9150c8b2a973be9b8a81df1f46eb0631cf7

SHA-256:
57d107420b9fc217089b066c4aeb2c19491892524faaae90625992d625c3fff2

Scanner detections:
18 / 68

Status:
Adware

Explanation:
This is part of the Crossrider Internet browser extension framework which may modify the user's web browser settings including changing the home and search pages.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application.

Analysis date:
4/26/2024 3:24:51 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.JS.Crossrider.B | 5678793
AhnLab V3 Security | PUP/Win32.CrossRider | 2015.06.05
Avira AntiVirus | TR/Crypt.XPACK.Gen | 7.11.30.172
avast! | Crossrider-ES [PUP] | 150602-1
Dr.Web | infected with Trojan.Crossrider.46916 | 9.0.1.05190
ESET NOD32 | Win32/Toolbar.CrossRider.CM potentially unwanted application | 7.0.302.0
G Data | Script.Application.Plush | 15.6.25
Malwarebytes | PUP.Optional.SavePass.A | v2015.06.05.05
McAfee | Trojan.Artemis!F02C5744DAE0 | 17.6.569.0
MicroWorld eScan | Adware.JS.Crossrider.B | 16.0.0.468
Panda Antivirus | Trj/Genetic.gen | 15.06.05.05
Qihoo 360 Security | Win32/Virus.Adware.a87 | 1.0.0.1015
Reason Heuristics | PUP.Downloader.Installer | 15.6.5.13
Rising Antivirus | PE:Malware.Obscure!1.9C59 | 23.00.65.15603
Trend Micro House Call | ADW_CROSSRIDER | 7.2.156
Trend Micro | ADW_CROSSRIDER | 10.465.05
Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.26.4
Zillya! Antivirus | Trojan.BlackGen.Win32.11 | 2.0.0.2207

File size:
11.2 MB (11,793,400 bytes)

Copyright:
Copyright OB

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\ywxkpjqtodo.exe

File PE Metadata
Compilation timestamp:
12/4/2012 5:55:02 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
196608:VZW8swFTzMBSbgm+sf50R4TYPlIldB9HEstTsn6h+Zx2XTWZp1:EwVMBSMA0R4jLHLTsn68ZkjW5

Entry address:
0x4323

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, C3, 44, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, C4, 44, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, C4, 44, 00, 56, A3, 40, 3B, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 3B, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, C4, 44, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Entropy:
7.9986  (probably packed)

Code size:
34.5 KB (35,328 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.12.236:80)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to ec2-107-21-208-134.compute-1.amazonaws.com  (107.21.208.134:80)

Remove ywxkpjqtodo.exe - Powered by Reason Core Security