Downandsave.exe

Downandsave

Savings group

The application Downandsave.exe has been detected as a potentially unwanted program by 10 anti-malware scanners. This file is typically installed with Downandsave by Savings Group, a potentially unwanted software program. It is built using the Crossrider cross-browser extension toolkit; although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address 67-20-66-236.unifiedlayer.com on port 80 using the HTTP protocol.
Publisher:
Savings group

Product:
Downandsave

Description:
Downandsave exe

Version:
1.1.149.8

MD5:
31c6eca8aee042b06fe763c82d7a4a74

SHA-1:
79f05b1e209b3c5383eec7ecd166cdfe32478ff0

SHA-256:
c050278e23e8ec1642a2fb7e70f2bc2f7c351fa3c4294b624f2344ba3fe290f2

Scanner detections:
10 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/25/2024 1:45:01 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Agnitum Outpost | PUA.Toolbar.CrossRider | 7.1.1 |
| Baidu Antivirus | PUA.Win32.CrossRider | 4.0.3.15319 |
| Clam AntiVirus | Win.Adware.553765 | 0.98/21511 |
| Dr.Web | Adware.Plugin.24 | 9.0.1.078 |
| ESET NOD32 | Win32/Toolbar.CrossRider.E potentially unwanted (variant) | 9.11341 |
| G Data | Win32.Adware.Crossrider | 15.3.25 |
| Reason Heuristics | Threat.Win.Reputation.IMP | 15.2.20.23 |
| Trend Micro House Call | TROJ_GEN.R0C1H05L414 | 7.2.78 |
| VIPRE Antivirus | Crossrider | 38548 |
| ViRobot | Adware.Agent.437760[h] | 2014.3.20.0 |

File size:
427.5 KB (437,760 bytes)

Product version:
1.1.149.8

Copyright:
Copyright 2011

Original file name:
Downandsave.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\downandsave\downandsave.exe

File PE Metadata
Compilation timestamp:
6/5/2012 4:16:10 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:LI4T2INIZUzY22w3RNKyK9wMV4I4/MdfH8FUllbo63uql1zd4:LfQ8FD6rl1+

Entry address:
0x42283

Entry point:
E8, BA, 90, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 74, D0, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, 40, 96, 46, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 44, A0, 45, 00...
 

Code size:
353.5 KB (361,984 bytes)

The file Downandsave.exe has been discovered within the following program.

Downandsave by Savings Group
Downandsave is an adware style application that runs in the web browser as a toolbar and web extension.
77% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com (54.231.98.138:80)

TCP (HTTP):
Connects to 67-20-66-236.unifiedlayer.com (67.20.66.236:80)
