» updater26278.exe
Overview
Analysis
File Details
Behaviors (1)
Network (7)

updater26278.exe

Solid Savings

Engaging Apps

This is part of a distribution package that is classified as adware distributed by 50onRed. This adware is used to interact with the installed web browsers and inject ads and modify the default search and homepages. The application updater26278.exe, “Solid Savings exe” by Engaging Apps has been detected as adware by 9 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered by a time event. This web browser addon will display additional advertisements in the user's browser including popup, banner, contextual hyperlinks as well as affiliate links.

File name:

updater26278.exe

Publisher:

Innovative Apps (signed by Engaging Apps)

Product:

Solid Savings

Description:

Solid Savings exe

Version:

1000.1000.1000.1000

MD5:

d27b4cc30d71555aabda54fccd7e678e

SHA-1:

0648b720f127b3654635154236b16f5d3337d63f

SHA-256:

661c98ab635c19a8618a9fed27ec6ae7570351755a53dcfdc260a4300833fc8a

Scanner detections:

9 / 68

Status:

Adware

Explanation:

Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:

6/22/2025 10:20:43 AM UTC (today)

Scan engine

Detection

Engine version

ESET NOD32

Win32/Toolbar.CrossRider (variant)

7.9313

herdProtect (fuzzy)

variant of updater21804.exe (Adware)

2013.12.20.18

K7 AntiVirus

Unwanted-Program

13.176.11755

Malwarebytes

PUP.Optional.SolidSavings.A

v2014.01.20.12

McAfee

Artemis!04132ACAED2B

5600.7074

Reason Heuristics

PUP.Task.EngagingApps.M

14.8.7.21

Sophos

AppRider

4.96

Trend Micro House Call

TROJ_GEN.F47V1231

7.2.20

VIPRE Antivirus

GamePlayLabs

25616

File size:

214.4 KB (219,528 bytes)

Product version:

1000.1000.1000.1000

Original file name:

Solid Savings.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\local\updater26278\updater26278.exe

Digital Signature

Signed by:

Engaging Apps

Authority:

Thawte, Inc.

Valid from:

6/3/2013 8:00:00 PM

Valid to:

6/4/2014 7:59:59 PM

Subject:

CN=Engaging Apps, O=Engaging Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:

CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:

632EEBD9B987BC680D444D8675A26545

File PE Metadata

Compilation timestamp:

10/14/2013 6:52:04 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

3072:8eGE+NVQ18CsQ08QD4UA4TuRIUhUei6JMqJCsfDnGnmG/os5:zGPNtCt0X4UA4TuBhUei6JMqdmws

Entry address:

0x16881

Entry point:

E8, D5, 8F, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 92, E0, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, 20, 46, 43, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, E0, B0, 42, 00... 
[+]

Entropy:

6.4598

Code size:

166 KB (169,984 bytes)

Scheduled Task

Task name:

Updater26278.exe

Trigger:

Time (Next runs on 11/25/2013 at 11:41 PM)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to geoplugin.net (178.237.36.10:80)

TCP (HTTP):

Connects to lb-212-222.above.com (103.224.212.222:80)

TCP (HTTP):

Connects to tlb.hwcdn.net (69.16.175.42:80)

TCP (HTTP):

Connects to s3-website-us-east-1.amazonaws.com (54.231.120.185:80)

Remove updater26278.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.