Save Video Ads

By GoldSparrow in Potentially Unwanted Programs

Threat Scorecard

Popularity Rank: 19,437
Threat Level: 80 % (High)
Infected Computers: 67
First Seen: March 9, 2015
Last Seen: December 12, 2025
OS(es) Affected: Windows

The Save Video browser tool may attract you by offering to save any online video to your PC, but it is adware. Security experts note that the Save Video adware is programmed to display numerous marketing materials in the web browsers of affected users. It travels bundled with freeware setup files, which are best handled via the 'Advanced' or 'Custom' option. The Save Video adware shows banners, pop-ups, and ad boxes, and monetizes clicks on those commercials for its developers. You may want to check your installed web browsers for extensions, Browser Helper Objects and add-ons by Save Video that can be used to push ads. Moreover, ads delivered by adware such as the Save Video program may not be safe, because its primary objective is to monetize clicks on ads. The Save Video adware can be efficiently removed from your PC by using a reliable anti-spyware tool.

Analysis Report

General information

Family Name: Trojan.Zegost.GA
Signature status: No Signature

Known Samples

MD5: 0d4fccd0c8cfe1c3b75a344990c381ab
SHA1: 5044cd6e44704df89ccbc18338f10de57ecd4aaa
SHA256: D6B4778A444F1A532F809673E48851ADDADCF118A0D9BC2CEE59153992B50001
File Size: 406.02 KB, 406016 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • HighEntropy
  • No Version Info
  • x86

Block Information

Total Blocks: 117
Potentially Malicious Blocks: 13
Whitelisted Blocks: 104
Unknown Blocks: 0

Visual Map

x x x x x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File Attributes
c:\users\user\downloads\5044cd6e44704df89ccbc18338f10de57ecd4aaa_0000406016 Synchronize,Write Attributes
c:\windows\syswow64\meume.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\windows\syswow64\meume.exe Generic Write,Read Attributes
c:\windows\syswow64\meume.exe Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\select::marktime 2025-12-14 18:16 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ո쩚浨ǜ RegNtPreCreateKey

Windows API Usage

Category API
Service Control
  • OpenSCManager
  • OpenService
  • StartService
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Terminate
  • TerminateProcess

Shell Command Execution

C:\WINDOWS\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del c:\users\user\DOWNLO~1\5044CD~1 > nul
WriteConsole: 'ping' is not re
