× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 1c6ae84ef65fc3c437248662ad910b71770dab7a564618779d0a9f91d3f2d3e4
File name: Setup.exe
Detection ratio: 26 / 54
Analysis date: 2014-10-16 07:04:14 UTC ( 4 years, 4 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Adware.Graftor.153852 20141016
AegisLab AdWare.MSIL.DomaIQ 20141016
Yandex PUA.AirAd! 20141015
AhnLab-V3 PUP/Win32.Installer 20141016
Antiy-AVL GrayWare[AdWare:not-a-virus]/Win32.AirAdInstaller.gacx 20141016
Avast Win32:Adware-gen [Adw] 20141016
AVG Generic.C14 20141016
Avira (no cloud) ADWARE/Adware.Gen 20141016
AVware Iminent (fs) 20141016
BitDefender Gen:Variant.Adware.Graftor.153852 20141016
DrWeb Trojan.SMSSend.5548 20141016
Emsisoft Gen:Variant.Adware.Graftor.153852 (B) 20141016
ESET-NOD32 a variant of Win32/AirAdInstaller.A 20141016
F-Prot W32/A-9a53b681!Eldorado 20141016
F-Secure Gen:Variant.Adware.Graftor.153852 20141016
GData Gen:Variant.Adware.Graftor.153852 20141016
K7AntiVirus Unwanted-Program ( 0040f9231 ) 20141016
K7GW Unwanted-Program ( 0040f9231 ) 20141015
Kaspersky not-a-virus:AdWare.Win32.AirAdInstaller.gacx 20141016
Malwarebytes PUP.Optional.AirInstaller 20141016
McAfee-GW-Edition BehavesLike.Win32.LiveSoftAction.dc 20141015
eScan Gen:Variant.Adware.Graftor.153852 20141016
NANO-Antivirus Riskware.Win32.AirAdInstaller.dglhok 20141016
Rising PE:PUF.Airinstall!1.9C4C 20141015
Sophos AV AirInstaller 20141016
VIPRE Iminent (fs) 20141016
Baidu-International 20141015
Bkav 20141015
ByteHero 20141016
CAT-QuickHeal 20141016
ClamAV 20141016
CMC 20141013
Comodo 20141016
Cyren 20141016
Fortinet 20141016
Ikarus 20141016
Jiangmin 20141015
Kingsoft 20141016
McAfee 20141016
Microsoft 20141016
Norman 20141016
nProtect 20141015
Qihoo-360 20141016
SUPERAntiSpyware 20141016
Symantec 20141016
Tencent 20141016
TheHacker 20141013
TotalDefense 20141015
TrendMicro 20141016
TrendMicro-HouseCall 20141016
VBA32 20141015
ViRobot 20141016
Zillya 20141015
Zoner 20141014
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
(c) Install Manager

Publisher Install Manager
Product Download Manager
Original name setup.exe
Internal name setup.exe
File version 2.0.87.0
Description Download Manager
Signature verification Signed file, verified signature
Signers
[+] Install Manager
Status Valid
Issuer None
Valid from 1:00 AM 8/7/2013
Valid to 1:00 PM 8/11/2015
Valid usage Code Signing
Algorithm SHA1
Thumbprint 334BCEB712F187F182FC5398AD7F7523BE51537A
Serial number 06 C0 BB B9 09 99 72 9C 33 56 0E C1 8A 20 32 61
[+] DigiCert Assured ID Code Signing CA-1
Status Valid
Issuer None
Valid from 1:00 PM 2/11/2011
Valid to 1:00 PM 2/10/2026
Valid usage Code Signing
Algorithm SHA1
Thumbprint 409AA4A74A0CDA7C0FEE6BD0BB8823D16B5F1875
Serial number 0F A8 49 06 15 D7 00 A0 BE 21 76 FD C5 EC 6D BD
[+] DigiCert
Status Valid
Issuer None
Valid from 1:00 AM 11/10/2006
Valid to 1:00 AM 11/10/2031
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
Algorithm SHA1
Thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Serial number 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
Packers identified
F-PROT UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-10-09 20:48:29
Entry Point 0x002A53A0
Number of sections 3
PE sections
PE imports
InitCommonControlsEx
GetFileTitleW
LPtoDP
ImmGetContext
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
AlphaBlend
LresultFromObject
SysFreeString
Ord(190)
PathIsUNCW
InternetOpenW
PlaySoundW
OpenPrinterW
GdipFree
DoDragDrop
OleUIBusyW
IsValidURL
Number of PE resources by type
RT_STRING 17
RT_CURSOR 16
RT_GROUP_CURSOR 15
RT_DIALOG 13
RT_BITMAP 5
RT_HTML 4
RT_ICON 4
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 65
ENGLISH CAN 12
PE resources
ExifTool file metadata
SubsystemVersion
5.1

LinkerVersion
10.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
2.0.87.0

UninitializedDataSize
1900544

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Unicode

InitializedDataSize
65536

FileOS
Windows NT 32-bit

MIMEType
application/octet-stream

LegalCopyright
(c) Install Manager

FileVersion
2.0.87.0

TimeStamp
2014:10:09 21:48:29+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
setup.exe

FileAccessDate
2014:10:16 08:04:20+01:00

ProductVersion
2.0.87.0

FileDescription
Download Manager

OSVersion
5.1

FileCreateDate
2014:10:16 08:04:20+01:00

OriginalFilename
setup.exe

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Install Manager

CodeSize
872448

ProductName
Download Manager

ProductVersionNumber
2.0.87.0

EntryPoint
0x2a53a0

ObjectFileType
Executable application

File identification
MD5 e82c52d0a0784e820f6f5b498be03be2
SHA1 d492af3533f5393d3aaf756fa6abe060019877d4
SHA256 1c6ae84ef65fc3c437248662ad910b71770dab7a564618779d0a9f91d3f2d3e4
ssdeep
12288:6MIZvzTZ/bED/SPHfBQWdt6zMHH59gVTXKIV+rakzekHX/IX+DVxxRkzJsyfNCP/:6Mczo/SHPt4inlqiQXYxRkzNCfXiTmFT

authentihash df1cb1472b91abc65779fbc41c9d003e1ff81bf00b9dcf0b40402563ed505984
imphash 2c1dc413ec946e3d6254ac62e641bdf1
File size 915.9 KB ( 937880 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID UPX compressed Win32 Executable (42.3%)
Win32 EXE Yoda's Crypter (36.7%)
Win32 Dynamic Link Library (generic) (9.1%)
Win32 Executable (generic) (6.2%)
Generic Win/DOS Executable (2.7%)
Tags
peexe signed upx

VirusTotal metadata
First submission 2014-10-16 07:02:53 UTC ( 4 years, 4 months ago )
Last submission 2014-10-16 07:04:14 UTC ( 4 years, 4 months ago )
File names Setup.exe
setup.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.