SHA256: 28196d41b2fb6f2e3f0d8b04bc87aa5706fabe2cf36846cc0114dbf4017c0102
File name: setup.exe
Detection ratio: 34 / 54
Analysis date: 2014-10-26 14:59:53 UTC ( 9 months, 1 week ago )
Antivirus Result Update
AVG Generic_r.IT 20141026
AVware Amonetize (fs) 20141026
Ad-Aware Gen:Variant.Application.Bundler.Amonetize.14 20141026
Agnitum PUA.Amonetize! 20141025
AhnLab-V3 PUP/Win32.Amonetiz 20141026
Antiy-AVL GrayWare[AdWare:not-a-virus,HEUR]/Win32.Amonetize 20141026
Avast Win32:Amonetize-N [PUP] 20141026
Avira ADWARE/Adware.Gen2 20141026
Baidu-International Adware.Win32.Amonetize.BAJ 20141026
BitDefender Gen:Variant.Application.Bundler.Amonetize.14 20141026
CAT-QuickHeal AdWare.Amonetize.r5 (Not a Virus) 20141025
Comodo ApplicUnwnt 20141026
DrWeb Adware.Downware.2250 20141026
ESET-NOD32 a variant of Win32/Amonetize.AJ 20141026
F-Prot W32/Amonetize.A.gen!Eldorado 20141026
F-Secure Gen:Variant.Application.Bundler 20141026
Fortinet Riskware/Amonetize 20141026
GData Gen:Variant.Application.Bundler.Amonetize.14 20141026
K7AntiVirus Trojan ( 004a80311 ) 20141025
K7GW Trojan ( 004a80311 ) 20141025
Kaspersky not-a-virus:AdWare.Win32.Amonetize.eu 20141026
Malwarebytes PUP.Optional.Amonetize 20141026
McAfee Adware-Amonetize 20141026
McAfee-GW-Edition BehavesLike.Win32.AdwareAmonetize.fh 20141026
MicroWorld-eScan Gen:Variant.Application.Bundler.Amonetize.14 20141025
NANO-Antivirus Riskware.Win32.Amonetize.cvowxs 20141026
Qihoo-360 Trojan.Generic 20141026
Sophos Amonetize 20141026
Symantec Trojan.ADH.2 20141026
TrendMicro TROJ_GEN.R0CBC0EEM14 20141026
TrendMicro-HouseCall TROJ_GEN.R0CBC0EEM14 20141026
VBA32 AdWare.Amonetize 20141023
VIPRE Amonetize (fs) 20141026
Zillya Adware.Amonetize.Win32.798 20141025
AegisLab 20141026
Bkav 20141024
ByteHero 20141026
CMC 20141026
ClamAV 20141026
Cyren 20141026
Emsisoft 20141026
Ikarus 20141026
Jiangmin 20141025
Kingsoft 20141026
Microsoft 20141026
Norman 20141026
Rising 20141026
SUPERAntiSpyware 20141025
Tencent 20141026
TheHacker 20141022
TotalDefense 20141026
ViRobot 20141026
Zoner 20141024
nProtect 20141026
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Publisher Amonetize ltd.
Original name setup.exe
Internal name setup.exe
File version 1.1.5.26
Signature verification Signed file, verified signature
Signing date 8:41 AM 3/20/2014
Signers
[+] Amonetize ltd.
Status Valid
Valid from 1:00 AM 3/19/2013
Valid to 12:59 AM 6/19/2015
Valid usage Code Signing, 1.3.6.1.4.1.311.2.1.22
Algorithm SHA1
Thumbprint C3A44E7B669942F4410BDC052438C598C0832B22
Serial number 23 5E 7B 2F 1D 4E 01 52 18 9F 63 81 E2 BA 8C 97
[+] Thawte Code Signing CA - G2
Status Valid
Valid from 1:00 AM 2/8/2010
Valid to 12:59 AM 2/8/2020
Valid usage Client Auth, Code Signing
Algorithm SHA1
Thumbprint 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7
Serial number 47 97 4D 78 73 A5 BC AB 0D 2F B3 70 19 2F CE 5E
[+] thawte
Status Valid
Valid from 1:00 AM 11/17/2006
Valid to 12:59 AM 7/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm SHA1
Thumbprint 91C6D6EE3E8AC86384E548C299295C756C817B81
Serial number 34 4E D5 57 20 D5 ED EC 49 F4 2F CE 37 DB 2B 6D
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm MD5
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-03-20 07:41:55
Entry Point 0x00027314
Number of sections 5
PE sections
PE imports
RegCreateKeyExW
RegDeleteValueW
RegCloseKey
RegSetValueExW
RegQueryInfoKeyW
RegQueryValueExA
RegEnumKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegOpenKeyExA
RegQueryValueExW
GetDeviceCaps
DeleteDC
SelectObject
GetStockObject
CreateSolidBrush
GetObjectW
BitBlt
CreateCompatibleDC
DeleteObject
CreateCompatibleBitmap
GetStdHandle
ReleaseMutex
InterlockedPopEntrySList
WaitForSingleObject
EncodePointer
GetProcessId
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
FreeEnvironmentStringsW
SetStdHandle
GetCPInfo
GetTempPathW
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
GetExitCodeProcess
LocalFree
InterlockedPushEntrySList
InitializeCriticalSection
LoadResource
GlobalHandle
FindClose
TlsGetValue
MoveFileW
OutputDebugStringA
SetLastError
InterlockedDecrement
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
HeapSetInformation
UnhandledExceptionFilter
LoadLibraryExW
MultiByteToWideChar
FlushInstructionCache
GetPrivateProfileStringW
CreateThread
SetUnhandledExceptionFilter
CreateMutexW
MulDiv
IsProcessorFeaturePresent
DecodePointer
TerminateProcess
CreateSemaphoreW
GlobalAlloc
SetEndOfFile
GetCurrentThreadId
LeaveCriticalSection
WriteConsoleW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
LoadLibraryW
SetEvent
QueryPerformanceCounter
GetTickCount
TlsAlloc
FlushFileBuffers
lstrcmpiW
RtlUnwind
FreeLibrary
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GlobalLock
GetProcessHeap
GetTempFileNameW
WriteFile
lstrcpyW
ExpandEnvironmentStringsW
FindFirstFileW
lstrcmpW
GetProcAddress
CreateEventW
CreateFileW
GetFileType
TlsSetValue
HeapAlloc
InterlockedIncrement
GetLastError
LCMapStringW
lstrlenA
GlobalFree
GetConsoleCP
GetEnvironmentStringsW
GlobalUnlock
lstrlenW
SizeofResource
GetCurrentProcessId
LockResource
GetCommandLineW
WideCharToMultiByte
HeapSize
InterlockedCompareExchange
WritePrivateProfileStringW
RaiseException
ReleaseSemaphore
TlsFree
SetFilePointer
ReadFile
CloseHandle
GetACP
GetModuleHandleW
FreeResource
IsValidCodePage
HeapCreate
FindResourceW
VirtualFree
Sleep
VirtualAlloc
GetOEMCP
LoadRegTypeLib
OleCreateFontIndirect
SafeArrayAccessData
SysStringLen
UnRegisterTypeLib
RegisterTypeLib
SysAllocStringLen
SafeArrayUnaccessData
VariantClear
SysAllocString
DispCallFunc
VariantCopy
SafeArrayCreateVector
SafeArrayGetVartype
LoadTypeLib
SysFreeString
SafeArrayCopy
VariantInit
VarUI4FromStr
SHBrowseForFolderW
SHGetPathFromIDListW
ShellExecuteExW
ExtractIconW
SHGetSpecialFolderPathW
CommandLineToArgvW
StrStrIW
SetFocus
RedrawWindow
GetForegroundWindow
GetParent
MapDialogRect
EndPaint
EndDialog
RegisterClassExW
GetFocus
DefWindowProcW
ReleaseCapture
KillTimer
CreateAcceleratorTableW
DestroyAcceleratorTable
GetMessageW
RegisterWindowMessageW
SetWindowPos
GetClassInfoExW
GetWindowThreadProcessId
SetWindowLongW
MessageBoxW
ClientToScreen
SetCapture
MoveWindow
TranslateMessage
GetWindow
PostMessageW
GetSysColor
SetActiveWindow
DispatchMessageW
CreateWindowExW
ReleaseDC
BeginPaint
SendMessageW
UnregisterClassA
wsprintfW
PtInRect
SendDlgItemMessageW
SetWindowTextW
SetWindowContextHelpId
GetDlgItem
IsWindow
ScreenToClient
InvalidateRect
CallWindowProcW
GetClassNameW
PostThreadMessageW
FillRect
IsDlgButtonChecked
GetClientRect
GetWindowTextW
CheckDlgButton
GetDesktopWindow
DialogBoxIndirectParamW
LoadCursorW
LoadIconW
GetWindowTextLengthW
GetDC
GetWindowLongW
InvalidateRgn
CharNextW
IsChild
DestroyWindow
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
WinHttpSetOption
WinHttpConnect
WinHttpQueryHeaders
WinHttpReadData
WinHttpCloseHandle
WinHttpQueryDataAvailable
WinHttpCrackUrl
WinHttpGetProxyForUrl
WinHttpSetStatusCallback
WinHttpReceiveResponse
WinHttpOpen
WinHttpOpenRequest
WinHttpSendRequest
ProgIDFromCLSID
OleUninitialize
CoUninitialize
CoInitialize
OleInitialize
CoRevokeClassObject
CreateStreamOnHGlobal
CoCreateInstance
CLSIDFromProgID
CoTaskMemRealloc
OleLockRunning
CoAddRefServerProcess
CoRegisterClassObject
CoReleaseServerProcess
CoTaskMemAlloc
CLSIDFromString
CoTaskMemFree
StringFromGUID2
CoGetClassObject
Number of PE resources by type
RT_DIALOG 4
RT_STRING 2
REGISTRY 2
RT_ICON 1
TYPELIB 1
Struct(240) 1
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 14
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 10.0
ImageVersion 0.0
FileVersionNumber 1.1.5.26
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 103936
FileOS Windows NT 32-bit
MIMEType application/octet-stream
FileVersion 1.1.5.26
TimeStamp 2014:03:20 08:41:55+01:00
FileType Win32 EXE
PEType PE32
InternalName setup.exe
FileAccessDate 2014:10:26 16:00:07+01:00
ProductVersion 1.1.5.26
SubsystemVersion 5.1
OSVersion 5.1
FileCreateDate 2014:10:26 16:00:07+01:00
OriginalFilename setup.exe
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 235008
FileSubtype 0
ProductVersionNumber 1.1.5.26
EntryPoint 0x27314
ObjectFileType Executable application
Execution parents
Compressed bundles
File identification
MD5 2e20e446943ecd01d3a668083d81d1fc
SHA1 7caff295636abd10b69d392c240b5156050490fa
SHA256 28196d41b2fb6f2e3f0d8b04bc87aa5706fabe2cf36846cc0114dbf4017c0102
ssdeep 6144:H9zGLSLhKY35sGot5iQBgMl3b6Me3GMvZMUo+MaooAy/UZCjz7jAGijw8Eon:H9zGusY3+Gg5iYgMVaZ++tooAOwCjfVy
authentihash ade535252448c11939c131baf7491c19b631c87ce41522760f0e5b68303a12b3
imphash 1f43b615e9a3d10811da41e15942e6d4
File size 328.5 KB ( 336424 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.3%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags peexe signed
VirusTotal metadata
First submission 2014-03-20 07:46:15 UTC ( 1 year, 4 months ago )
Last submission 2014-03-23 09:31:24 UTC ( 1 year, 4 months ago )
File names DownloadSetup__2299_i465318329_il3.exe
DownloadSetup__2299_i465318270_il3.exe
The Palestine Israel Conflict Downloader__3687_i465117495_il3646208.exe
DownloadSetup__2299_i465318327_il3.exe
Canli.Mac.izle.ve.Ucretsiz.Yetiskin.Kanalla__2299_il33.exe
23104434
23104433
23104432
Free.Premium.Download__2299_i465610277_il306.exe
Launcher__3687_il3714493.exe
Launcher__2299_i466083271_il245.exe
Grave Robber from quot Repo the Genetic Opera quot Zydrate Anatomy__3055_il3228117.exe
DownloadSetup__2299_i465318272_il3.exe
Grave Robber from quot Repo the Genetic Opera quot Zydrate Anatomy__3055_il3228561.exe
Launcher__2299_il8540.exe
Launcher.exe
setup.exe
output.23104432.txt
Launcher__3818_il3191792.exe
Launcher__2299_i465596167_il245.exe
DownloadSetup__2299_i465318357_il3.exe
Launcher__3931_il3711053.exe
output.23110996.txt
Launcher__2299_i465613587_il245.exe
WinActivarorKMS__2299_i465809060_il1736715.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.
HTTP requests
DNS requests
TCP connections