airfoil_3.6.exe

Kanchana Khiandee

The application airfoil_3.6.exe by Kanchana Khiandee has been detected as adware by 7 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. The installer bundles multiple adware offers during download and setup (based on the user's geographical location), including toolbars, extensions and coupon utilities. The file has been observed being downloaded from www.smarterdl.com and multiple other hosts.

Publisher:
Kanchana Khiandee (signed and verified)

MD5:
e460b71b68395eccb747dc7be231c68c

SHA-1:
c9d3cbc7ed97e34e20e32dfe4fa806ca19ca5025

SHA-256:
9a3d13d07e0b35dfa88c00ecb4d65b2630760fb15dbb7e2a588333695d04dc4e

Scanner detections:
7 / 68

Status:
Adware

Explanation:
Bundles a number of adware programs in the installer.

Analysis date:
4/19/2025 11:53:39 AM UTC

Scan engine | Detection | Engine version
Avira AntiVirus | APPL/CoolMirage.Gen | 7.11.174.118
Comodo Security | Application.Win32.CoolMirage.AS | 19620
Dr.Web | Adware.Downware.8319 | 9.0.1.0268
Malwarebytes | PUP.Optional.OneClickDownloader.A | v2014.09.25.01
NANO AntiVirus | Trojan.Nsis.Yotoon.deckrr | 0.28.2.62286
Qihoo 360 Security | HEUR/QVM42.0.Malware.Gen | 1.0.0.1015
Reason Heuristics | PUP.KanchanaKhiandee.K | 14.10.8.13

File size:
368.7 KB (377,584 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\airfoil_3.6.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
9/8/2014 2:00:00 AM

Valid to:
9/9/2015 1:59:59 AM

Subject:
CN=Kanchana Khiandee, OU=Individual Developer, O=No Organization Affiliation, L=Phuket, S=Phuket, C=TH

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
1C0F6CB32F77CACE96D7BF647840EEF4

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:fsA7za24yDk921d/+ZR3BWx/lVwX3s9zDIXxJXsb+fvm52uMK1:pza/Uk0mjWx/CsRDIjs6fvm5iA

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file airfoil_3.6.exe has been seen being distributed by the following 4 URLs.

https://www.smarterdl.com/.../microsoft_office_2013.exe
