home

installer.exe.downloading

The file installer.exe.downloading has been detected as a potentially unwanted program by 8 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from sonia.cachefly.net and multiple other hosts.
MD5:
d7c996a994cd26fb7eb937ffd40298d7

SHA-1:
e0e7f52b3e58cdf9689dbeb9dc3d79cdbd287d87

SHA-256:
ca92e2745985f5dffea090a1561fbc30f45462418df8b393aa3ff23d6753f1be

Scanner detections:
8 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
11/24/2024 1:37:58 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.Downloader
2016.02.29

avast!
Win32:Malware-gen
2014.9-160301

ESET NOD32
Win32/InstallCore.AFV potentially unwanted application
8.0.319.0

McAfee
Artemis!D7C996A994CD
5600.6474

Qihoo 360 Security
QVM20.1.Malware.Gen
1.0.0.1120

Reason Heuristics
Adware.Bundler (M)
16.3.7.0

Rising Antivirus
PE:Malware.Generic/QRS!1.9E2D [F]
23.00.65.16228

Vba32 AntiVirus
Malware-Cryptor.InstallCore.gen
3.12.26.4

File size:
486.7 KB (498,405 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\installer.exe.downloading

File PE Metadata
Compilation timestamp:
12/27/2015 5:38:55 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:Fbo6M6gr5b/hYu7wFz1B3i2u7ttVl2AmhOJ1SCA:Fbo6Wb/udC2uxxtmhMICA

Entry address:
0x310D

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 57, 33, DB, 68, 01, 80, 00, 00, 89, 5C, 24, 1C, C7, 44, 24, 14, 88, 91, 40, 00, 33, F6, C6, 44, 24, 18, 20, FF, 15, B4, 70, 40, 00, FF, 15, B0, 70, 40, 00, 66, 3D, 06, 00, 74, 11, 53, E8, E4, 2D, 00, 00, 3B, C3, 74, 07, 68, 00, 0C, 00, 00, FF, D0, 68, 7C, 91, 40, 00, E8, 65, 2D, 00, 00, 68, 74, 91, 40, 00, E8, 5B, 2D, 00, 00, 68, 68, 91, 40, 00, E8, 51, 2D, 00, 00, 6A, 0D, E8, B4, 2D, 00, 00, 6A, 0B, E8, AD, 2D, 00, 00, A3, 44, EC, 42, 00, FF, 15, 34, 70, 40, 00, 53, FF...
 
[+]

Entropy:
7.9726

Packer / compiler:
Nullsoft install system v2.x

Code size:
24 KB (24,576 bytes)

The file installer.exe.downloading has been seen being distributed by the following 5 URLs.

http://sonia.cachefly.net/.../installer.exe

http://www.giftdownloadscycle.com/.../installer.exe

http://www.bitstourhosting.com/.../installer.exe

http://www.citymetatour.com/.../installer.exe

http://www.presentheartdelivery.com/.../installer.exe

Remove installer.exe.downloading - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.