Setup.exe

ANDREA VACONDIO

The file Setup.exe by ANDREA VACONDIO has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the InstallMonetizer platform, which will download and install adware toolbars and other potentially unwanted software offers during setup. This downloadable file is typically blocked by Google's Safe Browsing technology in the Chrome web browser. The file has been seen being downloaded from www.pdfsam.org and multiple other hosts.
Publisher:
ANDREA VACONDIO  (signed and verified)

MD5:
772466133f1f345b0cbdbbc7d5b74313

SHA-1:
6cb72a9881fb7ea8c2024ccade4d47fb0da2f206

SHA-256:
2c47c42bcde213d7f89ad6fad0964a9626b797ff0dc60d8498ce94fd1ae1ea05

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
11/15/2024 12:48:33 PM UTC

Scan engine              | Detection                    | Engine version
avast!                   | NSIS:InstMonetizer-AU [PUP]  | 2014.9-150122
ESET NOD32               | Win32/InstallMonetizer.AN    | 9.11053
K7 AntiVirus             | Trojan                       | 13.191.14711
McAfee                   | Artemis!772466133F1F         | 5600.6878
Sophos                   | Generic PUA GM               | 4.98
Trend Micro House Call   | Suspicious_GEN.F47V0115      | 7.2.22

File size:
14.8 MB (15,563,880 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
1/24/2014 8:42:08 AM

Valid to:
1/24/2015 8:42:08 AM

Subject:
CN=ANDREA VACONDIO, O=ANDREA VACONDIO, L=Bibbiano, S=Reggio Emilia, C=IT

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4EAF30FEEFE530

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
393216:QLYuQS20eFqPM/IWU0zN3mgkn9LDor+SP+8tYbRjT7QW:QsI20e7IwNe9LDorV+IyRf0W

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9999

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file Setup.exe has been seen being distributed by the following 3 URLs.
