setup.exe

Google Chrome

Download Assistant

This is part of the Air Installer, a download manager which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed with minimal consent. The application setup.exe, “Google Chrome” by Download Assistant, has been detected as adware by 12 anti-malware scanners. The program is a setup application that uses the AirInstaller Download Manager installer. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address useast.gtdlrfwd.com on port 80 using the HTTP protocol.
Publisher:
Download Assistant   (signed by Download Assistant)

Product:
Google Chrome

Description:
Google Chrome

Version:
3.0.0.42

MD5:
45b122cd07c6e658dad757c4bce8e34c

SHA-1:
d5d76125758c6bdf4f872cd6537be8cfa45b0d48

SHA-256:
ab17d87f0f6adcee99730dffa7f73316b2af46d70efa0f516066a9a6dc864e2f

Scanner detections:
12 / 68

Status:
Adware

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
12/24/2024 12:13:53 PM UTC

Scan engine          Detection                             Engine version
Lavasoft Ad-Aware    Application.Bundler.FX                825
Agnitum Outpost      Riskware.Agent                        7.1.1
avast!               Win32:Adware-gen [Adw]                2014.9-141101
Bitdefender          Application.Bundler.FX                1.0.20.1525
Dr.Web               Adware.Conduit.170                    9.0.1.0305
ESET NOD32           Win32/DownloadAssistant (variant)     8.10581
F-Secure             Application.Bundler.FX                11.2014-01-11_7
G Data               Application.Bundler.FX                14.11.24
IKARUS anti.virus    PUA.DownloadAssistant                 t3scan.1.7.8.0
Malwarebytes         PUP.Optional.DownloadAssistant        v2014.11.01.04
Reason Heuristics    PUP.Installer.DownloadAssistant.F     14.11.1.16
VIPRE Antivirus      Threat.4782985                        33706

File size:
922.3 KB (944,480 bytes)

Product version:
3.0.0.42

Copyright:
(c) Download Assistant

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
AirInstaller Download Manager

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\llywivmt\setup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
8/12/2014 8:00:00 PM

Valid to:
8/12/2016 7:59:59 PM

Subject:
CN=Download Assistant, O=Download Assistant, L=Victoria, S=British Columbia, C=CA

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6BC405E8AC962C676F54816BCC4D4311

File PE Metadata
Compilation timestamp:
10/30/2014 11:55:53 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:Fl60qMA5canSPzXdIBAp8AF1Loe8yjoFUt0A/PtDzr:FNqMWcaWIO8AFmioFKf/PZzr

Entry address:
0x4CCED

Entry point:
E8, F0, 08, 01, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 80, 00, 00, 00, 72, 0E, 83, 3D, 20, 4D, 4A, 00, 00, 74, 05, E9, 51, 09, 01, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7, 01, 83, EA, 01...

Entropy:
7.2091

Code size:
468.5 KB (479,744 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to useast.gtdlrfwd.com (104.131.2.201:80)

Remove setup.exe - Powered by Reason Core Security