» installer_run.exe
Overview
Analysis
File Details
Downloads (1)

installer_run.exe

The application installer_run.exe has been detected as a potentially unwanted program by 9 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from secured.atouristwest.us.

File name:

installer_run.exe

MD5:

16a3e230650c5faab26d1a7e8ae4f961

SHA-1:

dec49feaac201924de69a39e6f9eca120fba4d7b

SHA-256:

ebcaef10f8ef6154037ca968a7f190d6a775c4a6cba959f888e483adc1ba0ee2

Scanner detections:

9 / 68

Status:

Potentially unwanted

Explanation:

Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:

4/26/2024 4:13:44 AM UTC (today)

Scan engine

Detection

Engine version

Avira AntiVirus

PUA/InstallMonetizer.Gen

8.3.1.6

Baidu Antivirus

PUA.Win32.InstallMonetizer

4.0.3.15822

ESET NOD32

Win32/InstallMonetizer.BG potentially unwanted

9.12133

herdProtect (fuzzy)

variant of installmanager.exe

2015.10.10.22

Malwarebytes

PUP.Optional.CheckOffer

v2015.08.22.02

NANO AntiVirus

Trojan.Nsis.Downloader.djhpgw

0.30.24.3079

Qihoo 360 Security

HEUR/QVM42.1.Malware.Gen

1.0.0.1015

Rising Antivirus

NS:PUF.SilenceInstaller!1.9DDF[F1]

23.00.65.15820

SUPERAntiSpyware

Adware.InstallMonetizer/Variant

9677

File size:

224.6 KB (229,996 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\appdata\local\temp\installer_run.exe

File PE Metadata

Compilation timestamp:

12/6/2009 12:52:12 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

6144:OFJ0qHmJFVQDT07pJ59E6rTUadigTZyt5q2pd5A8Ww1:MH80I7pBxddZybJd5A8l

Entry address:

0x30FA

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Entropy:

7.8401

Packer / compiler:

Nullsoft install system v2.x

Code size:

23.5 KB (24,064 bytes)

The file installer_run.exe has been seen being distributed by the following URL.

http://secured.atouristwest.us/Bing_Real_Bar_195.exe

Remove installer_run.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.