home

pdfreadersetup.exe

The application pdfreadersetup.exe has been detected as a potentially unwanted program by 15 anti-malware scanners. This is a setup and installation application, however the file is not signed with an authenticode signature from a trusted source. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from www.coolpdfreader.com.
MD5:
cee7fe43c0b6be3a2d02bdb03c47ee84

SHA-1:
b30a673adf8baa2d47fe68db3741be160a7537cb

SHA-256:
4e23897d9c470d4e1eaff4677a9b28b4d2c1903afddd9a0f911184803214205f

Scanner detections:
15 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
4/16/2024 2:56:53 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Adware/Win32.InstallCore
2012.08.04

Avira AntiVirus
ADWARE/InstallCore.Gen
7.11.38.196

avast!
Win32:InstallCore-AN [PUP]
2014.9-151102

Bitdefender
Application.InstallCore.AC
1.0.20.1530

Comodo Security
ApplicUnwnt.Win32.AdWare.InstallCore.3
13137

Dr.Web
Adware.InstallCore.45
9.0.1.0306

Emsisoft Anti-Malware
Packed.Win32.InstallCore.AMN!A2
8.15.11.02.11

ESET NOD32
Win32/InstallCore (variant)
9.7353

Fortinet FortiGate
W32/InstallCore.A
11/2/2015

F-Secure
Application.InstallCore.AC
11.2015-02-11_2

G Data
Application.InstallCore.AC
15.11.22

K7 AntiVirus
Trojan
13.145.7426

Kaspersky
Packed.Win32.InstallCore
14.0.0.1180

nProtect
Application.InstallCore.AC
12.08.03.01

Trend Micro House Call
TROJ_GEN.F47V0731
7.2.306

File size:
529.3 KB (541,968 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\pdfreadersetup.exe

File PE Metadata
Compilation timestamp:
6/19/1992 3:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:NZSBMtCzWzDn8yVPWAkh4XaiJEHmYH4n8NDqRZVrqNrkA1Scz:LSa1zDuAkhEeBYndRZVmuAx

Entry address:
0x106490

Entry point:
60, BE, 00, A0, 48, 00, 8D, BE, 00, 70, F7, FF, C7, 87, 10, B7, 0C, 00, 8E, E8, BA, 12, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...
 
[+]

Entropy:
7.8921

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
500 KB (512,000 bytes)

The file pdfreadersetup.exe has been seen being distributed by the following URL.

http://www.coolpdfreader.com/default/ga/.../?dl=1

Remove pdfreadersetup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.