home

setup.exe

The application setup.exe has been detected as a potentially unwanted program by 16 anti-malware scanners. This is a self-extracting archive and installer, however the file is not signed with an authenticode signature from a trusted source. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from d1jpj265kni4hm.cloudfront.net.
MD5:
50f8c875d7026949895a35c1cbf3a7f5

SHA-1:
6a6e4228ae00ea203a4455acbaa27edb3a03d81f

SHA-256:
86efbedf3c9d4f357f00b2236b34634d038812a60a4a07a246140bb192e774da

Scanner detections:
16 / 68

Status:
Potentially unwanted

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:
6/29/2025 6:19:57 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Graftor.252429
5744357

AhnLab V3 Security
PUP/Win32.CrossRider
2015.10.21

Arcabit
Trojan.Graftor.D3DA0D
1.0.0.585

AVG
Crossrider
2016.0.2950

Baidu Antivirus
Adware.Win32.CrossAd
4.0.3.151021

Bitdefender
Gen:Variant.Graftor.252429
1.0.20.1470

Bkav FE
W32.GenericPealsC.Trojan
1.3.0.7237

Emsisoft Anti-Malware
Gen:Variant.Graftor.252429
10.0.0.5366

ESET NOD32
Win32/Toolbar.CrossRider.DC potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/CrossRider
10/21/2015

F-Secure
Gen:Variant.Graftor.252429
5.14.151

G Data
Gen:Variant.Graftor.252429
15.10.25

IKARUS anti.virus
Trojan.SuspectCRC
t3scan.1.9.5.0

MicroWorld eScan
Gen:Variant.Graftor.252429
16.0.0.882

Norman
Gen:Variant.Graftor.252429
10.10.2015 03:41:45

Zillya! Antivirus
Downloader.LMN.Win32.386253
2.0.0.2462

File size:
10.5 KB (10,752 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\setup.exe

File PE Metadata
Compilation timestamp:
10/20/2015 8:49:28 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
192:AZB79OiMkKkVHzk7KduSPXGUtgYGo8CDZpyDr8q916ADk:qoiMkdlu6B84pyDr/iAD

Entry address:
0x1000

Entry point:
6A, 70, 68, 58, 23, 40, 00, E8, F8, 01, 00, 00, 33, DB, 89, 5D, FC, 8D, 45, 80, 50, FF, 15, 00, 20, 40, 00, 83, CF, FF, 89, 7D, FC, 66, 81, 3D, 00, 00, 40, 00, 4D, 5A, 75, 28, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, 17, 0F, B7, 88, 18, 00, 40, 00, 81, F9, 0B, 01, 00, 00, 74, 20, 81, F9, 0B, 02, 00, 00, 74, 05, 89, 5D, E4, EB, 2A, 83, B8, 84, 00, 40, 00, 0E, 76, F2, 33, C9, 39, 98, F8, 00, 40, 00, EB, 11, 83, B8, 74, 00, 40, 00, 0E, 76, DF, 33, C9, 39, 98, E8, 00, 40, 00, 0F, 95, C1...
 
[+]

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
3 KB (3,072 bytes)

The file setup.exe has been seen being distributed by the following URL.

http://d1jpj265kni4hm.cloudfront.net/setup.exe

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.