- Overview
- Analysis
- File Details
- Downloads (1)
setup.exe
</h4>
<h3>Air Software</h3>
<div style="margin-top: 15px; margin-bottom: 25px;" id="summary">This is part of the Air Installer, a download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application setup.exe by Air Software has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the AirInstaller Download Manager installer. The file has been seen being downloaded from files.downloadwiz.com.</div>
<div class="keyvaluepairs">
<div id="sectnav-overview" data-nav="nav-overview" class="keyvaluepair navsection" style="margin-top: 15px;"><div class="key">File name:</div><div class="value">setup.exe</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Publisher:</div><div class="value">AirInstaller Inc. (<span class="arevnounder" onclick="$('html,body').animate({scrollTop: $('#kvp-Signer').offset().top - 68}, 'normal');">signed by Air Software</span>)</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Product:</div><div class="value"><TITLE> </div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Version:</div><div class="value">2.0.3.15</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">MD5:</div><div class="value">d98e945a2b2b20c7a525844cc76fb1e7</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">SHA-1:</div><div class="value">72bb4cc73e7489a1502564b816e03fb947e03a82</div><br style="clear:both;"></div>
<div class="keyvaluepair keyvaluepair-last"><div class="key">SHA-256:</div><div class="value">c5e213d66d3a0479ffd49641dd55fe6e647f31510c467739575f127922a58c99</div><br style="clear:both;"></div>
<div id="sectnav-analysis" data-nav="nav-analysis" class="header navsection">Analysis</div>
<div class="keyvaluepair"><div class="key">Scanner detections:</div><div class="value"><span class="text-red">1 / 68</span></div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Status:</div><div class="value"><span class="text-red text-bold">Adware</span></div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Note:</div><div class="value" style="color: #777777;">Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Description:</div><div class="value" style="color: #777777;">This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.</div><br style="clear:both;"></div>
<div class="keyvaluepair keyvaluepair-last"><div class="key">Analysis date:</div><div class="value">4/19/2024 4:43:58 AM UTC <span style="color: #999999;">(today)</span></div><br style="clear:both;"></div>
<div class="keyvaluepair" style="font-size: 11px; color: #999999;"><div class="analysis-engine">Scan engine</div><div class="analysis-result">Detection</div><div class="analysis-engineversion">Engine version</div><br style="clear:both;"></div>
<div class="keyvaluepair keyvaluepair-last"><div class="analysis-engine engineicon engineicon-reason">Reason Heuristics</div><div class="analysis-result text-red">PUP.Air Software.AirSoftw.Bundler (M)</div><div class="analysis-engineversion">16.4.5.19</div><br style="clear:both;"></div>
<div id="sectnav-details" data-nav="nav-details" class="header navsection">File Details</div>
<div class="keyvaluepair"><div class="key">File size:</div><div class="value">2.1 MB (2,155,160 bytes)</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Product version:</div><div class="value">2.0.3.15</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Copyright:</div><div class="value">(c) AirInstaller. All rights reserved.</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Original file name:</div><div class="value">AirInstaller.exe</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">File type:</div><div class="value">Executable application (Win32 EXE)</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Bundler/Installer:</div><div class="value">AirInstaller Download Manager</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Language:</div><div class="value">English (United States)</div><br style="clear:both;"></div>
<div class="keyvaluepair keyvaluepair-last"><div class="key">Common path:</div><div class="value" style="word-wrap: break-word;">C:\users\{user}\downloads\setup.exe</div><br style="clear:both;"></div>
<div id="kvp-Signer" class="subheader">Digital Signature</div>
<div class="keyvaluepair"><div class="key">Signed by:</div><div class="value"><a href="/signer-air-software-36d5aa8967e82240d5afec2f301b54ed.aspx">Air Software</a></div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Authority:</div><div class="value">VeriSign, Inc.</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Valid from:</div><div class="value">3/1/2012 8:00:00 AM</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Valid to:</div><div class="value">3/2/2013 7:59:59 AM</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Subject:</div><div class="value">CN=Air Software, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Air Software, L=Victoria, S=British Columbia, C=CA</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Issuer:</div><div class="value">CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US</div><br style="clear:both;"></div>
<div class="keyvaluepair keyvaluepair-last"><div class="key">Serial number:</div><div class="value">36D5AA8967E82240D5AFEC2F301B54ED</div><br style="clear:both;"></div>
<div class="subheader">File PE Metadata</div>
<div class="keyvaluepair"><div class="key">Compilation timestamp:</div><div class="value">11/15/2012 5:54:16 AM</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">OS version:</div><div class="value">5.1</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">OS bitness:</div><div class="value">Win32</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Subsystem:</div><div class="value">Windows GUI</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Linker version:</div><div class="value">10.0</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">CTPH (ssdeep):</div><div class="value" style="word-wrap: break-word;">49152:wbFrg6pjhfvQ+sjZ9dKWcM9Xvm/NRTB3OLb2m7t7hgebOIuvxhkwlfUqLQs:wbqmjhfvlsjZGWcym/NRTB3O2m7tdgeC</div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Entry address:</div><div class="value">0x14301E</div><br style="clear:both;"></div>
<div id="divPEEntryPointBuffer" class="keyvaluepair" style="height: 20px; overflow: hidden;"><div class="key">Entry point:</div><div class="value" style="font-family: Monospace; color: #666666; font-size: 12px; position: relative;">E8, E3, 93, 00, 00, E9, 89, FE, FF, FF, 3B, 0D, B0, 9D, 5D, 00, 75, 02, F3, C3, E9, 6A, 94, 00, 00, 8B, FF, 55, 8B, EC, 8B, 45, 14, 56, 85, C0, 74, 41, 83, 7D, 08, 00, 75, 13, E8, F1, 22, 00, 00, 6A, 16, 5E, 89, 30, E8, D8, 96, 00, 00, 8B, C6, EB, 2A, 83, 7D, 10, 00, 74, E7, 39, 45, 0C, 73, 0E, E8, D3, 22, 00, 00, 6A, 22, 59, 89, 08, 8B, F1, EB, DE, 50, FF, 75, 10, FF, 75, 08, E8, EE, 11, 00, 00, 83, C4, 0C, 33, C0, 5E, 5D, C3, 8B, FF, 55, 8B, EC, 8B, 45, 08, 56, 8B, F1, C6, 46, 0C, 00, 85, C0, 75, 63, E8...<div id="overlayPEEntryPointBuffer" style="width: 580px; height: 33px; box-shadow: inset 0 -30px 11px -18px #ffffff; position: absolute; top: 0px;"> </div><span id="togglePEEntryPointBuffer" class="arevnounder" style="position: absolute; top: -1px; right: -10px;" onclick="$('#overlayPEEntryPointBuffer').hide(); $('#divPEEntryPointBuffer').css({ 'height': '' }); $(this).fadeOut('fast');">[+]</span></div><br style="clear:both;"></div>
<div class="keyvaluepair"><div class="key">Entropy:</div><div class="value">6.4871</div><br style="clear:both;"></div>
<div class="keyvaluepair keyvaluepair-last"><div class="key">Code size:</div><div class="value">1.5 MB (1,538,048 bytes)</div><br style="clear:both;"></div>
<div id="sectnav-resourceurls" data-nav="nav-resourceurls" class="header navsection">Downloads</div>
<div class="keyvaluepair"><div class="descr">The file setup.exe has been seen being distributed by the following URL.</div><br style="clear:both;"></div>
<div class="keyvaluepair keyvaluepair-last"><div class="keyvalue nowrap""><a href="/domain-files.downloadwiz.com.aspx">http://files.downloadwiz.com/get/.../?sid=man3&b=154903c7&filename=Setup</a></div><br style="clear:both;"></div>
</div>
<div style="margin-top: 40px;">
<div style="background-image: url('/images/download24.png'); background-repeat: no-repeat; text-indent: 30px; height: 32px; text-align: left;"><a href="https://www.reasoncoresecurity.com/download-thank-you.aspx?dl=1&utm_source=hp&utm_medium=link&utm_campaign=resource" style="font-weight: bold; color: #075cae; font-size: 16px; text-decoration: underline;" title="Download Reason Core Security (free)...">Remove setup.exe</a> <span style="font-size: 11px; color: #999999;">- Powered by Reason Core Security</span></div>
</div>
<div style="margin-top: 40px;"><img src="images/disclaimer.png" style="height: 110px; width: 765px;"></div>
</div>
</div>
</div>
<div class="sectionsignature"></div>
</div>
<div class="sectionfooter">
<div class="sectionfooter-top">
<div class="container">
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.
</div>
</div>
<div class="sectionfooter-bottom">
<div class="container" style="padding: 10px 0px 80px 0px;">
<ul style="float: left; padding: 0px; margin: 0px;">
<li>© 2024 herdProtect</li>
<li><a href="/">Home</a></li>
<li><a href="/community.aspx">Community</a></li>
<li><a href="/terms.aspx">Terms of Service</a></li>
<li><a href="/privacy.aspx">Privacy Policy</a></li>
<li><a href="/about.aspx">About</a></li>
<li><a href="/contact.aspx">Contact</a></li>
</ul>
</div>
</div>
</div>
</div>
<div id="backgroundModal" style="position: fixed; left: 0; top: 0; width: 100%; height: 100%; z-index: 990; display: none; background-color: #ffffff; opacity: 0.7;"></div>
<div id="windowModalGeneric" class="windowModal" style="display: none; z-index:1000; position:absolute; background:#ffffff; padding: 8px; border: solid 1px #999999; -webkit-box-shadow: 0px 0px 10px 1px rgba(0, 0, 0, 0.15); box-shadow: 0px 0px 10px 1px rgba(0, 0, 0, 0.15);">
<div class="arevnounder" style="position: absolute; top: 1px; right: 1px;width: 26px; height: 22px; cursor: pointer; z-index: 8040; text-align: center; padding-top: 2px; font-weight: bold;" onclick="toggleModal('windowModalGeneric');">X</div>
<div class="windowModalInner" style="height: 200px; width: 500px; padding: 10px 15px; position: relative; background:#FFFFFF; overflow: auto;">
<div id="windowModalContent"></div>
</div>
</div>
<script>(function(t,e){t[e]=t[e]||function(){(t[e].q=t[e].q||[]).push(arguments)},t[e].t=1*new Date;var n=document.createElement("script");n.type="text/javascript",n.async=!0,n.src="//static.queit.in/sdk.js";var a=document.getElementsByTagName("script")[0];a.parentNode.insertBefore(n,a)})(window,"uncl");uncl('create', 'dceb5ac5-4708-475d-a99e-48ce404f5184', {config: {apiUrl: '//reason.queit.in/api'}});uncl('set', 'session-id', aa15e11b-9181-4371-8e32-9997d41899e4);</script>
</form>
</body>
</html>