home

ed the duck verified.exe

Rodion Veresev

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application ed the duck verified.exe by Rodion Veresev has been detected as adware by 19 anti-malware scanners. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from groupsetzipmyjob.org.
Publisher:
Rodion Veresev  (signed and verified)

MD5:
e0a04d5fdafed648d50328cf284fa28a

SHA-1:
0aefe54d1da1d67e5ef43986fa536de9465d27b2

SHA-256:
e13974b9b89be1832920ce580536c1b8ee93b56d1dbcd73c0c3ad52e7b2a6cc1

Scanner detections:
19 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/19/2024 4:27:32 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.MultiPlug.JM
5641927

AhnLab V3 Security
PUP/Win32.MultiPlug
2015.04.17

Avira AntiVirus
TR/Crypt.XPACK.Gen
3.6.1.96

avast!
Win32:Adware-gen [Adw]
2014.9-150417

AVG
Generic6
2016.0.3136

Bitdefender
Adware.MultiPlug.JM
1.0.20.535

Dr.Web
Trojan.Crossrider1.25958
9.0.1.05190

Emsisoft Anti-Malware
Adware.MultiPlug.JM
9.0.0.4799

ESET NOD32
Win32/Adware.MultiPlug.IW application
7.0.302.0

F-Secure
Adware.MultiPlug.JM
5.13.68

G Data
Adware.MultiPlug.JM
15.4.25

K7 AntiVirus
Unwanted-Program
13.202.15630

Malwarebytes
PUP.Optional.MultiPlug
v2015.04.17.12

McAfee
MultiPlug-FXR
5600.6792

MicroWorld eScan
Adware.MultiPlug.JM
16.0.0.321

nProtect
Adware.MultiPlug.JM
15.04.17.01

Reason Heuristics
Threat.WebPick.RodionVeresev
15.4.17.8

Sophos
PUA 'MultiPlug' (of type Adware)
5.13

Vba32 AntiVirus
suspected of Heur.Malware-Cryptor.Multiplug
3.12.26.3

File size:
371.4 KB (380,272 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\ed the duck verified.exe

Digital Signature
Signed by:
Rodion Veresev

Authority:
Unizeto Technologies S.A.

Valid from:
6/25/2014 11:22:58 AM

Valid to:
6/25/2015 11:22:58 AM

Subject:
E=rodion.veresev@yandex.ru, CN=Rodion Veresev, O=Rodion Veresev, C=UA

Issuer:
CN=Certum Code Signing CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
715A33AE9117D0C2B07CE5B9C396152A

File PE Metadata
Compilation timestamp:
4/24/2012 8:56:29 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:B62PTvcUyNfHmDO39HLZ96VIvq7qivDbfrM9hpqHyQa5FySwN5MAjJiRQKyvwKIg:Bv7uvmDO3Zfi2afrMrgAIyGeg

Entry address:
0x1F04B

Entry point:
E8, 54, 12, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 30, B2, 43, 00, E8, 5F, 17, 00, 00, E8, 21, 14, 00, 00, 0F, B7, F0, 6A, 02, E8, E7, 11, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, C8, 0B, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
6.0784

Code size:
144.5 KB (147,968 bytes)

The file ed the duck verified.exe has been seen being distributed by the following URL.

http://groupsetzipmyjob.org/hp/?q=z5aDYhOR19j1A789/XQJJHs01etDtZsaSAvqdqoPKzFNbKV49Tv6 SLMZ0d5p3SI06TnRq3ggkw1gO19J3c/EXCsrXtvjrZ6X4MngjlDwcSriSOOu2E0svI832Nndf94zWhrZUrZj2rmrUtXe4viTojq2zYIDg6XbKV3BBLpLz9cUbEga7Dqf9XeY7YZnUvIiC1FJ/.../aSK1B4P6c93eX3QO1f TsdDUFFXx1MosOQq5OA8xAN8BxvK0zh Miv1YLrFcFojZIu68BdRGHutJUmxSy8fdZ lBfqPajCVePrkljKdPTL1JL54UvllVSB0Mlta2ME&external_id=1429209758693086250

Remove ed the duck verified.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.