home

setup.exe

File Setup LCC

This is the Softpulse installer which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application setup.exe by File Setup LCC has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Softpulse SoftwareBundler installer. The file has been seen being downloaded from az845772.vo.msecnd.net and multiple other hosts.
Publisher:
File Setup LCC  (signed and verified)

MD5:
da9076b0334d2952b0b6befa397bcd2b

SHA-1:
53a16fc4919b7309d4170db85884b53339e91d0a

SHA-256:
eb080aac873d5f2f8353b635eaf239feccfabc3157ecb1eb735bd1c3c56b3ca1

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
5/2/2024 12:38:56 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Softpulse.FileSetupLCC.Bundler (M)
16.1.20.9

File size:
634.9 KB (650,104 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Softpulse SoftwareBundler

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:
File Setup LCC

Authority:
COMODO CA Limited

Valid from:
2/15/2015 10:00:00 PM

Valid to:
2/16/2016 9:59:59 PM

Subject:
CN=File Setup LCC, O=File Setup LCC, STREET="501 Silverside Road, Suite 105", L=Wilmington, S=Delaware, PostalCode=19809, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0629F30DCECC62A8E72B47625BD36601

File PE Metadata
Compilation timestamp:
1/18/2016 7:02:20 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:dWHcZ3XIM8NFjtX9dJ+7gJSfrOQ9pCnz6THFcQqSYpz09jwCfN1BDBZx3IT6jJa:d+cZIMyNtX9d87USSAcnz67eQq3F09UL

Entry address:
0x1A4770

Entry point:
60, BE, 00, 10, 51, 00, 8D, BE, 00, 00, EF, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
592 KB (606,208 bytes)

The file setup.exe has been seen being distributed by the following 2 URLs.

http://az845772.vo.msecnd.net/GetMPSing?dd=http://.../MTIzNDU2Nzg5MDEyMzQ1Nkf55l1rv-CurEGqZB-uY3Wm12IZ3u9CTbsbIMWL6HdCw_iIvP2zZ1etHX7q51ePdxAxI4dvFH93RDmXXcaZ2dLLVu_Dm0Vf1NLaCbZtkLN8QrBwXTjkqqoLtY-AQvB-t9FyJ5Vy38gMK63X-ue1-v6LRtywuL9ibdPM1p5pFQg2ywvNcJPwdwXwENemlv5ZnSV5s_yUPFGxljMFLkrEgshzaH1GpBSIV0vkJ5TqjdrA8MX6tk2QuMmNTn6eW6grhRSzpNbaH83d8y9_uJBCfaO7eJ1RBb45IuBrwM_fw8MlaDQRptc-HefdCPpkJPhAxfQkorl52gQ4ZENaIbXhsvlLD7Q0ceygxNHrrFu9o-1IBPrQRtMhFUOtp0nOq5EVgVeOTdVhy0bd2Fmi0zPWW2ORrTBdtcHxXfkpxe7zi2bvzQ8RIBASJQ_3pyY7QPBEe2W4-mFuBeldShlL5Z8gv74=

http://az852137.vo.msecnd.net/MTIzNDU2Nzg5MDEyMzQ1NpxHwFKAOiKh6Fm0ZBWiiJvfDnbN3m0oj1Lz5GN1wM9A2iEn6H8EfSigzpuNE_jNGyuOv6_gu1r5Vj9LBBBzJgD7UsOZWDyLUjUPflYx0WRUhoASHxZa6qGmIQvToxD8v64vZQcV1zSS2AYQDKvBWXYj9FQN7i36XyXb6kAWmEsOUvkYd72HdTfPPSkydVu6v2vr6lMGg6l8lUf1XZuQbyYcbyTbjUXpp7vOev0uVkB-Iw2a1qp3vFaa1g33R4UX_BoHkdnOB3n8ns-U2ydoU7bvjZFQSQvmClU0vlffp7HLZ7xX0PjWQJQVee1nJig2dj2tok7C3n1VkhP23vVunbyhJ64-EJ54IQmLOkGfH_oOhmF7kDRmYwLTmkvHWHFRuIDzZwa4fRDyzKdlGnm6DtG8rR8d1rqYTKEhSHZQtegUbiA7ZKial8a8DEggRELcOpar2Vt_G9W4do01m9KHS8o=

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.