setup.exe

WinZip Computing

The application setup.exe by WinZip Computing has been detected as a potentially unwanted program by 2 anti-malware scanners. It is a self-extracting archive and installer that has been known to bundle potentially unwanted software. The installer uses the OpenCandy monetization platform, which downloads and installs offers for potentially unwanted software, including ad- and search-supported toolbars, during setup. The file has been seen being downloaded from dl.cleverbridge.com and multiple other hosts. While running, it connects to the Internet address inst.avg.com on port 80 using the HTTP protocol.
Publisher:
WinZip Computing  (signed and verified; note that the certificate's validity window listed below ended on 4/14/2014, well before the analysis date, so a signature that still verifies must rely on a trusted timestamp countersignature, which this report does not show)

MD5:
2a14e4e4523fe39719a0efb0b49f0d8a

SHA-1:
81512abe1f97f253598202be4fba184627932ecc

SHA-256:
3f831240579d8bb83a110f24008cbc186f4d3e7598aab43d6b6273a05a9ec314

Scanner detections:
2 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
4/19/2024 3:53:57 AM UTC

Scan engine         Detection                      Engine version
ESET NOD32                                         8.8917
Reason Heuristics   PUP.OpenCandy.Installer (L)    16.11.29.6

File size:
34.3 MB (35,919,760 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\winzip_system_utilities_suite_v2.0.648.13214_[www.patoghu.com]\winzip system utilities suite v2.0.648.13214 final.softarchive.net\setup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/16/2012 3:30:00 AM

Valid to:
4/14/2014 4:29:59 AM

Subject:
CN=WinZip Computing, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WinZip Computing, L=Mansfield, S=Connecticut, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5E4842AC9691630B45F8266C0ADB1206

File PE Metadata
Compilation timestamp:
11/2/2009 11:54:29 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
786432:DlH26Q8HriRVDazMyRFL6TPcxSGqhuNWtoxH4K7vemknq8:pWeriHDaIeR6TPOSBY0oxH4K7v7wf

Entry address:
0x1479F

Entry point:
E8, 02, 67, 00, 00, E9, 17, FE, FF, FF, 3B, 0D, D8, C9, 42, 00, 75, 02, F3, C3, E9, 82, 67, 00, 00, 55, 8B, EC, 51, 53, 8B, 45, 0C, 83, C0, 0C, 89, 45, FC, 64, 8B, 1D, 00, 00, 00, 00, 8B, 03, 64, A3, 00, 00, 00, 00, 8B, 45, 08, 8B, 5D, 0C, 8B, 6D, FC, 8B, 63, FC, FF, E0, 5B, C9, C2, 08, 00, 58, 59, 87, 04, 24, FF, E0, 55, 8B, EC, 51, 51, 53, 56, 57, 64, 8B, 35, 00, 00, 00, 00, 89, 75, FC, C7, 45, F8, 18, 48, 41, 00, 6A, 00, FF, 75, 0C, FF, 75, F8, FF, 75, 08, E8, 54, E6, 00, 00, 8B, 45, 0C, 8B, 40, 04, 83...

Entropy:
7.9995  (probably packed)

Code size:
144 KB (147,456 bytes)
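The hash and entropy fields above are what an analyst reproduces first when triaging a suspected bundler. The following script is an added example and is not part of this Reason Core Security report or of WinZip's software: it hashes a file with MD5, SHA-1 and SHA-256, compares the digests against the indicators listed on this page, and computes the Shannon entropy behind the "probably packed" verdict. The 7.2 bits-per-byte threshold is an assumed rule of thumb, not a value from the report; the report itself shows 7.9995 for this file, which is consistent with a self-extracting archive whose payload is compressed. The sample buffer at the bottom is constructed for illustration.

```python
"""Added example (not from the Reason Core Security report): triage a file
against the hash IOCs on this page and reproduce the entropy check."""
import hashlib
import math
import sys
from collections import Counter

# Digests copied from the report above for setup.exe.
KNOWN_HASHES = {
    "sha256": "3f831240579d8bb83a110f24008cbc186f4d3e7598aab43d6b6273a05a9ec314",
    "sha1": "81512abe1f97f253598202be4fba184627932ecc",
    "md5": "2a14e4e4523fe39719a0efb0b49f0d8a",
}

# Assumed threshold (rule of thumb, not from the report): PE files whose
# overall entropy exceeds ~7.2 bits/byte are usually packed or compressed.
PACKED_THRESHOLD = 7.2


def file_hashes(data: bytes) -> dict:
    """Return lowercase hex digests keyed by algorithm name."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage(data: bytes) -> dict:
    """Hash the buffer, match it against KNOWN_HASHES and score its entropy."""
    hashes = file_hashes(data)
    matched = [alg for alg, digest in hashes.items()
               if KNOWN_HASHES.get(alg) == digest]
    entropy = shannon_entropy(data)
    return {
        "hashes": hashes,
        "ioc_match": matched,              # algorithms whose digest matched
        "entropy": round(entropy, 4),
        "probably_packed": entropy >= PACKED_THRESHOLD,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:
        # Constructed sample: a uniform byte distribution, which scores 8.0
        # bits/byte and therefore trips the packed heuristic.
        sample = bytes(range(256)) * 4
    print(triage(sample))
```

Run it as `python triage.py setup.exe` to check a downloaded copy; an `ioc_match` containing all three algorithms means the file is byte-for-byte the sample this report describes, while an empty list with the same file name simply means a different build and says nothing about whether it is clean.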

The file setup.exe has been seen being distributed by the following 19 URLs.

http://dl.cleverbridge.com/852/.../wzsysutil.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to oi.cloud.avg.com  (204.193.144.33:80)

TCP (HTTP):
Connects to inst.avg.com  (204.193.144.89:80)
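The two host/IP pairs above are the network indicators an analyst would sweep proxy or firewall logs for to find machines on which this installer ran. The script below is an added example and is not part of this report: it parses an assumed, simplified log format ("timestamp source -> destination:port method path"), matches the destination against the indicators as an exact host name, a subdomain of it, or the listed IP, and returns the hits. The log lines are constructed for illustration. Note that a parent domain such as cloud.avg.com is deliberately not treated as a match, because only the specific hosts on this page were observed.

```python
"""Added example (not from the Reason Core Security report): sweep proxy
log lines for the network indicators listed on this page."""
import ipaddress
import re

# Indicators copied from the report: host name -> IP observed on port 80.
NETWORK_IOCS = {
    "oi.cloud.avg.com": "204.193.144.33",
    "inst.avg.com": "204.193.144.89",
}

# Assumed log format: "<ts> <src_ip> -> <dst_host_or_ip>:<port> <method> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<path>\S*)$"
)


def parse_line(line: str):
    """Return a dict of fields, or None if the line is not in the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def matches_ioc(dst: str):
    """Return (indicator, kind) when dst is an IOC host, a subdomain of it,
    or the IOC's IP address; kind is "host" or "ip". Otherwise None."""
    dst = dst.lower().rstrip(".")
    for host, ip in NETWORK_IOCS.items():
        if dst == host or dst.endswith("." + host):
            return host, "host"
        try:
            if ipaddress.ip_address(dst) == ipaddress.ip_address(ip):
                return host, "ip"
        except ValueError:
            pass  # dst is a host name, not an IP literal
    return None


def scan_log(lines):
    """Return one hit record per log line whose destination matches an IOC."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        match = matches_ioc(rec["dst"])
        if match:
            hits.append({
                "ts": rec["ts"],
                "src": rec["src"],
                "dst": rec["dst"],
                "port": rec["port"],
                "indicator": match[0],
                "matched_on": match[1],
            })
    return hits


# Constructed sample log, not captured traffic.
SAMPLE_LOG = [
    "2024-04-19T03:53:57Z 10.0.0.12 -> inst.avg.com:80 GET /installer/check",
    "2024-04-19T03:54:01Z 10.0.0.12 -> 204.193.144.33:80 GET /oi/ping",
    "2024-04-19T03:54:05Z 10.0.0.12 -> www.winzip.com:443 GET /",
    "2024-04-19T03:54:09Z 10.0.0.12 -> cloud.avg.com:80 GET /",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

On the constructed sample the scan reports two hits from 10.0.0.12, one on the host name inst.avg.com and one on the IP 204.193.144.33, and ignores the unrelated hosts and the malformed line.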

Powered by Reason Core Security