setup.exe

Setup Module

Woolik technologies ltd

The application setup.exe, “Setup Application” by Woolik technologies ltd, has been detected as adware by 41 anti-malware scanners. It is a self-extracting archive and installer that has been known to bundle potentially unwanted software. It displays context-specific advertisements in the browser and attempts to modify the browser's search provider. It is typically executed from the user's temporary directory.
Publisher:
Babylon Ltd.  (signed by Woolik technologies ltd)

Product:
Setup Module

Description:
Setup Application

Version:
9.1.2.13

MD5:
d4fae9bd0e8abd119d3c83dc3e826bc2

SHA-1:
f66942e9329a4bd18ea548f1a3f537d5cb7b42a2

SHA-256:
32ccb35637e0197f9b406ccc707d8ee6e3e4180b7783f759ca99bf0245d8488c

Scanner detections:
41 / 68

Status:
Adware

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
4/26/2024 6:09:42 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Win32.Runouce.B@mm | 904 |
| Agnitum Outpost | I-Worm.Chir.B | 7.1.1 |
| AhnLab V3 Security | Win32/ChiHack.6652 | 14.08.15 |
| Avira AntiVirus | W32/Chir.B | 7.11.144.160 |
| avast! | Win32:Oncer | 2014.9-140815 |
| AVG | Win32/Chir.B@mm | 2015.0.3382 |
| Baidu Antivirus | Virus.Win32.Runouce.$a | 4.0.3.14815 |
| Bitdefender | Win32.Runouce.B@mm | 1.0.20.1135 |
| Bkav FE | W32.Clod2b6.Trojan | 1.3.0.4562 |
| Boost by Reason | Optional.Wooliktechnologiesltd.F | 188838 |
| Clam AntiVirus | WIN.Worm.Brontok | 0.98/18355 |
| Comodo Security | Application.Win32.Babylon.id | 17372 |
| Dr.Web | Trojan.StartPage.56734 | 9.0.1.0353 |
| Emsisoft Anti-Malware | Win32.Runouce.B@mm | 8.14.08.15.01 |
| ESET NOD32 | Win32/Toolbar.Babylon (variant) | 7.9120 |
| Fortinet FortiGate | W32/Chir.B@mm | 8/15/2014 |
| F-Prot | W32/Thecid.B@mm | v6.4.7.1.166 |
| F-Secure | Win32.Runouce.B@mm | 11.2014-15-08_6 |
| G Data | Win32.Runouce.B@mm | 14.8.24 |
| IKARUS anti.virus | Email-Worm.Win32.Runouce | t3scan.1.6.1.0 |
| K7 AntiVirus | EmailWorm | 13.176.11833 |
| Kaspersky | Email-Worm.Win32.Runouce | 14.0.0.3405 |
| Malwarebytes | | v2013.12.19.09 |
| McAfee | W32/Chir.b@MM | 5600.7038 |
| Microsoft Security Essentials | Virus:Win32/Chir.B@mm | 1.10502 |
| MicroWorld eScan | Win32.Runouce.B@mm | 15.0.0.681 |
| NANO AntiVirus | Trojan.Win32.StartPage.cssmvq | 0.28.0.57630 |
| Norman | Malware | 11.20140815 |
| nProtect | Win32.Runouce.B@mm | 14.04.21.01 |
| Panda Antivirus | W32/Chir.B | 14.08.15.01 |
| Qihoo 360 Security | Virus.Win32.CNHacker.C | 1.0.0.1015 |
| Quick Heal | W32.Runouce.B | 8.14.12.00 |
| Reason Heuristics | PUP.Installer.Wooliktechnologiesltd.F | 14.8.7.21 |
| Rising Antivirus | PE:Worm.ChineseHacker-2!23772 | 23.00.65.14813 |
| Sophos | W32/Chir-A | 4.98 |
| Total Defense | Win32/Chir.B | 37.0.10890 |
| Trend Micro House Call | TROJ_GEN.F47V0927 | 7.2.353 |
| Trend Micro | PE_Chir.B | 10.465.15 |
| Vba32 AntiVirus | suspected of Trojan.Downloader.gen | 3.12.24.3 |
| VIPRE Antivirus | Win32.chir.b | 28462 |
| ViRobot | Win32.Chir.B | 2011.4.7.4223 |

File size:
1.2 MB (1,302,896 bytes)

Product version:
9.1.2.13

Copyright:
Copyright © Babylon Ltd. 1997-2013

Original file name:
Setup32.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\latest\setup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
7/24/2013 9:00:00 PM

Valid to:
7/25/2014 8:59:59 PM

Subject:
CN=Woolik technologies ltd, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Woolik technologies ltd, L=Or Yeuda, S=israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
233D2998915945A85914A5071B609336

File PE Metadata
Compilation timestamp:
9/1/2013 10:51:53 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:UsW86TgA8OSFa/BSIUet30buvcrvAz0uyUHvFYmBuv/U4:UPyOSg/ZOuvyYtxHvFYr/U4

Entry address:
0x75ED9

Entry point:
E8, 95, DF, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 60, 7D, 4C, 00, E8, C1, F4, FF, FF, E8, A4, 22, 00, 00, 0F, B7, F0, 6A, 02, E8, 28, DF, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, A4, 7D, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Code size:
614 KB (628,736 bytes)
