setupespl.exe

world information which

Sergiy Maratov

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed without consent. The application setupespl.exe by Sergiy Maratov has been detected as adware by 31 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address r1.stylezip.info on port 80 using the HTTP protocol.
Publisher:
necessitate like (signed by Sergiy Maratov)

Product:
world information which

Version:
2.5.0.0

MD5:
8bbeb6a766b100cb64d3f8caaa0e0370

SHA-1:
f5c65b512bb6cc458ff7eb1a572a96f2e1c1140c

SHA-256:
1ead89a901b8d346dd99d75fbd2b39129d09922bec74e49dd683149a8cbdc649

Scanner detections:
31 / 68

Status:
Adware

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/25/2024 3:59:59 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Adware.Kazy.467443 | 5535153
Agnitum Outpost | PUA.MultiPlug | 7.1.1
Avira AntiVirus | ADWARE/Adware.Gen | 8.3.1.6
avast! | Win32:MultiPlug-BF [PUP] | 150521-0
AVG | Adware Generic5.BDZW | 2014.0.4311
Bitdefender | Gen:Variant.Adware.Kazy.467443 | 1.0.20.710
Bkav FE | W32.HfsAdware | 1.3.0.6379
Clam AntiVirus | Win.Adware.Agent-8079 | 0.98/21511
Comodo Security | Application.Win32.MegaSearch.ATK | 22210
Dr.Web | Trojan.WebPick.2795 | 9.0.1.05190
Emsisoft Anti-Malware | Gen:Variant.Adware.Kazy.467443 | 10.0.0.5366
ESET NOD32 | Win32/AdWare.MultiPlug.AP application | 7.0.302.0
Fortinet FortiGate | W32/Generic.AC.445 | 5/22/2015
F-Prot | W32/A-6075dea0 | v6.4.7.1.166
F-Secure | Gen:Variant.Adware.Kazy | 5.14.151
G Data | Gen:Variant.Adware.Kazy.467443 | 15.5.25
IKARUS anti.virus | AdWare.Graftor | t3scan.1.8.9.0
K7 AntiVirus | Adware | 13.204.16000
Kaspersky | not-a-virus:HEUR:WebToolbar.Win32.Cossder | 14.0.0.2002
Malwarebytes | PUP.Optional.Multiplug | v2015.05.22.03
McAfee | Program.PUP-FLT | 18.0.204.0
MicroWorld eScan | Gen:Variant.Adware.Kazy.467443 | 16.0.0.426
NANO AntiVirus | Trojan.Win32.WebPick.ddkmpr | 0.30.24.1636
Norman | Gen:Variant.Kazy.467443 | 03.12.2014 13:20:04
Panda Antivirus | Trj/Genetic.gen | 15.05.22.03
Quick Heal | AdWare.MultiPlug.r5 (Not a Virus) | 5.15.14.00
Reason Heuristics | PUP.Installer.SergiyMaratov | 15.5.22.14
Rising Antivirus | PE:Adware.Dropper!6.1AB0 | 23.00.65.15520
Sophos | PUA 'MultiPlug' (of type Adware) | 5.14
VIPRE Antivirus | Threat.4150696 | 40432
Zillya! Antivirus | Backdoor.Klon.Win32.1086 | 2.0.0.2187

File size:
974.7 KB (998,120 bytes)

Product version:
2.5.0.0

Copyright:
Copyright (c) 2014

Original file name:
both

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\temp\setupespl.exe

Digital Signature
Signed by:

Authority:
Unizeto Technologies S.A.

Valid from:
6/24/2014 1:43:54 PM

Valid to:
6/24/2015 1:43:54 PM

Subject:
E=SergiyIvanovich@hotmail.com, CN=Sergiy Maratov, O=Sergiy Maratov, C=RU

Issuer:
CN=Certum Code Signing CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
774A5B60838D600A3706CAB0BC5A6286

File PE Metadata
Compilation timestamp:
8/2/2014 2:04:41 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:XnLd8kaBCURKpuSlGUebhEA3jsWiIHApiWf:XLd8kGtRnuGUxA3GMqhf

Entry address:
0x1918B

Entry point:
E8, 87, 7C, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 78, EE, 42, 00, E8, 6F, 0D, 00, 00, E8, A2, 03, 00, 00, 0F, B7, F0, 6A, 02, E8, 1A, 7C, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, C3, 45, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
7.8106  (probably packed)

Code size:
142.5 KB (145,920 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

http://c1.stylezip.info/?step_id=1&installer_id=21879370&publisher_id=187&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=65638110&external_id=0&session_id=131276220&hardware_id=153155590&installer_file_name=setupespl

Remove setupespl.exe - Powered by Reason Core Security