prsetup.exe

ProductName

LLC

The application prsetup.exe by LLC has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It is a setup and installation application that has been known to bundle potentially unwanted software, and it is typically executed from the user's temporary directory. While running, it connects to the Internet address static-24-183-73-69.nocdirect.com on port 80 using the HTTP protocol.
Publisher:
Soft company (signed by LLC)

Product:
ProductName

Description:
Files downloader

Version:
3.1.3.3

MD5:
3c8f3b1ff58a6e9680a2ec7371439ecb

SHA-1:
258561a30d6b8d5dd3940ead1ebc6b4ee9469170

SHA-256:
4e8198f007956f9019af0d288395a8c1ba2fc5993028aa05922b793b322a3b3d

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider this file unwanted.

Analysis date:
12/26/2024 12:48:59 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Amonitize.Installer

Engine version:
17.2.6.12

File size:
4.2 MB (4,371,664 bytes)

Product version:
3.3.1

Copyright:
All right copyright

Trademarks:
Trademarks are all reserved

Original file name:
OriginalFilename

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\prsetup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
1/31/2017 8:00:00 AM

Valid to:
3/17/2017 7:59:59 AM

Subject:
CN="LLC ""IT PRIMUS""", OU=IT, O="LLC ""IT PRIMUS""", STREET="Shevchenkivsky Raion, Vulytsya Biloruska, Budynok 26", L=Kiev, S=Kiev, PostalCode=771, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A5CDCBD6E541756EAC5EF5AA66D966C6

File PE Metadata
Compilation timestamp:
6/20/1992 6:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0x17CC9C

Entry point:
55, 8B, EC, 83, C4, D8, 53, 56, 57, 33, C0, 89, 45, E0, 89, 45, E4, 89, 45, E8, B8, 6C, C2, 57, 00, E8, 46, AE, E8, FF, 33, C0, 55, 68, C6, D0, 57, 00, 64, FF, 30, 64, 89, 20, E8, 83, 64, E8, FF, A1, 58, 3A, 65, 00, E8, A5, 8D, E8, FF, 8D, 55, E8, E8, F1, D9, E8, FF, 8B, 45, E8, E8, 39, DC, E8, FF, 85, C0, 7E, 3B, 89, 45, EC, C7, 05, 64, BA, 65, 00, 01, 00, 00, 00, A1, 64, BA, 65, 00, 83, 3C, 85, 5C, 3A, 65, 00, 00, 7E, 14, A1, 64, BA, 65, 00, 83, 04, 85, 5C, 3A, 65, 00, 01, 71, 05, E8, D5, 73, E8, FF, FF...

Entropy:
7.4949

Developed / compiled with:
Microsoft Visual C++

Code size:
1.5 MB (1,556,992 bytes)

When executed, the file has been observed making the following network communication in live environments.

TCP (HTTP):
Connects to static-24-183-73-69.nocdirect.com (69.73.183.24:80)

Remove prsetup.exe - Powered by Reason Core Security