prsetup.exe

ProductName

LLC

The application prsetup.exe by LLC has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address static-24-183-73-69.nocdirect.com on port 80 using the HTTP protocol.
Publisher:
Soft company  (signed by LLC )

Product:
ProductName

Description:
Files downloader

Version:
3.1.3.3

MD5:
3b2b4b457d2164950f81decb6a8fd61a

SHA-1:
e163f7950c86e2bb3be4567e759caa7519124af9

SHA-256:
8aa1e5d65c074c95ca23903ea8ce5ff733b386d6483b1133b0607bff916488a2

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/26/2024 12:58:26 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Amonitize.Installer
17.2.8.13

File size:
4.2 MB (4,402,360 bytes)

Product version:
3.3.1

Copyright:
All right copyright

Trademarks:
Trademarks are all reserved

Original file name:
OriginalFilename

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\prsetup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
1/31/2017 9:00:00 AM

Valid to:
3/17/2017 8:59:59 AM

Subject:
CN="LLC ""IT SPECIALIST""", OU=IT, O="LLC ""IT SPECIALIST""", STREET="vul. Pidhirna, 7/36", L=Kiev, S=Kiev, PostalCode=04107, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
008C6CBEECD71E68AC90B45DF9F41159B8

File PE Metadata
Compilation timestamp:
6/20/1992 7:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0x17C76C

Entry point:
55, 8B, EC, 83, C4, D8, 53, 56, 57, 33, C0, 89, 45, E0, 89, 45, E4, 89, 45, E8, B8, 54, BD, 57, 00, E8, 76, B3, E8, FF, 33, C0, 55, 68, 9F, CB, 57, 00, 64, FF, 30, 64, 89, 20, E8, B3, 69, E8, FF, A1, 4C, 2A, 65, 00, E8, D5, 92, E8, FF, 8D, 55, E8, E8, 21, DF, E8, FF, 8B, 45, E8, E8, 69, E1, E8, FF, 85, C0, 7E, 3B, 89, 45, EC, C7, 05, 58, AA, 65, 00, 01, 00, 00, 00, A1, 58, AA, 65, 00, 83, 3C, 85, 50, 2A, 65, 00, 00, 7E, 14, A1, 58, AA, 65, 00, 83, 04, 85, 50, 2A, 65, 00, 01, 71, 05, E8, 05, 79, E8, FF, FF...
 
[+]

Entropy:
7.4217

Developed / compiled with:
Microsoft Visual C++

Code size:
1.5 MB (1,555,456 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wide.hornycone.com  (185.80.54.29:80)

TCP (HTTP):
Connects to static-24-183-73-69.nocdirect.com  (69.73.183.24:80)

Remove prsetup.exe - Powered by Reason Core Security