home

setup.exe

Wizard

Plugin Update S.L.

This is the Softpulse installer which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application setup.exe by Plugin Update S.L has been detected as adware by 32 anti-malware scanners. The program is a setup application that uses the Softpulse SoftwareBundler installer. This program installs potentially unwanted software on your PC at the same time as the software you are trying to install, without adequate consent. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from wflapfovf.d8ntvqxqk.com.
Publisher:
Plugin Update S.L.  (signed and verified)

Product:
Wizard

Version:
1. 9. 8. 7

MD5:
83b03636d6663952a117fa2487e0badc

SHA-1:
6c2c9db30f22255c7db3394c5565894d65723f17

SHA-256:
739b2e9febd2ae43bf4bfc1dd91ac946fd8571afa5eaa167a15d591888500163

Scanner detections:
32 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/6/2024 8:26:55 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Bundler.SoftPulse.5
355

Agnitum Outpost
Riskware.Agent
7.1.1

AhnLab V3 Security
Win-PUP/SoftPulse
2014.12.02

Avira AntiVirus
TR/Dropper.Gen
7.11.30.172

avast!
Win32:SoftPulse-BE [PUP]
2014.9-160214

AVG
Found Win32/DH{gRIxfX5QgQd5VE8VUYEVgQkcU4ETQYEP}
2017.0.2833

Bitdefender
Gen:Variant.Graftor.166365
1.0.20.225

Clam AntiVirus
Win.Adware.Softpulse-21
0.98/19753

Comodo Security
Application.Win32.SoftPulse.D
20252

Dr.Web
Adware.SoftPules.3
9.0.1.045

Emsisoft Anti-Malware
Gen:Variant.Application.Bundler.SoftPulse
8.16.02.14.02

ESET NOD32
Win32/SoftPulse.R potentially unwanted application
10.7.0.302.0

Fortinet FortiGate
W32/Kryptik.BWOY!tr
2/14/2016

F-Prot
W32/A-3f31f6a7
v6.4.7.1.166

F-Secure
Riskware.Gen:Variant.Application.Bundler
11.2016-14-02_1

G Data
Win32.Application.SoftPulse
16.2.24

K7 AntiVirus
Unwanted-Program
13.186.14210

Kaspersky
not-a-virus:AdWare.Win32.SoftPulse
14.0.0.662

Malwarebytes
PUP.Optional.SmartSec
v2016.02.14.02

McAfee
Program.SoftPulse
5600.6489

MicroWorld eScan
Gen:Variant.Graftor.166365
17.0.0.135

NANO AntiVirus
Trojan.Win32.DriverUpd.djrqtq
0.28.6.63850

Norman
Gen:Variant.Application.Bundler.SoftPulse.5
11.20160214

nProtect
Trojan.Agent.BGRP
14.12.05.01

Panda Antivirus
Trj/Genetic.gen
16.02.14.02

Qihoo 360 Security
Malware.QVM17.Gen
1.0.0.1015

Reason Heuristics
PUP.Softpulse.PluginUpdate.Bundler (M)
16.2.14.14

Sophos
PUA 'SoftPulse' (of type Adware)
58

SUPERAntiSpyware
Trojan.Agent/Gen-Nullo[Short]
9324

Vba32 AntiVirus
Signed-Adware.Softpulse
3.12.26.3

VIPRE Antivirus
Threat.4783235
35224

Zillya! Antivirus
Adware.SoftPulse.Win32.14
2.0.0.2001

File size:
874.4 KB (895,392 bytes)

Product version:
1. 9. 8. 7

Copyright:
Copyright (C) 2014

Original file name:
Wizard.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Softpulse SoftwareBundler

Language:
Espagnol (Espagne, alphabet international)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\setup.exe

Digital Signature
Signed by:
Plugin Update S.L.

Authority:
VeriSign, Inc.

Valid from:
10/8/2014 2:00:00 AM

Valid to:
10/9/2015 1:59:59 AM

Subject:
CN=Plugin Update S.L., O=Plugin Update S.L., L=Guia de Isora, S=Santa Cruz de Tenerife, C=ES

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
0E923B9CF60DA59FC3A43A87A8071FC2

File PE Metadata
Compilation timestamp:
12/11/2014 5:53:02 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:962u5vuBxvzdQsewncQxiZNK2X4BuZ4S+pev4D9kLEzr8YUrBYqXcsgpXkRmvbE1:9+5vcrdQtwncQAb4BuZvi9BPCcTEe4v

Entry address:
0x1C046

Entry point:
B8, 60, 23, 52, 00, 50, 64, FF, 35, 00, 00, 00, 00, 64, 89, 25, 00, 00, 00, 00, 33, C0, 89, 08, 50, 45, 43, 6F, 6D, 70, 61, 63, 74, 32, 00, FA, E6, 86, 6D, FA, 19, CB, 87, DB, 22, AE, 7C, 34, 71, 1A, DE, AC, C1, 2D, 65, 6A, F9, 95, DA, 7F, 6C, 47, AC, B5, 5D, 26, A9, F1, 0E, 05, D1, 8C, 00, DD, CF, 0F, 4A, 3F, DC, 0A, 67, AA, B0, B2, 4A, F1, 2C, 25, AC, 06, 3C, 4C, 1A, 01, A2, 07, 7C, 1B, 89, AF, 20, 84, 29, BE, 5A, 68, EF, 7B, A7, 86, A9, E0, 6C, 21, FC, 2A, 5D, BF, B6, A7, 48, 53, 6C, 31, 9B, 1B, EF, 01...
 
[+]

Packer / compiler:
PECompact v2

Code size:
208 KB (212,992 bytes)

The file setup.exe has been seen being distributed by the following URL.

http://wflapfovf.d8ntvqxqk.com/Jbg6ubxxOkNuXwyMyglBuFd4GA0mVQcuc65AFu1WjAf2l0DrKVw3xzi73W8gUqWmZ36-4jKV88ib1FcdRusQ63ZQuAzr2udRQCqcH9SDwgSHHDkk12JjZrVCcEa3zr5q_hWQeE3W4hFe_gFLfgMRalEwssjlUu7MpiUxji4gkeE

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.