setup.exe

Playtech PLC

The application setup.exe, “ONEWORLD Installer” by Playtech PLC, has been detected as a potentially unwanted program by 4 anti-malware scanners. The program is a setup application built with the Nullsoft Install System installer. The setup program uses the InstallCore engine, which may bundle additional software offers, including toolbars and browser extensions. The file has been seen being downloaded from play.1world8.com.
Publisher:
ONEWORLD  (signed by Playtech PLC)

Product:
ONEWORLD

Description:
ONEWORLD Installer

Version:
1.1.1.35

MD5:
3e6c5a487a8694fa67bdb889bbe434fc

SHA-1:
76a72b98e517cbfe24c22bb65b3b7342802d91a2

SHA-256:
e4cc03842f5ee33d44f3a793209b88d5282d91e8213140bf7e4c97a0cca0c706

Scanner detections:
4 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
11/24/2024 12:27:38 PM UTC

Scan engine          Detection                       Engine version
Dr.Web               Trojan.DownLoader13.6370        9.0.1.048
K7 AntiVirus         Riskware                        13.212.17780
Reason Heuristics    Threat.Win.Reputation.IMP       16.12.11.6
Zillya! Antivirus    Trojan.InstallCore.Win32.989    2.0.0.2496

File size:
2.9 MB (3,012,504 bytes)

Copyright:
Copyright 2015

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
11/14/2014 8:00:00 AM

Valid to:
2/13/2018 7:59:59 AM

Subject:
CN=Playtech PLC, O=Playtech PLC, L=Douglas, S=Isle Of Man, C=IM

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6B5F59AF1247A2E7A051034FF79F008A

File PE Metadata
Compilation timestamp:
2/19/2012 11:01:49 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
49152:FVxdYr5R5Qkj6pVb+UNIqC0I6hH8GeEDS+0QA8FZ3axkIpEWF+W/H5/JlbWE:ArD5e7BNrFeEXZ3jISWF+0HLBWE

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...
 

Entropy:
7.9939  (probably packed)

Code size:
34.5 KB (35,328 bytes)

The file setup.exe has been seen being distributed by the following URL.
