setup.exe

Western Web Applications, LLC

During installation, the software displays additional offers (such as adware), including a browser toolbar/extension and advertising injection software (part of the Injekt brand). The application setup.exe by Western Web Applications has been detected as adware by 14 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from d.playjewelquest.com.
Publisher:
Western Web Applications, LLC  (signed and verified)

MD5:
e47401e0ac1535aaabc9c7661b6feba0

SHA-1:
b9eac8efdba8d253bebce3942c160387ad15cc0e

SHA-256:
59b287f1f717d15a2c92d59bd006efea9a38f020e67ed05c73a83f002b440090

Scanner detections:
14 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads into the web browser, and alters the browser's settings (home page, search, DNS, and security protocols).

Analysis date:
2/25/2025 10:05:07 AM UTC  (today)

| Scan engine | Detection | Engine version |
|---|---|---|
| Agnitum Outpost | PUA.PullUpdate | 7.1.1 |
| Avira AntiVirus | ADWARE/Adware.Gen | 7.11.165.4 |
| avast! | Win32:Adware-gen [Adw] | 2014.9-140830 |
| AVG | Generic | 2015.0.3367 |
| Comodo Security | UnclassifiedMalware | 19058 |
| ESET NOD32 | MSIL/Adware.PullUpdate | 8.10193 |
| Malwarebytes | PUP.Optional.JewelQuest.A | v2014.08.30.11 |
| McAfee | Artemis!E47401E0AC15 | 5600.7023 |
| NANO AntiVirus | Riskware.Win32.Agent.dbyfjc | 0.28.2.61148 |
| Reason Heuristics | PUP.Installer.WesternWebApplications.F | 14.8.30.11 |
| Sophos | Generic PUA LJ | 4.98 |
| SUPERAntiSpyware | Trojan.Agent/Gen-Graftor | 10390 |
| Trend Micro House Call | Suspicious_GEN.F47V0801 | 7.2.242 |
| VIPRE Antivirus | Injekt | 31852 |

File size:
4 MB (4,185,768 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\setup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
6/2/2014 8:00:00 PM

Valid to:
6/3/2015 7:59:59 PM

Subject:
CN="Western Web Applications, LLC", O="Western Web Applications, LLC", L=Del Mar, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
2846A7B6FF6C3C84D2AC5AD12B664347

File PE Metadata
Compilation timestamp:
6/6/2009 5:41:48 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:E0XUgunyXzjXIKgO+YnGhIXpRgjhIt/LtD4VHvCWgunyX6:FtIKBnGaRgt+/BsVqTq

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 

Entropy:
7.9710

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file setup.exe has been seen being distributed by the following URL.
