throne room.exe

Alexey Kurilenko

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions using the JustPlug.it browser framework. The application throne room.exe, “Installer for QuickSet” by Alexey Kurilenko has been detected as adware by 26 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.
Publisher:
QuickSet  (signed by Alexey Kurilenko)

Product:
QuickSet

Description:
Installer for QuickSet

Version:
2013.11.20.1837

MD5:
e7be63a8a30ccfc96b80c58a80de5f35

SHA-1:
a7f596b4ff5f3397d7acc12e290e6b69eb214c09

SHA-256:
270dab78b91dc9e5f255611ccbcdeee0464791ed58096bb401fa452f1bfff468

Scanner detections:
26 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Analysis date:
12/25/2024 1:11:35 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Downloader
7.1.1

AhnLab V3 Security
PUP/Win32.TSULoader
2015.02.01

Avira AntiVirus
Adware/InstallRex.Q
7.11.206.68

avast!
Win32:InstalleRex-AZ [PUP]
150129-1

Bkav FE
W32.FamVT.AntiFWK.Trojan
1.3.0.6379

Clam AntiVirus
Win.Adware.Installerex-2
0.98/20010

Comodo Security
Application.Win32.InstalleRex.KG
20914

Dr.Web
Adware.Downware.1719
9.0.1.05190

ESET NOD32
Win32/InstalleRex.L potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/InstalleRex
1/31/2015

F-Prot
W32/InstallRex.B
4.6.5.141

G Data
Win32.Application.InstalleRex
15.1.25

IKARUS anti.virus
PUA.TDownloader
t3scan.1.8.6.0

K7 AntiVirus
Unwanted-Program
13.193.14818

Kaspersky
Trojan.Win32.AntiFW
14.0.0.2557

Malwarebytes
PUP.Optional.InstalleRex
v2015.01.31.04

McAfee
PUP-FHQ
5600.6868

NANO AntiVirus
Riskware.Win32.Downware.crcxkg
0.30.0.65070

Quick Heal
Trojan.AntiFW.A5
1.15.14.00

Reason Heuristics
Adware.WebPick.Installer
15.1.31.16

Rising Antivirus
PE:Trojan.DL.Win32.AntiFW.a!1075355932
23.00.65.15129

Sophos
PUA 'InstallRex'
5.09

SUPERAntiSpyware
Adware.InstalleRex/Variant
10082

Vba32 AntiVirus
Downware.TSU
3.12.26.3

VIPRE Antivirus
Threat.4150696
36666

Zillya! Antivirus
Downloader.Adload.Win32.16871
2.0.0.2050

File size:
304.2 KB (311,456 bytes)

Product version:
1.0.0.1

Copyright:
Copyright © 2013 QuickSet

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\throne room.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
7/18/2013 8:00:00 PM

Valid to:
7/19/2014 7:59:59 PM

Subject:
CN=Alexey Kurilenko, O=Alexey Kurilenko, STREET="Str. Sums'ka, 28", L=Kharkiv, S=Kharkivska, PostalCode=61057, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EC26735E2AD490D07645FA7A606FA1EE

File PE Metadata
Compilation timestamp:
3/12/2013 4:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:srkx9uEo2S1YnQmCX492DkwNP3qpYFkXdlP5IO5/OoCVHuy6SHZ86riVZkiizm:srkHu6/eIo4RXdrIO5/OpVHd6Ky6rizz

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 
[+]

Entropy:
7.9570

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file throne room.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

 
http://c1.stylezip.info/?step_id=1&installer_id=17072866&publisher_id=707&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=51218598&external_id=0&session_id=102437196&hardware_id=119510062&installer_file_name=throne+room

Remove throne room.exe - Powered by Reason Core Security