home

express_installer.exe

TINY INSTALLER

Tiny Installer is a download manager variant from Adknowledge that packages various adware-type offers (toolbar, coupon extensions, utilities) with software distributions. The application express_installer.exe, “Express Install ” by TINY INSTALLER has been detected as adware by 34 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. This program installs potentially unwanted software on your PC at the same time as the software you are trying to install, without adequate consent.
Publisher:
Express Install   (signed by TINY INSTALLER)

Product:
Express Install

Description:
Express Install

Version:
3, 7, 1, 0

MD5:
788bca027accef334a673136a1561306

SHA-1:
0e5a51ceb32c45737cc41c6fc524cd66da4883fd

SHA-256:
a0caa28feae064ebe8c6c143b20e57a2b269720e85f7099149be3dd20084aa81

Scanner detections:
34 / 68

Status:
Adware

Explanation:
The Tiny Installer download manager bundles various adware components.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
4/19/2024 5:53:42 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Bundler.OptimumInstaller.5
416

Agnitum Outpost
Riskware.AdWare
7.1.1

AhnLab V3 Security
Adware/Win32.IBryte
15.12.15

Avira AntiVirus
ADWARE/Adware.Gen7
7.11.140.94

avast!
Win32:IBryte-BY [PUP]
2014.9-151215

AVG
Adware Skodna.Generic
2016.0.2894

Bitdefender
Trojan.GenericKDZ.23802
1.0.20.1745

Bkav FE
W32.HfsAdware
1.3.0.6379

Comodo Security
Application.Win32.Adware.iBryte.BAA
18025

Dr.Web
Adware.Downware.1563, Adware.Downware.1554
9.0.1.0349

Emsisoft Anti-Malware
Gen:Variant.Application.Bundler.OptimumInstaller
8.15.12.15.06

ESET NOD32
Win32/AdWare.iBryte.I application
9.7.0.302.0

Fortinet FortiGate
Riskware/PremiumInstaller
12/15/2015

F-Prot
W32/S-352b3331
v6.4.7.1.166

F-Secure
Riskware.Gen:Variant.Application.Bundler
11.2015-15-12_3

G Data
Win32.Adware.Ibryte
15.12.24

IKARUS anti.virus
Trojan.Win32.Buzus
t3scan.2.2.29

K7 AntiVirus
Adware
13.176.11613

Kaspersky
not-a-virus:AdWare.Win32.iBryte
14.0.0.966

Malwarebytes
PUP.Optional.OptimumInstaller.A
v2015.12.15.06

MicroWorld eScan
Trojan.GenericKDZ.23802
16.0.0.1047

NANO AntiVirus
Trojan.Win32.Buzus.ckibss
0.28.0.58720

Norman
Gen:Variant.Application.Bundler.OptimumInstaller.5
11.20151215

nProtect
Trojan-Clicker/W32.iBryte.1813288
14.03.31.01

Panda Antivirus
Trj/Genetic.gen
15.12.15.06

Qihoo 360 Security
Malware.QVM10.Gen
1.0.0.1015

Quick Heal
Adware.iBryte.EK4
12.15.14.00

Reason Heuristics
PUP.Adknowledge.TINYINSTALLER.Installer (M)
15.12.15.18

Rising Antivirus
PE:Trojan.Injector!1.9C6C
23.00.65.151213

Sophos
iBryte Optimum Installer
4.98

SUPERAntiSpyware
PUP.IBryte/Variant
9445

Vba32 AntiVirus
SScope.Malware-Cryptor.iBryte
3.12.24.3

VIPRE Antivirus
Trojan.Win32.Generic
27896

Zillya! Antivirus
Trojan.Inject.Win32.63693
2.0.0.1776

File size:
1.7 MB (1,825,064 bytes)

Product version:
3, 7, 1, 0

Copyright:
Copyright (C) 2013 Express Install

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Language:
English (United States)

Common path:
C:\users\{user}\downloads\express_installer.exe

Digital Signature
Signed by:
TINY INSTALLER

Authority:
VeriSign, Inc.

Valid from:
6/2/2013 5:00:00 PM

Valid to:
6/3/2014 4:59:59 PM

Subject:
CN=TINY INSTALLER, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=TINY INSTALLER, L=Wilmington, S=Delaware, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
54C184C0CB6B6510B3582483FC098463

File PE Metadata
Compilation timestamp:
10/16/2013 11:21:39 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:oTkuR6cuVxhn7en5jriS7h5cu8yU/jS67:8RR6VVxhn77M+EU7

Entry address:
0x358C5

Entry point:
E8, 5E, 8C, 00, 00, E9, 78, FE, FF, FF, 6A, 0C, 68, F0, 4B, 47, 00, E8, C1, 35, 00, 00, 83, 65, E4, 00, 8B, 75, 08, 3B, 35, 18, 69, 5B, 00, 77, 22, 6A, 04, E8, 61, 8E, 00, 00, 59, 83, 65, FC, 00, 56, E8, C3, 9B, 00, 00, 59, 89, 45, E4, C7, 45, FC, FE, FF, FF, FF, E8, 09, 00, 00, 00, 8B, 45, E4, E8, CD, 35, 00, 00, C3, 6A, 04, E8, 44, 8D, 00, 00, 59, C3, 8B, FF, 55, 8B, EC, 83, 3D, 74, 55, 5B, 00, 00, 75, 18, E8, 99, 81, 00, 00, 6A, 1E, E8, C1, 7F, 00, 00, 68, FF, 00, 00, 00, E8, D7, 4C, 00, 00, 59, 59, A1...
 
[+]

Entropy:
7.1540

Code size:
390 KB (399,360 bytes)

The file express_installer.exe has been seen being distributed by the following URL.

http://secure.oinstaller8.com/o/.../Express_Installer.exe

Remove express_installer.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.