home

express_installer.exe

TINY INSTALLER

Tiny Installer is a download manager variant from Adknowledge that packages various adware-type offers (toolbar, coupon extensions, utilities) with software distributions. The application express_installer.exe, “Express Install ” by TINY INSTALLER has been detected as adware by 34 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. This program installs potentially unwanted software on your PC at the same time as the software you are trying to install, without adequate consent.
Publisher:
Express Install   (signed by TINY INSTALLER)

Product:
Express Install

Description:
Express Install

Version:
3, 7, 1, 0

MD5:
cb594926b389acc640a065f7dc992160

SHA-1:
cd619cd60e0995d37278f83ee29829e5c7d62b33

SHA-256:
1a56deb698b715da1b3032cae51b60b1f120bc59f7eb105d63139652c887a629

Scanner detections:
34 / 68

Status:
Adware

Explanation:
The Tiny Installer download manager bundles various adware components.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
5/8/2024 2:02:13 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Bundler.OptimumInstaller.5
383

Agnitum Outpost
Riskware.AdWare
7.1.1

AhnLab V3 Security
Adware/Win32.IBryte
16.01.17

Avira AntiVirus
ADWARE/Adware.Gen7
7.11.140.94

avast!
Win32:IBryte-BY [PUP]
2014.9-160117

AVG
Adware Skodna.Generic
2017.0.2861

Bitdefender
Trojan.GenericKDZ.23802
1.0.20.85

Bkav FE
W32.HfsAdware
1.3.0.6379

Comodo Security
Application.Win32.Adware.iBryte.BAA
18025

Dr.Web
Adware.Downware.1563, Adware.Downware.1554
9.0.1.017

Emsisoft Anti-Malware
Gen:Variant.Application.Bundler.OptimumInstaller
8.16.01.17.01

ESET NOD32
Win32/AdWare.iBryte.I application
10.7.0.302.0

Fortinet FortiGate
Riskware/PremiumInstaller
1/17/2016

F-Prot
W32/S-352b3331
v6.4.7.1.166

F-Secure
Riskware.Gen:Variant.Application.Bundler
11.2016-17-01_1

G Data
Win32.Adware.Ibryte
16.1.24

IKARUS anti.virus
Trojan.Win32.Buzus
t3scan.2.2.29

K7 AntiVirus
Adware
13.176.11613

Kaspersky
not-a-virus:AdWare.Win32.iBryte
14.0.0.802

Malwarebytes
PUP.Optional.OptimumInstaller.A
v2016.01.17.01

MicroWorld eScan
Trojan.GenericKDZ.23802
17.0.0.51

NANO AntiVirus
Trojan.Win32.Buzus.ckibss
0.28.0.58720

Norman
Gen:Variant.Application.Bundler.OptimumInstaller.5
11.20160117

nProtect
Trojan-Clicker/W32.iBryte.1813288
14.03.31.01

Panda Antivirus
Trj/Genetic.gen
16.01.17.01

Qihoo 360 Security
Malware.QVM10.Gen
1.0.0.1015

Quick Heal
Adware.iBryte.EK4
1.16.14.00

Reason Heuristics
PUP.Adknowledge.TINYINSTALLER.Installer (M)
16.1.17.13

Rising Antivirus
PE:Trojan.Injector!1.9C6C
23.00.65.16115

Sophos
iBryte Optimum Installer
4.98

SUPERAntiSpyware
PUP.IBryte/Variant
9380

Vba32 AntiVirus
SScope.Malware-Cryptor.iBryte
3.12.24.3

VIPRE Antivirus
Trojan.Win32.Generic
27896

Zillya! Antivirus
Trojan.Inject.Win32.63693
2.0.0.1776

File size:
1.7 MB (1,799,976 bytes)

Product version:
3, 7, 1, 0

Copyright:
Copyright (C) 2013 Express Install

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Language:
English (United States)

Common path:
C:\users\{user}\downloads\express_installer.exe

Digital Signature
Signed by:
TINY INSTALLER

Authority:
VeriSign, Inc.

Valid from:
6/2/2013 8:00:00 PM

Valid to:
6/3/2014 7:59:59 PM

Subject:
CN=TINY INSTALLER, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=TINY INSTALLER, L=Wilmington, S=Delaware, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
54C184C0CB6B6510B3582483FC098463

File PE Metadata
Compilation timestamp:
10/18/2013 9:29:38 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:RsEzQYLxP2AXFRs6Hv8DzMwuA8uOpYJc1RniZy3U6+:meQYLV2YF1k0FLuOpVRns6

Entry address:
0x36395

Entry point:
E8, BE, 8C, 00, 00, E9, 78, FE, FF, FF, 6A, 0C, 68, F0, 5B, 47, 00, E8, C1, 35, 00, 00, 83, 65, E4, 00, 8B, 75, 08, 3B, 35, 38, 0D, 5B, 00, 77, 22, 6A, 04, E8, C1, 8E, 00, 00, 59, 83, 65, FC, 00, 56, E8, 23, 9C, 00, 00, 59, 89, 45, E4, C7, 45, FC, FE, FF, FF, FF, E8, 09, 00, 00, 00, 8B, 45, E4, E8, CD, 35, 00, 00, C3, 6A, 04, E8, A4, 8D, 00, 00, 59, C3, 8B, FF, 55, 8B, EC, 83, 3D, 94, F9, 5A, 00, 00, 75, 18, E8, F9, 81, 00, 00, 6A, 1E, E8, 21, 80, 00, 00, 68, FF, 00, 00, 00, E8, 37, 4D, 00, 00, 59, 59, A1...
 
[+]

Entropy:
7.1404

Code size:
392.5 KB (401,920 bytes)

The file express_installer.exe has been seen being distributed by the following URL.

http://get.zoomdownloader.com/DirDownload?url=http://secure.oinstaller8.com/o/.../Express_Installer.exe

Remove express_installer.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.