home

express_installer.exe

TINY INSTALLER

Tiny Installer is a download manager variant from Adknowledge that packages various adware-type offers (toolbar, coupon extensions, utilities) with software distributions. The application express_installer.exe, “Express Install ” by TINY INSTALLER has been detected as adware by 34 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. This program installs potentially unwanted software on your PC at the same time as the software you are trying to install, without adequate consent.
Publisher:
Express Install   (signed by TINY INSTALLER)

Product:
Express Install

Description:
Express Install

Version:
3, 7, 1, 0

MD5:
0572aeafb2c8fed777f81dadd6e0921c

SHA-1:
ea5a8120ef46bdef0d9179b427ba76dc534d2027

SHA-256:
eb0a1f302bf46165c6ed7f6bd628391a33a1ad86e74ba4c59a2a9e6c8311befa

Scanner detections:
34 / 68

Status:
Adware

Explanation:
The Tiny Installer download manager bundles various adware components.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
4/19/2024 7:52:26 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Bundler.OptimumInstaller.5
354

Agnitum Outpost
Riskware.AdWare
7.1.1

AhnLab V3 Security
Adware/Win32.IBryte
16.02.15

Avira AntiVirus
ADWARE/Adware.Gen7
7.11.140.94

avast!
Win32:IBryte-BY [PUP]
2014.9-160215

AVG
Adware Skodna.Generic
2017.0.2832

Bitdefender
Trojan.GenericKDZ.23802
1.0.20.230

Bkav FE
W32.HfsAdware
1.3.0.6379

Comodo Security
Application.Win32.Adware.iBryte.BAA
18025

Dr.Web
Adware.Downware.1563, Adware.Downware.1554
9.0.1.046

Emsisoft Anti-Malware
Gen:Variant.Application.Bundler.OptimumInstaller
8.16.02.15.01

ESET NOD32
Win32/AdWare.iBryte.I application
10.7.0.302.0

Fortinet FortiGate
Riskware/PremiumInstaller
2/15/2016

F-Prot
W32/S-352b3331
v6.4.7.1.166

F-Secure
Riskware.Gen:Variant.Application.Bundler
11.2016-15-02_2

G Data
Win32.Adware.Ibryte
16.2.24

IKARUS anti.virus
Trojan.Win32.Buzus
t3scan.2.2.29

K7 AntiVirus
Adware
13.176.11613

Kaspersky
not-a-virus:AdWare.Win32.iBryte
14.0.0.657

Malwarebytes
PUP.Optional.OptimumInstaller.A
v2016.02.15.01

MicroWorld eScan
Trojan.GenericKDZ.23802
17.0.0.138

NANO AntiVirus
Trojan.Win32.Buzus.ckibss
0.28.0.58720

Norman
Gen:Variant.Application.Bundler.OptimumInstaller.5
11.20160215

nProtect
Trojan-Clicker/W32.iBryte.1813288
14.03.31.01

Panda Antivirus
Trj/Genetic.gen
16.02.15.01

Qihoo 360 Security
Malware.QVM10.Gen
1.0.0.1015

Quick Heal
Adware.iBryte.EK4
2.16.14.00

Reason Heuristics
PUP.Adknowledge.TINYINSTALLER.Installer (M)
16.2.15.13

Rising Antivirus
PE:Trojan.Injector!1.9C6C
23.00.65.16213

Sophos
iBryte Optimum Installer
4.98

SUPERAntiSpyware
PUP.IBryte/Variant
9322

Vba32 AntiVirus
SScope.Malware-Cryptor.iBryte
3.12.24.3

VIPRE Antivirus
Trojan.Win32.Generic
27896

Zillya! Antivirus
Trojan.Inject.Win32.63693
2.0.0.1776

File size:
1.7 MB (1,813,288 bytes)

Product version:
3, 7, 1, 0

Copyright:
Copyright (C) 2013 Express Install

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Language:
English (United States)

Common path:
C:\users\{user}\downloads\express_installer.exe

Digital Signature
Signed by:
TINY INSTALLER

Authority:
VeriSign, Inc.

Valid from:
6/3/2013 1:00:00 AM

Valid to:
6/4/2014 12:59:59 AM

Subject:
CN=TINY INSTALLER, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=TINY INSTALLER, L=Wilmington, S=Delaware, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
54C184C0CB6B6510B3582483FC098463

File PE Metadata
Compilation timestamp:
10/25/2013 7:45:41 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:V4jMfEG/6ZskSiunvHXQjcKXRcD7aSNyCLeHiCz:2MfEG/6ZYvgQCcDWSkCy

Entry address:
0x35995

Entry point:
E8, 5E, 8C, 00, 00, E9, 78, FE, FF, FF, 6A, 0C, 68, 78, 4C, 47, 00, E8, C1, 35, 00, 00, 83, 65, E4, 00, 8B, 75, 08, 3B, 35, F8, 3B, 5B, 00, 77, 22, 6A, 04, E8, 61, 8E, 00, 00, 59, 83, 65, FC, 00, 56, E8, C3, 9B, 00, 00, 59, 89, 45, E4, C7, 45, FC, FE, FF, FF, FF, E8, 09, 00, 00, 00, 8B, 45, E4, E8, CD, 35, 00, 00, C3, 6A, 04, E8, 44, 8D, 00, 00, 59, C3, 8B, FF, 55, 8B, EC, 83, 3D, 54, 28, 5B, 00, 00, 75, 18, E8, 99, 81, 00, 00, 6A, 1E, E8, C1, 7F, 00, 00, 68, FF, 00, 00, 00, E8, D7, 4C, 00, 00, 59, 59, A1...
 
[+]

Entropy:
7.1469

Code size:
390 KB (399,360 bytes)

The file express_installer.exe has been seen being distributed by the following URL.

http://secure.oinstaller8.com/o/.../Express_Installer.exe

Remove express_installer.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.