» installation.exe
Overview
Analysis
File Details

installation.exe

Start Playing

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application installation.exe by Start Playing has been detected as adware by 18 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. According to AVG, this software downloads additional adware offers during setup.

File name:

installation.exe

Publisher:

Start Playing (signed and verified)

MD5:

b11d9978f48a6a2927df394e4173c19c

SHA-1:

09633ece6e047f2a3e76dfc6f3fa8fe926c62ab9

SHA-256:

b3ee24b203a4c83e8d5aed9467875f79d68759e0870eaf8b4ed0e64bb422be08

Scanner detections:

18 / 68

Status:

Adware

Explanation:

Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:

This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:

4/25/2024 3:36:41 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Dropped:Application.Bundler.Outbrowse.AA

6212523

AhnLab V3 Security

PUP/Win32.OutBrowse

2014.12.22

Avira AntiVirus

APPL/Outbrowse.Gen

7.11.197.26

AVG

Downloader

2015.0.3253

Bitdefender

Dropped:Application.Bundler.Outbrowse.AA

1.0.20.1775

Emsisoft Anti-Malware

Dropped:Application.Bundler.Outbrowse.AA

9.0.0.4668

ESET NOD32

Win32/OutBrowse.BM potentially unwanted application

7.0.302.0

Fortinet FortiGate

Riskware/OutBrowse

12/21/2014

F-Secure

Riskware.Dropped:Application.Bundler.Outbrowse

5.13.68

G Data

Dropped:Application.Bundler.Outbrowse.AA

14.12.24

IKARUS anti.virus

Trojan-Clicker.Win32.Agent

t3scan.1.8.5.0

Malwarebytes

PUP.Optional.OutBrowse

v2014.12.21.09

MicroWorld eScan

Dropped:Application.Bundler.Outbrowse.AA

15.0.0.1065

Norman

Dropped:Application.Bundler.Outbrowse.AA

04.12.2014 14:30:06

Reason Heuristics

PUP.StartPlaying.M

14.12.21.21

Sophos

Generic PUA NO

4.98

Trend Micro House Call

Suspici.6BC7E129

7.2.355

VIPRE Antivirus

Threat.4150696

35418

File size:

572.7 KB (586,416 bytes)

File type:

Executable application (Win32 EXE)

Bundler/Installer:

OutBrowse Revenyou (using Nullsoft Install System)

Language:

Language Neutral

Common path:

C:\users\{user}\downloads\installation.exe

Digital Signature

Signed by:

Start Playing

Authority:

thawte, Inc.

Valid from:

12/10/2014 7:00:00 PM

Valid to:

12/11/2015 6:59:59 PM

Subject:

CN=Start Playing, O=Start Playing, L=Dublin, S=Dublin, C=IE

Issuer:

CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:

21C5B5952499A0186B18B4079B5188B0

File PE Metadata

Compilation timestamp:

12/5/2009 5:50:52 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

12288:P7eYAMlDma0n9VlxuiLGxjHxobyJazBoIJR9rf9C:PCYFBmaI32iQjHxoemoIVrfc

Entry address:

0x30FA

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Entropy:

7.9734

Packer / compiler:

Nullsoft install system v2.x

Code size:

23.5 KB (24,064 bytes)

Remove installation.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.