home

installation.exe

Start Playing (Start Playing (KnockApps Limited))

The application installation.exe by Start Playing (Start Playing (KnockApps Limited)) has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs. The file has been seen being downloaded from get.getpage1000.info.
Publisher:
Start Playing (Start Playing (KnockApps Limited))  (signed and verified)

MD5:
4f3b9a2578efb9e34fdcc38c686f25e0

SHA-1:
34d401d99f880b3b4e9594e93a031adc9f2ac614

SHA-256:
e8c9e26c65932b15b838c0dd42e02cf2370c2bc397817c2fcd69afc853b5ba4b

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
5/11/2024 12:46:08 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.OutBrowse.StartPla.Installer (M)
16.6.3.3

File size:
584.3 KB (598,320 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\installation.exe

Digital Signature
Signed by:
Start Playing (Start Playing (KnockApps Limited))

Authority:
COMODO CA Limited

Valid from:
10/27/2014 1:00:00 AM

Valid to:
10/28/2015 12:59:59 AM

Subject:
CN=Start Playing (Start Playing (KnockApps Limited)), O=Start Playing (Start Playing (KnockApps Limited)), STREET=3rd Floor Ulysses House, STREET=Foley Street, L=Dublin, S=Ireland, PostalCode=1, C=IE

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00D34BF2756FD3AD9451D9D46AD6D3194A

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:kQvAXlw96SDZg4SUiCkAAQytKB2N1NqkptKbyWyO:kLVwYSD64SXXDRc2N79ptKbyW3

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installation.exe has been seen being distributed by the following URL.

http://get.getpage1000.info/.../Get?p=2777&d=25089&l=1694&n=0&d1=1&clickid=u4f9393ee542f2afd1e685ed4bf

Remove installation.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.