home

installation.exe

Start Playing (Start Playing (KnockApps Limited))

The application installation.exe by Start Playing (Start Playing (KnockApps Limited)) has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs. The file has been seen being downloaded from rhtag.com.
Publisher:
Start Playing (Start Playing (KnockApps Limited))  (signed and verified)

MD5:
4713ee8cbeddff49506afb1110a1329e

SHA-1:
4aef55cef2b8eecacb47c6b18760b4221649d8e9

SHA-256:
7bcd0cd4484c7052ec6a42e8c474f5e9855887bc3bb20aa9fa4757963a2af054

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
5/9/2024 4:47:55 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.OutBrowse (M)
16.7.28.7

File size:
573 KB (586,768 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\installation.exe

Digital Signature
Signed by:
Start Playing (Start Playing (KnockApps Limited))

Authority:
COMODO CA Limited

Valid from:
10/26/2014 8:00:00 PM

Valid to:
10/27/2015 7:59:59 PM

Subject:
CN=Start Playing (Start Playing (KnockApps Limited)), O=Start Playing (Start Playing (KnockApps Limited)), STREET=3rd Floor Ulysses House, STREET=Foley Street, L=Dublin, S=Ireland, PostalCode=1, C=IE

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00D34BF2756FD3AD9451D9D46AD6D3194A

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:1WvAXlw96SDZg4SUiCkAAQytKB2N1NqkptzDbya/:1VVwYSD64SXXDRc2N79ptby6

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9771

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installation.exe has been seen being distributed by the following URL.

http://rhtag.com/adServe/adClick?ai=08zHTxdapFUc2xR9z/dRWxXNi06ZK VVGV7WYuAsyG5WHKgojFsIkZVdfgPeFZhAFrzd3sGI8YYJ WLjM7TIk6mYMQZqrp7a3LED2BEhrA4SIQwRblWL/UBdFM7IgOTPbks/8Q5M2HpwkOa4tirwCQFR7 KJ47RWeVguKiSIlyw94GEjL2j9W41nZV0oFuy465qqVsVJGr4LLdg3PfPPMKw0WM PHv1DSUcVal Y90JexBV067xKRpswzyX5bgVaYQMAGlbj7H9KidZMB9oXbbuU16NEWb9w7dNT6 zdwmJu6tzYHcU QNOYx4B6qxR6k5xY&ui=mznmkKyvwj1J wRSbN kwPbWwvziNp/1yuFXe 8mR4PZ dG/.../4lj64It &src=BANNER

Remove installation.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.