home

installation.exe

VId Play

The application installation.exe by VId Play has been detected as adware by 13 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from get.file28desktop.com.
Publisher:
VId Play  (signed and verified)

MD5:
61e3a79c601ea2d03ecb3dad7fce5a1e

SHA-1:
82a5f137dec7d22570ace811c52be8ec1414d44e

SHA-256:
a54f51ddd7344d55a1ce3f5c0342718bcb228578aba549b26ca45926749abe7d

Scanner detections:
13 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
5/15/2024 9:27:39 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.OutBrowse
2015.02.04

Avira AntiVirus
APPL/Outbrowse.Gen
7.11.206.224

AVG
Potentially harmful program Downloader.DHU
2014.0.4257

ESET NOD32
Win32/OutBrowse.BS potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/OutBrowse
2/4/2015

G Data
Win32.Application.Agent.K632XZ
15.2.25

K7 AntiVirus
DoS-Trojan
13.193.14857

Kaspersky
not-a-virus:Downloader.NSIS.OutBrowse
15.0.0.543

Malwarebytes
PUP.Optional.OutBrowse
v2015.02.04.06

McAfee
Adware-OutBrowse.e
5600.6865

Reason Heuristics
PUP.Outborwse
15.2.5.12

Trend Micro House Call
Suspici.6AAF7647
7.2.35

VIPRE Antivirus
Threat.4823950
37240

File size:
572.7 KB (586,416 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\installation.exe

Digital Signature
Signed by:
VId Play

Authority:
thawte, Inc.

Valid from:
1/26/2015 2:00:00 AM

Valid to:
12/18/2015 1:59:59 AM

Subject:
CN=VId Play, O=VId Play, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
494D796484B3D5B6685317AEFF4391C2

File PE Metadata
Compilation timestamp:
12/6/2009 12:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:LtNiprDDIUbv5KhOf7Hh/92x+g0FsuMb2Ub1uM2KJNLFvDov:Lt4JDmwzh/9T4tb221Dv8

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9744

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installation.exe has been seen being distributed by the following URL.

http://get.file28desktop.com/.../get?p=7392&d=10083&l=9525&n=1&dt=1413727118

Remove installation.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.