home

installation.exe

Vid play

The application installation.exe by Vid play has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from ads.adsrvmedia.net.
Publisher:
Vid play  (signed and verified)

MD5:
cb9c11e4c7d23ed2e4d025b8a3c2161e

SHA-1:
4eebedb0a688edaee6dcd1e793a147fefd1eb867

SHA-256:
f63a35077fca4cf4a5d893bdcd5b65572fc30bf88f5f454466ab4f802af4f4ed

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
12/26/2024 12:38:32 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.OutBrowse
2015.01.23

Avira AntiVirus
APPL/Outbrowse.Gen
7.11.204.50

AVG
Downloader
2016.0.3222

ESET NOD32
Win32/OutBrowse.BS potentially unwanted application
7.0.302.0

IKARUS anti.virus
PUA.OutBrowse
t3scan.1.8.6.0

K7 AntiVirus
Trojan
13.191.14720

Malwarebytes
PUP.Optional.OutBrowse
v2015.01.22.09

McAfee
Adware-OutBrowse.e
5600.6878

Reason Heuristics
PUP.Outborwse
15.2.5.12

Trend Micro House Call
Suspici.83CCD372
7.2.22

VIPRE Antivirus
Threat.4823950
36694

File size:
572.3 KB (586,032 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\installation.exe

Digital Signature
Signed by:
Vid play

Authority:
thawte, Inc.

Valid from:
1/19/2015 2:00:00 AM

Valid to:
12/18/2015 1:59:59 AM

Subject:
CN=Vid play, O=Vid play, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
44A9DC044F6A8344A2D921814654E217

File PE Metadata
Compilation timestamp:
12/6/2009 12:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:RHTLbWTl94ez319BoJnqi48RlEwQOcxH1hEkDI:RHTrwF9BoMtwQOiVDs

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9704

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installation.exe has been seen being distributed by the following URL.

http://ads.adsrvmedia.net/event/click/0/vua1iryPdzZwTT7bAg_1g1-sb_a-lpbrc_s0Hs73ZbgW7VEFmGJW5jhI6CQG269RBcfdMvkJquxaO38ZrGK6NsX_vCqySzme5T4JQM711VGVoECaFV6FDllkdbVQcQkr2jKlNsvTalcZOEbkb4gn1tYt7ctp7qW0IuDbUMFwJs8zL7-ahESFOU6PXcwCeuobUC7nFhww_tvoxduk2N4dID8c4OW-qMg_H64RLBo77x5SRiCu_dxV0XoEemEarVNmaY5lPgOz1OekR64L2PnI6STNb-jAEx1BgQD3TkmSx_B_its2eC5Pq9AGfgklgcm65sHQFcHwv3uUaW-6D43z48Aoc2whBG7cZg04u7fmdup4KqbCxvUxFnYwll_2Mx6wfhXpdBcslbOAnNr_XocUWjYXhAHk8P1yz5siqo3KCL8/.../

Remove installation.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.