home

installation.exe

Start Playing (Start Playing (KnockApps Limited))

The application installation.exe by Start Playing (Start Playing (KnockApps Limited)) has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from get.down1004life.info and multiple other hosts.
Publisher:
Start Playing (Start Playing (KnockApps Limited))  (signed and verified)

MD5:
2aab3779c09f443b251fb242f07c8594

SHA-1:
61874e079fcd237c34a928fee6e08eea883585d5

SHA-256:
db8d7fd331a70156347001cfabce78cf204cc44e21a890d837f9f2ccb1b25c3b

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
11/24/2024 12:16:05 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
APPL/Outbrowse.Gen
7.11.199.126

AVG
Downloader
2016.0.3239

ESET NOD32
Win32/OutBrowse.BQ potentially unwanted application
7.0.302.0

Kaspersky
not-a-virus:Downloader.NSIS.OutBrowse
15.0.0.543

Malwarebytes
PUP.Optional.OutBrowse
v2015.01.05.03

VIPRE Antivirus
Threat.4657539
36340

File size:
584.3 KB (598,352 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\installation.exe

Digital Signature
Signed by:
Start Playing (Start Playing (KnockApps Limited))

Authority:
COMODO CA Limited

Valid from:
10/26/2014 8:00:00 PM

Valid to:
10/27/2015 7:59:59 PM

Subject:
CN=Start Playing (Start Playing (KnockApps Limited)), O=Start Playing (Start Playing (KnockApps Limited)), STREET=3rd Floor Ulysses House, STREET=Foley Street, L=Dublin, S=Ireland, PostalCode=1, C=IE

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00D34BF2756FD3AD9451D9D46AD6D3194A

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:rGvAXlw96SDZg4SUiCkAAQytKB2N1NqkptKbyWyq:rFVwYSD64SXXDRc2N79ptKbyW7

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9746

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installation.exe has been seen being distributed by the following 2 URLs.

http://get.down1004life.info/.../get38?p=13013&d=24749&l=24044&n=0&d1=1&s=rh-ujp1-usron10&clickid=f557fc76-1816-4fa6-9953-f18bea0c2b59

http://file.yourddl1000.info/.../Get?p=13013&d=24749&l=24044&n=0&d1=1&s=rh-ujp1-usron10&clickid=5ac3e2df-a69f-43fb-a0b0-5bf05abb3bff

Remove installation.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.