installation.exe

Yes Apps

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application installation.exe by Yes Apps has been detected as adware by 15 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. According to AVG, this software downloads additional adware offers during setup.
Publisher:
Yes Apps  (signed and verified)

MD5:
9253b2235285fdd5bedd85f6279783b6

SHA-1:
7a37ed6a3bb77588536101ab79cf3e34839808e2

SHA-256:
323128b60c9ba0ec8f2c293b542bc7ab21e6e70ce07f1d1885c5207d68b779ac

Scanner detections:
15 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
1/11/2025 9:39:26 PM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | PUA.OutBrowse | 7.1.1
AhnLab V3 Security | PUP/Win32.OutBrowse | 2014.12.31
Avira AntiVirus | APPL/Outbrowse.Gen | 7.11.198.192
avast! | Malware-gen | 141214-1
AVG | Potentially harmful program Downloader.CVJ | 2014.0.4253
Dr.Web | infected with Trojan.OutBrowse.55 | 9.0.1.05190
ESET NOD32 | Win32/OutBrowse.BN potentially unwanted application | 7.0.302.0
Fortinet FortiGate | Riskware/OutBrowse | 12/30/2014
K7 AntiVirus | Unwanted-Program | 13.188.14496
Malwarebytes | PUP.Optional.OutBrowse | v2014.12.30.04
McAfee | Artemis!2690B36FA914 | 5600.6900
NANO AntiVirus | Trojan.Win32.OutBrowse.dlghni | 0.30.0.64448
Reason Heuristics | PUP.YesApps.M | 14.12.30.16
Trend Micro House Call | Suspici.D7386B62 | 7.2.364
VIPRE Antivirus | Threat.4150696 | 35418

File size:
583.3 KB (597,280 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\installation.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
12/16/2014 7:00:00 PM

Valid to:
12/17/2015 6:59:59 PM

Subject:
CN=Yes Apps, O=Yes Apps, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
09183CB6D2B76F4BEF1BA013E2A2DBE1

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:QksMg7HpTI6YxAmWDpBhKbVbSKzv+R+6da+YjcUyzRRJ1pJl866Fr:Q9pJTPYx/axUVbnzw+6dz4LG7l8z

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)
