home

installation.exe

Start Playing (Start Playing (KnockApps Limited))

The application installation.exe by Start Playing (Start Playing (KnockApps Limited)) has been detected as a potentially unwanted program by 26 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from get.down1004life.info.
Publisher:
Start Playing (Start Playing (KnockApps Limited))  (signed and verified)

MD5:
968d7ef76426c9830b19b49fd150e358

SHA-1:
93078a8cdbedc1b8de2f83ed0b7fe0eb29ef553f

SHA-256:
bcf5b716af57173742b2db2e2251631f9aa0ce1049ccdb9bb89c1448aac4f9e8

Scanner detections:
26 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
11/27/2024 5:03:31 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
MemScan:Application.Bundler.Outbrowse.AN
5664641

Agnitum Outpost
PUA.OutBrowse
7.1.1

Avira AntiVirus
APPL/Outbrowse.Gen
7.11.199.138

avast!
PUP-gen [PUP]
150319-1

AVG
Downloader
2016.0.3109

Bitdefender
MemScan:Application.Bundler.Outbrowse.AN
1.0.20.670

Bkav FE
W32.HfsAdware
1.3.0.6379

Comodo Security
Application.Win32.OutBrowse.MQPC
22115

Dr.Web
Trojan.OutBrowse.166
9.0.1.05190

Emsisoft Anti-Malware
MemScan:Application.Bundler.Outbrowse.AN
10.0.0.5366

ESET NOD32
Win32/OutBrowse.BQ potentially unwanted application
9.7.0.302.0

Fortinet FortiGate
Riskware/OutBrowse
5/14/2015

F-Secure
Riskware.MemScan:Application.Bundler.Outbrowse
5.13.68

G Data
MemScan:Application.Bundler.Outbrowse.AN
15.5.25

herdProtect (fuzzy)
variant of unconfirmed 879717.crdownload
2015.8.11.13

K7 AntiVirus
Unwanted-Program
13.203.15912

Kaspersky
not-a-virus:Downloader.NSIS.OutBrowse
14.0.0.1597

Malwarebytes
PUP.Optional.OutBrowse
v2015.05.14.04

McAfee
Adware-OutBrowse.e
5600.6765

MicroWorld eScan
MemScan:Application.Bundler.Outbrowse.AN
16.0.0.402

NANO AntiVirus
Trojan.Win32.OutBrowse.dlwssj
0.30.24.1357

Quick Heal
Adware.NSIS.OutBrowse.A
5.15.14.00

Rising Antivirus
PE:Trojan.Win32.Generic.1832405C!405946460
23.00.65.15512

Sophos
Generic PUA CL
4.98

Vba32 AntiVirus
Downloader.OutBrowse
3.12.26.4

VIPRE Antivirus
Threat.4657539
36340

File size:
584.3 KB (598,320 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\installation.exe

Digital Signature
Signed by:
Start Playing (Start Playing (KnockApps Limited))

Authority:
COMODO CA Limited

Valid from:
10/26/2014 8:00:00 PM

Valid to:
10/27/2015 7:59:59 PM

Subject:
CN=Start Playing (Start Playing (KnockApps Limited)), O=Start Playing (Start Playing (KnockApps Limited)), STREET=3rd Floor Ulysses House, STREET=Foley Street, L=Dublin, S=Ireland, PostalCode=1, C=IE

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00D34BF2756FD3AD9451D9D46AD6D3194A

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:F0vAXlw96SDZg4SUiCkAAQytKB2N1NqkptKbyWyf:F/VwYSD64SXXDRc2N79ptKbyWc

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9746

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installation.exe has been seen being distributed by the following URL.

http://get.down1004life.info/.../get38?p=233&d=24601&l=1694&n=0&d1=NUMBER,009085296&clickid=009085296018099317386

Remove installation.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.