installation.exe

Start Playing (Start Playing (KnockApps Limited))

The application installation.exe by Start Playing (Start Playing (KnockApps Limited)) has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs. The file has been seen being downloaded from clksite.com.
Publisher:

MD5:
e87e90335a0451177d9927dd8ea7de9c

SHA-1:
ffb315f0b2d29410d849002967dff64d6f152b0e

SHA-256:
3c145e146720c1db80bbd33810da4024681ffc662711db77282a8eb48a267ae6

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
12/25/2024 4:32:12 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.OutBrowse.StartPla.Installer (M)
16.6.23.3

File size:
573 KB (586,768 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\installation.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
10/27/2014 2:00:00 AM

Valid to:
10/28/2015 1:59:59 AM

Subject:
CN=Start Playing (Start Playing (KnockApps Limited)), O=Start Playing (Start Playing (KnockApps Limited)), STREET=3rd Floor Ulysses House, STREET=Foley Street, L=Dublin, S=Ireland, PostalCode=1, C=IE

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00D34BF2756FD3AD9451D9D46AD6D3194A

File PE Metadata
Compilation timestamp:
12/6/2009 12:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:5pvAXlw96SDZg4SUiCkAAQytKB2N1NqkptzDbya7:5eVwYSD64SXXDRc2N79ptby4

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9772

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installation.exe has been seen being distributed by the following URL.

Remove installation.exe - Powered by Reason Core Security