» setup.exezyihocw2.0sv.pendingoverwrite
Overview
Analysis
File Details

setup.exezyihocw2.0sv.pendingoverwrite

ViD PLaY

The file setup.exezyihocw2.0sv.pendingoverwrite by ViD PLaY has been detected as adware by 15 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs. It is also typically executed from the user's temporary directory.

File name:

Publisher:

ViD PLaY (signed and verified)

MD5:

ae32c439bc92d4d5639918e6eda64f00

SHA-1:

8c79884e4d2137cad4069eaa34ef5b9b27c952af

SHA-256:

243a8298b22bc125d7bb412a255a42bb387ee64dbc060541e20d2324ff60b885

Scanner detections:

15 / 68

Status:

Adware

Explanation:

Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:

1/12/2025 4:34:19 AM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

PUA.OutBrowse

7.1.1

AhnLab V3 Security

PUP/Win32.OutBrowse

2015.03.22

Avira AntiVirus

PUA/Outbrowse.Gen

7.11.218.230

Dr.Web

Trojan.OutBrowse.139

9.0.1.05190

ESET NOD32

Win32/OutBrowse.BU potentially unwanted application

7.0.302.0

F-Prot

W32/OutBrowse.J (exact, not disinfectable)

4.6.5.141

G Data

NSIS.Application.OutBrowse.AC

15.3.25

herdProtect (fuzzy)

variant of setup.exe (Adware)

2015.6.26.23

Kaspersky

not-a-virus:AdWare.Win32.OutBrowse

15.0.0.543

Malwarebytes

PUP.Optional.OutBrowse

v2015.03.21.06

McAfee

Adware-OutBrowse.e

5600.6820

NANO AntiVirus

Trojan.Win32.Generic.dorbni

0.30.8.659

Reason Heuristics

PUP.Installer.Outborwse

15.3.21.6

Trend Micro House Call

Suspici.AC0890C6

7.2.80

Vba32 AntiVirus

Adware.Outbrowse

3.12.26.3

File size:

617.2 KB (631,968 bytes)

Installer:

NSIS (Nullsoft Scriptable Install System)

Language:

Language Neutral

Common path:

C:\users\{user}\appdata\local\temp\setup.exezyihocw2.0sv.pendingoverwrite

Digital Signature

Signed by:

ViD PLaY

Authority:

thawte, Inc.

Valid from:

3/10/2015 12:00:00 AM

Valid to:

12/17/2015 11:59:59 PM

Subject:

CN=ViD PLaY, O=ViD PLaY, L=Dublin, S=Dublin, C=IE

Issuer:

CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:

6559B30CB367EA0752AFDD3F7ACAAD29

File PE Metadata

Compilation timestamp:

12/5/2009 10:50:52 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

12288:SW6TohvQGQFPHaejh7nbnuGnwUivj+p8YMm10QcN:SW6TohdUvaeRniGnwjj+jeQ

Entry address:

0x30FA

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Entropy:

7.9477

Packer / compiler:

Nullsoft install system v2.x

Code size:

23.5 KB (24,064 bytes)

Remove setup.exezyihocw2.0sv.pendingoverwrite - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.