windows7 loader activator.exe

Trusted apps DDD

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application windows7 loader activator.exe by Trusted apps DDD has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer. The file has been seen being downloaded from get.file28desktop.com.
Publisher:
Trusted apps DDD  (signed and verified)

MD5:
8badf0d0ef5e3452624cf646bf256a73

SHA-1:
9cb6b578e72312db7689dfb4cf6c5d0fe2e6c926

SHA-256:
fd2f8649199e08e67e3eb4aef4cc6e342fe13b3faf55397ac47d7b856ed570db

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/24/2024 3:47:03 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Outbrowse.Trusteda.Bundler (M)
16.7.2.17

File size:
92.2 KB (94,368 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\windows7 loader activator.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
2/12/2015 1:00:00 AM

Valid to:
1/28/2016 12:59:59 AM

Subject:
CN=Trusted apps DDD, O=Trusted apps DDD, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
28CE42E88072C01F3F984FE3A4C64783

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:cpgpHzb9dZVX9fHMvG0D3XJ8s7NeYRNgKJ+BCydo/bdkqIzjbanyUXZf2mGq6ZHG:qgXdZt9P6D3XJfeqgKJ+BC5Dd5K2Om9t

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file windows7 loader activator.exe has been seen being distributed by the following URL.

Remove windows7 loader activator.exe - Powered by Reason Core Security