» icreinstall_clickmein-cmiwbst2.exe
Overview
Analysis
File Details
Network (2)

icreinstall_clickmein-cmiwbst2.exe

ClickMeIn Limited

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_clickmein-cmiwbst2.exe, “Powered by InstallCore” by ClickMeIn Limited has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.

File name:

Publisher:

ClickMeIn (signed by ClickMeIn Limited)

Product:

ClickMeIn

Description:

Version:

2.0.1.73

MD5:

63d1fc258d2d8c799f1f974ae8309f35

SHA-1:

8b60523c09a577852d308faf96d9964089394642

SHA-256:

dcd687971773343e06456652a0fd12d1ee27ea15d40f002d3460665235ceea83

Scanner detections:

1 / 68

Status:

Adware

Explanation:

Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:

This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:

4/18/2024 8:10:45 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.installCore (M)

17.2.1.12

File size:

755.1 KB (773,256 bytes)

Product version:

2.0.1.73

File type:

Executable application (Win32 EXE)

Bundler/Installer:

installCore

Language:

Language Neutral

Common path:

C:\users\{user}\appdata\local\temp\icreinstall_clickmein-cmiwbst2.exe

Digital Signature

Signed by:

ClickMeIn Limited

Authority:

VeriSign, Inc.

Valid from:

3/2/2011 9:00:00 PM

Valid to:

3/2/2012 8:59:59 PM

Subject:

CN=ClickMeIn Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=ClickMeIn Limited, L=Nicosia, S=Cyprus, C=CY

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

14E458E6106122ED8D122BDA9265B6A2

File PE Metadata

Compilation timestamp:

6/19/1992 7:22:17 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

Entry address:

0x151F00

Entry point:

60, BE, 00, 30, 4C, 00, 8D, BE, 00, E0, F3, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89... 
[+]

Packer / compiler:

UPX 2.90LZMA

Code size:

576 KB (589,824 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to os.solvefile.com (207.189.109.121:80)

TCP (HTTP):

Connects to cdnus.solvefile.com (207.189.109.121:80)

Remove icreinstall_clickmein-cmiwbst2.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.