home

icreinstall_filezilla_3.9.0.6_win32-setup_inst.exe

Well Known Media Ltd

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_filezilla_3.9.0.6_win32-setup_inst.exe by Well Known Media has been detected as a potentially unwanted program by 9 anti-malware scanners. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
Well Known Media Ltd  (signed and verified)

MD5:
d8bf89f02d85bbbd0b7c8aad3922a427

SHA-1:
3cac3a27cc23ef8ede2b150cea849b48c6d0eb0a

SHA-256:
485c37b540dbf69ad80d0e5a5bdef0371e7d8e79c8b828fddc8a0454efbd9ebd

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
4/16/2024 4:27:08 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
Adware/InstallCore.770360
7.11.182.172

AVG
Generic
2015.0.3304

Dr.Web
Trojan.InstallCore.2
9.0.1.0305

ESET NOD32
Win32/InstallCore.QS (variant)
8.10653

K7 AntiVirus
Unwanted-Program
13.185.13866

NANO AntiVirus
Riskware.Win32.InstallCore.dhpyhc
0.28.6.62995

Reason Heuristics
PUP.Installer.WellKnownMedia.l
14.11.1.2

Sophos
Install Core Click run software
4.98

VIPRE Antivirus
InstallCore
34422

File size:
752.3 KB (770,360 bytes)

Product version:
1.5

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\Local settings\temp\icreinstall_filezilla_3.9.0.6_win32-setup_inst.exe

Digital Signature
Signed by:
Well Known Media Ltd

Authority:
COMODO CA Limited

Valid from:
8/20/2014 5:30:00 AM

Valid to:
8/21/2015 5:29:59 AM

Subject:
CN=Well Known Media Ltd, O=Well Known Media Ltd, STREET=Kissack Court, STREET=29 Parliament Street, L=Ramsey, S=Isle of Man, PostalCode=IM8 1JA, C=IM

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
73CC925BC7B1EAFC96D9C9F2EAA55030

File PE Metadata
Compilation timestamp:
6/20/1992 3:52:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:+lvpEgGo8+MEmqYWZ9dbUNNCXVoU3NMriA/obS9+56WDM7nd9V:+lvC/d+MEIWzdbRSEXARwYWDM7nd9V

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
[+]

Entropy:
7.8172

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.