home

icreinstall_flashplayer.exe

Max Setup

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_flashplayer.exe by Max Setup has been detected as adware by 18 anti-malware scanners. The program is a setup application that uses the installCore installer. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
Max Setup  (signed and verified)

MD5:
d1eb664a02695c99c50589873e4400cd

SHA-1:
9984fcdc209b6e45b3cb3847370a8dd472cff4b0

SHA-256:
cab11fdbf4ff4d8af6be676ad5d558a3c7b4c91eaf85a11dc83458ae422933b0

Scanner detections:
18 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
5/1/2024 10:23:42 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Trojan.Heur2.GZ.PGZ@bOvG9sai
951

Agnitum Outpost
Backdoor.Hupigon
7.1.1

Avira AntiVirus
ADWARE/InstallCore.Gen7
7.11.157.134

AVG
Potentially harmful program Skodna.Downloader.CW
2014.0.3986

Bitdefender
Gen:Trojan.Heur2.GZ.PGZ@bOvG9sai
1.0.20.895

Comodo Security
Application.Win32.Installcore.MX
18701

Dr.Web
Trojan.Packed.24524
9.0.1.05190

Emsisoft Anti-Malware
Gen:Trojan.Heur2.GZ.PGZ@bOvG9sai
8.14.06.28.03

ESET NOD32
Win32/InstallCore.BY potentially unwanted application
7.0.302.0

F-Secure
Gen:Trojan.Heur2.GZ.PGZ@bOvG9sai
11.2014-28-06_7

G Data
Gen:Trojan.Heur2.GZ.PGZ@bOvG9sai
14.6.24

IKARUS anti.virus
Trojan.Win32.Spy2
t3scan.1.6.1.0

K7 AntiVirus
Unwanted-Program
13.180.12553

MicroWorld eScan
Gen:Trojan.Heur2.GZ.PGZ@bOvG9sai
15.0.0.537

Reason Heuristics
PUP.MaxSetup.X
14.6.28.14

Sophos
Install Core Click run software
4.98

Vba32 AntiVirus
Downware.InstallCore
3.12.26.3

VIPRE Antivirus
Threat.4150696
29708

File size:
663.8 KB (679,760 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_flashplayer.exe

Digital Signature
Signed by:
Max Setup

Authority:
COMODO CA Limited

Valid from:
3/11/2014 4:00:00 AM

Valid to:
3/12/2015 3:59:59 AM

Subject:
CN=Max Setup, O=Max Setup, STREET=Lillienblam 28, L=Tel Aviv, S=Tel Aviv, PostalCode=651307, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
008F6F1294DBB38F9F80A7A06DE489DF45

File PE Metadata
Compilation timestamp:
6/20/1992 2:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:ZnvpebEFCgHco3xqixdQuH7puHK4djfc1d8/ANRuDpwLBHaNqmdrp1p3JRw7IzHb:ZnvkEFCg8ojHlJufid840pbqEN3kOH

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
[+]

Entropy:
7.8577

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)

Remove icreinstall_flashplayer.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.