icreinstall_flvplayer_v3.exe

Click run software

The application icreinstall_flvplayer_v3.exe by Click run software has been detected as adware by 18 anti-malware scanners. It is a setup program built on the InstallCore installer engine, which may bundle about 3-4 additional offers such as ad-supported toolbars, browser extensions and utilities. It is typically executed from the user's temporary directory, and the file has been seen downloaded from www.toplugin.com and multiple other hosts.
Publisher:
Click run software (signed and verified)

MD5:
72d76c936a51702ed9f5fb090118f9fd

SHA-1:
c8cf2dbe7a844015e2568ee769f63860b6e5b867

SHA-256:
a63fa2d747de0fc75407d51134b90c19373327a7c325bd1bbbd8a2e7d615fdb2

Scanner detections:
18 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping-comparison tools and browser extensions.

Analysis date:
4/20/2024 12:30:37 PM UTC

Scan engine | Detection | Engine version
Avira AntiVirus | APPL/Downloader.Gen6 | 7.11.121.122
avast! | Win32:InstallCore-AR [PUP] | 2014.9-131224
Bkav FE | HW32.Laneul | 1.3.0.4613
Clam AntiVirus | W32.Adware.InstallCore-1 | 0.98/18355
Comodo Security | Application.Win32.WebToolbar.InstallCore.~A | 17489
Dr.Web | Adware.InstallCore.43 | 9.0.1.0358
ESET NOD32 | Win32/InstallCore (variant) | 7.9190
F-Prot | W32/Backdoor2.HMGG | v6.4.7.1.166
K7 AntiVirus | Unwanted-Program | 13.174.10609
Malwarebytes | PUP.Adware.Installcore | v2013.12.24.09
McAfee | Artemis!39C4E0446E04 | 5600.7263
NANO AntiVirus | Trojan.Win32.InstallCore.cqjpin | 0.28.0.57029
Reason Heuristics | PUP.Clickrunsoftware.Y | 14.8.7.20
Rising Antivirus | PE:Malware.XPACK-LNR/Heur!1.5594 | 23.00.65.131222
Trend Micro House Call | TROJ_GEN.R0CBH0AJG13 | 7.2.358
Trend Micro | TROJ_SPNR.0BGS13 | 10.465.24
VIPRE Antivirus | Click run software | 24684

File size:
1.1 MB (1,114,896 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallCore

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_flvplayer_v3.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/18/2012 5:00:00 PM

Valid to:
4/19/2013 4:59:59 PM

Subject:
CN=Click run software, O=Click run software, STREET=63 Rotshylid Shderot, L=Tel-Aviv, S=NA, PostalCode=65785, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A243E49C0DAF69F7C5ACF083EB184161

File PE Metadata
Compilation timestamp:
6/19/1992 3:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:RUp9ToJ9BTh+rrDP4KkhnjCkCDFRTSEXoTj7g1o:WpKT+HDgKkhjXWfT5XQ7

Entry address:
0xC1772

Entropy:
7.0378

Developed / compiled with:
Microsoft Visual C++

Code size:
787 KB (805,888 bytes)

The file icreinstall_flvplayer_v3.exe has been seen distributed from the following 5 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-232-222-104.sa-east-1.compute.amazonaws.com  (54.232.222.104:80)

TCP (HTTP):
Connects to ec2-54-207-11-184.sa-east-1.compute.amazonaws.com  (54.207.11.184:80)
