icreinstall_installer.exe

Downloadcentral ApS

The installer uses InstallCore, which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_installer.exe by Downloadcentral ApS has been detected as adware by 17 anti-malware scanners. It is a setup program built on the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. It is typically executed from the user's temporary directory. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
Downloadcentral ApS  (signed and verified)

MD5:
ab6422d59c3a1d27f8d64b5695854e15

SHA-1:
59215eb68327f57159ff168ba526b6c4b4a3e582

SHA-256:
a0f07c5e7f0d4c664a53c99ed07d3bba6d993aa96d41c3f83985ce30df24cc78

Scanner detections:
17 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/26/2024 7:54:54 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Adware.Generic.547265 | 1085 |
| Agnitum Outpost | Adware.Generic | 7.1.1 |
| Avira AntiVirus | | 7.11.131.194 |
| Bitdefender | Adware.Generic.547265 | 1.0.20.230 |
| Bkav FE | W32.HfsAutoA | 1.3.0.4924 |
| Dr.Web | Adware.InstallCore.68 | 9.0.1.046 |
| Emsisoft Anti-Malware | Adware.Generic.547265 | 8.14.02.15.01 |
| ESET NOD32 | Win32/InstallCore.AF (variant) | 8.9427 |
| F-Prot | W32/InstallCore.V2.gen | v6.4.7.1.166 |
| F-Secure | Adware.Generic.547265 | 11.2014-15-02_7 |
| G Data | Adware.Generic.547265 | 14.2.24 |
| K7 AntiVirus | Unwanted-Program | 13.175.11177 |
| MicroWorld eScan | Adware.Generic.547265 | 15.0.0.138 |
| Reason Heuristics | PUP.Downloadcentral.V | 14.8.7.21 |
| Rising Antivirus | PE:Malware.XPACK-LNR/Heur!1.5594 | 23.00.65.14213 |
| Vba32 AntiVirus | BScope.Malware-Cryptor.InstallCore.2691 | 3.12.24.3 |
| VIPRE Antivirus | InstallCore.b | 26480 |

File size:
1 MB (1,091,200 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_installer.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
7/10/2012 2:00:00 AM

Valid to:
7/11/2013 1:59:59 AM

Subject:
CN=Downloadcentral ApS, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Downloadcentral ApS, L=Odense, S=Odense, C=DK

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3E0CD42145109655AB37716301DF2ABC

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:bQTBxBU8UlaISi5lmSFOAuwQxcPpwp5/jORCfKtUkZ:UT72/aISi5ls8K5/jdSU

Entry address:
0xCAAD0

Entry point:
55, 8B, EC, 83, C4, F0, B8, 14, 5C, 40, 00, E8, 04, F1, FF, FF, D9, FD, FF, FF, 33, C0, 89, 03, 5F, 5E, 5B, C3, 90, 53, 56, 57, 55, 8B, D9, 8B, F2, 8B, E8, C7, 43, 04, 00, 00, 10, 00, 6A, 04, 68, 00, 20, 00, 00, 68, 00, 00, 10, 00, 55, E8, A5, FD, FF, FF, 8B, F8, 89, 3B, 85, FF, 75, 1F, 81, C6, FF, FF, 00, 00, 81, E6, 00, 00, FF, FF, 89, 73, 04, 6A, 04, 68, 00, 20, 00, 00, 56, 55, E8, 80, FD, FF, FF, 89, 03, 83, 3B, 00, 74, 23, 8B, D3, B8, E4, D5, 47, 00, E8, F5, FD, FF, FF, 84, C0, 75, 13, 68, 00, 80, 00...
 
Code size:
826 KB (845,824 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)
