icreinstall_minecraftsetup.exe

The installer uses the InstallCore engine, which may bundle about 3-4 offers for ad-supported toolbars, browser extensions and utilities. The application icreinstall_minecraftsetup.exe has been detected as adware by 25 anti-malware scanners. The file is not signed with an Authenticode signature from a trusted source. Users running this installer expect to download Minecraft, but before that happens they may be presented with additional offers, mostly potentially unwanted software or adware.
MD5:
1e02e93f89ec292b4128bf1d3ee39ef5

SHA-1:
450d156b1d6f87872f1b26003dd5a7b1f8461361

SHA-256:
a09d8ffbc032c3e6d813fbdaf6619ec7f4bfe9f80001c6ac9fec1af856dbfea5

Scanner detections:
25 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware or downloadware: a downloader designed to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/26/2024 3:25:10 AM UTC

Scan engine            Engine version   Detection
Lavasoft Ad-Aware      675              Gen:Variant.Strictor.48325
Agnitum Outpost        7.1.1            PUA.InstallCore
Avira AntiVirus        7.11.158.2       TR/Agent.646600.7
avast!                 2014.9-150401    Win32:Malware-gen
AVG                    2016.0.3153      MalSign.InstallC
Baidu Antivirus        4.0.3.1541       Adware.Win32.InstallCore
Bitdefender            1.0.20.455       Gen:Variant.Strictor.48325
Dr.Web                 9.0.1.091        Adware.InstallCore.133
Emsisoft Anti-Malware  8.15.04.01.08    Gen:Variant.Strictor.48325
ESET NOD32             9.7.0.302.0      Win32/InstallCore.FB potentially unwanted application
F-Prot                 v6.4.6.5.141     W32/InstallCore.R.gen
F-Secure               11.2015-01-04_4  Gen:Variant.Strictor.48325
G Data                 15.4.24          Gen:Variant.Strictor.48325
herdProtect (fuzzy)    2015.7.6.5
IKARUS anti.virus      t3scan.2.2.29    Win32.SuspectCrc
K7 AntiVirus           13.185.13965     Unwanted-Program
McAfee                 5600.6809        Artemis!2FF1D6ED1240
MicroWorld eScan       16.0.0.273       Gen:Variant.Strictor.48325
NANO AntiVirus         0.28.6.62995     Riskware.Win32.InstallCore.dimzgw
Qihoo 360 Security     1.0.0.1015       Win32/Trojan.1fa
Reason Heuristics      15.4.1.8         PUP.InstallCore.Installer
Rising Antivirus       23.00.65.15330   PE:Malware.XPACK-LNR/Heur!1.5594
SUPERAntiSpyware       9962
Vba32 AntiVirus        3.12.26.0

File size:
631.4 KB (646,600 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_minecraftsetup.exe

File PE Metadata
Compilation timestamp:
6/19/1992 7:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:SbkOyMJfsGRBB4UJaDSbM67tqN0OaNnid0LGGWXPsQl8aKLEI221sUx1aY:SAOyMJfsNUaD+M60N9dMGGWX3KLll+UJ

Entry address:
0x98CC

Entry point:
55, 8B, EC, 83, C4, CC, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, FA, 97, FF, FF, E8, 01, AA, FF, FF, E8, 2C, CC, FF, FF, E8, 73, CC, FF, FF, E8, 0A, F3, FF, FF, E8, 71, F4, FF, FF, 33, C0, 55, 68, 76, 9F, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 2C, 9F, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, B0, 40, 00, E8, 9B, FE, FF, FF, E8, 26, FA, FF, FF, 8D, 55, F0, 33, C0, E8, E0, D0, FF, FF, 8B, 55, F0, B8, D8, BD, 40, 00, E8, AB, 98, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, D8, BD, 40, 00, B2, 01, B8...

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
36 KB (36,864 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)

Remove icreinstall_minecraftsetup.exe - Powered by Reason Core Security