icreinstall_nsob1ad.tmp

The file icreinstall_nsob1ad.tmp has been detected as adware by 15 anti-malware scanners. The program is a setup application built with the InstallCore installer, but the file is not signed with an Authenticode signature from a trusted source. The InstallCore engine may bundle additional software offers, including toolbars and browser extensions, into the setup routine. The file is also typically executed from the user's temporary directory.
MD5:
1c1f54574c54857d213d25755c420dc5

SHA-1:
881e13d93bea6bbfa3cb6bac9387c048d5e33b0d

SHA-256:
6558fcfd58528af10354022ee6b4a10dc54b13732120f385a098924519a762a6

Scanner detections:
15 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/24/2024 8:21:20 PM UTC

Scan engine              Detection                    Engine version
AhnLab V3 Security       Trojan/Win32.Rogue           2014.10.31
Avira AntiVirus          TR/Rogue.590977              7.11.170.152
avast!                   Dropper-gen [Drp]            141025-0
Baidu Antivirus          Trojan.Win32.Injected        4.0.3.141030
Dr.Web                   Trojan.Packed.25266          9.0.1.05190
ESET NOD32               Win32/Injected.F trojan      7.0.302.0
Fortinet FortiGate       W32/Injected.F!tr            10/30/2014
F-Prot                   W32/A-e3871acb               v6.4.7.1.166
McAfee                   RDN/Generic.bfr!hk           5600.6962
Qihoo 360 Security       Win32/Trojan.Dropper.c9f     1.0.0.1015
Reason Heuristics        PUP.InstallCore.W            14.10.30.10
SUPERAntiSpyware         10268
Trend Micro House Call   Suspicious_GEN.F47V0618      7.2.303
VIPRE Antivirus          Trojan.Win32.Generic         30650
Zillya! Antivirus        Trojan.Injected.Win32.14     2.0.0.1908

File size:
577.1 KB (590,977 bytes)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_nsob1ad.tmp

File PE Metadata
Compilation timestamp:
6/19/1992 5:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:KO1vp5KtSg1Yvcb1KO8qXWTaPIKBpZxwrsK6gZ8TOHs51y:KO1vrWSAYvlqmCBbCAYds

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...

Entropy:
7.8619

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

Remove icreinstall_nsob1ad.tmp - Powered by Reason Core Security