icreinstall_nsw8c88.tmp

The file icreinstall_nsw8c88.tmp has been detected as adware by 16 anti-malware scanners. The program is a setup application that uses the installCore installer; however, the file is not signed with an Authenticode signature from a trusted source. The InstallCore engine may bundle additional software offers, including toolbars and browser extensions. The file is typically executed from the user's temporary directory.
MD5:
8863e577eacf8baa6f4808c1ff377b57

SHA-1:
df0631716a42c1426f5c09eb4b225f2923e24a1e

SHA-256:
0eb27e8c637080012edf287158577778bb5e028b3a923991d3fa8570cdcc94b5

Scanner detections:
16 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/18/2024 9:36:36 AM UTC

Scan engine          Detection                                              Engine version
-----------          ---------                                              --------------
Agnitum Outpost      PUA.InstallCore                                        7.1.1
Avira AntiVirus                                                             7.11.196.150
Baidu Antivirus      Adware.Win32.InstallCore                               4.0.3.1541
Comodo Security      ApplicUnwnt                                            21608
Dr.Web               Trojan.MulDrop5.10078                                  9.0.1.091
ESET NOD32           Win32/InstallCore.PK potentially unwanted application  9.7.0.302.0
Fortinet FortiGate   Riskware/InstallCore                                   4/1/2015
F-Prot               W32/A-e3871acb                                         v6.4.7.1.166
G Data               Win32.Application.AnyProtect                           15.4.24
herdProtect (fuzzy)                                                         2015.7.6.3
NANO AntiVirus       Riskware.Win32.InstallCore.dlaygu                      0.30.0.65070
Qihoo 360 Security   Win32/Virus.Adware.94c                                 1.0.0.1015
Reason Heuristics    PUP.InstallCore                                        15.4.1.6
Sophos               Generic PUA NP                                         4.98
SUPERAntiSpyware                                                            9962
VIPRE Antivirus      Threat.4150696                                         35418

File size:
574.6 KB (588,427 bytes)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_nsw8c88.tmp

File PE Metadata
Compilation timestamp:
6/20/1992 3:52:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:qmvplXaF8uRbGQ6AXzEhlbJX0clvtxIFwNc/kGhXXFhT8:qmv/XbuIQ6AXKNlvH/6vhXXr

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...

Entropy:
7.8628

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)
