icreinstall_nswb378.tmp

The file icreinstall_nswb378.tmp has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the installCore installer; however, the file is not signed with an Authenticode signature from a trusted source. The InstallCore engine may bundle additional software offers, including toolbars and browser extensions. The file is typically executed from the user's temporary directory.
MD5:
a20b9476bd1d72893db4534c260d812c

SHA-1:
f530e0e8a1b7e6ee5b69430e1d53185bf8ee7c4d

SHA-256:
82dc82467a281f6b70d178e0e65650ac29f29fb3cfba2f4450ea78b1b8d68cbd

Scanner detections:
6 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/18/2024 12:13:58 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Baidu Antivirus | Adware.Win32.InstallCore | 4.0.3.14920 |
| Dr.Web | Trojan.Packed.25266 | 9.0.1.0263 |
| ESET NOD32 | Win32/InstallCore.PO potentially unwanted application | 8.7.0.302.0 |
| herdProtect (fuzzy) | | 2014.12.3.10 |
| NANO AntiVirus | Riskware.Win32.InstallCore.dfgmns | 0.28.2.62483 |
| Reason Heuristics | PUP.InstallCore.W | 14.9.20.21 |

File size:
579.7 KB (593,591 bytes)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_nswb378.tmp

File PE Metadata
Compilation timestamp:
6/19/1992 3:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:YDvpvpOZnu+VfNyNXPy0OKUsdFM518vAyzfpT5VQL/MCCkk/gd9lMM8lv:YDv5kZnUz9ndK5Hi0LCk4LM8l

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 

Entropy:
7.8631

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)
