icreinstall_pdfreadersetup.exe

InstallCore Ltd.

The installer uses the InstallCore download manager, which typically bundles three or four offers for ad-supported toolbars, browser extensions and utilities alongside the advertised application. icreinstall_pdfreadersetup.exe, published by InstallCore Ltd., has been flagged as adware by 1 of the 68 anti-malware scanners consulted; the detecting heuristic classifies it as a potentially unwanted program (PUP.installCore.Installer). It is typically executed from the user's temporary directory and, while running, connects over plain HTTP (TCP port 80) to os.solvefile.com.
Publisher:
InstallCore Ltd.  (signed and verified; note that the signing certificate's validity window ended 2/21/2013, so the signature still verifies only if it carries a trusted timestamp countersignature from before that date, which is worth confirming locally with a tool such as signtool verify /pa /v)

MD5:
3a8684b78fc87525a20a26a0888aefc6

SHA-1:
243eb25896e7e24429beb3fae8b1f18e32601af1

SHA-256:
62d6330d99c4a5918f6a5a39d2a99aaf976a11a1c085543baf1484454836ace4

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Utilizes the InstallCore download manager that may bundle various adware-type offers.

Analysis date:
4/25/2024 4:43:57 AM UTC

Scan engine          Detection                         Engine version
Reason Heuristics    PUP.installCore.Installer (M)     16.2.13.4

File size:
1001.8 KB (1,025,808 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_pdfreadersetup.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
2/21/2012 4:00:00 AM

Valid to:
2/21/2013 3:59:59 AM

Subject:
CN=InstallCore Ltd., OU=Support, O=InstallCore Ltd., STREET=Nisim Aloni 21, L=Tel Aviv, S=N/A, PostalCode=62919, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0088971791FBF6CE4920268CDF6A0A825F

File PE Metadata
Compilation timestamp:
6/20/1992 2:22:17 AM  (this is the fixed placeholder value 0x2A425E19 that Borland/Delphi linkers write into the PE TimeDateStamp field, 19 June 1992 22:22:17 UTC, rendered here in a local time zone; it is not the real build date)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:vNIsfvzSve+OeOLqh9Y3iZw2KjKTIm4CkoicD:vNISzbeOLyq2TTI1CK

Entry address:
0xC1E2A

Entry point:
55, 8B, EC, 83, C4, F0, B8, 51, 2C, 44, 00, E8, 97, DB, FF, FF, AE, 9C, 26, 30, 43, 7F, 0D, 16, 92, BF, B4, EC, C7, 6B, 4C, 24, 2E, 68, 05, C5, 2A, 60, 7A, 39, 72, 21, A4, BD, E9, 08, C9, BA, 9B, 1E, 0A, 40, A5, F1, 80, 50, 2C, 5D, 20, D3, 85, BB, AE, 54, 4A, 4D, A1, D4, FC, BE, AC, 63, 61, 0E, 42, 49, D3, 57, 6B, EB, 19, 36, A3, BD, 89, B9, 9C, DB, 97, 33, 26, 34, FC, 4F, 9A, 53, 1D, 34, 7C, 28, 6D, B0, 33, 70, E3, A3, 17, 96, C5, 26, 32, 24, 57, 33, 5F, 25, 3D, BC, C5, 1A, 9B, 7A, BF, 4D, 41, E5, B2, B1...
 

Entropy:
6.9592  (close to the 8.0 maximum for a 1 MB file, consistent with compressed or packed content making up most of the image)

Developed / compiled with:
Microsoft Visual C++  (scanner label; the 2.25 linker version, the Borland/Delphi placeholder timestamp and the entry-point prologue 55 8B EC 83 C4 F0 B8 ... E8 are characteristic of a Delphi build, so this label is unlikely to be accurate)

Code size:
787 KB (805,888 bytes)
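The hash, entropy and PE-header fields above can be reproduced from a local copy of the sample before any of the other findings are trusted. The script below is an added example, not code from this page or from InstallCore or Reason Core Security. It uses only the Python standard library and, so that it runs offline, builds a constructed stand-in PE32 image that carries the same header values listed above (placeholder timestamp, linker 2.25, OS version 4.0, GUI subsystem, the first 16 entry-point bytes); the stand-in is not the installer and its digests will not match the page's. The 6.8 entropy threshold and the "Delphi prologue" byte pattern are the author's triage heuristics, not values from the page.

```python
"""Added example (not code from this page or from InstallCore / Reason Core Security): reproduce
the hashes, entropy and 'File PE Metadata' fields shown above from a file image, and flag the
header quirks a triager should notice. Stdlib only; runs offline on a constructed stand-in."""
import hashlib
import math
import struct
from datetime import datetime, timezone

DELPHI_PLACEHOLDER_STAMP = 0x2A425E19  # fixed TimeDateStamp written by Borland/Delphi linkers
# First 16 entry-point bytes from this page: push ebp; mov ebp,esp; add esp,-0x10; mov eax,imm32; call rel32
ENTRY_PROLOGUE = bytes.fromhex("558BEC83C4F0B8512C4400E897DBFFFF")
PAGE_HASHES = {  # digests listed on this page; a local copy must match all three before the rest applies
    "md5": "3a8684b78fc87525a20a26a0888aefc6",
    "sha1": "243eb25896e7e24429beb3fae8b1f18e32601af1",
    "sha256": "62d6330d99c4a5918f6a5a39d2a99aaf976a11a1c085543baf1484454836ace4",
}

def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in PAGE_HASHES}

def matches_page(data: bytes) -> bool:
    return file_hashes(data) == PAGE_HASHES

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); a whole-file value near 7 means most of the file is compressed or encrypted."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_summary(data: bytes) -> dict:
    """Read the PE32 header fields listed on this page straight from the image bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    _, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (Win32) images are handled here")
    size_of_code, = struct.unpack_from("<I", data, opt + 4)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    entry_off = None  # translate the entry RVA to a file offset via the section table
    for i in range(nsections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_off = raw_ptr + (entry_rva - va)
            break
    if entry_off is None:
        raise ValueError("entry point RVA lies outside every section")
    return {
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "delphi_placeholder": stamp == DELPHI_PLACEHOLDER_STAMP,
        "linker": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": {2: "Windows GUI", 3: "Windows CUI"}.get(subsystem, str(subsystem)),
        "size_of_code": size_of_code,
        "entry_rva": entry_rva,
        "entry_bytes": data[entry_off:entry_off + 16].hex(" ").upper(),
    }

def triage_findings(info: dict, entropy: float) -> list:
    findings = []
    if info["delphi_placeholder"]:
        findings.append("TimeDateStamp is the Borland/Delphi linker placeholder, not a real build date")
    if info["entry_bytes"].startswith("55 8B EC 83 C4 F0 B8"):
        findings.append("entry point is the Delphi program prologue, not a Visual C++ CRT start")
    if entropy > 6.8:
        findings.append("whole-file entropy near the 8.0 maximum: compressed or packed payload likely")
    return findings

def build_sample_pe() -> bytes:
    """Constructed stand-in (not the real installer): minimal PE32 with the header values this page lists."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                        # e_lfanew
    pe, opt = 0x80, 0x80 + 24
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, DELPHI_PLACEHOLDER_STAMP, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<HBBI", img, opt, 0x10B, 2, 25, 0x200)       # PE32 magic, linker 2.25, SizeOfCode
    struct.pack_into("<I", img, opt + 16, 0x1000)                  # AddressOfEntryPoint (RVA)
    struct.pack_into("<HH", img, opt + 40, 4, 0)                   # OS version 4.0
    struct.pack_into("<H", img, opt + 68, 2)                       # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", 0x200, 0x1000, 0x200, 0x200)  # one section
    img[0x200:0x200 + len(ENTRY_PROLOGUE)] = ENTRY_PROLOGUE
    return bytes(img)

if __name__ == "__main__":
    sample = build_sample_pe()
    info = pe_summary(sample)
    print(info, round(shannon_entropy(sample), 4), matches_page(sample), triage_findings(info, shannon_entropy(sample)), sep="\n")
```

To run it against the real sample, read the file into bytes and pass it to matches_page, pe_summary and shannon_entropy in that order: if matches_page is false, the copy is not the file this page describes and the remaining fields cannot be compared. Parsing the header yourself, rather than trusting the scanner's "compiled with" label, is what exposes the placeholder timestamp and Delphi prologue noted above.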

The executing file has been seen to make the following network communications in live environments. All three are plain HTTP on TCP port 80 (no TLS), and the two solvefile.com hosts resolved to the same address at analysis time, so two domains and one IP cover them.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)

Remove icreinstall_pdfreadersetup.exe - Powered by Reason Core Security