» icreinstall_superdownloads_nvu.exe
Overview
Analysis
File Details
Network (2)

icreinstall_superdownloads_nvu.exe

Stub

No Zebra Network Ltda.

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_superdownloads_nvu.exe, “Stub Setup ” by No Zebra Networka has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.

File name:

Publisher:

File (signed by No Zebra Network Ltda.)

Product:

Stub

Description:

Stub Setup

MD5:

3b53cdf99390b0e03349151429d314cc

SHA-1:

ec3e37795c9c75430145011cf4fd4139f22750ba

SHA-256:

4afad066c3920087c032ad2737c198f8603791fee807f1f679a05e8553630134

Scanner detections:

1 / 68

Status:

Adware

Explanation:

Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:

This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:

4/16/2024 9:07:45 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.installCore (M)

17.3.16.11

File size:

1.8 MB (1,869,424 bytes)

Product version:

4.4

File type:

Executable application (Win32 EXE)

Bundler/Installer:

installCore

Language:

Language Neutral

Common path:

C:\users\{user}\appdata\local\temp\icreinstall_superdownloads_nvu.exe

Digital Signature

Signed by:

No Zebra Network Ltda.

Authority:

GlobalSign nv-sa

Valid from:

3/14/2016 5:42:36 PM

Valid to:

6/11/2017 12:34:11 PM

Subject:

CN=No Zebra Network Ltda., O=No Zebra Network Ltda., L=Curitiba, C=BR

Issuer:

CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:

11218A29043D97A4BC57F62FED8B90559582

File PE Metadata

Compilation timestamp:

5/29/2012 8:51:48 AM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

Entry address:

0x16478

Entry point:

55, 8B, EC, 83, C4, A4, 53, 56, 57, 33, C0, 89, 45, C4, 89, 45, C0, 89, 45, A4, 89, 45, D0, 89, 45, C8, 89, 45, CC, 89, 45, D4, 89, 45, D8, 89, 45, EC, B8, B8, 52, 41, 00, E8, AC, 03, FF, FF, 33, C0, 55, 68, 45, 6B, 41, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 01, 6B, 41, 00, 64, FF, 32, 64, 89, 22, A1, 48, AB, 41, 00, E8, 56, EC, FF, FF, E8, FD, E7, FF, FF, 8D, 55, EC, 33, C0, E8, 7F, 84, FF, FF, 8B, 55, EC, B8, E8, D6, 41, 00, E8, E2, E9, FE, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, E8, D6, 41, 00, B2, 01... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

84 KB (86,016 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to os.solvefile.com (207.189.109.121:80)

TCP (HTTP):

Connects to cdnus.solvefile.com (207.189.109.121:80)

Remove icreinstall_superdownloads_nvu.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.