icreinstall_winrar.exe

The installer uses InstallCore, which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_winrar.exe has been detected as adware by 15 anti-malware scanners. The program is a setup application built on the InstallCore installer; the file is not signed with an Authenticode signature from a trusted source. The setup program uses the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. Users running this installer expect to download the WinRAR archiver, but before that happens they may be presented with additional offers, mostly potentially unwanted software or adware.
MD5:
a205a39ce8f8b2510872bfa1069ddde9

SHA-1:
6000e467781fdc3936067fecb45b7d75085aa9a4

SHA-256:
2fac018a68e186c1cc5b59bfa83a6ef26ca569667f08f56ca837aaac8a03dec4

Scanner detections:
15 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/19/2024 9:05:57 AM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | PUP/Win32.InstallCore | 2013.04.28
Avira AntiVirus | (detection name not listed) | 7.11.74.178
Bitdefender | Gen:Variant.Adware.SMSHoax.98 | 1.0.20.1205
Dr.Web | Adware.InstallCore.80 | 9.0.1.0241
Emsisoft Anti-Malware | Gen:Variant.Adware.SMSHoax.98 | 8.14.08.29.01
ESET NOD32 | Win32/InstallCore.AZ (variant) | 8.8274
Fortinet FortiGate | Adware/Fam.NB | 8/29/2014
F-Prot | W32/InstallCore.S.gen | v6.4.7.1.166
F-Secure | Gen:Variant.Adware.SMSHoax.98 | 11.2014-29-08_6
G Data | Gen:Variant.Adware.SMSHoax.98 | 14.8.22
IKARUS anti.virus | Win32.SuspectCrc | t3scan.2.0.0.0
K7 AntiVirus | Unwanted-Program | 13.166.8590
MicroWorld eScan | Gen:Variant.Adware.SMSHoax.98 | 15.0.0.723
Trend Micro House Call | TROJ_GEN.F47V0317 | 7.2.241
VIPRE Antivirus | Trojan.Win32.Generic | 17256

File size:
1.1 MB (1,167,008 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallCore

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_winrar.exe

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:PbnDcAxTkFyKlOcqHEOjoN0I8q2CmAqH/8:DDcKKlOcqFU0I8qjmAM

Entry address:
0xD6650

Entry point:
55, 8B, EC, 83, C4, F0, B8, 3C, 95, 40, 00, E8, C6, DE, FF, FF, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C++

Code size:
869.5 KB (890,368 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)

Remove icreinstall_winrar.exe - Powered by Reason Core Security