home

icreinstall_zipsetup.exe

JumpyApps

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_zipsetup.exe by JumpyApps has been detected as adware by 18 anti-malware scanners. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
JumpyApps  (signed and verified)

MD5:
91654bfb7b8f5b5c9dccce3ad10e6a9d

SHA-1:
44b2889729c8ac358c6d6b06ac472d0383b2a8de

SHA-256:
8740405b44e396e3af354e5ee683ee52b7287d62adaa42d255985a62575dea0f

Scanner detections:
18 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
4/24/2024 3:20:05 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.InstallCore
7.1.1

AhnLab V3 Security
PUP/Win32.DownloadManager
2015.01.17

Avira AntiVirus
Adware/InstallCore.A.103
7.11.201.154

AVG
Adware InstallCore.JD
2014.0.4253

Comodo Security
Application.Win32.Installcore.IJU
20727

Dr.Web
Trojan.Packed.24524
9.0.1.05190

ESET NOD32
Win32/InstallCore.KE potentially unwanted application
7.0.302.0

G Data
Win32.Application.InstallCore
15.1.24

K7 AntiVirus
Unwanted-Program
13.191.14664

Malwarebytes
PUP.Optional.JumpyApps
v2015.01.16.06

NANO AntiVirus
Trojan.Win32.Kryptik.cwezfs
0.30.0.64448

Norman
Kryptik.CDMO
11.20150116

Panda Antivirus
Trj/Genetic.gen
15.01.16.06

Reason Heuristics
PUP.Installer.JumpyApps.U
15.1.16.6

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.15114

Sophos
PUA 'Install Core Click run software'
5.09

Vba32 AntiVirus
Downware.InstallCore
3.12.26.3

VIPRE Antivirus
Threat.4786018
36666

File size:
655.2 KB (670,920 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_zipsetup.exe

Digital Signature
Signed by:
JumpyApps

Authority:
COMODO CA Limited

Valid from:
2/18/2013 1:00:00 AM

Valid to:
2/19/2014 12:59:59 AM

Subject:
CN=JumpyApps, O=JumpyApps, STREET=63 Rothschild Blvd., L=Tel Aviv, S=NA, PostalCode=65785, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
6DB423F9C6473168CF486AAF112EDD5C

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:EI8fSSJMZpDz0QzC0J+ocXbnyZJBmcsVmPOBoSD56GJPC8Dth5vq+NO:EUSGZpn0QzHwocXLaJBUMWoSD5JJq8Fk

Entry address:
0x8440

Entry point:
55, 8B, EC, 83, C4, EC, 33, C0, 89, 45, F0, 89, 45, EC, B8, 08, 84, 40, 00, E8, 48, C8, FF, FF, 33, C0, 55, 68, BD, 84, 40, 00, 64, FF, 30, 64, 89, 20, E8, 51, A2, FF, FF, 85, C0, 7E, 33, 8D, 55, F0, B8, 09, 00, 00, 00, E8, A0, A2, FF, FF, 8B, 45, F0, 50, B8, 64, 00, 00, 00, E8, EA, A2, FF, FF, 8D, 55, EC, E8, 42, D5, FF, FF, 8B, 55, EC, 58, E8, 5D, B0, FF, FF, 75, 05, E8, B2, FE, FF, FF, 33, C0, 5A, 59, 59, 64, 89, 10, 68, C4, 84, 40, 00, 8D, 45, EC, BA, 02, 00, 00, 00, E8, 78, AD, FF, FF, C3, E9, 0E, A8...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
29.5 KB (30,208 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)

Remove icreinstall_zipsetup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.