» icreinstall_facebook-video-calling.exe
Overview
Analysis
File Details
Network (2)

icreinstall_facebook-video-calling.exe

UpdateStar GmbH

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_facebook-video-calling.exe by UpdateStar GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.

File name:

Publisher:

UpdateStar GmbH (signed and verified)

MD5:

d626fa7da777a8618ac5847de1cc2616

SHA-1:

64b8cf04a3bcb3eb198e0136d438dae0fe47b10d

SHA-256:

38b529e8b5a47079fa32754ffdaf721777efdc8cf9d08f7ab0bdd9ebcc6d8050

Scanner detections:

1 / 68

Status:

Potentially unwanted

Explanation:

Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:

This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:

4/25/2024 10:47:45 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.installCore (M)

17.1.11.19

File size:

1.1 MB (1,104,552 bytes)

File type:

Executable application (Win32 EXE)

Bundler/Installer:

installCore

Common path:

C:\users\{user}\appdata\local\temp\icreinstall_facebook-video-calling.exe

Digital Signature

Signed by:

UpdateStar GmbH

Authority:

COMODO CA Limited

Valid from:

11/30/2011 10:00:00 PM

Valid to:

11/30/2012 9:59:59 PM

Subject:

CN=UpdateStar GmbH, O=UpdateStar GmbH, STREET=Hauptstrasse 20, L=Berlin, S=Berlin, PostalCode=10827, C=DE

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

4C04D272CAAEF51D5786CA84D80CFB98

File PE Metadata

Compilation timestamp:

6/19/1992 7:22:17 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

Entry address:

0xCD500

Entry point:

55, 8B, EC, 83, C4, F0, B8, 78, 6C, 41, 00, E8, 0F, E7, FF, FF, 00, 00, 56, 55, E8, 80, FD, FF, FF, 89, 03, 83, 3B, 00, 74, 23, 8B, D3, B8, E4, 45, 47, 00, E8, F5, FD, FF, FF, 84, C0, 75, 13, 68, 00, 80, 00, 00, 6A, 00, 8B, 03, 50, E8, 62, FD, FF, FF, 33, C0, 89, 03, 5D, 5F, 5E, 5B, C3, 90, 53, 56, 57, 55, 83, C4, EC, 89, 4C, 24, 04, 89, 14, 24, C7, 44, 24, 08, FF, FF, FF, FF, 33, D2, 89, 54, 24, 0C, 8B, E8, 8B, 04, 24, 03, C5, 89, 44, 24, 10, 8B, 1D, E4, 45, 47, 00, EB, 51, 8B, 3B, 8B, 73, 08, 3B, EE, 77... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

837.5 KB (857,600 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to os.solvefile.com (207.189.109.121:80)

TCP (HTTP):

Connects to cdnus.solvefile.com (207.189.109.121:80)

Remove icreinstall_facebook-video-calling.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.