icreinstall_clickmein-cmiwbst2.exe

ClickMeIn Limited

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_clickmein-cmiwbst2.exe, “Powered by InstallCore” by ClickMeIn Limited has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
ClickMeIn  (signed by ClickMeIn Limited)

Product:
ClickMeIn

Description:
Powered by InstallCore

Version:
2.0.1.73

MD5:
63d1fc258d2d8c799f1f974ae8309f35

SHA-1:
8b60523c09a577852d308faf96d9964089394642

SHA-256:
dcd687971773343e06456652a0fd12d1ee27ea15d40f002d3460665235ceea83

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/24/2024 4:50:33 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.installCore (M)
17.2.1.12

File size:
755.1 KB (773,256 bytes)

Product version:
2.0.1.73

Copyright:
Copyright © Instsaller

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_clickmein-cmiwbst2.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/2/2011 9:00:00 PM

Valid to:
3/2/2012 8:59:59 PM

Subject:
CN=ClickMeIn Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=ClickMeIn Limited, L=Nicosia, S=Cyprus, C=CY

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
14E458E6106122ED8D122BDA9265B6A2

File PE Metadata
Compilation timestamp:
6/19/1992 7:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0x151F00

Entry point:
60, BE, 00, 30, 4C, 00, 8D, BE, 00, E0, F3, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
 
[+]

Packer / compiler:
UPX 2.90LZMA

Code size:
576 KB (589,824 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

Remove icreinstall_clickmein-cmiwbst2.exe - Powered by Reason Core Security