icreinstall_facebook-video-calling.exe

UpdateStar GmbH

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_facebook-video-calling.exe by UpdateStar GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
UpdateStar GmbH  (signed and verified)

MD5:
d626fa7da777a8618ac5847de1cc2616

SHA-1:
64b8cf04a3bcb3eb198e0136d438dae0fe47b10d

SHA-256:
38b529e8b5a47079fa32754ffdaf721777efdc8cf9d08f7ab0bdd9ebcc6d8050

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/21/2024 10:24:14 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.installCore (M)
17.1.11.19

File size:
1.1 MB (1,104,552 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_facebook-video-calling.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
11/30/2011 10:00:00 PM

Valid to:
11/30/2012 9:59:59 PM

Subject:
CN=UpdateStar GmbH, O=UpdateStar GmbH, STREET=Hauptstrasse 20, L=Berlin, S=Berlin, PostalCode=10827, C=DE

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
4C04D272CAAEF51D5786CA84D80CFB98

File PE Metadata
Compilation timestamp:
6/19/1992 7:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xCD500

Entry point:
55, 8B, EC, 83, C4, F0, B8, 78, 6C, 41, 00, E8, 0F, E7, FF, FF, 00, 00, 56, 55, E8, 80, FD, FF, FF, 89, 03, 83, 3B, 00, 74, 23, 8B, D3, B8, E4, 45, 47, 00, E8, F5, FD, FF, FF, 84, C0, 75, 13, 68, 00, 80, 00, 00, 6A, 00, 8B, 03, 50, E8, 62, FD, FF, FF, 33, C0, 89, 03, 5D, 5F, 5E, 5B, C3, 90, 53, 56, 57, 55, 83, C4, EC, 89, 4C, 24, 04, 89, 14, 24, C7, 44, 24, 08, FF, FF, FF, FF, 33, D2, 89, 54, 24, 0C, 8B, E8, 8B, 04, 24, 03, C5, 89, 44, 24, 10, 8B, 1D, E4, 45, 47, 00, EB, 51, 8B, 3B, 8B, 73, 08, 3B, EE, 77...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
837.5 KB (857,600 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

Remove icreinstall_facebook-video-calling.exe - Powered by Reason Core Security