icreinstall_gimp-13219-dp.exe

Kisi

Mode Beta (Fried Cookie Ltd)

The installer uses the InstallCore engine, which may bundle about 3-4 offers for ad-supported toolbars, browser extensions and utilities. The application icreinstall_gimp-13219-dp.exe, "Kisi Setup" by Mode Beta (Fried Cookie), has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application built on the InstallCore installer, which may bundle additional software offers including toolbars and browser extensions.
Publisher:
Sacip   (signed by Mode Beta (Fried Cookie Ltd))

Product:
Kisi

Description:
Kisi Setup

Version:
3.2.2.4

MD5:
2086d886894c45c03b704546c2e64db3

SHA-1:
feca95dfa976b79d2b280967e8101a4b21df01b8

SHA-256:
9ac784aaf3165bf6eab5551b8548470cd4496da86ec698ca6a5e39886ddf8f5a

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
12/25/2024 6:28:25 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.InstallCore.FC.Installer (M)

Engine version:
16.4.21.16

File size:
952.6 KB (975,504 bytes)

Product version:
4.4.2

Copyright:
File Lite

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_gimp-13219-dp.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
12/16/2015 3:37:06 PM

Valid to:
7/7/2016 7:06:18 PM

Subject:
CN=Mode Beta (Fried Cookie Ltd), O=Mode Beta (Fried Cookie Ltd), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112172B4C29D53526C8AFAEF1C4F6265E881

File PE Metadata
Compilation timestamp:
6/20/1992 1:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:bjJz9OiMv1hlYlmHZRY5L5H/9x7NJXH6:blZMb/5RYRV9h36

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file icreinstall_gimp-13219-dp.exe has been seen being distributed by the following 50 URLs.

http://www.capitalsoftwaredownload.

http://www.appsfunbyte.

http://www.citysafeapplication.com/WVl6OTRQV1Z6TUVGUWRHZ3llRW93TlUxelRHZzJaM2hKTVUxNWJubGtRVm9sTWtKdmRpVXlRblkyU1hrMUpUSkdUVGxhVlUwbE0wUW1ZejAyUVhKV00zRjRZMWsyTlV4WFZtOXlPU1V5Um5Cb2RYSnpOMU53V0RONlJGWm1ZMmRxY0d4MFMzVTVNbmRhZUhZelMwOXhjSEZCU2t4NmRFNHhNRXRUU2tkU01WSTRkMkV4YXpKcVUwVm9kbmhhY25CUWRsVnRhVWQ0Ym5NeWJVSlRkSFp4Y1VGQ09HUlJTVWhXVlZSdFpraERjRVZDV1c5MEpUSkNjU1V5UW1wRGVraEZUM1phU21oeVVqUjBjMEZDVVdkRWFWSnBPWE5DWlZFbE0wUWxNMFFtWlQwd0ptWmhiR3hpWVdOclgzVnliRDFvZEhSd0pUTmhKVEptSlRKbVpHOTNibXh2WVdRdVoybHRjQzV2Y21jbE1tWndkV0lsTW1abmFXMXdKVEptZGpJdU9DVXlabmRwYm1SdmQzTWxNbVpuYVcxd0xUSXVPQzR4TmkxelpYUjFjQzB5TG1WNFpTWmtiM2R1Ykc5aFpFRnpQVWRKVFZBdE1UTXlNVGt0WkhBdVpYaGw=

http://www.cycleupdateguard.

http://www.downloadguardpresent.

http://www.capitaltoursoftware.

http://www.gifttownsign.com/WVl6OTRQV05VYzBscGMzRlZZa1o0U1Zsb2EzbFJVbk50TUZCaVdubzRaMm80UjNSS2JrdE9jbmhTVTFOQ0pUSkdXU1V6UkNaalBXcG1PSGR6V0had1pUWkVNbEl3VVNVeVFtOXdOR3hKTUVaR2VsVjRTbnBsVkRscmNXcDNOVUpzUjFaTWRqaHVUakpsYXpONk4xUkVNVzkzZG5vM00yZFlZVm95VkRkM0pUSkNSakpwVFNVeVFscERaR3NsTWtab1JscFlTMVZMZHpGdmIzaFVZMjA1V1U1WVNHbElVRkk1VkVSaWNqZHNWSGMzVlhrMmQzaDNVVUpPV1hoRFRqazFkV3h4VkdJd2QzSk9kMlJ0T1ZORWJXWmlXamxSSlRORUpUTkVKbVU5TUNabVlXeHNZbUZqYTE5MWNtdzlhSFIwY0NVellTVXlaaVV5Wm1SdmQyNXNiMkZrTG1kcGJYQXViM0puSlRKbWNIVmlKVEptWjJsdGNDVXlabll5TGpnbE1tWjNhVzVrYjNkekpUSm1aMmx0Y0MweUxqZ3VNVFl0YzJWMGRYQXRNaTVsZUdVbVpHOTNibXh2WVdSQmN6MUhTVTFRTFRFek1qRTVMV1J3TG1WNFpRPT0=

Latest 30 of 79 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

Remove icreinstall_gimp-13219-dp.exe - Powered by Reason Core Security