icreinstall_setup.exe

Click run software

The application icreinstall_setup.exe by Click run software has been detected as adware by 20 anti-malware scanners. Its installer uses the InstallCore engine, which may bundle about 3-4 additional software offers, including ad-supported toolbars, browser extensions and utilities. It is typically executed from the user's temporary directory. The file has been seen being downloaded from www.vlcplayerdownload.com and multiple other hosts. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.

Publisher:
Click run software  (signed and verified)

MD5:
92eff4cdbeec018de942757d3803fac5

SHA-1:
6c25fbe55b55b9c46a5fa732548ecfdf529f0d8e

SHA-256:
3f35171afe139e7702546264545afeecab54d6ec16742f9a24d05b4a70fb7f6d

Scanner detections:
20 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
4/16/2025 12:25:13 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Gen:Variant.Adware.Strictor.29707 | 1008 |
| Avira AntiVirus | APPL/Downloader.Gen6 | 7.11.133.8 |
| avast! | Win32:InstallCore-CI [PUP] | 2014.9-140502 |
| Baidu Antivirus | Adware.Win32.InstallCore | 4.0.3.1452 |
| Bitdefender | Gen:Variant.Adware.Strictor.29707 | 1.0.20.610 |
| Comodo Security | Application.Win32.ClickRun.A | 17821 |
| Dr.Web | Adware.InstallCore.55 | 9.0.1.0122 |
| Emsisoft Anti-Malware | Gen:Variant.Adware.Strictor.29707 | 8.14.05.02.12 |
| ESET NOD32 | Win32/InstallCore.AF (variant) | 8.9452 |
| F-Secure | Gen:Variant.Adware.Strictor.29707 | 11.2014-02-05_6 |
| G Data | Gen:Variant.Adware.Strictor.29707 | 14.5.24 |
| MicroWorld eScan | Gen:Variant.Adware.Strictor.29707 | 15.0.0.366 |
| Panda Antivirus | PUP/MultiToolbar.A | 14.05.02.12 |
| Reason Heuristics | PUP.Installer.Clickrunsoftware.R | 14.8.7.20 |
| Rising Antivirus | PE:Malware.XPACK-LNR/Heur!1.5594 | 23.00.65.14430 |
| Trend Micro House Call | ADW_INSTALLCORE | 7.2.122 |
| Trend Micro | ADW_INSTALLCORE | 10.465.02 |
| Vba32 AntiVirus | BScope.Malware-Cryptor.InstallCore.2691 | 3.12.24.3 |
| VIPRE Antivirus | Click run software | 26682 |

File size:
1 MB (1,074,664 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_setup.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/18/2012 9:00:00 PM

Valid to:
4/19/2013 8:59:59 PM

Subject:
CN=Click run software, O=Click run software, STREET=63 Rotshylid Shderot, L=Tel-Aviv, S=NA, PostalCode=65785, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A243E49C0DAF69F7C5ACF083EB184161

File PE Metadata
Compilation timestamp:
6/19/1992 7:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:M3VBX4efvqt/HncKXqPTqTY9VVBz7yZptc:MFBX9fvy/ceqPdLHp

Entry address:
0xC9650

Entry point:
55, 8B, EC, 83, C4, F0, B8, EC, 23, 40, 00, E8, 79, E4, FF, FF, D6, 46, 00, 0C, 7D, 18, A1, 14, D6, 46, 00, 01, 05, 18, D6, 46, 00, 03, 35, 14, D6, 46, 00, 33, C0, A3, 14, D6, 46, 00, 8B, C6, 2B, C7, 01, 05, B4, D5, 46, 00, 8B, 45, 00, 25, 03, 00, 00, 80, 0B, F0, 89, 75, 00, B0, 01, E9, A2, 00, 00, 00, E8, 49, F9, FF, FF, 8B, DD, 03, DF, F6, 03, 02, 75, 4D, 8B, D3, 8B, C2, 8B, 48, 08, 89, 0C, 24, 8B, 0C, 24, 3B, 4C, 24, 04, 7D, 0E, 03, 14, 24, 8B, DA, 8B, 04, 24, 29, 44, 24, 04, EB, 2C, E8, 2A, F6, FF, FF...
 

Entropy:
6.8777

Developed / compiled with:
Microsoft Visual C++

Code size:
817.5 KB (837,120 bytes)

The file icreinstall_setup.exe has been seen being distributed by the following 6 URLs.

http://www.vlcplayerdownload.com/download/.../setup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)
