$ analyze-threat PUADlManager:Win32/InstallCore
PUADlManager:Win32/InstallCore - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: PUADlManager:Win32/InstallCore
Classification:
Type: PUADlManager
Platform: Win32
Family: InstallCore
Detection Type: Concrete (known malware family with identified signatures)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: PUADlManager for 32-bit Windows platform, family InstallCore

Summary:

This is a Potentially Unwanted Application (PUA) detection for the InstallCore bundling platform: a download-manager/installer wrapper that delivers bundled third-party software alongside the program the user actually asked for. The signature strings listed below reference InstallCore's own browser-handling routines (irsoGetChromeEXE, operaprefs.ini) together with generic Windows living-off-the-land techniques (PowerShell, scheduled tasks, BITS jobs, rundll32/regsvr32/mshta, netsh helper DLLs and API hooking) that the bundler can use to persist, alter browser settings and push advertising or unwanted extensions.

Severity:
High
VDM Static Detection:
Relevant strings associated with this threat (PEHSTR_EXT entries are literal strings; entries prefixed !#HSTR: are references to shared Defender sub-signatures for the named technique rather than strings found in the sample; SNID entries are short byte fragments that are not meaningful as plain text):
 - irsoUninstallAddOpenBrowserCmd (PEHSTR_EXT)
 - irsoIsCompleted (PEHSTR_EXT)
 - irsoGetChromeEXE (PEHSTR_EXT)
 - 4.!GI (SNID)
 - u5l\N (SNID)
 - p/m3qY (SNID)
 - rp.coolvideoconverter.com (PEHSTR_EXT)
 - cdnus.coolvideoconverter.com (PEHSTR_EXT)
 - operaprefs.ini (PEHSTR_EXT)
 - Uninst.exe (PEHSTR_EXT)
 - Uninstall.exe (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForSoftwarePacking.C!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
Filename: virussign.com_e3ff8593829a9c8fb976c964cac697f0
0b58bbe496218fa82f98aff8990622ed7529bcbef31c2b782657a80eadccc734
22/03/2026
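A first-pass triage helper built from the indicators in this report, added here as an example; it is not part of the original page and is not Microsoft Defender's own logic. It checks a file for the literal PEHSTR_EXT strings listed above (in both ASCII and UTF-16LE, since installer strings are often wide) and compares the file's SHA-256 with the known sample hash. The !#HSTR references and SNID fragments are deliberately left out because they are not plain strings. The weighting (treating Uninst.exe, Uninstall.exe and rundll32 as weak because every legitimate installer contains them) and the two-strong-hits threshold are assumptions for illustration, and the sample bytes are constructed, not a real executable.

```python
"""Triage a file against the PUADlManager:Win32/InstallCore string indicators.

Added example, not Defender's detection logic. Matches the literal PEHSTR_EXT
strings from the report in ASCII and UTF-16LE and checks the SHA-256 against
the known sample hash.
"""
import hashlib

# Literal PEHSTR_EXT strings from the signature listing.
INSTALLCORE_STRINGS = [
    b"irsoUninstallAddOpenBrowserCmd",
    b"irsoIsCompleted",
    b"irsoGetChromeEXE",
    b"rp.coolvideoconverter.com",
    b"cdnus.coolvideoconverter.com",
    b"operaprefs.ini",
    b"Uninst.exe",
    b"Uninstall.exe",
    b"rundll32",
]

# SHA-256 of the known sample named in the report.
KNOWN_SAMPLE_SHA256 = "0b58bbe496218fa82f98aff8990622ed7529bcbef31c2b782657a80eadccc734"

# Assumed weighting (not Defender's): these appear in most benign installers,
# so on their own they should not drive a verdict.
WEAK_STRINGS = {b"Uninst.exe", b"Uninstall.exe", b"rundll32"}


def find_indicators(data: bytes) -> dict:
    """Return {indicator: encoding} for every listed string present in data.

    Each string is searched as ASCII and as UTF-16LE; the reported encoding is
    "ascii" when the narrow form is present, otherwise "utf-16le".
    """
    hits = {}
    for s in INSTALLCORE_STRINGS:
        ascii_hit = s in data
        wide_hit = s.decode("ascii").encode("utf-16-le") in data
        if ascii_hit or wide_hit:
            hits[s.decode("ascii")] = "ascii" if ascii_hit else "utf-16le"
    return hits


def triage(data: bytes) -> dict:
    """Hash the bytes, collect indicator hits and derive a coarse verdict."""
    digest = hashlib.sha256(data).hexdigest()
    hits = find_indicators(data)
    strong = [name for name in hits if name.encode("ascii") not in WEAK_STRINGS]
    if digest == KNOWN_SAMPLE_SHA256:
        verdict = "known-sample"
    elif len(strong) >= 2:          # assumed threshold: two InstallCore-specific strings
        verdict = "likely-installcore"
    elif hits:
        verdict = "weak-indicators"  # only generic installer strings present
    else:
        verdict = "no-indicators"
    return {"sha256": digest, "hits": hits, "strong_hits": strong, "verdict": verdict}


def scan_file(path: str) -> dict:
    """Convenience wrapper: triage a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample bytes standing in for a bundler executable (not a real PE):
# two irso* routines, one of the CDN hostnames and a wide-string Opera prefs name.
SAMPLE_BUNDLER = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"irsoGetChromeEXE\x00irsoIsCompleted\x00"
    + b"http://rp.coolvideoconverter.com/offers\x00"
    + "operaprefs.ini".encode("utf-16-le")
    + b"\x00Uninstall.exe\x00"
)

# Constructed benign-looking installer: only generic strings.
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 16 + b"Uninstall.exe\x00rundll32\x00"


if __name__ == "__main__":
    for label, blob in (("bundler", SAMPLE_BUNDLER), ("clean", SAMPLE_CLEAN)):
        result = triage(blob)
        print(f"{label}: {result['verdict']} strong={result['strong_hits']} sha256={result['sha256'][:16]}...")
```

String matching of this kind is a triage aid, not a verdict: InstallCore builds are repacked frequently (the signature itself references a software-packing sub-rule), so a clean string scan does not clear a file, and a hash match only confirms the one sample listed here.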
Remediation Steps:
Quarantine and remove the detected file with Windows Defender, then run a full system scan. Because the signature references scheduled-task, BITS-job, netsh helper DLL, rundll32/regsvr32 and mshta strings, review those persistence points by hand as well: scheduled tasks, BITS transfer jobs, netsh helper DLL registrations, Run/RunOnce keys and startup folders. Check installed programs for the bundled software the download manager delivered, and check browser extensions, home-page and search settings (including the Opera preferences file operaprefs.ini referenced above) for unauthorized changes.
=== END REPORT ===
Analysis last updated: 22/03/2026.