uninstall218635.exe

ExpressFiles Application

Faglaro Enterprises Limited

The application uninstall218635.exe by Faglaro Enterprises Limited has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the SimpleFiles installer. It uses the ExpressFiles installer to bundle additional adware offers such as toolbars and web browser add-ons. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address mail.smile-files.com on port 80 using the HTTP protocol.
Publisher:
http://www.express-files.com/  (signed by Faglaro Enterprises Limited)

Product:
ExpressFiles Application

Version:
1, 0, 3, 1

MD5:
76f6e8033be7099c2d26b130f336bc7d

SHA-1:
ce07f158df79f8809c7c22b9f1c2c3b3c0ecd4be

SHA-256:
74e0352be62fc53f4f66ffca1c558ca3fdc697b1f197d8a5574a3dc03fb8e7d8

Scanner detections:
5 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/28/2024 10:23:50 AM UTC

Scan engine             | Detection                          | Engine version
------------------------|------------------------------------|---------------
avast!                  | Win32:Expressfiles-C [PUP]         | 2014.9-140202
ESET NOD32              | Win32/ExpressFiles (variant)       | 8.9182
Reason Heuristics       | PUP.FaglaroEnterprisesLimited.P    | 14.8.7.22
Trend Micro House Call  | TROJ_GEN.F47V0701                  | 7.2.33
VIPRE Antivirus         | ExpressFiles Installer             | 24452

File size:
476.6 KB (488,088 bytes)

Product version:
2,0,0,0

Copyright:
Copyright http://www.express-files.com/ (C) 2012

Original file name:
ExpressFiles.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
SimpleFiles

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\uninstall218635.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/16/2011 2:00:00 AM

Valid to:
12/16/2012 1:59:59 AM

Subject:
CN=Faglaro Enterprises Limited, O=Faglaro Enterprises Limited, STREET="Konstantinoupoleos, 22", L=Nicosia, S=Aglantzia/Cyprus, PostalCode=2107, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DD2A4BBB66262A8FB4E084560573E908

File PE Metadata
Compilation timestamp:
9/10/2012 3:14:31 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:ubwyEN/KjZdwH+LyVlSta/mm5CLJomiztHbYuey7W0IknT4pZlFea:TKjZM+2Eta/HILJIpsux7WTopa

Entry address:
0xC8A00

Entry point:
60, BE, 00, 00, 47, 00, 8D, BE, 00, 10, F9, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
356 KB (364,544 bytes)

Windows Firewall Allowed Program
Name:
C:\Program Files\ExpressFiles\ExpressFiles.exe
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mail.smile-files.com  (46.23.68.149:80)

TCP (HTTP):
Connects to li1321-138.members.linode.com  (45.79.222.138:80)

TCP (HTTP SSL):
Connects to ip-172-30-177-21.ec2.internal  (172.30.177.21:443)
