home

uninstall7998093.exe

ExpressFiles Application

http://www.express-files.com/

The application uninstall7998093.exe has been detected as a potentially unwanted program by 6 anti-malware scanners. It uses the ExpressFiles installer to bundle additional adware offers such as toolbars and web browser addons. It is also typically executed from the user's temporary directory.
Publisher:
http://www.express-files.com/

Product:
ExpressFiles Application

Version:
2, 0, 0, 38

MD5:
ae4d2f7643ba84d4f25306fb33d9cbb0

SHA-1:
6dda3be73e805e2df1957ecab006bb1fa81125d0

SHA-256:
e2c9e6de2921ced46ad0215960897dfc4edeeda0242d00c2aec0af4c1e140b3a

Scanner detections:
6 / 68

Status:
Potentially unwanted

Analysis date:
11/24/2024 4:20:36 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Expressfiles-C [PUP]
2014.9-140124

Baidu Antivirus
Trojan.Win32.ExpressFiles
4.0.3.14124

ESET NOD32
Win32/ExpressFiles (variant)
8.9304

herdProtect (fuzzy)
variant of uninstall2818062.exe (PUP)
2014.2.27.7

Reason Heuristics
PUP.httpwwwexpressfiles.Q
14.2.23.10

VIPRE Antivirus
ExpressFiles Installer
25512

File size:
961 KB (984,064 bytes)

Product version:
2,0,0,0

Copyright:
Copyright http://www.express-files.com/ (C) 2012

Original file name:
ExpressFiles.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\uninstall7998093.exe

File PE Metadata
Compilation timestamp:
1/16/2014 3:15:00 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:uyg7zH6EBx5t0SaTa8Rdb5lxT9TxaDqTL6VbzsS2Ln2Nz2bFb:uHaEf8Ta8Rdb5lxxFaDqiVbzs0Ub

Entry address:
0x168C1

Entry point:
E8, 60, 91, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, 57, 56, 53, 33, FF, 8B, 44, 24, 14, 0B, C0, 7D, 14, 47, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 18, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 10, F7, F1, 8B, D3, EB, 41, 8B, D8, 8B, 4C, 24, 18, 8B, 54, 24, 14, 8B, 44, 24, 10, D1, EB, D1, D9, D1, EA, D1, D8, 0B, DB...
 
[+]

Entropy:
7.2170

Code size:
160 KB (163,840 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mail.smile-files.com  (46.23.68.149:80)

TCP (HTTP):
Connects to ec2-54-235-184-192.compute-1.amazonaws.com  (54.235.184.192:80)

TCP (HTTP):
Connects to ec2-50-17-236-103.compute-1.amazonaws.com  (50.17.236.103:80)

TCP (HTTP):
Connects to map2.hwcdn.net  (205.185.216.42:80)

TCP (HTTP):
Connects to vip1.g.cachefly.net  (205.234.175.175:80)

TCP (HTTP):
Connects to unknown.carohosting.net  (74.81.170.110:80)

TCP (HTTP):
Connects to static.165.45.63.178.clients.your-server.de  (178.63.45.165:80)

TCP (HTTP):
Connects to sjc02-usadmm.dotomi.com  (66.151.150.249:80)

TCP (HTTP):
Connects to server-52-85-63-250.lhr50.r.cloudfront.net  (52.85.63.250:80)

TCP (HTTP):
Connects to server-52-84-102-50.del51.r.cloudfront.net  (52.84.102.50:80)

TCP (HTTP):
Connects to server-52-84-102-175.del51.r.cloudfront.net  (52.84.102.175:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (176.32.97.204:80)

TCP (HTTP):
Connects to retarget.ca.dc.openx.org  (173.241.250.7:80)

TCP (HTTP SSL):
Connects to r-199-59-148-84.twttr.com  (199.59.148.84:443)

TCP (HTTP):
Connects to presentation-sjc2.turn.com  (69.194.244.11:80)

TCP (HTTP):
Connects to pc-in-f95.1e100.net  (74.125.28.95:80)

TCP (HTTP):
Connects to mpr8.ngd.vip.ch1.yahoo.com  (217.163.21.41:80)

TCP (HTTP):
Connects to mpr2.ngd.vip.gq1.yahoo.com  (216.39.55.13:80)

TCP (HTTP):
Connects to map-e.pipelane.net  (204.2.197.201:80)

TCP (HTTP):
Connects to lax17s01-in-f28.1e100.net  (74.125.224.60:80)

Remove uninstall7998093.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.