{blocked}.exe

The application {blocked}.exe has been detected as a potentially unwanted program by 10 anti-malware scanners. This is a setup program used to install the application. It uses the ExpressFiles installer to bundle additional adware offers such as toolbars and web browser add-ons. The file has been seen being downloaded from inst.express-files.com.
MD5:
df03d4ca5ba5ff97807718522c6a0994

SHA-1:
c2277f10e971b25e6b1a512bf322427319809a7e

SHA-256:
d858438d427632c7c463d132d061b4df5f65b9c9538dc70f324e95336f1d0f30

Scanner detections:
10 / 68

Status:
Potentially unwanted

Analysis date:
4/25/2024 1:03:49 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| avast! | Win32:Downloader-TSH [PUP] | 2014.9-150910 |
| herdProtect (fuzzy) | | 2015.9.10.1 |
| K7 AntiVirus | Unwanted-Program | 13.175.10837 |
| Malwarebytes | PUP.Optional.ExpressFiles.A | v2015.09.10.01 |
| McAfee | Artemis!AFDE4A33097C | 5600.6647 |
| Reason Heuristics | Threat.Win.Reputation.IMP | 15.8.4.11 |
| Sophos | Express Files | 4.96 |
| Trend Micro House Call | TROJ_SPNV.03KB13 | 7.2.253 |
| Trend Micro | TROJ_SPNV.03KB13 | 10.465.10 |
| VIPRE Antivirus | ExpressFiles Installer | 25434 |

File size:
6 MB (6,283,360 bytes)

File type:
Executable application (Win16 EXE)

Common path:
C:\users\{user}\downloads\brooke_and_vikki_lesbian_twin_sluts_wmv_downloader_us_385.exe

File PE Metadata
Compilation timestamp:
3/21/2013 10:15:26 AM

OS version:
5.1

OS bitness:
Win16

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
98304:yD3DMje+qRp+cyI87RNh0dWGlfHqQUReYNa1ohs9IggpeV7klS+PlIU7tdIASaQK:K3Dl+q187Rn6llfTU3Na1oh0zRV4Y+Px

Entry address:
0xE507

Entry point:
E8, B9, 6B, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 55, 8B, EC, 57, 56, 8B, 75, 0C, 8B, 4D, 10, 8B, 7D, 08, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, A0, 01, 00, 00, 81, F9, 80, 00, 00, 00, 72, 1C, 83, 3D, A4, A7, 42, 00, 00, 74, 13, 57, 56, 83, E7, 0F, 83, E6, 0F, 3B, FE, 5E, 5F, 75, 05, E9, 47, 08, 00, 00, F7, C7, 03, 00, 00, 00, 75, 14, C1, E9, 02, 83, E2, 03, 83, F9, 08, 72, 29, F3, A5, FF, 24, 95, 90, E6, 40, 00, 8B, C7, BA, 03, 00, 00, 00...
 

Entropy:
7.9300  (probably packed)

Code size:
111 KB (113,664 bytes)

The file {blocked}.exe has been seen being distributed by the following URL.
