reimageexpresspackage.exe

Reimage Express

Reimage Limited

The application reimageexpresspackage.exe, “Reimage Express Installation Package” by Reimage Limited, has been detected as a potentially unwanted program by 7 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will display context-specific advertisements in the browser and attempt to modify the browser's search provider.

Publisher:
Reimage®  (signed by Reimage Limited)

Product:
Reimage Express

Description:
Reimage Express Installation Package

Version:
1.012

MD5:
aff4b753049034714eb870d6b6eb271c

SHA-1:
9b69ac51c27bd07ad9c822afb69f6f5a2e52d462

SHA-256:
7d90c2a1838cb578fd66e1f542d6be13a1d265e6bacdaf0a9b57dc34b58e2e36

Scanner detections:
7 / 68

Status:
Potentially unwanted

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
4/26/2024 12:01:17 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Bkav FE | W32.HfsAdware | 1.3.0.6379 |
| Dr.Web | riskware program Program.Unwanted.376, is riskware program Program.Unwanted.35 | 9.0.1.040 |
| ESET NOD32 | Detection.Undefined | 10.7.0.302.0 |
| NANO AntiVirus | Riskware.Nsis.Babylon.cwhyhv | 0.28.0.59288 |
| Reason Heuristics | PUP.Optional.Reimage.Installer | 16.2.9.0 |
| Rising Antivirus | NS:PUF.SilenceInstaller!1.9DDF | 23.00.65.16207 |
| Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.26.0 |

File size:
7.4 MB (7,776,032 bytes)

Product version:
1.012

Copyright:
© Reimage 2012

Original file name:
ExpressPackage.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\reimageexpresspackage.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
4/11/2012 1:00:00 AM

Valid to:
5/4/2014 12:59:59 AM

Subject:
CN=Reimage Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Reimage Limited, L=Nicosia, S=Nicosia, C=CY

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
08242D065B8CE1035215AAA943CF9166

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
196608:N8IYDDbptc1ypXp3lMUiIRvwn3MHbWiBKm7VXoi:N813pXp3mIRvK3WWiBKmJN

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 

Entropy:
7.9996

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)
