uninstall3478463.exe

ExpressFiles Application

Faglaro Enterprises Limited

The application uninstall3478463.exe by Faglaro Enterprises Limited has been detected as adware by 12 anti-malware scanners. The program is a setup application that uses the SimpleFiles installer. It uses the ExpressFiles installer to bundle additional adware offers such as toolbars and web browser addons. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from inst.express-files.com and multiple other hosts.
Publisher:
http://www.express-files.com/  (signed by Faglaro Enterprises Limited)

Product:
ExpressFiles Application

Version:
1, 0, 0, 496

MD5:
85b977e971d7b862a474a49977fb70d5

SHA-1:
4f40f60e79953c51bd0a469e61433c99aa714c55

SHA-256:
8f79ba064dda09a1e2d981cbdeb82847e49d2cef14075f090e2b14806dbcf69b

Scanner detections:
12 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or open source) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/24/2024 11:06:09 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| AhnLab V3 Security | PUP/Win32.ExpressFiles | 2014.11.02 |
| avast! | Win32:Downloader-TSH [PUP] | 2014.9-150109 |
| AVG | Faglaro Enterprises Limited | 2016.0.3234 |
| ESET NOD32 | Win32/ExpressFiles (variant) | 9.10656 |
| G Data | Win32.Application.ExpressFiles | 15.1.24 |
| Malwarebytes | PUP.Optional.ExpressFiles.A | v2015.01.09.12 |
| McAfee | Artemis!85B977E971D7 | 5600.6890 |
| NANO AntiVirus | Riskware.Win32.Yotoon.cylviu | 0.28.6.62995 |
| Reason Heuristics | PUP.FaglaroEnterprisesLimited.Q | 15.1.9.12 |
| Sophos | Express Files | 4.98 |
| Trend Micro House Call | Suspicious_GEN.F47V0806 | 7.2.9 |
| VIPRE Antivirus | ExpressFiles Installer | 34438 |

File size:
6.5 MB (6,810,208 bytes)

Product version:
2,0,0,0

Copyright:
Copyright http://www.express-files.com/ (C) 2012

Original file name:
ExpressFiles.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
SimpleFiles

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\uninstall3478463.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/12/2012 5:00:00 PM

Valid to:
12/13/2015 4:59:59 PM

Subject:
CN=Faglaro Enterprises Limited, O=Faglaro Enterprises Limited, STREET=Boumpoulinas 11, L=Nicosia, S=Nicosia, PostalCode=1060, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
37B080A790663B8AF63D05448AD0343B

File PE Metadata
Compilation timestamp:
5/7/2013 9:49:07 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
196608:p3Dl+q18z05nfwlfTU3Na1MKRCMLh0zRV4Y+Pleiw64:p3Dl+C8z05cfQdamMCMF0bKel64

Entry address:
0xE157

Entry point:
E8, B9, 6B, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 55, 8B, EC, 57, 56, 8B, 75, 0C, 8B, 4D, 10, 8B, 7D, 08, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, A0, 01, 00, 00, 81, F9, 80, 00, 00, 00, 72, 1C, 83, 3D, A4, A7, 42, 00, 00, 74, 13, 57, 56, 83, E7, 0F, 83, E6, 0F, 3B, FE, 5E, 5F, 75, 05, E9, 47, 08, 00, 00, F7, C7, 03, 00, 00, 00, 75, 14, C1, E9, 02, 83, E2, 03, 83, F9, 08, 72, 29, F3, A5, FF, 24, 95, E0, E2, 40, 00, 8B, C7, BA, 03, 00, 00, 00...
 

Code size:
110 KB (112,640 bytes)

The file uninstall3478463.exe has been seen being distributed by the following 8 URLs.
