home

uninstall9870339.exe

ExpressFiles Application

Faglaro Enterprises Limited

The application uninstall9870339.exe by Faglaro Enterprises Limited has been detected as adware by 23 anti-malware scanners. The program is a setup application that uses the SimpleFiles installer. This will display context specific advertisements in the browser as well as attempt to modify the browser's search provider. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from install.express-downloader.com and multiple other hosts.
Publisher:
http://www.express-files.com/  (signed by Faglaro Enterprises Limited)

Product:
ExpressFiles Application

Version:
1, 0, 0, 496

MD5:
ec35e15f5fae36cc72f095d239255485

SHA-1:
620eb031f1f34be7c2f3deb5ab89b36c3255d6f6

SHA-256:
b510cec99a47ba9ff4069348a4ea7981f910ff38a7aeda010a56b39c58b2a541

Scanner detections:
23 / 68

Status:
Adware

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
4/26/2024 11:37:13 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.ExpressFiles
2013.11.27

Avira AntiVirus
ADWARE/Adware.Gen2
7.11.110.152

avast!
Win32:Downloader-TSH [PUP]
2014.9-131226

AVG
MalSign.Faglaro Enterprises Limited
2014.0.3614

Bkav FE
W32.Clod4a8.Trojan
1.3.0.4562

Dr.Web
Adware.Downware.1440
9.0.1.0254

Emsisoft Anti-Malware
Riskware.Win32.ExpressFiles.AMN
8.14.09.11.02

ESET NOD32
Win32/ExpressFiles (variant)
7.9099

Fortinet FortiGate
Riskware/Agent
9/11/2014

G Data
Win32.Application.ExpressFiles
14.9.22

herdProtect (fuzzy)
variant of uninstall40618651.exe (Adware)
2014.1.5.15

IKARUS anti.virus
not-a-virus:Downloader.Win32.Agent
t3scan.2.2.29

K7 AntiVirus
Unwanted-Program
13.174.10410

Kaspersky
not-a-virus:Downloader.Win32.Agent
14.0.0.3267

Malwarebytes
PUP.Optional.ExpressFiles.A
v2013.12.26.03

McAfee
Artemis!EC35E15F5FAE
5600.7270

NANO AntiVirus
Riskware.Win32.Babylon.craswq
0.28.0.57029

Reason Heuristics
PUP.FaglaroEnterprisesLimited.Q
14.8.7.22

Rising Antivirus
PE:PUF.ExpressFiles!1.9E64
23.00.65.14909

Sophos
Express Files
4.95

Trend Micro House Call
TROJ_GEN.F47V1125
7.2.360

Vba32 AntiVirus
Downloader.Agent
3.12.24.3

VIPRE Antivirus
ExpressFiles Installer
23764

File size:
6.3 MB (6,637,664 bytes)

Product version:
2,0,0,0

Copyright:
Copyright http://www.express-files.com/ (C) 2012

Original file name:
ExpressFiles.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
SimpleFiles

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\uninstall9870339.exe

Digital Signature
Signed by:
Faglaro Enterprises Limited

Authority:
COMODO CA Limited

Valid from:
12/12/2012 4:00:00 PM

Valid to:
12/13/2015 3:59:59 PM

Subject:
CN=Faglaro Enterprises Limited, O=Faglaro Enterprises Limited, STREET=Boumpoulinas 11, L=Nicosia, S=Nicosia, PostalCode=1060, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
37B080A790663B8AF63D05448AD0343B

File PE Metadata
Compilation timestamp:
11/25/2013 5:50:21 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
98304:JtV8mMNm/MB+x7CRj8fpqc2C8m+zqjXEfHqQUReYNa19cmCZPVYS06A1eUgaH:h8mcmUM680c2xHyUfTU3Na19/CZ+JfH

Entry address:
0x12702

Entry point:
E8, DE, 7D, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, 55, 8B, EC, 57, 56, 8B, 75, 0C, 8B, 4D, 10, 8B, 7D, 08, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, A0, 01, 00, 00, 81, F9, 80, 00, 00, 00, 72, 1C, 83, 3D, E4, 3A, 43, 00, 00, 74, 13, 57, 56, 83, E7, 0F, 83, E6, 0F, 3B, FE, 5E, 5F, 75, 05, E9, 49, 1E, 00, 00, F7, C7, 03, 00, 00, 00, 75, 14, C1, E9, 02, 83, E2, 03, 83, F9, 08, 72, 29, F3, A5, FF, 24, 95, 80, 28, 41, 00, 8B, C7, BA, 03, 00, 00, 00, 83, E9, 04, 72, 0C, 83, E0, 03, 03, C8, FF...
 
[+]

Entropy:
7.9327  (probably packed)

Code size:
129 KB (132,096 bytes)

The file uninstall9870339.exe has been seen being distributed by the following 31 URLs.

http://install.express-downloader.com/.../zy2yZjMpum82

http://data.express-downloader.com/.../zy2yZjMpum82

http://91.205.157.43/.../?wmid=99731&uid=675&q=Roy Orbison (Greatest Hits)-AJ-Planet Bytes Release

http://steblevsky.net/download.php?q=Um95IE9yYmlzb24gKEdyZWF0ZXN0IEhpdHMpLUFKLVBsYW5ldCBCeXRlcyBSZWxlYXNl

http://install.express-downloader.com/j5GGX2fXrhtn165Qf9alY37dpjRlr6svNqevLnmjxyRzpYFqF DffVWhjyhHsZVeF XBVwXGjRgL1c5XD9w1QgjVMQ==

http://data.express-downloader.com/j5GGX2fXrhtn165Qf9alY37dpjRlr6svNqevLnmjxyRzpYFqF DffVWhjyhHsZVeF XBVwXGjRgL1c5XD9w1QgjVMQ==

http://91.205.157.43/.../?wmid=99407&uid=814&q=Chegg account password crack

http://raisengine.com/gfeed/link/4wtMjE3fHwxMzgwOTY4NDgxfHwyMDI5fHwoRU5HSU5FKSBGb3J1bW90aW9uIHt9/Chegg_account_password_cracklkjh/.../1_fm.html

/other.php?d=j5GGX2fXrhBn165Qf9alaH7dpjRlr6svPaevLnmjxydt8dRjEuHcbxfh228Mq4QBWbGcAw/ZwF8G09scT4poFwPVPENyxy8LJ4Z5ES KTuoqwSahJW1w72s9Lbl8fFjjOzFW ARkXvoUcQvrGHlXxQd/.../q31T5aZ6VfHWOQS m2VZ75ttQ9WWakXBwhIWj8MHCbDTDLzKmB23yoEY7JyhX ycqRfkbbpa9mamva0=

http://install.express-downloader.com/j5GRVm7bjFVh2KRMYpieJWjQvCl34I8uZLe0IHTopyZyoMUTTaeHN0m1iXldtZgHE nFURSTjAlBiZQLB9E4Rw7bIwMxzThIfsE4TnvBJbE=

http://data.express-downloader.com/j5GRVm7bjFVh2KRMYpieJWjQvCl34I8uZLe0IHTopyZyoMUTTaeHN0m1iXldtZgHE nFURSTjAlBiZQLB9E4Rw7bIwMxzThIfsE4TnvBJbE=

http://91.205.157.43/.../?wmid=99407&uid=814&q=TalkEnglish Offline Version Full Download

http://mylinkdirs.com/gfeed/link/rr7MjE3fHwxMzgwOTY4NDgxfHwyMDI5fHwoRU5HSU5FKSBGb3J1bW90aW9uIHt9/TalkEnglish_Offline_Version_Full_Downloadlkjh/.../1_fm.html

http://smart.yourfiledownloader.com/j5GRVm7bjFVh2KRMYpOeJWjQvCl3648uZLe0IHTjpyZyoM4TTaeHN0m1iXleq8xSHeXBXwfSy1IDwo4aWJ9sGlrRPE52wD5dNYFvFi7FKLp6zCKhImFr/.../gYtHqtfMlnmGn0MzBp0UNVUVEvKEEJUzCVcOMMbEX2R4Vwg2O0JfJn8WT2q6mMhrv8lZPqlfWn3qX9U6qtqFaXNNBy40gsEu5dqV5eTPQ==

http://91.205.157.43/.../?wmid=128&uid=125&q=Dimitri From Paris - The Remix Files (2011) 320 kbps

http://download-client.com/.../?wmid=99143&uid=643&q=CyberLink PowerDirector 12 Ultra 12.0.0.1996 Multilingual [ChingLiu]

http://data.express-downloader.com/.../IJ6U9iXfwP2l9tm89LLtpLlXgYz0Wr1clHKJSJh0=

http://install.express-downloader.com/.../IJ6U9iXfwP2l9tm89LLtpLlXgYz0Wr1clHKJSJh0=

http://l.go-for-files.com/.../QjlXG6azAvrSJ9bepne071KntE5Qc2XekHckv2CUdF2h55CJJUVATJUEdRxhlDfIJYXDfY5kUqz9ldKYK5

http://starsearchtool.com/gfeed/link/ki7MjE3fHwxMzgzNTIwMTE1fHwyMDI5fHwoRU5HSU5FKSBGb3J1bW90aW9uIHt9/3cdaemon_para_windows_7bfdcm/.../1_fm.html

http://91.205.157.43/.../?wmid=99462&uid=814&q=3cdaemon para windows 7

http://data.express-downloader.com/j5H2VGbRrFZp2u1Pa8qwY3nVuyN9t6prIeKqInOs3GYu sMkV7KeNk w0GYT7MdRCKiGWgPTwV4D18hfA9s=

http://install.express-downloader.com/j5H2VGbRrFZp2u1Pa8qwY3nVuyN9t6prIeKqInOs3GYu sMkV7KeNk w0GYT7MdRCKiGWgPTwV4D18hfA9s=

http://91.205.157.43/TR/.../greatest.hits.huey.lewis.the.news

http://data.express-downloader.com/.../oIWTKuYDlbdwFIA08xJTps8Qg3UMEJwwDtKdA==

http://install.express-downloader.com/.../oIWTKuYDlbdwFIA08xJTps8Qg3UMEJwwDtKdA==

http://l.go-for-files.com/j5GxX2eboldz1uYOPZOndCCJ/jN9sqsueLD7O2n10GAn/dNnEuPYYgCnmD1dtZgHE XMUwTS3xhDhpQLB9E4RwjeIwcjgn0VI4ZSFi7FIqU5kXzjbzkpsnBwZP8/.../IGk1exEcZZ8MMQyHC4UQW0uIJfg==

http://hardlyfind.com/gfeed/link/192MjE3fHwxMzgzNTIwMTE1fHwyMDI5fHwoRU5HSU5FKSBGb3J1bW90aW9uIHt9/the_klub_17_v7.5_torrentbfdcm/.../1_fm.html

http://91.205.157.43/.../?wmid=99462&uid=814&q=the klub 17 v7.5 torrent

http://data.express-downloader.com/j5GxX2eQoldz1u0OPZindCCJ9TN9sqsueLD7OHehhW4r/.../RylMD0cpeC9o3

Latest 30 of 31 download URLs

Remove uninstall9870339.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.