home

updatewinexpand.exe

WinExpandSetup_imnw 응용 프로그램

JS Communications Corp

The application updatewinexpand.exe, “WinExpandSetup_imnw MFC 응용 프로그램” by JS Communications Corp has been detected as a potentially unwanted program by 12 anti-malware scanners. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
JS Communications Corp  (signed and verified)

Product:
WinExpandSetup_imnw 응용 프로그램

Description:
WinExpandSetup_imnw MFC 응용 프로그램

Version:
1, 0, 0, 1

MD5:
fe5b3513f8471c083dd49ba4f04e7cf2

SHA-1:
177d8e20cbb167795a27bd679e0145655e823e81

SHA-256:
d51bf0b3fe26407b94e036aaf47777bfe7642c00d890703eb8ecbf1f08bd2b9b

Scanner detections:
12 / 68

Status:
Potentially unwanted

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
5/4/2024 1:23:34 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
TR/Downloader.Gen
8.3.2.4

avast!
Win32:Adware-gen [Adw]
2014.9-160407

AVG
Generic
2017.0.2781

Comodo Security
ApplicUnwnt
23732

Dr.Web
Trojan.Fakealert.51941
9.0.1.098

ESET NOD32
Win32/Adware.Kraddare.HA (variant)
10.12701

Fortinet FortiGate
Riskware/Kraddare
4/7/2016

IKARUS anti.virus
PUA.Kraddare
t3scan.1.9.5.0

K7 AntiVirus
Adware
13.212.18068

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.4

VIPRE Antivirus
Trojan.Win32.Generic
45740

Zillya! Antivirus
Adware.BrowseFox.Win32.193894
2.0.0.2556

File size:
491 KB (502,816 bytes)

Product version:
1, 0, 0, 1

Copyright:
Copyright (C) 2009

Original file name:
WinExpandSetup_imnw.EXE

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\updatewinexpand.exe

Digital Signature
Signed by:
JS Communications Corp

Authority:
VeriSign, Inc.

Valid from:
6/25/2015 9:00:00 AM

Valid to:
8/24/2016 8:59:59 AM

Subject:
CN=JS Communications Corp, O=JS Communications Corp, L=Gangnam-Gu, S=Seoul, C=KR

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6B4533C09FB38C8D161FDCC023BE8EBD

File PE Metadata
Compilation timestamp:
11/18/2015 2:49:50 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:5Auh0AcP3EIaEGlZzkQemQbIDa+HMSXw0VjYcB+BAnWK26Rjwmt+Vac14I6SEa2K:5dZzUmQbS9PVRByFK26Rs5f6G2fC

Entry address:
0x2CE35

Entry point:
E8, 10, 9E, 00, 00, E9, 78, FE, FF, FF, 8B, FF, 55, 8B, EC, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75, 08, E8, 89, 9E, 00, 00, 83, C4, 14, 5D, C3, 8B, FF, 55, 8B, EC, 8B, 45, 08, 66, 8B, 08, 40, 40, 66, 85, C9, 75, F6, 2B, 45, 08, D1, F8, 48, 5D, C3, 8B, FF, 55, 8B, EC, 8B, 55, 08, 53, 56, 57, 33, FF, 3B, D7, 74, 07, 8B, 5D, 0C, 3B, DF, 77, 1E, E8, 6B, 09, 00, 00, 6A, 16, 5E, 89, 30, 57, 57, 57, 57, 57, E8, 9A, 3B, 00, 00, 83, C4, 14, 8B, C6, 5F, 5E, 5B, 5D, C3, 8B, 75, 10, 3B, F7, 75, 07, 33, C0...
 
[+]

Entropy:
6.6363

Code size:
269.5 KB (275,968 bytes)

Remove updatewinexpand.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.