updatewinexpand.exe

WinExpandSetup_v2flash365

JS Communications Corp

The application updatewinexpand.exe by JS Communications Corp has been detected as a potentially unwanted program by 14 anti-malware scanners. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
CJMooter (signed by JS Communications Corp)

Product:
WinExpandSetup_v2flash365

Version:
1, 0, 0, 2

MD5:
c1cd1f652ff55096e90df32dc1e47271

SHA-1:
f3e935c611559b7e48c86c01c2c0eb1487daa7de

SHA-256:
b0adc3300a2ebd916971f15851c252372dab80dca094bc449e786f885a30c95b

Scanner detections:
14 / 68

Status:
Potentially unwanted

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
5/4/2024 5:50:12 AM UTC

Scan engine           Detection                               Engine version
Avira AntiVirus       TR/Downloader.Gen                       8.3.2.4
avast!                Win32:Adware-gen [Adw]                  2014.9-160211
AVG                   Generic                                 2017.0.2837
Baidu Antivirus       Adware.Win32.Kraddare                   4.0.3.16211
Dr.Web                Trojan.Fakealert.51941                  9.0.1.042
ESET NOD32            Win32/Adware.Kraddare.HA (variant)      10.12639
Fortinet FortiGate    Riskware/Kraddare                       2/11/2016
K7 AntiVirus          Adware                                  13.212.17997
Malwarebytes          Adware.KorAd                            v2016.02.11.02
McAfee                Artemis!C1CD1F652FF5                    5600.6493
Sophos                Generic PUA PD (PUA)                    4.98
Vba32 AntiVirus       suspected of Trojan.Downloader.gen.h    3.12.26.4
VIPRE Antivirus       Trojan.Win32.Generic                    45476
Zillya! Antivirus     Adware.BrowseFox.Win32.193894           2.0.0.2536

File size:
491 KB (502,816 bytes)

Product version:
1, 0, 0, 2

Copyright:
(c) CJMooter. All rights reserved.

Original file name:
WinExpandSetup_v2flash365.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\updatewinexpand.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
6/25/2015 9:00:00 AM

Valid to:
8/24/2016 8:59:59 AM

Subject:
CN=JS Communications Corp, O=JS Communications Corp, L=Gangnam-Gu, S=Seoul, C=KR

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6B4533C09FB38C8D161FDCC023BE8EBD

File PE Metadata
Compilation timestamp:
11/18/2015 2:45:02 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:yAuh0AcP3EIaEGlZzkQemQbIDa+HMSXw0VjYcB+BAnWK2ORHwmtXVac14I6SEM2L:ydZzUmQbS9PVRByFK2ORZ5f6Y2fD

Entry address:
0x2CE35

Entry point:
E8, 10, 9E, 00, 00, E9, 78, FE, FF, FF, 8B, FF, 55, 8B, EC, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75, 08, E8, 89, 9E, 00, 00, 83, C4, 14, 5D, C3, 8B, FF, 55, 8B, EC, 8B, 45, 08, 66, 8B, 08, 40, 40, 66, 85, C9, 75, F6, 2B, 45, 08, D1, F8, 48, 5D, C3, 8B, FF, 55, 8B, EC, 8B, 55, 08, 53, 56, 57, 33, FF, 3B, D7, 74, 07, 8B, 5D, 0C, 3B, DF, 77, 1E, E8, 6B, 09, 00, 00, 6A, 16, 5E, 89, 30, 57, 57, 57, 57, 57, E8, 9A, 3B, 00, 00, 83, C4, 14, 8B, C6, 5F, 5E, 5B, 5D, C3, 8B, 75, 10, 3B, F7, 75, 07, 33, C0...

Entropy:
6.6347

Code size:
269.5 KB (275,968 bytes)

Powered by Reason Core Security