0p1faklnmsg==2.exe

5372_obw_yoursearching

CHAODONG XIAO

The application 0p1faklnmsg==2.exe by CHAODONG XIAO has been detected as a potentially unwanted program by 6 anti-malware scanners. It is an adware bundler (also known as ElexNetDownload) that adds unwanted offers to the download and install process. During installation it connects to twonext.com and xingcloud.com to determine which offers to show the user, based on what is already installed and on the user's location. The file has been seen being downloaded from d3kj6o4rxau601.cloudfront.net and multiple other hosts.
Publisher:
CHAODONG XIAO  (signed and verified)

Product:
5372_obw_yoursearching

Version:
7,0,0,2918

MD5:
78de36723e71e0db8ddceeb22d0bfb27

SHA-1:
4e621d70cc94fb873e011d931a409affebb0ad61

SHA-256:
0d2c691c68661e945bfc67458b07bd91fdf676a4b59816f5b8da8c576f93c25c

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
12/26/2024 4:24:35 PM UTC

Scan engine | Detection | Engine version
Baidu Antivirus | Adware.Win32.ELEX | 4.0.3.15125
ESET NOD32 | Win32/ELEX.FG potentially unwanted (variant) | 9.12675
Malwarebytes | PUP.Optional.YourSearching.ShrtCln | v2015.12.05.01
Qihoo 360 Security | HEUR/QVM10.1.Malware.Gen | 1.0.0.1077
Reason Heuristics | PUP.CHAODONGXIAO (M) | 15.12.5.13
VIPRE Antivirus | Elex Installer | 45628

File size:
190.3 KB (194,816 bytes)

Product version:
7,0,0,2918

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\0p1faklnmsg==2.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
12/3/2015 4:00:00 PM

Valid to:
10/20/2016 4:59:59 PM

Subject:
CN=CHAODONG XIAO, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
1D355F4673632E66CBCBBA66F7565946

File PE Metadata
Compilation timestamp:
12/4/2015 1:52:52 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:r8EgK1bY8aBRYDpCYnGRrmkErWnLZdD9EhHky+ve9xp0Vl:r8EB1bMwC6GRSJmy4

Entry address:
0xF404

Entry point:
E8, DB, A5, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, B8, A9, 42, 00, E8, 06, 5D, 00, 00, E8, B2, 24, 00, 00, 0F, B7, F0, 6A, 02, E8, 6E, A5, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 62, 59, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
6.3782

Code size:
129.5 KB (132,608 bytes)

The file 0p1faklnmsg==2.exe has been seen being distributed by the following 2 URLs.

Remove 0p1faklnmsg==2.exe - Powered by Reason Core Security