0pljatvnq1.exe

4201_obw_istartsurf

Fuyuan Zhou

The application 0pljatvnq1.exe by Fuyuan Zhou has been detected as adware by 7 anti-malware scanners. It is a setup program used to install the application and is typically executed from the user's temporary directory. The file has been observed being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
Welnk.com (signed by Fuyuan Zhou)

Product:
4201_obw_istartsurf

Description:
Welnk

Version:
6.6.86.1640

MD5:
41d7614e70c421dc6dff2d80c4697eb9

SHA-1:
3358e32f4cd95f32498688640ea491fc21d3b985

SHA-256:
d07e1165cde573d9609cceefb4ddbc5bcbeb37a5d2673bd464bc2305d3e4a345

Scanner detections:
7 / 68

Status:
Adware

Analysis date:
12/25/2024 6:23:02 PM UTC

Scan engine | Detection | Engine version
Bkav FE | W32.HfsAdware | 1.3.0.6979
Dr.Web | Adware.Mutabaha.597 | 9.0.1.0211
herdProtect (fuzzy) | | 2015.9.2.15
Malwarebytes | PUP.Optional.IStartSurf.ShrtCln | v2015.07.30.01
NANO AntiVirus | Riskware.Win32.Mutabaha.dunath | 0.30.24.2668
Quick Heal | PUA.MSJDGBTIR.OD6 | 9.15.14.00
Reason Heuristics | PUP.FuyuanZhou (M) | 15.7.30.1

File size:
277.1 KB (283,744 bytes)

Product version:
6.6.86.1000

Copyright:
Copyright (C) Welnk 2006

Original file name:
WeLink.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\0pljatvnq1.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
1/15/2015 1:00:00 AM

Valid to:
1/20/2016 1:00:00 PM

Subject:
CN=Fuyuan Zhou, O=Fuyuan Zhou, L=Jilin, S=Jilin, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0933772030CFD7E6A3D0D1959D875688

File PE Metadata
Compilation timestamp:
7/23/2015 12:47:48 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:coxCDGaymlXtzSCelgS/oOvtmOcnxY/HkQhpNw:cjaNm8ll/oOFmXnenpw

Entry address:
0x13584

Entry point:
E8, 87, B7, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 18, 95, 42, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 60, 91, 42, 00, C9, C2, 08, 00, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4...

Code size:
160 KB (163,840 bytes)

The file 0pljatvnq1.exe has been seen being distributed by the following URL.
