0qvdfl1btsq==1.exe

5372_obw_yoursearching

CHAODONG XIAO

The application 0qvdfl1btsq==1.exe by CHAODONG XIAO has been detected as a potentially unwanted program by 10 anti-malware scanners. It is a setup program used to install the application. It is an adware bundler (also known as ElexNetDownload) that includes additional unwanted offers in the download and install process. During installation it connects to twonext.com and xingcloud.com to determine which offers to show the user, based on what is already installed and the user's location. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
CHAODONG XIAO  (signed and verified)

Product:
5372_obw_yoursearching

Version:
7,0,0,2918

MD5:
e986a7bfba6b93e64e7786e4c3c0d6ca

SHA-1:
51927fa75ddb917e956a4fd51a4621f11d46d88d

SHA-256:
23e53e35a3e81d23e6c5e201b55b9b765f889c935420a03b85b4b0de530dcfaa

Scanner detections:
10 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
12/26/2024 4:17:58 PM UTC

Scan engine         Detection                                      Engine version
AhnLab V3 Security  PUP/Win32.Amonetiz                             2015.12.15
Avira AntiVirus     PUA/Subtab.Gen7                                8.3.2.4
Baidu Antivirus     Adware.Win32.ELEX                              4.0.3.151216
ESET NOD32          Win32/ELEX.FG potentially unwanted (variant)   9.12725
K7 AntiVirus        Adware                                         13.212.18111
Malwarebytes        PUP.Optional.YourSearching.ShrtCln             v2015.12.16.02
Reason Heuristics   PUP.CHAODONGXIAO (M)                           15.12.16.2
Rising Antivirus    PE:Malware.Generic(Thunder)!1.A1C4 [F]         23.00.65.151214
VIPRE Antivirus     Elex Installer                                 45856
Zillya! Antivirus   Adware.OutBrowse.Win32.74938                   2.0.0.2562

File size:
190.3 KB (194,816 bytes)

Product version:
7,0,0,2918

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\0qvdfl1btsq==1.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
12/13/2015 10:00:00 PM

Valid to:
10/20/2016 9:59:59 PM

Subject:
CN=CHAODONG XIAO, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
2B2A034F8507D947DEA36F9363582F61

File PE Metadata
Compilation timestamp:
12/4/2015 7:52:52 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:K8EgK1bY8aBRYDpCYnGRrmkErWnLZdD9EhHky+ve9xp0Vr:K8EB1bMwC6GRSJmy4

Entry address:
0xF404

Entry point:
E8, DB, A5, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, B8, A9, 42, 00, E8, 06, 5D, 00, 00, E8, B2, 24, 00, 00, 0F, B7, F0, 6A, 02, E8, 6E, A5, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 62, 59, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Code size:
129.5 KB (132,608 bytes)

The file 0qvdfl1btsq==1.exe has been seen being distributed by the following URL.

Remove 0qvdfl1btsq==1.exe - Powered by Reason Core Security