306.exe

4823_brd_istartsurf

Thinknice Co., Limited

The application 306.exe by Thinknice Co., Limited has been detected as adware by 12 anti-malware scanners. This is an adware bundler (AKA ElexNetDownload) that will include additional unwanted offers in the download and install process. During install it will establish a connection to twonext.com and xingcloud.com to determine what offers to show the user (based on what is already installed and where they live).It is also typically executed from the user's temporary directory.
Publisher:
7th  (signed by Thinknice Co., Limited)

Product:
4823_brd_istartsurf

Description:
7th

Version:
7,0,0,2810

MD5:
2bc41b5d154b3f7155e7f5e9807d505d

SHA-1:
8dcce8767aec09c9cd65d634f28286b11bfc408e

SHA-256:
1af92e371826b32febb2a00a7bba59581d80568bbc44de718cc6c2f3093be4b3

Scanner detections:
12 / 68

Status:
Adware

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
11/30/2024 9:11:05 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

Comodo Security
Application.Win32.ELEX.~B
23385

Dr.Web
Adware.Mutabaha.731
9.0.1.0283

ESET NOD32
Win32/ELEX.FG potentially unwanted (variant)
9.12384

Fortinet FortiGate
Riskware/Elex
10/10/2015

G Data
Win32.Application.IStartSurf
15.10.25

K7 AntiVirus
Adware
13.210.17488

Malwarebytes
PUP.Optional.IStartSurf.ShrtCln
v2015.10.10.01

Reason Heuristics
PUP.Thinknice.ThinkniceCo (M)
15.10.10.1

SUPERAntiSpyware
PUP.MyStartSearch/Variant
9579

VIPRE Antivirus
Elex Installer
44418

Zillya! Antivirus
Adware.ELEX.Win32.3
2.0.0.2437

File size:
353.1 KB (361,592 bytes)

Product version:
7,0,0,2810

Copyright:
7th

Original file name:
7th

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\306.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
9/25/2015 4:18:26 PM

Valid to:
10/21/2015 2:26:52 PM

Subject:
CN="Thinknice Co., Limited", O="Thinknice Co., Limited", L=香港, S=香港, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112170C8A859FAC5632237A13A696FA39819

File PE Metadata
Compilation timestamp:
9/12/2015 11:40:38 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:2fByutMgKwfe8nDY94mqqOyp2vTe6WVhLqnMALt4Nr0usU+5NeEdf6UerNzTxP+w:2gutMgh8y7nTeHoMg4dbsU4GAw

Entry address:
0x18724

Entry point:
E8, 5E, CF, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 80, 27, 45, 00, E8, 56, 67, 00, 00, E8, 82, 2D, 00, 00, 0F, B7, F0, 6A, 02, E8, F1, CE, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, B2, 63, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
5.9003

Code size:
190.5 KB (195,072 bytes)

Remove 306.exe - Powered by Reason Core Security