dae_do-search.exe

4698_dae_do-search

Thinknice Co., Limited

The application dae_do-search.exe by Thinknice Co., Limited has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from www.girlliuxiaowei.com and multiple other hosts.
Publisher:
Portmon/EE  (signed by Thinknice Co., Limited)

Product:
4698_dae_do-search

Description:
Portmon/EE

Version:
7.0.1.12

MD5:
b8250a532bb315c465adbd8b32af3bcf

SHA-1:
68344fa910ac502fa7c191473baadfb5c2d42444

SHA-256:
96cd6fbb8e5072f717cd88733bb8f509aef6e789bafd6807e310b5c2b38f040d

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not yet detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
12/25/2024 7:26:43 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Thinknice.ThinkniceCo (M)

Engine version:
16.1.23.11

File size:
311.6 KB (319,128 bytes)

Product version:
7.0.1.12

Copyright:
Portmon/EE

Original file name:
portmon.exe

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\dae_do-search.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
8/24/2015 12:34:54 PM

Valid to:
10/21/2015 9:26:52 AM

Subject:
CN="Thinknice Co., Limited", O="Thinknice Co., Limited", L=香港, S=香港, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121CBE5C1558EDCC9CCFB7F6A4D0149AC0F

File PE Metadata
Compilation timestamp:
8/28/2015 9:31:28 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:Y9KDmF0UPYfD0jZDI8JByxIltt1Azp9FSZCNC+RdbVUhqcxxUvv1B6S/:YQDm0gy45jqxoCzAZFozJdB62

Entry address:
0x180B6

Entry point:
E8, 00, BE, 00, 00, E9, 7F, FE, FF, FF, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 4C, 4D, 44, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 50, F8, 43, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 4C, 4D, 44, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00, F7, C6, 03, 00, 00, 00...

Code size:
193 KB (197,632 bytes)

The file dae_do-search.exe has been seen being distributed by the following 2 URLs.
