lly_webssearches.exe

517_tugs

Hefei Zhimingxingtong Software&Technology Co., Ltd.

The application lly_webssearches.exe by Hefei Zhimingxingtong Software&Technology Co. has been detected as a potentially unwanted program by 10 anti-malware scanners. This is a setup program used to install the application. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.po114.org and multiple other hosts.
Publisher:
Hefei Zhimingxingtong Software&Technology Co., Ltd.

Product:
517_tugs

Description:
File Work

Version:
14.4.4.13

MD5:
a9cbcc92443360e4a0493b15d6b51a86

SHA-1:
24010e50cfdf1f290595acd7ebcd794104b09e14

SHA-256:
8ffe323fc91d5cc0779e21cee1553572b28ce490e8414deecfc4e9f00ae2886b

Scanner detections:
10 / 68

Status:
Potentially unwanted

Analysis date:
11/6/2024 12:54:23 AM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | Riskware.Agent | 7.1.1
AhnLab V3 Security | PUP/Win32.Amonetiz | 2014.06.27
Baidu Antivirus | Adware.Win32.ELEX | 4.0.3.14717
Dr.Web | Adware.Mutabaha.54 | 9.0.1.05190
ESET NOD32 | Win32/ELEX.AL potentially unwanted application | 7.0.302.0
Kaspersky | not-a-virus:AdWare.Win32.ELEX | 15.0.0.494
McAfee | Artemis!A9CBCC924433 | 5600.7066
Reason Heuristics | PUP.HefeiZhimingxingtongSoftwareTechnologyCo.Q | 14.7.10.1
Rising Antivirus | PE:Worm.Rebhip!1.64F0 | 23.00.65.14715
Trend Micro House Call | Suspicious_GEN.F47V0613 | 7.2.198

File size:
625.2 KB (640,184 bytes)

Product version:
14.4.4.13

Copyright:
Copyright (C) 2014

Original file name:
FileWork.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\lly_webssearches.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
10/29/2013 10:07:05 AM

Valid to:
10/30/2014 10:07:05 AM

Subject:
CN="Hefei Zhimingxingtong Software&Technology Co., Ltd.", O="Hefei Zhimingxingtong Software&Technology Co., Ltd.", L=Hefei, S=Anhui, C=CN

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11219E374B1001FFC6B983B5DE082D65401A

File PE Metadata
Compilation timestamp:
6/10/2014 3:37:01 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:eizhRMh7FVbkhPwhVZmEcZNCYE0kq6qh6VbVlbc4fEDyAs4fAA6h+t7xKa7KOZdi:Dzhah7FVzVZiZNCYE9D8J6hA7KZ

Entry address:
0x4F3DF

Entry point:
E8, 04, 08, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 83, 7D, 08, 00, 75, 0B, FF, 75, 0C, E8, 7C, BA, FF, FF, 59, 5D, C3, 56, 8B, 75, 0C, 85, F6, 75, 0D, FF, 75, 08, E8, 3D, B8, FF, FF, 59, 33, C0, EB, 4D, 53, EB, 30, 85, F6, 75, 01, 46, 56, FF, 75, 08, 6A, 00, FF, 35, B0, 71, 48, 00, FF, 15, 48, D2, 46, 00, 8B, D8, 85, DB, 75, 5E, 39, 05, B4, 71, 48, 00, 74, 40, 56, E8, 24, 61, 00, 00, 59, 85, C0, 74, 1D, 83, FE, E0, 76, CB, 56, E8, 14, 61, 00, 00, 59, E8, AB, C2, FF, FF, C7, 00, 0C, 00, 00, 00, 33, C0, 5B...

Code size:
430.5 KB (440,832 bytes)

The file lly_webssearches.exe has been seen being distributed by the following 4 URLs.

http://www.po114.org/hpnt/.../lly_webssearches.exe

Remove lly_webssearches.exe - Powered by Reason Core Security