llys_istartpageing.exe

5376_tugss_istartpageing

CHAODONG XIAO

The application llys_istartpageing.exe by CHAODONG XIAO has been detected as a potentially unwanted program by 12 anti-malware scanners. It is a setup program used to install the application. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse), which bundles additional software offers including toolbars, extensions, PC utilities and other PUPs. The file has been seen being downloaded from d3kj6o4rxau601.cloudfront.net.
Publisher:
CHAODONG XIAO (signed and verified)

Product:
5376_tugss_istartpageing

Version:
7,0,0,2918

MD5:
ad4b0aa8758d0734e68e3ce1d3d5d7aa

SHA-1:
1db746eb8faa53b7b58af92cd2c2ba0e7897f482

SHA-256:
d195bd9dc45845d8023e2757f1d22e102105b197aebc236d90986d832ea34e9a

Scanner detections:
12 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
12/26/2024 4:16:44 PM UTC

Scan engine / Detection / Engine version:

AhnLab V3 Security: PUP/Win32.Amonetiz (engine 2015.12.13)
Avira AntiVirus: TR/Crypt.XPACK.Gen (engine 7.11.30.172)
AVG: Generic (engine 2016.0.2897)
Baidu Antivirus: Adware.Win32.ELEX (engine 4.0.3.151213)
ESET NOD32: Win32/ELEX.FG potentially unwanted application (engine 7.0.302.0)
K7 AntiVirus: Adware (engine 13.212.18089)
Malwarebytes: PUP.Optional.PUP.Optional.IStartPageing.ChrPRST (engine v2015.12.13.04)
Microsoft Security Essentials: Threat.Undefined (engine 1.211.2544.0)
Qihoo 360 Security: HEUR/QVM10.1.Malware.Gen (engine 1.0.0.1077)
Reason Heuristics: PUP.CHAODONGXIAO (M) (engine 15.12.13.3)
VIPRE Antivirus: Threat.4788726 (engine 45788)
Zillya! Antivirus: Adware.OutBrowse.Win32.74938 (engine 2.0.0.2560)

File size:
190.3 KB (194,816 bytes)

Product version:
7,0,0,2918

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\llys_istartpageing.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
12/4/2015 1:00:00 AM

Valid to:
10/21/2016 12:59:59 AM

Subject:
CN=CHAODONG XIAO, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
1D355F4673632E66CBCBBA66F7565946

File PE Metadata
Compilation timestamp:
12/4/2015 10:52:52 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:t8EgK1bY8aBRYDpCYnGRrmkErWnLZdD9EhHky+ve9xp0Vm:t8EB1bMwC6GRSJmy4

Entry address:
0xF404

Entry point:
E8, DB, A5, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, B8, A9, 42, 00, E8, 06, 5D, 00, 00, E8, B2, 24, 00, 00, 0F, B7, F0, 6A, 02, E8, 6E, A5, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 62, 59, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
Code size:
129.5 KB (132,608 bytes)

The file llys_istartpageing.exe has been seen being distributed by the following URL.