llys_istartsurf.exe

4845_tugss_istartsurf

Thinknice Co., Limited

The application llys_istartsurf.exe by Thinknice Co., Limited has been detected as adware by 6 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
Thinknice Co., Limited  (signed and verified)

Product:
4845_tugss_istartsurf

Description:
Installer Module

Version:
1, 0, 0, 1

MD5:
a3eafb17c9e279b051880760d4569b4b

SHA-1:
2d59f22b5b88f37f413b11243ea992a55999725c

SHA-256:
4d7a91c7bd17c038c7fbad9d02c4a6b1985e7de9863b1796245c4d2500f6a9d7

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
11/30/2024 9:05:46 AM UTC

Scan engine         Detection                                  Engine version
avast!              Win32:Oncer                                2014.9-151007
Dr.Web              Win32.Runonce.6652                         9.0.1.0280
F-Prot              W32/Thecid.B@mm                            v6.4.6.5.141
Malwarebytes        PUP.Optional.OurSeaching                   v2015.10.07.09
Reason Heuristics   PUP.Thinknice.ThinkniceCo.Installer (M)    15.9.27.12
VIPRE Antivirus     Threat.219451                              43798

File size:
536.1 KB (548,984 bytes)

Product version:
1, 0, 0, 1

Copyright:
Copyright 2015

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\llys_istartsurf.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
9/25/2015 12:18:26 PM

Valid to:
10/21/2015 10:26:52 AM

Subject:
CN="Thinknice Co., Limited", O="Thinknice Co., Limited", L=香港, S=香港, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112170C8A859FAC5632237A13A696FA39819

File PE Metadata
Compilation timestamp:
9/11/2015 12:27:29 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:qTwsAln1giCPA6W8XHFlrZtTVq2QBOiVuAC91hrrrr+1:WDbPW+pZtYlBOigAC91w1

Entry address:
0x2E557

Entry point:
E8, C7, AD, 00, 00, E9, 39, FE, FF, FF, 55, 8B, EC, 56, 57, 8B, 7D, 08, 85, FF, 74, 13, 8B, 4D, 0C, 85, C9, 74, 0C, 8B, 55, 10, 85, D2, 75, 1A, 33, C0, 66, 89, 07, E8, 64, 27, 00, 00, 6A, 16, 5E, 89, 30, E8, 04, 2E, 00, 00, 8B, C6, 5F, 5E, 5D, C3, 8B, F7, 66, 83, 3E, 00, 74, 06, 83, C6, 02, 49, 75, F4, 85, C9, 74, D4, 2B, F2, 0F, B7, 02, 66, 89, 04, 16, 8D, 52, 02, 66, 85, C0, 74, 03, 49, 75, EE, 33, C0, 85, C9, 75, D0, 66, 89, 07, E8, 20, 27, 00, 00, 6A, 22, EB, BA, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 74...
 
Code size:
344 KB (352,256 bytes)

The file llys_istartsurf.exe has been seen being distributed by the following URL.
