pjr_webssearches.exe

2455_pjr_webssearches

Xiaoqing Liu

The application pjr_webssearches.exe by Xiaoqing Liu has been detected as adware by 5 anti-malware scanners. It is a setup program used to install the application, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from www.girlwurina.com and multiple other hosts.
Publisher:
SysTools  (signed by Xiaoqing Liu)

Product:
2455_pjr_webssearches

Description:
SysTools

Version:
6.3.7601.1002

MD5:
8324eecad7f3454f003c4e9420f97fb9

SHA-1:
a0f86113f56caad122ccb4f53cf7f861ba0dba5e

SHA-256:
02db3398b0c7e21defab387172a255c49209a48bfdd79c1f39e3682dc6a09c05

Scanner detections:
5 / 68

Status:
Adware

Analysis date:
12/25/2024 12:50:36 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Baidu Antivirus | PUA.Win32.LiMo | 4.0.3.1517 |
| ESET NOD32 | Win32/LiMo (variant) | 9.10974 |
| G Data | Win32.Application.Limo | 15.2.24 |
| Reason Heuristics | PUP.XiaoqingLiu.Q | 15.1.7.13 |
| Sophos | Elex | 4.98 |

File size:
316.4 KB (324,040 bytes)

Product version:
6.3.7601.1002

Copyright:
SysTools

Original file name:
sTools.exe

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\pjr_webssearches.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
8/13/2014 12:00:00 AM

Valid to:
8/17/2015 12:00:00 PM

Subject:
CN=Xiaoqing Liu, O=Xiaoqing Liu, L=Zaozhuang, S=Shandong, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
01D9E1C9DEA81DDCA65062CC18203480

File PE Metadata
Compilation timestamp:
12/31/2014 9:09:57 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:kotrk0ky0geJCwQIV1NHrHdpx1EvkeUf+BdhZ5iG5xYxBDWnfYZ:koW0ky0geci56kT9pGfYZ

Entry address:
0x18B10

Entry point:
E8, B3, BC, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, 3C, F5, 50, 03, 44, 00, 00, 75, 13, 56, E8, 71, 00, 00, 00, 59, 85, C0, 75, 08, 6A, 11, E8, 44, 44, 00, 00, 59, FF, 34, F5, 50, 03, 44, 00, FF, 15, EC, 10, 43, 00, 5E, 5D, C3, 56, 57, BE, 50, 03, 44, 00, 8B, FE, 53, 8B, 1F, 85, DB, 74, 17, 83, 7F, 04, 01, 74, 11, 53, FF, 15, F4, 10, 43, 00, 53, E8, 66, C6, FF, FF, 83, 27, 00, 59, 83, C7, 08, 81, FF, 70, 04, 44, 00, 7C, D8, 5B, 83, 3E, 00, 74, 0E, 83, 7E, 04, 01, 75, 08, FF, 36, FF, 15...
 

Code size:
191.5 KB (196,096 bytes)

The file pjr_webssearches.exe has been seen being distributed by the following 2 URLs.

http://www.girlwurina.com/.../pjr_webssearches.exe

http://113.171.224.214/.../pjr_webssearches.exe
