winsere.exe

Yupeng Zhang

The application winsere.exe by Yupeng Zhang has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It runs as a Windows service named “Winsere”. This file is typically installed with the program yessearches Uninstall by ELEX, which is a potentially unwanted software program. While running, it connects to the Internet address server-54-230-141-113.sfo5.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Yupeng Zhang  (signed and verified)

MD5:
c412273a08b123f15e937b476122abb4

SHA-1:
eed6f2cd25e33b61c27461d66bb9235c71a68879

SHA-256:
9fbd1f9adc52e1bb08e7bc94d5d1a597ccec48520b26d2d8745d4dedf3b18def

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/28/2024 2:25:03 PM UTC  (today)

Scan engine:
Reason Heuristics

Detection:
Adware.SearchBeyond (M)

Engine version:
16.3.28.6

File size:
309.6 KB (316,984 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\searchestoyesbnd\winsere.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
3/14/2016 4:00:00 AM

Valid to:
2/4/2017 3:59:59 AM

Subject:
CN=Yupeng Zhang, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
56ED9E7C28D4E65DF6EF0253265ACB11

File PE Metadata
Compilation timestamp:
3/23/2016 1:41:39 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
6144:v8msGb+GAmRPEGDDA4peAQlnwg8DI/MTbv2Ts5u8Iir:v84umd3A4p4nCc6vD5u8Iir

Entry address:
0x1F18E

Entry point:
E8, 91, 57, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, 4C, B0, 44, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, 70, 94, 44, 00, 01, 0F, 82, A9, 5C, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83...

Entropy:
6.4952

Code size:
226.5 KB (231,936 bytes)

Service
Display name:
Winsere

Description:
Enables the detection, download and installation of updates for Winsere and other programs. If this service is disabled, users of this computer will not be able to use Winsere Update or its automatic

Type:
Win32OwnProcess, InteractiveProcess

The file winsere.exe has been discovered within the following program.

yessearches is a web browser search hijacker that modifies the assets of the user's web browser in order to redirect search results.
yessearches.com
88% remove it
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-123-107.dfw50.r.cloudfront.net  (54.192.123.107:80)

TCP (HTTP):
Connects to server-54-192-203-232.fra50.r.cloudfront.net  (54.192.203.232:80)

TCP (HTTP):
Connects to server-54-240-186-159.mad50.r.cloudfront.net  (54.240.186.159:80)

TCP (HTTP):
Connects to server-54-230-95-156.fra2.r.cloudfront.net  (54.230.95.156:80)

TCP (HTTP):
Connects to server-54-230-163-125.jax1.r.cloudfront.net  (54.230.163.125:80)

TCP (HTTP):
Connects to server-54-192-203-142.fra50.r.cloudfront.net  (54.192.203.142:80)

TCP (HTTP):
Connects to server-54-192-130-96.ams50.r.cloudfront.net  (54.192.130.96:80)

TCP (HTTP):
Connects to server-54-192-130-201.ams50.r.cloudfront.net  (54.192.130.201:80)

TCP (HTTP):
Connects to server-54-192-130-142.ams50.r.cloudfront.net  (54.192.130.142:80)

TCP (HTTP):
Connects to server-54-192-129-9.ams50.r.cloudfront.net  (54.192.129.9:80)

TCP (HTTP):
Connects to server-52-85-83-21.lax1.r.cloudfront.net  (52.85.83.21:80)

TCP (HTTP):
Connects to server-52-85-63-67.lhr50.r.cloudfront.net  (52.85.63.67:80)

TCP (HTTP):
Connects to server-52-84-16-223.sea32.r.cloudfront.net  (52.84.16.223:80)

TCP (HTTP):
Connects to static.vnpt.vn  (113.171.224.246:80)

TCP (HTTP):
Connects to server-54-240-186-92.mad50.r.cloudfront.net  (54.240.186.92:80)

TCP (HTTP):
Connects to server-54-240-186-34.mad50.r.cloudfront.net  (54.240.186.34:80)

TCP (HTTP):
Connects to server-54-239-132-49.sfo9.r.cloudfront.net  (54.239.132.49:80)

TCP (HTTP):
Connects to server-54-230-95-9.fra2.r.cloudfront.net  (54.230.95.9:80)

TCP (HTTP):
Connects to server-54-230-95-59.fra2.r.cloudfront.net  (54.230.95.59:80)

TCP (HTTP):
Connects to server-54-230-95-222.fra2.r.cloudfront.net  (54.230.95.222:80)

Remove winsere.exe - Powered by Reason Core Security