wpc_istart123.exe

1226_wpc_istart123

Liyan Liu

The application wpc_istart123.exe by Liyan Liu has been detected as adware by 12 anti-malware scanners. This is an adware bundler (also known as ElexNetDownload) that includes additional unwanted offers in the download and install process. During install it establishes a connection to twonext.com and xingcloud.com to determine what offers to show the user (based on what is already installed and where they live). It is also typically executed from the user's temporary directory.
Publisher:
File Syn (signed by Liyan Liu)

Product:
1226_wpc_istart123

Description:
FileWork

Version:
6.1.7602.731

MD5:
969dac15f48b3e3e1945aab4cfe0085d

SHA-1:
c2b93ae60678dabcc689df284771b4c943a2339a

SHA-256:
966bd1fd547a5f675528118cb126678248aff2677b3bc593cc54ef0e5c344eed

Scanner detections:
12 / 68

Status:
Adware

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
12/24/2024 1:01:02 PM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | PUA.Mutabaha | 7.1.1
AhnLab V3 Security | PUP/Win32.Downloader | 2014.10.08
AVG | Generic | 2016.0.3102
Baidu Antivirus | Adware.Win32.ELEX | 4.0.3.15522
ESET NOD32 | Win32/ELEX.AX (variant) | 9.10525
IKARUS anti.virus | Trojan.Win32.Wysotot | t3scan.1.7.8.0
K7 AntiVirus | Unwanted-Program | 13.183.13611
Malwarebytes | PUP.Optional.SearchHijacker.A | v2015.05.22.10
McAfee | Artemis!969DAC15F48B | 5600.6758
Reason Heuristics | PUP.LiyanLiu | 15.5.22.10
Total Defense | Win32/Wysotot.HDGbZDD | 37.0.11213
VIPRE Antivirus | Elex Installer | 33718

File size:
670.9 KB (686,976 bytes)

Product version:
6.1.7602.731

Copyright:
SynWork

Original file name:
SynWork.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\temp\wpc_istart123.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
7/22/2014 2:00:00 AM

Valid to:
7/27/2015 2:00:00 PM

Subject:
CN=Liyan Liu, O=Liyan Liu, L=Wenzhou, S=Zhejiang, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
06A374858107D7F624D3CC328C92248A

File PE Metadata
Compilation timestamp:
8/14/2014 4:17:07 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:hthvpVDP62a2w30OMwpq80ggX06zxv6YQVQybf:/hhpNw3swpqFxv68ybf

Entry address:
0x332EF

Entry point:
E8, 3D, E9, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 94, 71, 49, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, 48, 49, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 94, 71, 49, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00...
 

Code size:
499.5 KB (511,488 bytes)
