wpc_mystartsearch.exe

2417_wpc_mystartsearch

Fuyuan Zhou

The application wpc_mystartsearch.exe by Fuyuan Zhou has been detected as adware by 12 anti-malware scanners. It is a setup program used to install the application, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from www.girlwurina.com and multiple other hosts.
Publisher:
One Syn (signed by Fuyuan Zhou)

Product:
2417_wpc_mystartsearch

Description:
Syn worker

Version:
6,3,7601,1372

MD5:
87e3cb1edb40d233aa7af2d3b9642a69

SHA-1:
b4d2ed1279120359321ecc1e52a2b45364350de1

SHA-256:
e7c5600dc43592cfefd67e445ec9680b029806d4295658b673e1518a4c5fbc19

Scanner detections:
12 / 68

Status:
Adware

Analysis date:
12/25/2024 11:58:41 AM UTC

Scan engine           Detection                               Engine version
Lavasoft Ad-Aware     Gen:Application.Elex.1                  737
Agnitum Outpost       PUA.Mutabaha                            7.1.1
AhnLab V3 Security    PUP/Win32.SearchHijacker                2015.01.29
Bitdefender           Gen:Application.Elex.1                  1.0.20.145
Dr.Web                Adware.Mutabaha.98                      9.0.1.029
F-Secure              Gen:Application.Elex.1                  11.2015-29-01_5
G Data                Gen:Application.Elex                    15.1.25
MicroWorld eScan      Gen:Application.Elex.1                  16.0.0.87
Qihoo 360 Security    Win32/Application.33e                   1.0.0.1015
Reason Heuristics     PUP.FuyuanZhou                          15.2.14.11
Sophos                Elex                                    4.98
VIPRE Antivirus       BehavesLike.Win32.Malware.sfd (mx-v)    37062

File size:
301.1 KB (308,320 bytes)

Product version:
6,3,7601,1372

Copyright:
One Syn

Original file name:
Worker.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\temp\wpc_mystartsearch.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
1/15/2015 1:00:00 AM

Valid to:
1/20/2016 1:00:00 PM

Subject:
CN=Fuyuan Zhou, O=Fuyuan Zhou, L=Jilin, S=Jilin, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0B378A1487E66949A44C8CAE23820481

File PE Metadata
Compilation timestamp:
12/3/2014 6:17:43 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:aCs10Khp7xcLca6+hImxVtn3h0aaMnND1ews/Wo4NtWPeY+hbvakgN2pLPX:a910OZQcJS3h0pcR5seo4N4PhogWLPX

Entry address:
0xC3D0

Entry point:
E8, 90, 6E, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 54, 57, 42, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, C8, 30, 42, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 54, 57, 42, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00...

Code size:
94.5 KB (96,768 bytes)

The file wpc_mystartsearch.exe has been seen being distributed by the following 2 URLs.

Remove wpc_mystartsearch.exe - Powered by Reason Core Security