home

0qvdfl1btsq==1.exe

5372_obw_yoursearching

CHAODONG XIAO

The application 0qvdfl1btsq==1.exe by CHAODONG XIAO has been detected as a potentially unwanted program by 11 anti-malware scanners. This is a setup program which is used to install the application. This is an adware bundler (AKA ElexNetDownload) that will include additional unwanted offers in the download and install process. During install it will establish a connection to twonext.com and xingcloud.com to determine what offers to show the user (based on what is already installed and where they live).The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
CHAODONG XIAO  (signed and verified)

Product:
5372_obw_yoursearching

Version:
7,0,0,2918

MD5:
ea1eadeb6715cafce134149249d0a1d4

SHA-1:
f5256bc163659b574b566e55e2618ae63a7df5f6

SHA-256:
116991cc760254d7f3acfa5b9f7fe2a36dc9afd174fe7acec6edf5715c85edf8

Scanner detections:
11 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
6/16/2024 10:49:24 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.Amonetiz
2015.12.16

Avira AntiVirus
PUA/Subtab.Gen7
8.3.2.4

Baidu Antivirus
Adware.Win32.ELEX
4.0.3.151216

ESET NOD32
Win32/ELEX.FG potentially unwanted (variant)
9.12728

K7 AntiVirus
Adware
13.212.18118

Malwarebytes
PUP.Optional.YourSearching.ShrtCln
v2015.12.16.06

Qihoo 360 Security
Trojan.Generic
1.0.0.1077

Reason Heuristics
PUP.CHAODONGXIAO (M)
15.12.16.18

Rising Antivirus
PE:Malware.Generic(Thunder)!1.A1C4 [F]
23.00.65.151214

VIPRE Antivirus
Elex Installer
45872

Zillya! Antivirus
Adware.OutBrowse.Win32.74938
2.0.0.2565

File size:
190.3 KB (194,816 bytes)

Product version:
7,0,0,2918

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\0qvdfl1btsq==1.exe

Digital Signature
Signed by:
CHAODONG XIAO

Authority:
thawte, Inc.

Valid from:
12/16/2015 6:00:00 AM

Valid to:
10/21/2016 5:59:59 AM

Subject:
CN=CHAODONG XIAO, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
757B1422620446AD2C54D076AAE47ED1

File PE Metadata
Compilation timestamp:
12/4/2015 3:52:52 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:S8EgK1bY8aBRYDpCYnGRrmkErWnLZdD9EhHky+ve9xp0V+:S8EB1bMwC6GRSJmy4

Entry address:
0xF404

Entry point:
E8, DB, A5, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, B8, A9, 42, 00, E8, 06, 5D, 00, 00, E8, B2, 24, 00, 00, 0F, B7, F0, 6A, 02, E8, 6E, A5, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 62, 59, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Code size:
129.5 KB (132,608 bytes)

The file 0qvdfl1btsq==1.exe has been seen being distributed by the following URL.

http://d2drfrdurj6mvo.cloudfront.net/.../obw_yoursearching.exe

Remove 0qvdfl1btsq==1.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.