home

lyi_my.exe

Ding Ruan

The application lyi_my.exe by Ding Ruan has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address server-54-230-141-191.sfo5.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Ding Ruan  (signed and verified)

MD5:
72375575e96c80908e33143d836b5c28

SHA-1:
16f0640edccc11caa4cf64e95668a705170ae485

SHA-256:
683c43605cd36a242e243f3404d7cce1d1f15946dbed097afc0bc49905328cfc

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
6/16/2024 1:38:45 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ELEX (M)
17.2.2.5

File size:
416.9 KB (426,944 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\lyi_my.exe

Digital Signature
Signed by:
Ding Ruan

Authority:
thawte, Inc.

Valid from:
1/19/2017 10:00:00 PM

Valid to:
4/13/2017 8:59:59 PM

Subject:
CN=Ding Ruan, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
77066975BD19A6EDE7F46F9F1AA50737

File PE Metadata
Compilation timestamp:
1/18/2017 7:41:19 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x8481

Entry point:
E8, C2, A0, FF, FF, E9, FB, 61, 00, 00, 8B, 0D, 64, B7, 46, 00, 33, D2, 85, C9, 75, 05, B9, 88, 03, 46, 00, 56, 6A, 20, 5E, 0F, B7, 01, 66, 3B, C6, 77, 09, 66, 85, C0, 74, 27, 85, D2, 74, 1B, 83, F8, 22, 75, 09, 33, C0, 85, D2, 0F, 94, C0, 8B, D0, 83, C1, 02, EB, DC, 66, 3B, C6, 77, 0B, 83, C1, 02, 0F, B7, 01, 66, 85, C0, 75, F0, 8B, C1, 5E, C3, 55, 8B, EC, 83, EC, 10, 53, 56, 8B, 75, 0C, 85, F6, 74, 18, 8B, 5D, 10, 85, DB, 74, 11, 80, 3E, 00, 75, 14, 8B, 45, 08, 85, C0, 74, 05, 33, C9, 66, 89, 08, 33, C0...
 
[+]

Code size:
371.5 KB (380,416 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-141-182.sfo5.r.cloudfront.net  (54.230.141.182:80)

TCP (HTTP):
Connects to server-54-230-141-73.sfo5.r.cloudfront.net  (54.230.141.73:80)

TCP (HTTP):
Connects to server-54-230-141-236.sfo5.r.cloudfront.net  (54.230.141.236:80)

TCP (HTTP):
Connects to server-54-230-141-119.sfo5.r.cloudfront.net  (54.230.141.119:80)

TCP (HTTP):
Connects to server-52-84-246-56.sfo20.r.cloudfront.net  (52.84.246.56:80)

TCP (HTTP):
Connects to server-54-230-95-94.fra2.r.cloudfront.net  (54.230.95.94:80)

TCP (HTTP):
Connects to server-54-230-95-227.fra2.r.cloudfront.net  (54.230.95.227:80)

TCP (HTTP):
Connects to server-54-230-95-208.fra2.r.cloudfront.net  (54.230.95.208:80)

TCP (HTTP):
Connects to server-54-230-95-162.fra2.r.cloudfront.net  (54.230.95.162:80)

TCP (HTTP):
Connects to server-54-230-141-191.sfo5.r.cloudfront.net  (54.230.141.191:80)

TCP (HTTP):
Connects to server-54-230-141-99.sfo5.r.cloudfront.net  (54.230.141.99:80)

TCP (HTTP):
Connects to server-54-230-141-159.sfo5.r.cloudfront.net  (54.230.141.159:80)

TCP (HTTP):
Connects to server-54-230-141-139.sfo5.r.cloudfront.net  (54.230.141.139:80)

TCP (HTTP):
Connects to server-52-84-246-247.sfo20.r.cloudfront.net  (52.84.246.247:80)

Remove lyi_my.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.