» ayryfsrb.exe
Overview
Analysis
File Details
Network (1)

ayryfsrb.exe

Boris Burkin

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions which inject ads in the browser. The file ayryfsrb.exe, “Installer for TopApp software” by Boris Burkin has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address r1.stylezip.info on port 80 using the HTTP protocol.

File name:

ayryfsrb.exe

Publisher:

TopApp software (signed by Boris Burkin)

Product:

TopApp software

Description:

Installer for TopApp software

Version:

2014.5.22.1509

MD5:

c5c1d24c6b88887b3080b6c7221484cc

SHA-1:

472641de304e6c131391c42e77f3e0c2234c6dae

SHA-256:

a35b821e6fda95c17e119bf51a2929e0b7243c90e59bb4c9757464d46edc97b8

Scanner detections:

1 / 68

Status:

Adware

Explanation:

Uses Web-Pick's 'File Product', an Installer which wraps various products and downloads and installs it silently through the process, hosted on TusFiles.

Analysis date:

4/25/2024 3:25:27 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.WebPick.BorisBurkin.Installer (M)

15.10.18.22

File size:

618 KB (632,864 bytes)

Product version:

1.0.0.3

Original file name:

TSULoader.exe

Installer:

WebPick InstalleRex (Tarma)

Language:

Language Neutral

Common path:

C:\users\{user}\appdata\local\temp\ayryfsrb.exe.part

Digital Signature

Signed by:

Boris Burkin

Authority:

COMODO CA Limited

Valid from:

9/18/2013 7:00:00 PM

Valid to:

9/19/2014 6:59:59 PM

Subject:

CN=Boris Burkin, O=Boris Burkin, STREET=Tankistiv 14, L=Kyiv, S=Kyivska, PostalCode=03061, C=UA

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

033AD040336E8286DF7ACF4D4908361F

File PE Metadata

Compilation timestamp:

3/12/2013 3:51:45 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

CTPH (ssdeep):

12288:XrrjkogdCi7WNwx9l8oEGkuveY39Bn3Y4z9GiC0bZ6SBD2:AogvWNwmDuXnnI4zUiC09G

Entry address:

0x14DB

Entry point:

55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF... 
[+]

Entropy:

7.5788

Developed / compiled with:

Microsoft Visual C++

Code size:

7.5 KB (7,680 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to r1.stylezip.info (54.186.255.26:80)

Remove ayryfsrb.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.