ContentFinder.exe

ContentFinder

DigitalSoftware Group

The application ContentFinder.exe has been detected as a potentially unwanted program by 8 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘ContentFinder’. While running, it connects to the Internet address customer.worldstream.nl on port 80 using the HTTP protocol.
Publisher:
DigitalSoftware Group

Product:
ContentFinder

Version:
2.2.0.0

MD5:
0d05fbd5e8c88de19094993d9341f14f

SHA-1:
cbfe475bbe77625a1c9df7a3451fb4898a0cc4f1

SHA-256:
79a2025ec28eb40a3e65181911a2d48e41f5614b230be53550953851830e11f5

Scanner detections:
8 / 68

Status:
Potentially unwanted

Analysis date:
9/26/2017 7:13:06 PM UTC

Scan engine              Detection                                          Engine version
Lavasoft Ad-Aware        Gen:Variant.Kazy.592015                            640
Baidu Antivirus          PUA.Win32.SoundFrost                               4.0.3.1556
Bitdefender              Gen:Variant.Kazy.592015                            1.0.20.630
Emsisoft Anti-Malware    Gen:Variant.Kazy.592015                            8.15.05.06.12
ESET NOD32               Win32/SoundFrost.E potentially unwanted (variant)  9.11490
F-Secure                 Gen:Variant.Kazy.592015                            11.2015-06-05_4
G Data                   Gen:Variant.Kazy.592015                            15.5.25
MicroWorld eScan         Gen:Variant.Kazy.592015                            16.0.0.378

File size:
145.5 KB (148,992 bytes)

Product version:
2.2.0.0

Copyright:
Copyright (C) 2010-2015

Original file name:
ContentFinder.exe

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\contentfinder.exe

File PE Metadata
Compilation timestamp:
4/17/2015 6:05:31 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
1536:c9zaAZXOLbZZVf5IhjX7hmFiJtOAaOlMiUYdpZiqC2c08KZQ1:c9zT+/5xIhjX7hHtOAaOeNMNc0o

Entry address:
0x3C70

Code size:
15 KB (15,360 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
ContentFinder

Command:
C:\users\{user}\appdata\local\contentfinder.exe


The executing file has been seen to make the following network communications in live environments.

Remove ContentFinder.exe - Powered by Reason Core Security