» sysfiles.exe
Overview
Analysis
File Details
Downloads (1)

sysfiles.exe

P4hostcom

The application sysfiles.exe by P4hostcom has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from healthcaregovtool.com.

File name:

sysfiles.exe

Publisher:

P4hostcom (signed and verified)

MD5:

2bf7e3399bc1eefb67570a3da4b97aff

SHA-1:

5afba48bedae4023a9239afad39af3cea97f4e01

SHA-256:

0f83d962bf14cf796b48ccafbcf1a67fb05bbf99c86876e0e8b2e023969f2e2d

Scanner detections:

11 / 68

Status:

Adware

Analysis date:

4/29/2024 6:31:05 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.Graftor.186320

628

Avira AntiVirus

ADWARE/Graftor.405000

8.3.1.6

avast!

Win32:Evo-gen [Susp]

2014.9-150518

Bkav FE

W32.HfsAdware

1.3.0.6379

Dr.Web

Adware.Superfish.160

9.0.1.0138

F-Secure

Gen:Variant.Adware.Graftor

11.2015-18-05_2

IKARUS anti.virus

Win32.SuspectCrc

t3scan.1.8.9.0

MicroWorld eScan

Gen:Variant.Adware.Graftor.186320

16.0.0.414

NANO AntiVirus

Riskware.Win32.Superfish.dqxuqy

0.30.24.1357

Qihoo 360 Security

HEUR/QVM10.1.Malware.Gen

1.0.0.1015

Trend Micro House Call

Suspici.318CBDCE

7.2.138

File size:

9.6 MB (10,096,016 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\sysfiles.exe

Digital Signature

Signed by:

P4hostcom

Authority:

COMODO CA Limited

Valid from:

12/10/2014 6:00:00 PM

Valid to:

12/11/2015 5:59:59 PM

Subject:

CN=P4hostcom, O=P4hostcom, STREET=15339 WYANDOTTE ST, L=VAN NUYS, S=California, PostalCode=91406, C=US

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

41454C8A0557125C4B0C373A489B1003

File PE Metadata

Compilation timestamp:

12/5/2009 4:50:52 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

196608:nwXZfsWcitIbLyaHxf4yFzy21547XqMMIPI2LIF1y2f1exI:QsDbLyaHxVwXqL2LIF1yrG

Entry address:

0x30FA

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Entropy:

7.9996

Packer / compiler:

Nullsoft install system v2.x

Code size:

23.5 KB (24,064 bytes)

The file sysfiles.exe has been seen being distributed by the following URL.

http://healthcaregovtool.com/installs/.../SysFiles.exe

Remove sysfiles.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.