home

todo_office_professional_plus_2010_vl.exe

AutoPlay Media Studio Runtime

The executable todo_office_professional_plus_2010_vl.exe, “AutoPlay Application” has been detected as malware by 13 anti-virus scanners. The file has been seen being downloaded from semyeng.device2820485.wd2go.com.
Product:
AutoPlay Media Studio Runtime

Description:
AutoPlay Application

Version:
8.0.1.0

MD5:
8771aa1e5dbdf60c61b499a1ad061610

SHA-1:
e38b135070da4858abf7228c9898b3bd8f490a2b

SHA-256:
622aa0ecce39fa9ade4e0084459bc06549339aa96d98a3441112a473cbd06ff6

Scanner detections:
13 / 68

Status:
Malware

Analysis date:
5/12/2024 12:33:56 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Trojan.Fullscreen
7.1.1

Avira AntiVirus
TR/Ransom.Fullscreen.xu.1
7.11.114.196

Baidu Antivirus
Trojan.Win32.Ransom
4.0.3.14911

K7 AntiVirus
Trojan
13.174.10588

McAfee
Artemis!1958DDD1A60C
5600.7010

Norman
Suspicious_Gen4.UUZA
11.20140911

Quick Heal
TrojanRansom.Fullscreen.ahx
9.14.12.00

Trend Micro House Call
TROJ_GEN.RCBZ3JS
7.2.254

Trend Micro
TROJ_GEN.RCBZ3JS
10.465.11

Vba32 AntiVirus
Hoax.Fullscreen
3.12.24.3

VIPRE Antivirus
Trojan.Win32.Generic
24660

ViRobot
Trojan.Win32.A.Fullscreen.6849024
2011.4.7.4223

Zillya! Antivirus
Trojan.Fullscreen.Win32.319
2.0.0.1856

File size:
6.8 MB (7,165,952 bytes)

Product version:
8.0.1.0

Copyright:
Runtime Engine Copyright © 2010 Indigo Rose Corporation (www.indigorose.com)

Trademarks:
AutoPlay Media Studio is a Trademark of Indigo Rose Corporation

Original file name:
ams_runtime.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

File PE Metadata
Compilation timestamp:
5/14/2010 3:18:22 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
98304:hX50dwfMA3Nh8rX+bREOOYF69VNLkMr02Fx0qgVGjtC8JXmiWoj9ghi1RebM3900:r+wfX/8rKwT0Gj88JqojD390brV9mp3

Entry address:
0x2AA227

Entry point:
E8, 6D, 29, 01, 00, E9, 78, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 55, 8B, EC, 83, C4, F4, 9B, D9, 7D, FE, 9B, 66, 8B, 45, FE, 80, CC, 0C, 66, 89, 45, FC, D9, 6D, FC, DF, 7D, F4, D9, 6D, FE, 8B, 45, F4, 8B, 55, F8, C9, C3, 8B, FF, 55, 8B, EC, 51, 51, 57, 8D, 45, F8, 50, FF, 15, C4, 03, 84, 00, 6A, 01, 6A, 00, 6A, 00, FF, 75, FC, E8, 99, A2, FF, FF, 2B, 05, 50, 6B, 96, 00, 8B, 4D, F8, 1B, 15, 54, 6B, 96, 00, 33, FF, 57, 03, C1, 68, 10, 27, 00, 00, 13, D7, 52, 50, E8, 37, C2...
 
[+]

Entropy:
6.7886

Code size:
4.2 MB (4,450,816 bytes)

The file todo_office_professional_plus_2010_vl.exe has been seen being distributed by the following URL.

https://semyeng.device2820485.wd2go.com/api/1.0/rest/file_contents/6.????/???/.../autorun.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to a23-74-19-27.deploy.static.akamaitechnologies.com  (23.74.19.27:80)

TCP (HTTP):
Connects to a23-62-233-163.deploy.static.akamaitechnologies.com  (23.62.233.163:80)

TCP (HTTP):
Connects to a23-49-149-163.deploy.static.akamaitechnologies.com  (23.49.149.163:80)

Remove todo_office_professional_plus_2010_vl.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.