» topsadon1c.exe
Overview
Analysis
File Details
Behaviors (1)
Downloads (1)
Network (9)

topsadon1c.exe

neomedia

The application topsadon1c.exe by neomedia has been detected as a potentially unwanted program by 3 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘topsadonc’. The file has been seen being downloaded from down1.topsadon1.com.

File name:

topsadon1c.exe

Publisher:

neomedia (signed and verified)

MD5:

2dffef8c489d5267a49ca67e47315dab

SHA-1:

371c174128cb30ad3882c7677bdb542047b03bd7

SHA-256:

a0dc255e9ae00fe76c7e76639eb3030daccc0cceda611892963562dee91c3a82

Scanner detections:

3 / 68

Status:

Potentially unwanted

Analysis date:

4/30/2024 12:26:45 AM UTC (today)

Scan engine

Detection

Engine version

ESET NOD32

Win32/AdWare.KeywordFind.D application

6.3.12010.0

F-Prot

W32/Themida_Packed

4.6.5.141

Reason Heuristics

Adware.Neomedia (M)

16.11.2.23

File size:

1.2 MB (1,295,080 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\roaming\topsadon\topsadon1c.exe

Digital Signature

Signed by:

neomedia

Authority:

thawte, Inc.

Valid from:

1/25/2016 9:00:00 AM

Valid to:

1/25/2017 8:59:59 AM

Subject:

CN=neomedia, OU=IT Team, O=neomedia, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:

CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:

343766F67EC25EF07DB4A9C47879EAF6

File PE Metadata

Compilation timestamp:

10/9/2016 10:59:28 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

24576:bUgLPXfDHoT3Tm91zJ+w61zW/RuGDzSt2Hi:bPLff0XO3C89zW

Entry address:

0x2B1000

Entry point:

83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 8B, D8, 40, 2D, 00, F0, 0F, 00, 2D, 5D, 36, 5F, 00, 05, 52, 36, 5F, 00, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 30, 1D, E4, 29, 68, 7C, C7, AD, 7A, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 8B, EC, 60, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, EB, 08, 31, 06, 01, 1E, 83, C6, 04, 49, 0B, C9, 75, F4, 61, C9, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Entropy:

7.0187

Code size:

418.5 KB (428,544 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

topsadonc

Command:

"C:\users\{user}\appdata\roaming\topsadon\topsadon1c.exe"

The file topsadon1c.exe has been seen being distributed by the following URL.

http://down1.topsadon1.com/.../topsadon1c.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ec2-52-78-189-156.ap-northeast-2.compute.amazonaws.com (52.78.189.156:80)

TCP (HTTP):

Connects to i0-h0-s39.p59-icn.cdngp.net (14.0.67.86:80)

TCP (HTTP):

Connects to ec2-52-78-199-68.ap-northeast-2.compute.amazonaws.com (52.78.199.68:80)

TCP (HTTP):

Connects to i0-h0-s35.p59-icn.cdngp.net (14.0.67.53:80)

TCP (HTTP):

Connects to ec2-52-79-166-155.ap-northeast-2.compute.amazonaws.com (52.79.166.155:80)

TCP (HTTP):

Connects to i0-h0-s40.p59-icn.cdngp.net (14.0.67.87:80)

TCP (HTTP):

Connects to i0-h0-s36.p59-icn.cdngp.net (14.0.67.54:80)

TCP (HTTP):

Connects to i0-h0-s1693.p59-icn.cdngp.net (14.0.77.205:80)

TCP (HTTP):

Connects to i0-h0-s1687.p59-icn.cdngp.net (14.0.77.143:80)

Remove topsadon1c.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.