usbflashcopy.exe

Imposant

It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘USBFlashCopy’. The file has been seen downloaded from gsf-cf.softonic.com and multiple other hosts.
Publisher:
Imposant  (signed and verified)

MD5:
4b58062e85f145c6837cdbce3cd4bce8

SHA-1:
9e167e1087a431e8694082c9ba764c9f7638980a

SHA-256:
413431704584a21867ca674a2339dc3ae2a8c09af3ca4424e7551776ea48ce80

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
5/4/2024 1:32:10 AM UTC  (today)

File size:
274 KB (280,584 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\usbflashcopy.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/22/2012 1:00:00 AM

Valid to:
8/23/2017 12:59:59 AM

Subject:
CN=Imposant, O=Imposant, STREET="17-76, Olimpiyskaya derevnya", STREET=Michurinsky prospekt, L=Moscow, S=Moscow, PostalCode=119602, C=RU

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00AB35D8BB16D774993034FF77BDA941AD

File PE Metadata
Compilation timestamp:
1/15/2014 12:33:28 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
3072:Z8NeKAQwYhpJxucKh5BHfbywbVBvbUsr9gPXW3ttAmqyUTE/em/Y7vbdnr9SU6PS:Z8AK6YhpJxmxbywbV95RqWQmqHrX1D

Entry address:
0x119B5

Entry point:
E8, 59, 4C, 00, 00, E9, 17, FE, FF, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 68, 63, 42, 00, 89, 0D, 64, 63, 42, 00, 89, 15, 60, 63, 42, 00, 89, 1D, 5C, 63, 42, 00, 89, 35, 58, 63, 42, 00, 89, 3D, 54, 63, 42, 00, 66, 8C, 15, 80, 63, 42, 00, 66, 8C, 0D, 74, 63, 42, 00, 66, 8C, 1D, 50, 63, 42, 00, 66, 8C, 05, 4C, 63, 42, 00, 66, 8C, 25, 48, 63, 42, 00, 66, 8C, 2D, 44, 63, 42, 00, 9C, 8F, 05, 78, 63, 42, 00, 8B, 45, 00, A3, 6C, 63, 42, 00, 8B, 45, 04, A3, 70, 63, 42, 00, 8D, 45, 08, A3, 7C, 63, 42, 00, 8B...
 

Entropy:
5.6904

Code size:
120 KB (122,880 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
USBFlashCopy

Command:
C:\users\{user}\downloads\usbflashcopy.exe


The file usbflashcopy.exe has been seen distributed from the following 6 URLs.

http://gsf-cf.softonic.com/9e1/67e/.../file?SD_used=0&channel=WEB&fdh=no&id_file=199121&instance=softonic_en&type=PROGRAM&Expires=1475713276&Signature=AVO3hTmH3bNly6X40xQWVUzP4QlEd~HKdvZnVgmDfq8F5QCzqNwfV369v5povef4XpBUqCqnXcgEyjlrqGr3lTiG1UJolaHewxeNOY0EwyjPbaAu0bIClxzc8MPCZO8gQsvJTB3ARI0DBT5vJoVHSc20Vd~PL0x492uz68FhGOM_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=usbflashcopy.exe

http://gsf-cf.softonic.com/9e1/67e/.../file?SD_used=0&channel=WEB&fdh=no&id_file=199121&instance=softonic_en&type=PROGRAM&Expires=1475774529&Signature=IuyjXE02Zq51dLJ3qjMSbYEeGrvL8-jVr9AdBzQShGkxXfarZJBmicNnCReUmL2sLFYjItdq7DVCx9pj6-KN8yIrsKZ9bq8D5Gt13IQenzR0LbrfadrIeGDhFjsqsvLjKoYEbFcJWEOV8RGjTA9Q-mnzHDoS0o0IVZ4gTunH2oE_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=usbflashcopy.exe

http://gsf-cf.softonic.com/9e1/67e/.../file?SD_used=0&channel=WEB&fdh=no&id_file=199121&instance=softonic_en&type=PROGRAM&Expires=1476015335&Signature=c39zggqprvBzXIqrB7eALvRJ6tGgVPwd8KYRjR53fnPUOaP0va2h1-7itX4JC5qQ3EzpM8rXwjhqvrhcETcakNqZ6GytaUte9QN9D9Kp8smMlUULO22CEKqLvr8BljES3GOXK2uHslqcCsqP7pxUwTSyKvg6DzVunTKIHVgIyA4_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=usbflashcopy.exe
