setup_kid001_silent.exe

winsys

The application setup_kid001_silent.exe by winsys has been detected as adware by 12 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from down.windoguide.com.
Publisher:
winsys  (signed and verified)

MD5:
4f144325add3e90259f008c513db722b

SHA-1:
e986c8c69857860a97f0a48f9aef07ad74aea341

SHA-256:
6364b2afc9c82f6c345870f02cc3ed7df71f38af4f46bca7ff34dda551cadbd1

Scanner detections:
12 / 68

Status:
Adware

Analysis date:
12/28/2024 2:26:48 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Win-PUP/Helper.WindoGuide.233032
2014.01.24

Bkav FE
W32.Clod1e6.Trojan
1.3.0.4923

Dr.Web
Adware.Shopper.342
9.0.1.028

Malwarebytes
Adware.KorAd
v2014.01.28.07

McAfee
Artemis!4F144325ADD3
5600.7237

nProtect
Adware/W32.Agent.233032
14.01.24.02

Reason Heuristics
PUP.Installer.winsys.T
14.6.12.9

Trend Micro House Call
ADW_KRADDARE
7.2.28

Trend Micro
ADW_KRADDARE
10.465.28

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.24.3

VIPRE Antivirus
Trojan.Win32.Generic!SB.0
25752

ViRobot
Adware.Agent.233032
2011.4.7.4223

File size:
227.6 KB (233,032 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\setup_kid001_silent.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
8/3/2012 9:00:00 AM

Valid to:
8/4/2013 8:59:59 AM

Subject:
CN=winsys, O=winsys, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
0ED81EA1C6AD38AAF7D1D6B65E23E6F2

File PE Metadata
Compilation timestamp:
12/6/2009 7:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:xe34NXRSP7uUDE0OyEt5q2pd5A8WH67E0OynU25t5q2pd5A8Wx:VXkPBbKbJd5A8RbbbJd5A8o

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.8511

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file setup_kid001_silent.exe has been seen being distributed by the following URL.

Remove setup_kid001_silent.exe - Powered by Reason Core Security