sysfiles.exe

P4hostcom

The application sysfiles.exe by P4hostcom has been detected as adware by 11 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from healthcaregovtool.com.
Publisher:
P4hostcom  (signed and verified)

MD5:
2bf7e3399bc1eefb67570a3da4b97aff

SHA-1:
5afba48bedae4023a9239afad39af3cea97f4e01

SHA-256:
0f83d962bf14cf796b48ccafbcf1a67fb05bbf99c86876e0e8b2e023969f2e2d

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
12/25/2024 5:16:53 AM UTC  (today)

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Gen:Variant.Adware.Graftor.186320 | 628 |
| Avira AntiVirus | ADWARE/Graftor.405000 | 8.3.1.6 |
| avast! | Win32:Evo-gen [Susp] | 2014.9-150518 |
| Bkav FE | W32.HfsAdware | 1.3.0.6379 |
| Dr.Web | Adware.Superfish.160 | 9.0.1.0138 |
| F-Secure | Gen:Variant.Adware.Graftor | 11.2015-18-05_2 |
| IKARUS anti.virus | Win32.SuspectCrc | t3scan.1.8.9.0 |
| MicroWorld eScan | Gen:Variant.Adware.Graftor.186320 | 16.0.0.414 |
| NANO AntiVirus | Riskware.Win32.Superfish.dqxuqy | 0.30.24.1357 |
| Qihoo 360 Security | HEUR/QVM10.1.Malware.Gen | 1.0.0.1015 |
| Trend Micro House Call | Suspici.318CBDCE | 7.2.138 |

File size:
9.6 MB (10,096,016 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\sysfiles.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
12/10/2014 6:00:00 PM

Valid to:
12/11/2015 5:59:59 PM

Subject:
CN=P4hostcom, O=P4hostcom, STREET=15339 WYANDOTTE ST, L=VAN NUYS, S=California, PostalCode=91406, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
41454C8A0557125C4B0C373A489B1003

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
196608:nwXZfsWcitIbLyaHxf4yFzy21547XqMMIPI2LIF1y2f1exI:QsDbLyaHxVwXqL2LIF1yrG

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 

Entropy:
7.9996

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file sysfiles.exe has been seen being distributed by the following URL.
