sysfiles.exe

P4hostcom

The application sysfiles.exe by P4hostcom has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from healthcaregovtool.com.
Publisher:
P4hostcom (signed and verified)

MD5:
4bd3e5bce67c84a10d8f3b0871c63056

SHA-1:
ed8b1701228fff814f720df3ba59a6b099c79b6d

SHA-256:
f5664672e5ae9dbbbd224d50a9d90cd224fc707c4106b786cacbb58462f8eaff

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
12/25/2024 3:43:04 AM UTC

Scan engine          Detection                       Engine version
avast!               Win32:Evo-gen [Susp]            2014.9-150807
AVG                  Generic                         2016.0.3025
Bkav FE              W32.HfsAdware                   1.3.0.7062
Dr.Web               Adware.Superfish.217            9.0.1.0219
Malwarebytes         Rootkit.WeWatcher.PUP           v2015.08.07.06
Reason Heuristics    PUP.P4hostcom.Installer (M)     15.8.7.6

File size:
9.8 MB (10,271,008 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\sysfiles.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
12/10/2014 10:00:00 PM

Valid to:
12/11/2015 9:59:59 PM

Subject:
CN=P4hostcom, O=P4hostcom, STREET=15339 WYANDOTTE ST, L=VAN NUYS, S=California, PostalCode=91406, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
41454C8A0557125C4B0C373A489B1003

File PE Metadata
Compilation timestamp:
12/5/2009 8:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
196608:kBZTeIXiq1URo/tiufhlgj3nAY0WbbRHyKBHZ0Pq5YX+dN:jIX1Oo/UufhlSaWbt9BHuPq5YKN

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file sysfiles.exe has been seen being distributed by the following URL.

Powered by Reason Core Security