tsvr.exe

Trend Service

Shanghai Yuntong Technology Co., Ltd.

The application tsvr.exe, published by Shanghai Yuntong Technology Co., Ltd., has been flagged as a potentially unwanted program by 2 of 68 anti-malware scanners. It installs itself as a Windows service named “IhPul” that runs in its own process (Win32OwnProcess) from the per-user path listed below. While running, it connects over unencrypted HTTP (port 80) to Amazon CloudFront edge nodes such as server-54-239-132-245.sfo9.r.cloudfront.net.
Publisher:
Trend Corp.  (signed by Shanghai Yuntong Technology Co., Ltd.)

Product:
Trend Service

Description:
Service

Version:
3.0.0.59

MD5:
1a7cdc3de20ee3f5e25f394b73d32c13

SHA-1:
9c553157c17cba8d2ded70ab7d1998c778057eca

SHA-256:
ba8b464d26b1f06e193528991dd40922b88d82175d3d91420e2fa215de3b67fa

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
11/16/2024 12:19:20 AM UTC

Scan engine          Detection               Engine version
Dr.Web               Adware.Mutabaha.1462    9.0.1.05190
Reason Heuristics    Adware.Elex             16.8.23.14

File size:
205.2 KB (210,128 bytes)

Product version:
3.0.0.59

Original file name:
TSvr

File type:
Executable application (Win32 EXE)

Language:
Chinese

Common path:
C:\users\{user}\appdata\roaming\setup1\tsvr.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
8/17/2016 9:00:00 PM

Valid to:
2/24/2017 8:59:59 PM

Subject:
CN="Shanghai Yuntong Technology Co., Ltd.", O="Shanghai Yuntong Technology Co., Ltd.", L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
726CC6DF3389C67071EAA1CF524BD992

File PE Metadata
Compilation timestamp:
8/18/2016 10:54:13 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
3072:Xwodqu+JFn3IkfjbGnfTXMLVt432eDwjedBczMjLOr2m:X9qr3NPGLXSeDYedmzh

Entry address:
0x1BA96

Entry point:
E8, 79, 02, 00, 00, E9, 03, FE, FF, FF, FF, 25, F8, F2, 41, 00, FF, 25, FC, F2, 41, 00, FF, 25, 00, F3, 41, 00, FF, 25, 04, F3, 41, 00, FF, 25, 08, F3, 41, 00, FF, 25, 0C, F3, 41, 00, FF, 25, 10, F3, 41, 00, FF, 25, 14, F3, 41, 00, 68, 29, BB, 41, 00, 64, FF, 35, 00, 00, 00, 00, 8B, 44, 24, 10, 89, 6C, 24, 10, 8D, 6C, 24, 10, 2B, E0, 53, 56, 57, A1, 00, 50, 42, 00, 31, 45, FC, 33, C5, 50, 89, 65, E8, FF, 75, F8, 8B, 45, FC, C7, 45, FC, FE, FF, FF, FF, 89, 45, F8, 8D, 45, F0, 64, A3, 00, 00, 00, 00, C3, 8B...

Code size:
117 KB (119,808 bytes)

Service
Display name:
IhPul

Type:
Win32OwnProcess
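The service name, common path, SHA-256 and signing-certificate serial above are enough to triage a host. The following PowerShell script is an added example, not code from the analysis page or from the publisher: it looks for the “IhPul” service, hashes every copy of tsvr.exe at the service's image path and under each user profile's AppData\Roaming\setup1, and compares the hash and Authenticode signer serial with the values listed on this page. The function name, variable names and report fields are illustrative; only the indicators are taken from the page.

```powershell
#Requires -RunAsAdministrator
# Added host-triage script (not part of the original page).
# Indicators copied from the analysis above; everything else is illustrative.
$KnownSha256 = 'ba8b464d26b1f06e193528991dd40922b88d82175d3d91420e2fa215de3b67fa'
$KnownSerial = '726CC6DF3389C67071EAA1CF524BD992'
$ServiceName = 'IhPul'

function Get-TsvrIndicators {
    $findings = [ordered]@{}

    # 1. The page lists "IhPul" as the display name; the internal service
    #    name may differ, so match on either.
    $svc = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName }
    $findings.ServicePresent = [bool]$svc
    if ($svc) {
        $findings.ServiceState = $svc.State
        $findings.ServiceType  = $svc.ServiceType   # expect "Own Process" (Win32OwnProcess)
        $findings.PathName     = $svc.PathName
    }

    # 2. Candidate binaries: the service's own image path plus the common
    #    path under every user profile (the page's path has a {user} placeholder).
    $paths = @()
    if ($svc -and $svc.PathName) {
        $paths += if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
                  else { ($svc.PathName -split ' ')[0] }
    }
    $paths += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\setup1\tsvr.exe' }
    $paths = $paths | Where-Object { Test-Path $_ } | Select-Object -Unique

    # 3. Hash and signature check for each copy found.
    $findings.Files = foreach ($p in $paths) {
        $hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash.ToLower()
        $sig  = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path          = $p
            Sha256        = $hash
            HashMatches   = ($hash -eq $KnownSha256)
            SignerSubject = $sig.SignerCertificate.Subject
            SerialMatches = ($sig.SignerCertificate.SerialNumber -eq $KnownSerial)
            # A timestamped signature can still report "Valid" after the
            # certificate's 2/24/2017 expiry, so NotAfter is shown explicitly.
            CertNotAfter  = $sig.SignerCertificate.NotAfter
            SigStatus     = $sig.Status
        }
    }
    [pscustomobject]$findings
}

Get-TsvrIndicators | Format-List
```

A hash mismatch with a matching signer serial usually means a different build of the same family signed with the same certificate; treat the service name and path as the stronger indicators in that case, since the page's 3.0.0.59 hash identifies only one sample.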


The executing file has been observed making the following network connections in live environments. All destinations are Amazon CloudFront edge nodes reached over unencrypted HTTP; the reverse-DNS names describe shared CDN infrastructure that rotates between runs, not servers owned by the publisher, so the process image, service name and file hashes above are the useful indicators rather than these IP addresses.

TCP (HTTP):
Connects to server-54-230-95-204.fra2.r.cloudfront.net  (54.230.95.204:80)

TCP (HTTP):
Connects to server-54-230-95-128.fra2.r.cloudfront.net  (54.230.95.128:80)

TCP (HTTP):
Connects to server-52-85-77-18.lax3.r.cloudfront.net  (52.85.77.18:80)

TCP (HTTP):
Connects to server-52-85-77-132.lax3.r.cloudfront.net  (52.85.77.132:80)

TCP (HTTP):
Connects to server-52-84-25-37.sea32.r.cloudfront.net  (52.84.25.37:80)

TCP (HTTP):
Connects to server-52-84-25-66.sea32.r.cloudfront.net  (52.84.25.66:80)

TCP (HTTP):
Connects to server-52-85-74-14.lhr3.r.cloudfront.net  (52.85.74.14:80)

TCP (HTTP):
Connects to server-52-85-83-249.lax1.r.cloudfront.net  (52.85.83.249:80)

TCP (HTTP):
Connects to server-52-85-83-232.lax1.r.cloudfront.net  (52.85.83.232:80)

TCP (HTTP):
Connects to server-52-85-74-127.lhr3.r.cloudfront.net  (52.85.74.127:80)

TCP (HTTP):
Connects to server-54-230-95-164.fra2.r.cloudfront.net  (54.230.95.164:80)

TCP (HTTP):
Connects to server-54-230-95-118.fra2.r.cloudfront.net  (54.230.95.118:80)

TCP (HTTP):
Connects to server-52-85-83-14.lax1.r.cloudfront.net  (52.85.83.14:80)

TCP (HTTP):
Connects to server-52-85-83-103.lax1.r.cloudfront.net  (52.85.83.103:80)

TCP (HTTP):
Connects to server-52-85-63-89.lhr50.r.cloudfront.net  (52.85.63.89:80)

TCP (HTTP):
Connects to server-52-85-63-154.lhr50.r.cloudfront.net  (52.85.63.154:80)

TCP (HTTP):
Connects to server-54-192-230-152.waw50.r.cloudfront.net  (54.192.230.152:80)

TCP (HTTP):
Connects to server-52-85-83-220.lax1.r.cloudfront.net  (52.85.83.220:80)

TCP (HTTP):
Connects to server-52-84-25-147.sea32.r.cloudfront.net  (52.84.25.147:80)

TCP (HTTP):
Connects to server-52-84-25-11.sea32.r.cloudfront.net  (52.84.25.11:80)
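Because the destinations are shared CloudFront edges, a detection should key on the process rather than the addresses. The following PowerShell is an added example, not from the original page: it runs a filter over three constructed Sysmon-style network-connection (Event ID 3) records. The field names follow Sysmon's schema; the user names and the Firefox record are made up, while the tsvr.exe path, port 80 and the CloudFront destinations are taken from the page.

```powershell
# Added detection example (not part of the original page).
# Constructed Sysmon Event ID 3 records standing in for real telemetry.
$events = @(
    [pscustomobject]@{ Image='C:\Users\alice\AppData\Roaming\setup1\tsvr.exe'
                       User='NT AUTHORITY\SYSTEM'; DestinationIp='54.230.95.204'
                       DestinationHostname='server-54-230-95-204.fra2.r.cloudfront.net'; DestinationPort=80 }
    [pscustomobject]@{ Image='C:\Program Files\Mozilla Firefox\firefox.exe'
                       User='CORP\alice'; DestinationIp='52.85.83.249'
                       DestinationHostname='server-52-85-83-249.lax1.r.cloudfront.net'; DestinationPort=443 }
    [pscustomobject]@{ Image='C:\Users\bob\AppData\Roaming\setup1\tsvr.exe'
                       User='NT AUTHORITY\SYSTEM'; DestinationIp='52.85.74.14'
                       DestinationHostname='server-52-85-74-14.lhr3.r.cloudfront.net'; DestinationPort=80 }
)

function Find-TsvrBeacons {
    param([object[]]$Events)
    $Events | Where-Object {
        # Match the process and its per-user install path, not the IPs:
        # the two CloudFront lists on the page share no addresses, so an
        # IP block list would both miss new edges and over-block the CDN.
        $_.Image -match '\\AppData\\Roaming\\setup1\\tsvr\.exe$' -and
        $_.DestinationPort -eq 80 -and
        $_.DestinationHostname -like '*.cloudfront.net'
    }
}

# Only the two tsvr.exe records should be returned; the browser's
# CloudFront traffic on 443 is left alone.
Find-TsvrBeacons -Events $events | Select-Object Image, User, DestinationIp
```

With real data, replace `$events` with the parsed output of `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=3]]'`; the hostname test is a weak secondary signal, since Sysmon fills DestinationHostname only when a reverse lookup succeeds.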

Powered by Reason Core Security