win.exe

SendStat Module

The application win.exe has been detected as a potentially unwanted program by 24 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘win’. While running, it connects to the Internet address dmpro-ca-01.fooservers.com on port 80 using the HTTP protocol.
Product:
SendStat Module

Version:
0, 0, 0, 0

MD5:
005ba23ecd999903ac5ddf2cd1593bc0

SHA-1:
76c75b3f383f9d4b788417325e4e66458cd3eff9

SHA-256:
e228c967dd2f3c372917306f274998d9128d4ff8417a413973b9e0a94d79a123

Scanner detections:
24 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 12:36:16 AM UTC

Scan engine            Detection                                          Engine version
Lavasoft Ad-Aware      Trojan.GenericKD.2895710                           397
Agnitum Outpost        Riskware.Agent                                     7.1.1
AhnLab V3 Security     PUP/Win32.Installer                                2016.01.03
Arcabit                Trojan.Generic.D2C2F5E                             1.0.0.637
avast!                 Win32:Dropper-gen [Drp]                            2014.9-160103
AVG                    Generic_r                                          2017.0.2875
Baidu Antivirus        PUA.Win32.HideBaid                                 4.0.3.151126
Bitdefender            Trojan.GenericKD.2895710                           1.0.20.15
Emsisoft Anti-Malware  Trojan.GenericKD.2895710                           8.16.01.03.11
ESET NOD32             Win32/HideBaid.N potentially unwanted application  7.0.302.0
Fortinet FortiGate     Riskware/HideBaid                                  1/3/2016
F-Secure               Trojan.GenericKD.2895710                           11.2016-03-01_1
G Data                 Trojan.GenericKD.2895710                           16.1.25
K7 AntiVirus           Adware                                             13.212.18302
Malwarebytes           Trojan.Downloader.QQ                               v2016.01.03.11
McAfee                 Artemis!005BA23ECD99                               5600.6531
MicroWorld eScan       Trojan.GenericKD.2895710                           17.0.0.9
NANO AntiVirus         Trojan.Win32.HideBaid.dyywxw                       1.0.14.5380
nProtect               Trojan.GenericKD.2895710                           15.12.31.01
Rising Antivirus       PE:Malware.Generic/QRS!1.9E2D [F]                  23.00.65.16101
Trend Micro            TROJ_GEN.R00XC0EL115                               10.465.03
VIPRE Antivirus        Trojan.Win32.Generic                               46230
ViRobot                Trojan.Win32.Z.Hidebaid.188416[h]                  2014.3.20.0
Zillya! Antivirus      Adware.PopAd.Win32.276                             2.0.0.2591

File size:
184 KB (188,416 bytes)

Product version:
0, 0, 0, 0

Copyright:
Copyright 2013

Original file name:
SendStat.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\Program Files\tencent\win.exe

File PE Metadata
Compilation timestamp:
11/26/2015 12:27:15 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:49lHnOmVCznomqVaKxKYwsJ1vyDxwN1vm00XF5LKtULspgG:OJBraK0z61qDYm0knsp

Entry address:
0xAC7A

Entry point:
55, 8B, EC, 6A, FF, 68, 78, 29, 42, 00, 68, 5C, E0, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, C0, 11, 42, 00, 33, D2, 8A, D4, 89, 15, 2C, DF, 42, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 28, DF, 42, 00, C1, E1, 08, 03, CA, 89, 0D, 24, DF, 42, 00, C1, E8, 10, A3, 20, DF, 42, 00, 6A, 01, E8, 01, 4A, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, C3, 00, 00, 00, 59, E8, 62, 2A, 00, 00, 85, C0, 75, 08, 6A, 10, E8, B2, 00, 00, 00, 59, 33, F6, 89, 75...

Entropy:
6.0086

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
128 KB (131,072 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
win

Command:
C:\Program Files\tencent\win.exe httC:\down.baidu2016.com\qq\test.txt \start

While executing, this file has been observed making the following network communication in live environments.

TCP (HTTP):
Connects to dmpro-ca-01.fooservers.com (167.114.156.214:80)

Remove win.exe - Powered by Reason Core Security