winsvc.exe

The executable winsvc.exe has been detected as malware by 2 of 68 anti-virus scanners. It is configured to run automatically whenever any user logs into Windows (via the machine-wide Run registry key under HKLM) using the value name ‘Microsoft Windows Services’, a label chosen to resemble a legitimate Windows component. Its version resource carries the publisher and product fields of Qt Designer (original file name designer.exe), so the file metadata should not be taken as evidence of legitimacy. The file has been seen being downloaded from evaporez.com.
Publisher:
Digia Plc and/or its subsidiary(-ies)

Product:
Qt Designer

Version:
1.0.0.0

MD5:
a2655e2989d15b0d19c3c23d0c68a071

SHA-1:
59955265ab3556374363274ebb40eb31f8f31830

SHA-256:
971c45654c3efcd4113f14136ed95f70029454af284ed375e5bf58d43963244b

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
12/25/2024 1:23:45 PM UTC

Scan engine    Detection                              Engine version
ESET NOD32     Win32/Injector.CLWY (variant)          9.12521
Kaspersky      UDS:DangerousObject.Multi.Generic      14.0.0.1163

File size:
859.5 KB (880,128 bytes)

Product version:
1.0.0.0

Copyright:
Copyright (C) 2015 The Qt Company Ltd.

Original file name:
designer.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\windows\m-50504236059630380393025030\winsvc.exe

File PE Metadata
Compilation timestamp:
12/17/2014 4:33:25 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:4+x9BZJTxEox9OxYwHMmW0GO7vPiY0t8hZk:Nd/xupkihO

Entry address:
0xA9520

Entry point:

Entropy:
6.7065

Developed / compiled with:
Microsoft Visual C++

Code size:
673.5 KB (689,664 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Microsoft Windows Services

Command:
C:\windows\m-50504236059630380393025030\winsvc.exe


The file winsvc.exe has been seen being distributed by the following URL.

Remove winsvc.exe - Powered by Reason Core Security