winsvc.exe

The executable winsvc.exe has been detected as malware by 31 anti-virus scanners. It is configured to start automatically at user logon through the current-user Run registry key, under the display name ‘Microsoft Windows Services’. The file has been observed being downloaded from smseaside.com and multiple other hosts.
MD5:
2b49585f2811734ccd2811f1a7004c06

SHA-1:
600c365a8a1aef35cd74fd5d61c6ecb2992a0cc5

SHA-256:
e2a52d767bfedc697affa7f00e2ca37ce9466020125f8919a2d4700bdc11c2ef

Scanner detections:
31 / 68

Status:
Malware

Analysis date:
11/24/2024 8:29:59 AM UTC

Scan engine                   | Detection                  | Engine version
------------------------------|----------------------------|----------------
Lavasoft Ad-Aware             | Trojan.PWS.Fareit.AS       | 630
Agnitum Outpost               | Trojan.IRCbot              | 7.1.1
Avira AntiVirus               | TR/Injector.1038848.6      | 3.6.1.96
avast!                        | Win32:Malware-gen          | 2014.9-150515
AVG                           | Inject2                    | 2016.0.3108
Baidu Antivirus               | Trojan.Win32.IRCbot        | 4.0.3.15515
Bitdefender                   | Trojan.PWS.Fareit.AS       | 1.0.20.675
Comodo Security               | UnclassifiedMalware        | 22006
Dr.Web                        | Win32.HLLW.Phorpiex.54     | 9.0.1.0135
Emsisoft Anti-Malware         | Trojan.PWS.Fareit.AS       | 8.15.05.15.12
ESET NOD32                    | Win32/Injector.BZKB        | 9.11577
Fortinet FortiGate            | W32/BZKB!tr                | 5/15/2015
F-Secure                      | Trojan.PWS.Fareit.AS       | 11.2015-15-05_6
G Data                        | Trojan.PWS.Fareit.AS       | 15.5.25
IKARUS anti.virus             | Trojan.Win32.Injector      | t3scan.1.8.9.0
K7 AntiVirus                  | Trojan                     | 13.203.15801
Kaspersky                     | Trojan.Win32.IRCbot        | 14.0.0.2037
McAfee                        | RDN/Spybot.worm!t          | 5600.6764
Microsoft Security Essentials | VirTool:Win32/DelfInject   | 1.1.11602.0
MicroWorld eScan              | Trojan.PWS.Fareit.AS       | 16.0.0.405
NANO AntiVirus                | Trojan.Win32.IRCbot.drcjrj | 0.30.24.1357
Norman                        | Troj_Generic_2.GGKK        | 11.20150515
nProtect                      | Trojan.PWS.Fareit.AS       | 15.05.04.01
Panda Antivirus               | Trj/Genetic.gen            | 15.05.15.12
Qihoo 360 Security            | Win32/Trojan.BO.87a        | 1.0.0.1015
Quick Heal                    | Trojan.IRCbot.r8           | 5.15.14.00
Reason Heuristics             | Threat.Win.Reputation.IMP  | 15.5.17.10
Sophos                        | Mal/Generic-S              | 4.98
Trend Micro House Call        | TROJ_GEN.R047H07DU15       | 7.2.135
VIPRE Antivirus               | Backdoor.IRCBot            | 39956
Zillya! Antivirus             | Trojan.IRCBot.Win32.7384   | 2.0.0.2166

File size:
1014.5 KB (1,038,848 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\m-505034039586930203940876\winsvc.exe

File PE Metadata
Compilation timestamp:
6/19/1992 9:54:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:U3SeudJkK2S1dcBoaEGLPnSb23Fg4ZjGmQeRoAzs/JW:4K2Som8S6FwAUJW

Entry address:
0xCD2B4

Entry point:
55, 8B, EC, 83, C4, F0, B8, 04, D0, 4C, 00, E8, 2C, 9B, F3, FF, A1, 18, 64, 4D, 00, 8B, 00, E8, 94, 8B, F9, FF, 8B, 0D, BC, 65, 4D, 00, A1, 18, 64, 4D, 00, 8B, 00, 8B, 15, F0, C6, 4C, 00, E8, 94, 8B, F9, FF, A1, 18, 64, 4D, 00, 8B, 00, E8, 08, 8C, F9, FF, E8, 4B, 73, F3, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.7103

Developed / compiled with:
Microsoft Visual C++

Code size:
817 KB (836,608 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Microsoft Windows Services

Command:
C:\windows\m-505034039586930203940876\winsvc.exe

The file winsvc.exe has been observed being distributed from the following 3 URLs.

http://smseaside.com/doc.exe

http://94.102.51.61/.../doc.exe

Powered by Reason Core Security