winsvc.exe

The executable winsvc.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Microsoft Windows Service’. The file has been seen being downloaded from bestbaconmichigan.com and multiple other hosts.
MD5:
6e76f833df57ec29a6ff717824d55cf5

SHA-1:
77ac3e8628e812c2a5aada331a9fd9aa371ec578

SHA-256:
082f83bd402e3044f1232ef64b5d245852795ed623f3d712908b76e2cec367cd

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/24/2024 8:55:40 AM UTC

Scan engine:
Reason Heuristics

Detection:
Threat.Win.Reputation.IMP

Engine version:
16.1.11.9

File size:
1019 KB (1,043,456 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\m-5050750405503593842050533740\winsvc.exe

File PE Metadata
Compilation timestamp:
6/20/1992 2:57:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:I3SeudJkK2S1dcBoaEGLPnSb23Fg4ZjGmQeRoAzs/HkXw:sK2Som8S6FwAUHkg

Entry address:
0xCD2B4

Entry point:
55, 8B, EC, 83, C4, F0, B8, 04, D0, 4C, 00, E8, 2C, 9B, F3, FF, A1, 18, 64, 4D, 00, 8B, 00, E8, 94, 8B, F9, FF, 8B, 0D, BC, 65, 4D, 00, A1, 18, 64, 4D, 00, 8B, 00, 8B, 15, F0, C6, 4C, 00, E8, 94, 8B, F9, FF, A1, 18, 64, 4D, 00, 8B, 00, E8, 08, 8C, F9, FF, E8, 4B, 73, F3, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.7061

Developed / compiled with:
Microsoft Visual C++

Code size:
817 KB (836,608 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Microsoft Windows Service

Command:
C:\windows\m-5050750405503593842050533740\winsvc.exe

The file winsvc.exe has been seen being distributed by the following 3 URLs.

http://bestbaconmichigan.com/w.exe

http://94.102.51.61/.../wu.exe

Remove winsvc.exe - Powered by Reason Core Security