ntcontrolsvc.exe

Atom Security OOO

The application ntcontrolsvc.exe, “Network Maintenance Service” by Atom Security OOO, has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It runs as a standalone Windows service (within the context of its own process) named “NtControlSvc”. While running, it connects to the Internet address bar-navig.yandex.ru on port 443.
Publisher:
RapidLights, Inc. (signed by Atom Security OOO)

Description:
Network Maintenance Service

Version:
2.2.4.5

MD5:
ae747cb2764a28bddf223198066b48b9

SHA-1:
20b7f1b0980cdf830c5e06a95a2c00c7491ba38f

SHA-256:
d76ce35fa39442e07fd2daf16f786f45fd664273a832e0559e2c278ed2a4f53a

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/25/2024 6:32:53 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Optional.AtomSecurity.Service

Engine version:
16.2.13.19

File size:
3.6 MB (3,727,952 bytes)

Product version:
2.2.4.5

Copyright:
Copyright (C) 2015 RapidLights, Inc.

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\syswow64\ltprx\ntcontrolsvc.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/4/2015 3:00:00 AM

Valid to:
6/4/2018 2:59:59 AM

Subject:
CN=Atom Security OOO, OU=development, O=Atom Security OOO, STREET="Academician Koptyuga Prospect, 4,office 158", L=Novosibirsk, S=nso, PostalCode=630090, C=RU

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
2F74D159839B911DB6F1DFF991E70893

File PE Metadata
Compilation timestamp:
1/19/2016 12:11:30 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:GzZilSESbKCgVH5fT0XTWlLW+g1+2BL3E2NpFJD7NewRWqqbCdonoXTuMp/iUksR:oiQE4mailLW+ggoL33bNtWvbCDiUksuE

Entry address:
0x142F96

Entry point:
E8, F7, ED, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 75, 0B, FF, 75, 0C, E8, 34, D3, FF, FF, 59, 5D, C3, 56, 8B, 75, 0C, 85, F6, 75, 0D, FF, 75, 08, E8, B5, D3, FF, FF, 59, 33, C0, EB, 4D, 57, EB, 30, 85, F6, 75, 01, 46, 56, FF, 75, 08, 6A, 00, FF, 35, D0, CD, 77, 00, FF, 15, 54, 1D, 78, 00, 8B, F8, 85, FF, 75, 5E, 39, 05, D4, CD, 77, 00, 74, 40, 56, E8, A1, 18, 00, 00, 59, 85, C0, 74, 1D, 83, FE, E0, 76, CB, 56, E8, 91, 18, 00, 00, 59, E8, 75, EC, FF, FF, C7, 00, 0C, 00, 00, 00, 33...

Code size:
2.8 MB (2,942,976 bytes)

Service
Display name:
NtControlSvc

Description:
NtControlSvc's Redirector service

Type:
Win32OwnProcess

Depends on:
RPCSS


The executing file has been seen to make the following network communications in live environments.

Remove ntcontrolsvc.exe - Powered by Reason Core Security