rstrui_win.exe

Microsoft Windows

The executable rstrui_win.exe has been detected as malware by 1 anti-virus scanner. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘SystemRestore’.
Publisher:
Microsoft Windows (signed and verified)

MD5:
a1afd50c2da017693431f4f0b37225c1

SHA-1:
10d9cf6a1531a6441e56fa1d4be882416ef59b41

SHA-256:
31c28f1ab547c1fdeec60bcc3300cc4ae2b1cb79e042a4e319fa7a9d2ea88e26

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
5/7/2024 11:32:20 AM UTC

Scan engine:
Reason Heuristics

Detection:
Threat.Win.Reputation.IMP

Engine version:
16.2.10.22

File size:
66.5 KB (68,064 bytes)

File type:
Executable application (Win32 EXE)

Digital Signature
Authority:
Microsoft Windows

Valid from:
12/31/2011 11:30:00 PM

Valid to:
12/31/2014 11:30:00 PM

Subject:
CN=Microsoft Windows

Issuer:
CN=Microsoft Windows

Serial number:
5BB23983499B89A043A8103A67241378

File PE Metadata
Compilation timestamp:
9/27/2013 4:09:55 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
1536:FC0fERwsrzyFdzfupqe4fYDvctjfyMLqnyT2BiNFO:FC0MRw6yqgTYAda0T2D

Entry address:
0x3AB7

Entry point:
E8, 66, 48, 00, 00, E9, 89, FE, FF, FF, 66, 0F, EF, C0, 51, 53, 8B, C1, 83, E0, 0F, 85, C0, 75, 7F, 8B, C2, 83, E2, 7F, C1, E8, 07, 74, 37, 8D, A4, 24, 00, 00, 00, 00, 66, 0F, 7F, 01, 66, 0F, 7F, 41, 10, 66, 0F, 7F, 41, 20, 66, 0F, 7F, 41, 30, 66, 0F, 7F, 41, 40, 66, 0F, 7F, 41, 50, 66, 0F, 7F, 41, 60, 66, 0F, 7F, 41, 70, 8D, 89, 80, 00, 00, 00, 48, 75, D0, 85, D2, 74, 37, 8B, C2, C1, E8, 04, 74, 0F, EB, 03, 8D, 49, 00, 66, 0F, 7F, 01, 8D, 49, 10, 48, 75, F6, 83, E2, 0F, 74, 1C, 8B, C2, 33, DB, C1, EA, 02...

Entropy:
6.2675

Code size:
46 KB (47,104 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
SystemRestore

Command:
C:\window\system-restore\rstrui_win.exe


Powered by Reason Core Security