svcspwin.exe

WinsPop Enterprise Super V 2.0

agir

The application svcspwin.exe has been detected as a potentially unwanted program by 17 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “WinsPop Service”. While running, it connects to the Internet address 209-99-40-223.fwd.datafoundry.com on port 80 using the HTTP protocol.
Publisher:
agir

Product:
WinsPop Enterprise Super V 2.0

Version:
1, 3, 1, 177

MD5:
d8b1fc8b2382f06023006d98de40a783

SHA-1:
fc023c8c881e408326ffb5d9333a40b92a9f7454

SHA-256:
27664e9a03b25ff6330019581249b0878280024b85486c3d0123fd13d41f9308

Scanner detections:
17 / 68

Status:
Potentially unwanted

Analysis date:
12/16/2017 12:52:15 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.WinAgir
2013.11.09

avast!
Win32:Dropper-LAS [Drp]
2014.9-160625

AVG
Generic5
2017.0.2701

Bitdefender
Gen:Variant.Graftor.116422
1.0.20.885

Emsisoft Anti-Malware
Gen:Variant.Graftor.116422
8.16.06.25.07

ESET NOD32
Win32/Adware.Kraddare.FQ (variant)
10.9024

Fortinet FortiGate
Riskware/Kraddare
6/25/2016

F-Secure
Gen:Variant.Graftor.116422
11.2016-25-06_7

G Data
Gen:Variant.Graftor.116422
16.6.22

IKARUS anti.virus
not-a-virus:AdWare.Win32.WinAgir
t3scan.2.0.127

Kingsoft AntiVirus
Win32.Troj.Generic.a.(kcloud)
331020.49267

Malwarebytes
Adware.KorAd
v2016.06.25.07

McAfee
Artemis!D8B1FC8B2382
5600.6357

McAfee Web Gateway
Artemis!D8B1FC8B2382
7.6357

MicroWorld eScan
Gen:Variant.Graftor.116422
17.0.0.531

Panda Antivirus
Generic Malware
16.06.25.07

VIPRE Antivirus
Trojan.Win32.Generic
23172

File size:
96 KB (98,304 bytes)

Product version:
1, 3, 1, 177

Copyright:
Copyright (C) 2013

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\syswow64\svcspwin.exe

File PE Metadata
Compilation timestamp:
9/14/2013 1:16:12 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:5ynEn+NWQYKz3/DmTCdmQBs0TvAZR/Cn+JBCnFtixL9akkkkkkkkkkkkkkIrP:CNWQJz3/DSqmgGR6n+JBoFtmz

Entry address:
0x7483

Entry point:
55, 8B, EC, 6A, FF, 68, F0, F4, 40, 00, 68, 1C, AD, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, 34, F1, 40, 00, 33, D2, 8A, D4, 89, 15, 94, 74, 41, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 90, 74, 41, 00, C1, E1, 08, 03, CA, 89, 0D, 8C, 74, 41, 00, C1, E8, 10, A3, 88, 74, 41, 00, 6A, 01, E8, BF, 25, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, C3, 00, 00, 00, 59, E8, E9, 09, 00, 00, 85, C0, 75, 08, 6A, 10, E8, B2, 00, 00, 00, 59, 33, F6, 89, 75...
 
[+]

Entropy:
5.4274

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
56 KB (57,344 bytes)

Service
Display name:
WinsPop Service

Type:
Win32OwnProcess


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 209-99-40-223.fwd.datafoundry.com  (209.99.40.223:80)

Remove svcspwin.exe - Powered by Reason Core Security