home

windows.exe

Remote Service Application

Microsoft Corp.

The executable windows.exe has been detected as malware by 38 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘windows’.
Publisher:
Microsoft Corp.

Product:
Remote Service Application

Version:
1, 0, 0, 1

MD5:
cab83fa10367449eab0a1195b324e793

SHA-1:
e75a82e7ea86940973be2681cc0bdce977f2b9b4

SHA-256:
956f260c70e126af857f505a6db98ff1a0cd50601c6a0206adb77afa1bbdcc27

Scanner detections:
38 / 68

Status:
Malware

Analysis date:
4/26/2024 7:24:06 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Backdoor.Fynloski.C
583

Agnitum Outpost
Trojan.Comet.Gen.LO
7.1.1

AhnLab V3 Security
Trojan/Win32.DelfInject
2014.12.03

Avira AntiVirus
BDS/DarkKomet.GR
7.11.190.0

avast!
Win32:Downloader-IDA [Trj]
2014.9-150701

AVG
BackDoor.Generic16
2016.0.3061

Bitdefender
Backdoor.Fynloski.C
1.0.20.910

Bkav FE
W32.OnGamesLTKVPOK.Trojan
1.3.0.6267

Clam AntiVirus
WIN.Trojan.DarkKomet
0.98/21511

Comodo Security
Backdoor.Win32.Agent.XAB
20266

Dr.Web
BackDoor.Comet.2020
9.0.1.0182

ESET NOD32
Win32/Fynloski.AA
9.10816

Fortinet FortiGate
W32/DarkKomet.ID!tr.bdr
7/1/2015

F-Secure
Backdoor.Fynloski.C
11.2015-01-07_4

G Data
Backdoor.Fynloski
15.7.24

IKARUS anti.virus
Trojan-Downloader.Win32.Small
t3scan.1.8.3.0

K7 AntiVirus
Backdoor
13.186.14210

Kaspersky
Backdoor.Win32.DarkKomet
14.0.0.1800

Malwarebytes
Backdoor.Agent.DCRSAGen
v2015.07.01.11

McAfee
Generic BackDoor.xa
5600.6717

Microsoft Security Essentials
Backdoor:Win32/Fynloski.A
1.11202

MicroWorld eScan
Backdoor.Fynloski.C
16.0.0.546

NANO AntiVirus
Trojan.Win32.DarkKomet.cssoim
0.28.6.63850

Norman
Downloader.HJVR
11.20150701

nProtect
Backdoor.Fynloski.C
14.12.02.01

Panda Antivirus
Trj/Packed.B
15.07.01.11

Qihoo 360 Security
Malware.QVM06.Gen
1.0.0.1015

Quick Heal
Backdoor.Fynloski.A9
7.15.14.00

Reason Heuristics
Trojan.Backdoor.Meta (M)
15.7.1.23

Rising Antivirus
PE:Backdoor.Pontoeb!1.6637
23.00.65.15629

Sophos
Troj/Backdr-ID
4.98

Total Defense
Win32/Fynloski.A!generic
37.0.11311

Trend Micro House Call
TROJ_AGENT_058807.TOMB
7.2.182

Trend Micro
TROJ_AGENT_058807.TOMB
10.465.01

Vba32 AntiVirus
Backdoor.DarkKomet
3.12.26.3

VIPRE Antivirus
Backdoor.Win32.Fynloski.A
35362

ViRobot
Backdoor.Win32.Agent.674304.A
2011.4.7.4223

Zillya! Antivirus
Trojan.Fynloski.Win32.3190
2.0.0.1997

File size:
11.9 MB (12,521,472 bytes)

Product version:
4, 0, 0, 0

Copyright:
Copyright (C) 1999

Original file name:
MSRSAAP.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

File PE Metadata
Compilation timestamp:
6/7/2012 10:59:53 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
196608:gQePvqxSrDTVokQwhM/kSEMTQINokXJw7lW740VeqQPRz:gzCxSrFokQw2NjUYuWU0ti

Entry address:
0x8F888

Entry point:
55, 8B, EC, B9, 30, 00, 00, 00, 6A, 00, 6A, 00, 49, 75, F9, 51, 53, 56, 57, B8, E0, E3, 48, 00, E8, 2F, 7E, F7, FF, 33, C0, 55, 68, 56, 06, 49, 00, 64, FF, 30, 64, 89, 20, 6A, 00, E8, 2A, 07, F8, FF, A1, B0, 48, 49, 00, C6, 00, 01, E8, 21, B7, FF, FF, B2, 01, A1, 80, DE, 48, 00, E8, 19, E6, FF, FF, A3, E8, C3, 49, 00, 33, D2, 55, 68, 09, FA, 48, 00, 64, FF, 32, 64, 89, 22, 8D, 4D, EC, BA, 70, 06, 49, 00, A1, E8, C3, 49, 00, E8, 68, E6, FF, FF, 8B, 55, EC, A1, 38, 4B, 49, 00, E8, 7F, 5C, F7, FF, 8D, 55, E0...
 
[+]

Entropy:
6.7561

Developed / compiled with:
Microsoft Visual C++

Code size:
573 KB (586,752 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
windows

Command:
C:\users\{user}\documents\msdcsc\windows.exe


Remove windows.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.