» winsys32.exe
Overview
Analysis
File Details
Behaviors (1)
Network (13)

winsys32.exe

The executable winsys32.exe has been detected as malware by 5 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in.

File name:

winsys32.exe

Version:

0.0.0.0

MD5:

e3437b58ed58e9dbc2afcb4a82eff628

SHA-1:

0e302176f76cd68b81a7c95c72f42f3ea743aefe

SHA-256:

3fcb5b873087605db1294aae0e614fc09e5e518c19e2fc2359e2c492a47cbbac

Scanner detections:

5 / 68

Status:

Malware

Analysis date:

4/25/2024 1:35:42 PM UTC (today)

Scan engine

Detection

Engine version

avast!

Win32:Malware-gen

160917-0

Dr.Web

Trojan.DownLoader22.58477

9.0.1.05190

ESET NOD32

MSIL/Agent.ADE trojan

6.3.12010.0

F-Secure

Variant.MSILPerseus.3430

5.15.154

Kaspersky

Trojan.Win32.Scar

15.0.2.529

File size:

589.5 KB (603,648 bytes)

Product version:

0.0.0.0

Original file name:

d.exe

File type:

Executable application (Win32 EXE)

Language:

Turkish (Turkey)

Common path:

C:\Program Files\client\winsys32.exe

File PE Metadata

Compilation timestamp:

10/6/2016 3:45:02 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

.NET CLR dependent:

Yes

CTPH (ssdeep):

12288:vHJ+5F1JKiFVl6t0MXg8uBHRvE/Y+m+De4/oxXlMmUy6Ej:01ZvMP2pItbDh/2XlMmtj

Entry address:

0x940AE

Entry point:

FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Developed / compiled with:

Microsoft Visual C# / Basic .NET

Code size:

584.5 KB (598,528 bytes)

Scheduled Task

Task name:

Windows System Services

Trigger:

Logon (Runs on logon)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to a23-219-92-144.deploy.static.akamaitechnologies.com (23.219.92.144:80)

TCP (HTTP):

Connects to a23-219-92-75.deploy.static.akamaitechnologies.com (23.219.92.75:80)

TCP (HTTP):

Connects to a104-96-220-200.deploy.static.akamaitechnologies.com (104.96.220.200:80)

TCP (HTTP):

Connects to a104-96-220-176.deploy.static.akamaitechnologies.com (104.96.220.176:80)

TCP:

Connects to 46-198-19-103.adsl.cyta.gr (46.198.19.103:1337)

TCP (HTTP):

Connects to a23-50-225-17.deploy.static.akamaitechnologies.com (23.50.225.17:80)

TCP (HTTP):

Connects to a23-50-225-11.deploy.static.akamaitechnologies.com (23.50.225.11:80)

TCP (HTTP):

Connects to a23-219-93-210.deploy.static.akamaitechnologies.com (23.219.93.210:80)

TCP (HTTP):

Connects to a23-219-92-177.deploy.static.akamaitechnologies.com (23.219.92.177:80)

TCP (HTTP):

Connects to a23-219-92-136.deploy.static.akamaitechnologies.com (23.219.92.136:80)

TCP (HTTP):

Connects to a23-204-138-163.deploy.static.akamaitechnologies.com (23.204.138.163:80)

TCP (HTTP):

Connects to a23-204-138-152.deploy.static.akamaitechnologies.com (23.204.138.152:80)

TCP:

Connects to 46-198-114-42.adsl.cyta.gr (46.198.114.42:1337)

Remove winsys32.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.