wservice.exe

Sysinternals autoruns

Supersoft

The application wservice.exe, “Autostart program viewer” by Supersoft has been detected as adware by 22 anti-malware scanners.
Publisher:
Sysinternals - www.sysinternals.com  (signed by Supersoft)

Product:
Sysinternals autoruns

Description:
Autostart program viewer

Version:
11.70

MD5:
dbf24364b05472171328cd20c97f9e30

SHA-1:
bea8bddade86277db5535d0c362e3e8bed5ec849

SHA-256:
20b2d88f8d4ef998fd7acd9c629ae6e052a5b4a206883cf1949ffec367ab27db

Scanner detections:
22 / 68

Status:
Adware

Analysis date:
5/8/2024 6:05:13 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Gen:Variant.Strictor.55699 | 892 |
| Agnitum Outpost | Trojan.Citron | 7.1.1 |
| Avira AntiVirus | TR/Injector.DKS | 7.11.169.94 |
| avast! | Win32:Zbot-UHB [Trj] | 140813-1 |
| AVG | Trojan horse MSIL3.RON | 2014.0.4007 |
| Baidu Antivirus | Trojan.MSIL.Injector | 4.0.3.14826 |
| Bitdefender | Gen:Variant.Strictor.55699 | 1.0.20.1190 |
| Bkav FE | HW32.CDB | 1.3.0.4959 |
| Dr.Web | Trojan.DownLoader9.22024 | 9.0.1.05190 |
| Emsisoft Anti-Malware | Gen:Variant.Strictor.55699 | 9.0.0.4324 |
| ESET NOD32 | MSIL/Injector.EGA trojan | 7.0.302.0 |
| F-Secure | Gen:Variant.Strictor.55699 | 11.2014-26-08_3 |
| G Data | Gen:Variant.Strictor.55699 | 14.8.24 |
| Kaspersky | Trojan.MSIL.Citron | 15.0.0.494 |
| Malwarebytes | Trojan.Agent.CMOGen | v2014.08.26.05 |
| MicroWorld eScan | Gen:Variant.Strictor.55699 | 15.0.0.714 |
| Qihoo 360 Security | Win32/Trojan.30d | 1.0.0.1015 |
| Reason Heuristics | PUP.Supersoft.I | 14.8.26.16 |
| Sophos | Mal/Cleaman-B | 4.98 |
| Trend Micro House Call | TROJ_SPNR.36F514 | 7.2.238 |
| Trend Micro | TROJ_SPNR.36F514 | 10.465.26 |
| VIPRE Antivirus | Threat.4150696 | 32210 |

File size:
287.2 KB (294,072 bytes)

Product version:
11.70

Copyright:
Copyright (C) 2002-2013 Mark Russinovich and Bryce Cogswell

Original file name:
autoruns.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\windows services\wservice.exe

Digital Signature
Signed by:

Authority:
Supersoft

Valid from:
9/30/2012 11:26:38 AM

Valid to:
1/1/2040 1:59:59 AM

Subject:
CN=Supersoft

Issuer:
CN=Supersoft

Serial number:
6B50254A40C7CFB14A405056B8F04272

File PE Metadata
Compilation timestamp:
4/23/2014 10:03:55 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:putk2ISauVsUMCTatUqVzAWXHKWP4EGUk:ckbSaSsHQatUqRTKWPq

Entry address:
0x425DE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 48, B8, 00, 00, 00, 00, 00, 00, 00, 00, 49, 39, 40, 08, 74, 0C, 48, B8, 00, 00, 00, 00, 00, 00, 00, 00, FF, E0, 48, B8, 00, 00, 00, 00, 00, 00, 00, 00, FF, E0, 55, 8B, EC, 8B, 45, 10, 81, 78, 04, 7D, 1D, EA, 0C, 74, 07, B8, B6, B1, 4A, 06, EB, 05, B8, B6, 92, 40, 0C, 5D, FF, E0, 7B, 05, 4A, 0C, F4, 9C, DD, 9A, 79, DD, B7, 29, 79, 41, 09, 2B, 43, 51, 17, 2B, 4A, 3F, 40, 17...
 
Entropy:
7.7034

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
257.5 KB (263,680 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
