File name:

winserv.exe

Full analysis: https://app.any.run/tasks/a823bd7b-e416-4af6-8a4a-049555d64f48
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: August 07, 2024, 18:41:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
rat
rms
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
MD5:

3F4F5A6CB95047FEA6102BD7D2226AA9

SHA1:

FC09DD898B6E7FF546E4A7517A715928FBAFC297

SHA256:

99FD9E75E6241EFF30E01C5B59DF9E901FB24D12BEE89C069CC6158F78B3CC98

SSDEEP:

196608:iz+UZcWP4jBrfWgEgIV8Rzy7Vj4FZvEoo:i6UZcWWeVj4FZ8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • winserv.exe (PID: 7012)

    • RMS is detected

      • winserv.exe (PID: 7012)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • winserv.exe (PID: 7012)

    • Connects to unusual port

      • winserv.exe (PID: 7012)

    • Potential Corporate Privacy Violation

      • winserv.exe (PID: 7012)

  • INFO

    • Reads Windows Product ID

      • winserv.exe (PID: 7012)

    • Reads product name

      • winserv.exe (PID: 7012)

    • Reads the computer name

      • winserv.exe (PID: 7012)

    • Process checks computer location settings

      • winserv.exe (PID: 7012)

    • Reads Environment values

      • winserv.exe (PID: 7012)

    • Checks supported languages

      • winserv.exe (PID: 7012)

    • Reads the machine GUID from the registry

      • winserv.exe (PID: 7012)

    • Creates files or folders in the user directory

      • winserv.exe (PID: 7012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, No debug, Bytes reversed hi
PEType: PE32
LinkerVersion: 7
CodeSize: 10563584
InitializedDataSize: 118784
UninitializedDataSize: -
EntryPoint: 0x77b96c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.7.0.2
ProductVersionNumber: 6.7.0.2
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: tox
FileDescription: System
FileVersion: 6.7.0.2
LegalCopyright: Copyright © 2017 tektonit. All rights reserved.
LegalTrademarks: System
ProductName: System
ProductVersion: 6.7.0.2
PROGRAMID: PROGRAM
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #RMS winserv.exe

Process information

PID
CMD
Path
Indicators
Parent process
7012"C:\Users\admin\AppData\Local\Temp\winserv.exe" C:\Users\admin\AppData\Local\Temp\winserv.exe
explorer.exe
User:
admin
Company:
tox
Integrity Level:
MEDIUM
Description:
System
Version:
6.7.0.2
Modules
Images
c:\users\admin\appdata\local\temp\winserv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
4 161
Read events
4 152
Write events
9
Delete events
0

Modification events

(PID) Process:(7012) winserv.exeKey:HKEY_CURRENT_USER\SOFTWARE\tektonit\Remote MANIPULATOR System\Host\Parameters
Operation:writeName:FUSClientPath
Value:
C:\Users\admin\AppData\Local\Temp\rfusclient.exe
(PID) Process:(7012) winserv.exeKey:HKEY_CURRENT_USER\SOFTWARE\tektonit\Remote MANIPULATOR System\Host\Parameters
Operation:writeName:Options
Value:
545046301154524F4D5365727665724F7074696F6E7300095573654E5441757468080D53656375726974794C6576656C020304506F727403121614456E61626C654F7665726C617943617074757265080C53686F775472617949636F6E0915486964655472617949636F6E506F7075704D656E75080642696E644950060D416E7920696E746572666163651343616C6C6261636B4175746F436F6E6E656374091743616C6C6261636B436F6E6E656374496E74657276616C023C084869646553746F70080C497046696C746572547970650202105573654C656761637943617074757265081750726F7465637443616C6C6261636B53657474696E6773081550726F74656374496E6574496453657474696E6773080F446F4E6F7443617074757265524450080755736549507636091141736B557365725065726D697373696F6E0816557365725065726D697373696F6E496E74657276616C031027134175746F416C6C6F775065726D697373696F6E08134E656564417574686F72697479536572766572081F41736B5065726D697373696F6E4F6E6C794966557365724C6F676765644F6E0811557365496E6574436F6E6E656374696F6E0813557365437573746F6D496E6574536572766572080A496E65744964506F727402000D557365496E6574496449507636081444697361626C6552656D6F7465436F6E74726F6C081344697361626C6552656D6F746553637265656E081344697361626C6546696C655472616E73666572080F44697361626C655265646972656374080D44697361626C6554656C6E6574081444697361626C6552656D6F746545786563757465081244697361626C655461736B4D616E61676572080E44697361626C654F7665726C6179080F44697361626C6553687574646F776E081444697361626C6552656D6F746555706772616465081544697361626C655072657669657743617074757265081444697361626C654465766963654D616E61676572080B44697361626C6543686174081344697361626C6553637265656E5265636F7264081044697361626C65415643617074757265081244697361626C6553656E644D657373616765080F44697361626C655265676973747279080D44697361626C65415643686174081544697361626C6552656D6F746553657474696E6773081544697361626C6552656D6F74655072696E74696E67080A44697361626C65526470080F4E6F7469667953686F7750616E656C09144E6F746966794368616E67655472617949636F6E09104E6F7469667942616C6C6F6E48696E74080F4E6F74696679506C6179536F756E64080C4E6F7469667950616E656C5802FF0C4E6F7469667950616E656C5902FF064C6F6755736509055369644964061034353531312E373738363835393732321144697361626C65496E7465726E65744964080B536166654D6F6465536574080F53796E6341757468456E61626C6564081253686F7749644E6F74696669636174696F6E081953686F7749644E6F74696669636174696F6E52657175657374081A496E746567726174654669726577616C6C417453747572747570080000
(PID) Process:(7012) winserv.exeKey:HKEY_CURRENT_USER\SOFTWARE\tektonit\Remote MANIPULATOR System\Host\Parameters
Operation:writeName:InternetId
Value:
EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D38223F3E0D0A3C726D735F696E7465726E65745F69645F73657474696E67732076657273696F6E3D223637303032223E3C696E7465726E65745F69643E3C2F696E7465726E65745F69643E3C7573655F696E65745F636F6E6E656374696F6E3E66616C73653C2F7573655F696E65745F636F6E6E656374696F6E3E3C696E65745F7365727665723E3C2F696E65745F7365727665723E3C7573655F637573746F6D5F696E65745F7365727665723E66616C73653C2F7573655F637573746F6D5F696E65745F7365727665723E3C696E65745F69645F706F72743E353635353C2F696E65745F69645F706F72743E3C7573655F696E65745F69645F697076363E66616C73653C2F7573655F696E65745F69645F697076363E3C2F726D735F696E7465726E65745F69645F73657474696E67733E0D0A
(PID) Process:(7012) winserv.exeKey:HKEY_CURRENT_USER\SOFTWARE\tektonit\Remote MANIPULATOR System\Host\Parameters
Operation:writeName:CalendarRecordSettings
Value:
FFFE3C003F0078006D006C002000760065007200730069006F006E003D00220031002E0030002200200065006E0063006F00640069006E0067003D0022005500540046002D003100360022003F003E000D000A003C0073007200650065006E005F007200650063006F00720064005F006F007000740069006F006E002000760065007200730069006F006E003D0022003600370030003000320022003E003C006D00610069006E005F006F007000740069006F006E0073003E003C006100630074006900760065003E00660061006C00730065003C002F006100630074006900760065003E003C0069006E00740065007200760061006C005F00730068006F0074003E00360030003C002F0069006E00740065007200760061006C005F00730068006F0074003E003C00700072006F0074006500630074005F007200650063006F00720064003E00660061006C00730065003C002F00700072006F0074006500630074005F007200650063006F00720064003E003C0063006F006D007000720065007300730069006F006E005F007100750061006C006900740079003E00390030003C002F0063006F006D007000720065007300730069006F006E005F007100750061006C006900740079003E003C007300630061006C0065005F007100750061006C006900740079003E003100300030003C002F007300630061006C0065005F007100750061006C006900740079003E003C0063006F006D007000720065007300730069006F006E005F0074007900700065003E0030003C002F0063006F006D007000720065007300730069006F006E005F0074007900700065003E003C006D00610078005F00660069006C0065005F00730069007A0065003E003100300030003C002F006D00610078005F00660069006C0065005F00730069007A0065003E003C006100750074006F005F0063006C006500610072003E00660061006C00730065003C002F006100750074006F005F0063006C006500610072003E003C006100750074006F005F0063006C006500610072005F0064006100790073003E0030003C002F006100750074006F005F0063006C006500610072005F0064006100790073003E003C0075007300650064005F00660069006C0065005F006C0069006D00690074003E0074007200750065003C002F0075007300650064005F00660069006C0065005F006C0069006D00690074003E003C0061006C006C005F00660069006C00650073005F006C0069006D00690074005F006D0062003E0031003000300030003C002F0061006C006C005F00660069006C00650073005F006C0069006D00690074005F006D0062003E003C0064007200610077005F006400610074006100740069006D0065005F006F006E005F0069006D006100670065003E0074007200750065003C002F0064007200610077005F006400610074006100740069006D0065005F006F006E005F0069006D006100670065003E003C0063007500730074006F006D005F00720065006D006F00740065005F006400690072006500630074006F00720079003E003C002F0063007500730074006F006D005F00720065006D006F00740065005F006400690072006500630074006F00720079003E003C002F006D00610069006E005F006F007000740069006F006E0073003E003C007300630068006500640075006C00650073002F003E003C002F0073007200650065006E005F007200650063006F00720064005F006F007000740069006F006E003E000D000A00
(PID) Process:(7012) winserv.exeKey:HKEY_CURRENT_USER\SOFTWARE\tektonit\Remote MANIPULATOR System\Host\Parameters
Operation:writeName:InternetId
Value:
EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D38223F3E0D0A3C726D735F696E7465726E65745F69645F73657474696E67732076657273696F6E3D223637303032223E3C696E7465726E65745F69643E3631362D3539382D3832322D3434353C2F696E7465726E65745F69643E3C7573655F696E65745F636F6E6E656374696F6E3E747275653C2F7573655F696E65745F636F6E6E656374696F6E3E3C696E65745F7365727665723E3C2F696E65745F7365727665723E3C7573655F637573746F6D5F696E65745F7365727665723E66616C73653C2F7573655F637573746F6D5F696E65745F7365727665723E3C696E65745F69645F706F72743E353635353C2F696E65745F69645F706F72743E3C7573655F696E65745F69645F697076363E66616C73653C2F7573655F696E65745F69645F697076363E3C2F726D735F696E7465726E65745F69645F73657474696E67733E0D0A
(PID) Process:(7012) winserv.exeKey:HKEY_CURRENT_USER\SOFTWARE\tektonit\Remote MANIPULATOR System\Host\Parameters
Operation:writeName:PASSWORD
Value:
46003500350046004600420032003800430044003500420034003400350036003200420036003800340034003900370041003400360038004500320031004300390032003000420045004300380038003900420045004100350041003500450036004500360035004300300032003400300033003000420046004200420031003600440039003500380039003000390044003300300039003800350031003900370045004600330044003500380034004500420038003500330033004500350039003900440038003800350039003800430038003200440039004500420045003200350031003200380034003500350038003500380044003700310039003200
(PID) Process:(7012) winserv.exeKey:HKEY_CURRENT_USER\SOFTWARE\tektonit\Remote MANIPULATOR System\Host\Parameters
Operation:writeName:Options
Value:
545046301154524F4D5365727665724F7074696F6E7300095573654E5441757468080D53656375726974794C6576656C020304506F727403121614456E61626C654F7665726C617943617074757265080C53686F775472617949636F6E0915486964655472617949636F6E506F7075704D656E75080642696E644950060D416E7920696E746572666163651343616C6C6261636B4175746F436F6E6E656374091743616C6C6261636B436F6E6E656374496E74657276616C023C084869646553746F70080C497046696C746572547970650202105573654C656761637943617074757265081750726F7465637443616C6C6261636B53657474696E6773081550726F74656374496E6574496453657474696E6773080F446F4E6F7443617074757265524450080755736549507636091141736B557365725065726D697373696F6E0816557365725065726D697373696F6E496E74657276616C031027134175746F416C6C6F775065726D697373696F6E08134E656564417574686F72697479536572766572081F41736B5065726D697373696F6E4F6E6C794966557365724C6F676765644F6E0811557365496E6574436F6E6E656374696F6E0813557365437573746F6D496E6574536572766572080A496E65744964506F727402000D557365496E6574496449507636081444697361626C6552656D6F7465436F6E74726F6C081344697361626C6552656D6F746553637265656E081344697361626C6546696C655472616E73666572080F44697361626C655265646972656374080D44697361626C6554656C6E6574081444697361626C6552656D6F746545786563757465081244697361626C655461736B4D616E61676572080E44697361626C654F7665726C6179080F44697361626C6553687574646F776E081444697361626C6552656D6F746555706772616465081544697361626C655072657669657743617074757265081444697361626C654465766963654D616E61676572080B44697361626C6543686174081344697361626C6553637265656E5265636F7264081044697361626C65415643617074757265081244697361626C6553656E644D657373616765080F44697361626C655265676973747279080D44697361626C65415643686174081544697361626C6552656D6F746553657474696E6773081544697361626C6552656D6F74655072696E74696E67080A44697361626C65526470080F4E6F7469667953686F7750616E656C09144E6F746966794368616E67655472617949636F6E09104E6F7469667942616C6C6F6E48696E74080F4E6F74696679506C6179536F756E64080C4E6F7469667950616E656C5802FF0C4E6F7469667950616E656C5902FF064C6F6755736509055369644964061034353531312E373738363835393732320A4164646974696F6E616C0604333637391144697361626C65496E7465726E65744964080B536166654D6F6465536574080F53796E6341757468456E61626C6564081253686F7749644E6F74696669636174696F6E081953686F7749644E6F74696669636174696F6E52657175657374081A496E746567726174654669726577616C6C417453747572747570080000
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7012winserv.exeC:\Users\admin\AppData\Roaming\RMS_settings\Logs\rms_log_2024-08.htmlhtml
MD5:FE1B94D66F7DC733C537EF54142BDE22
SHA256:31A8B98B12F604D9B49DD1D4C3C8BEFE6CAC09468CC0256A88A19F64613A367A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
41
DNS requests
16
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5540
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6744
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6720
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
4160
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4088
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5336
SearchApp.exe
104.126.37.171:443
www.bing.com
Akamai International B.V.
DE
unknown
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5540
svchost.exe
40.126.32.136:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
5540
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 172.217.16.142
whitelisted
www.bing.com
  • 104.126.37.171
  • 104.126.37.178
  • 104.126.37.128
  • 104.126.37.186
  • 104.126.37.161
  • 104.126.37.146
  • 104.126.37.130
  • 104.126.37.162
  • 104.126.37.139
whitelisted
client.wns.windows.com
  • 40.113.103.199
  • 40.113.110.67
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.136
  • 40.126.32.140
  • 20.190.160.17
  • 40.126.32.72
  • 40.126.32.134
  • 40.126.32.133
  • 40.126.32.138
  • 20.190.160.14
whitelisted
rms-server.tektonit.ru
  • 95.213.205.83
malicious
th.bing.com
  • 104.126.37.130
  • 104.126.37.155
  • 104.126.37.146
  • 104.126.37.162
  • 104.126.37.171
  • 104.126.37.161
  • 104.126.37.139
  • 104.126.37.128
  • 104.126.37.186
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
Process
Message
winserv.exe
Error WTSQueryUserToken #1314
winserv.exe
07-08-2024_18:41:18:468#T:Error #20 @2
winserv.exe
07-08-2024_18:41:48:640#T:Msg Size: 104
winserv.exe
07-08-2024_18:41:48:640#T:Msg code: 3
winserv.exe
07-08-2024_18:41:48:640#T:MSG_KEEP_ALIVE
winserv.exe
MSG_KEEP_ALIVE
winserv.exe
07-08-2024_18:42:19:655#T:Msg Size: 104
winserv.exe
07-08-2024_18:42:19:655#T:Msg code: 3
winserv.exe
07-08-2024_18:42:19:655#T:MSG_KEEP_ALIVE
winserv.exe
MSG_KEEP_ALIVE
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
winserv.exe