Winrmsrv


Pascale

Aug 4, 2024, 9:13:57 PM8/4/24
to licutornai
But unfortunately, this file can be targeted by malware. In that case, it can be classified as a Trojan Horse, used as a backdoor for ransomware by hackers. Therefore, if the firewall is blocking winrmsrv.exe, this file may be a virus. In addition, winrmsrv.exe may also be a virus if you get any error message that resembles any of the following:

Description: Winrmsrv.exe is not essential for Windows and will often cause problems. Winrmsrv.exe is located in an undetermined folder.

The file is not a Windows system file. The winrmsrv.exe file is a Windows scheduled task. The winrmsrv.exe file is an unknown file in the Windows folder. The program has no visible window. The software listens for or sends data on open ports to a LAN or the Internet. winrmsrv.exe appears to be a compressed file. Therefore the technical security rating is 68% dangerous.


Important: You should check the winrmsrv.exe process on your PC to see if it is a threat. We recommend Security Task Manager for verifying your computer's security. This was one of the Top Download Picks of The Washington Post and PC World.


The following programs have also been shown useful for a deeper analysis: Security Task Manager examines the active winrmsrv process on your computer and clearly tells you what it is doing. Malwarebytes' well-known anti-malware tool tells you if the winrmsrv.exe on your computer displays annoying ads, slowing it down. This type of unwanted adware program is not considered by some antivirus software to be a virus and is therefore not marked for cleanup.


A clean and tidy computer is the key requirement for avoiding PC trouble. This means running a scan for malware, cleaning your hard drive using cleanmgr and sfc /scannow, uninstalling programs that you no longer need, checking for Autostart programs (using msconfig) and enabling Windows' Automatic Update. Always remember to perform periodic backups, or at least to set restore points.


Should you experience an actual problem, try to recall the last thing you did, or the last thing you installed before the problem appeared for the first time. Use the resmon command to identify the processes that are causing your problem. Even for serious problems, rather than reinstalling Windows, you are better off repairing your installation or, for Windows 8 and later versions, executing the DISM.exe /Online /Cleanup-image /Restorehealth command. This allows you to repair the operating system without losing data.


In this posting we analyze Crackonosh. We look first at how Crackonosh is installed. In our analysis we found that it drops three key files winrmsrv.exe, winscomrssrv.dll and winlogui.exe which we analyze below. We also include information on the steps it takes to disable Windows Defender and Windows Update as well as anti-detection and anti-forensics actions. We include information on how to remove Crackonosh. Finally, we include indicators of compromise for Crackonosh.


The main target of Crackonosh was the installation of the coinminer XMRig. Of all the wallets we found, there was one for which we were able to find statistics. The pool sites showed payments of 9000 XMR in total, that is, at today's prices, over $2,000,000 USD.


From the original compilation date of Crackonosh we identified 30 different versions of serviceinstaller.exe, the main malware executable, from 31.1.2018 up to 23.11.2020. It is easy to find out that serviceinstaller.exe is started from a registry key created by Maintenance.vbs.


The only clue to what happened before the Maintenance.vbs creates this registry key and how the files appear on the computer of the victim is the removal of InstallWinSAT task in maintenance.vbs. Hunting led us to uncover uninstallation logs containing Crackonosh unpacking details when installed with cracked software.


As noted before, the Crackonosh installer registers the maintenance.vbs script with the Windows Task Manager and sets it to run on system startup. The Maintenance.vbs creates a counter that counts system startups until it reaches the 7th or 10th system start, depending on the version. After that the Maintenance.vbs runs serviceinstaller.msi, disables hibernation mode on the infected system and sets the system to boot to safe mode on the next restart. To cover its tracks it also deletes serviceinstaller.msi and maintenance.vbs.


Serviceinstaller.msi does not manipulate any files on the system, it only modifies the registry to register serviceinstaller.exe, the main malware executable, as a service and allows it to run in safe mode. Below you can see the registry entries serviceinstaller.msi makes.


Older versions of serviceinstaller.exe used pathToSignedProductExe to obtain the containing folder. This folder was then deleted. This way Crackonosh could delete older versions of Avast or current versions with Self-Defense turned off.


Older versions of serviceinstaller.exe drop windfn.exe, which is responsible for dropping and executing winlogui.exe. Winlogui.exe contains the coinminer XMRig; in newer versions the serviceinstaller drops winlogui directly and creates the following registry entry:


After decryption we found names of other parts of malware, some URLs, RSA public keys, communication keys for winrmsrv.exe and commands for XMRig. RSA keys are 8192 and 8912 bits long. These keys are used to verify every file downloaded by Crackonosh (via StartupCheckLibrary.dll, winrmsrv.exe, winscomrssrv.dll).


StartupCheckLibrary.dll is the way the author of Crackonosh can download updates of Crackonosh to infected machines. Startupchecklibrary.dll queries TXT DNS records for the domains first[.]universalwebsolutions[.]info and second[.]universalwebsolutions[.]info (or other TLDs like getnewupdatesdownload[.]net and webpublicservices[.]org). There are TXT DNS records like ajdbficadbbfC@@@FEpHw7Hn33. From the first twelve letters it computes the IP address, as shown in the image. The next five characters are the digits of the port, encrypted by adding 16. This gives us a socket from which to download wksprtcli.dll. The last eight characters are the version. Downloaded data is validated against one of the public keys stored in the config file.


Wksprtcli.dll (exports DllGetClassObjectMain) is updating older versions of Crackonosh. The oldest version of wksprtcli.dll that we found checks only the nonexistence of winlogui.exe. Then it deletes diskdriver.exe (previous coinminer) and autostart registry entry. The newest version has a time frame when it runs. It deletes older versions of winlogui.exe or diskdriver.exe and drops new version of winlogui.exe. It drops new config files and installs winrmsrv.exe and winscomrssrv.dll. It also changed the way of starting winlogui.exe from registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to a task scheduled on user login.


Wksprtcli.dll also checks the computer time. The reason may be to avoid overwriting newer versions and to make dynamic analysis harder. It also has a hard-coded date after which it stops the winlogui task, to be able to replace the files.


This malware further protects itself by disabling security software, operating system updates and employs other anti-analysis techniques to prevent discovery, making it very difficult to detect and remove.


In summary, Crackonosh shows the risks in downloading cracked software and demonstrates that it is highly profitable for attackers. Crackonosh has been circulating since at least June 2018 and has yielded over $2,000,000 USD for its authors in Monero from over 222,000 infected systems worldwide.




So warns a new report from antivirus firm Avast, which says that a new piece of coin-mining malware called "Crackonosh" has infected more than 200,000 Windows PCs since 2018, netting the crooks behind it about $2 million in Monero cryptocurrency.


"Crackonosh is distributed along with illegal, cracked copies of popular software and searches for and disables many popular antivirus programs as part of its anti-detection and anti-forensics tactics," wrote Avast researcher Daniel Benes.


Infected downloads containing Crackonosh include "cracked" installers of Fallout 4 Game of the Year edition, Far Cry 5, Grand Theft Auto V, NBA 2K19, Pro Evolution Soccer 2018 and, um, The Sims 4 and The Sims 4 Seasons.


Once a cracked game is installed, the malware makes some Windows Registry changes and installs a few executables that have names that sound like regular Windows services: winrmsrv.exe, winscomrssrv.dll and winlogui.exe. (The latter is the coin-mining part.) It lies in wait for a time, and then on the seventh or 10th restart after installation, boots the PC into Safe Mode.


Many cryptocurrency miners, aka "crypto-jackers," don't really do much damage to the machines they infect. They just want to "borrow" CPU and GPU cycles to generate coins. But Crackonosh is different.


It disables Microsoft Defender, and deletes Avast, Bitdefender, F-Secure, Kaspersky, McAfee, Norton or Panda antivirus software if it's present. It then tweaks the Registry further to disable Windows security updates.


It's best just to avoid infection altogether by not installing cracked software. If you feel you absolutely must, then scan each software installer with antivirus software before you run it. You can often just right-click the installer in your Downloads folder and then select "Scan with" the antivirus software of your choice from the pop-out menu.

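Added example, not part of the post above and not Avast's code: a decoder for the TXT-record update beacon the post describes (StartupCheckLibrary.dll looking up a socket from which to fetch wksprtcli.dll). The field lengths and the +16 shift on the port digits come from the post, and the sample record is the one quoted there. The letter-to-digit mapping used for the IP address is my assumption, because the post defers that part to an image that is not reproduced here; the post also says the version is eight characters while its sample carries nine, so the decoder keeps everything after the port rather than enforcing a length.

```python
"""Decoder for the Crackonosh update-beacon TXT record described in the post.

Record layout, using the post's sample "ajdbficadbbfC@@@FEpHw7Hn33":
    chars  0..11  -> IPv4 address, one letter per decimal digit (3 per octet)
    chars 12..16  -> port, five decimal digits each shifted by +16
    chars 17..    -> version string (post says 8 chars; its sample has 9)
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# ASSUMPTION: the post shows the IP encoding only in an image that is not
# reproduced. Mapping 'a'..'j' to 0..9 is my guess; it turns the sample into a
# well-formed address, but treat it as unverified against real samples.
_LETTER_TO_DIGIT = {chr(ord("a") + i): str(i) for i in range(10)}
_PORT_SHIFT = 16          # from the post: port digits are "encrypted" by adding 16
_IP_LEN, _PORT_LEN = 12, 5


class BeaconFormatError(ValueError):
    """Raised when a TXT record does not follow the expected layout."""


@dataclass(frozen=True)
class Beacon:
    ip: str
    port: int
    version: str

    @property
    def socket(self) -> str:
        return f"{self.ip}:{self.port}"


def decode_ip(chunk: str) -> str:
    """Twelve letters -> four three-digit octets -> dotted IPv4 string."""
    if len(chunk) != _IP_LEN or any(c not in _LETTER_TO_DIGIT for c in chunk):
        raise BeaconFormatError(f"IP chunk {chunk!r} is not 12 letters a-j")
    digits = "".join(_LETTER_TO_DIGIT[c] for c in chunk)
    octets = [int(digits[i:i + 3]) for i in range(0, _IP_LEN, 3)]
    if max(octets) > 255:
        raise BeaconFormatError(f"octet out of range in {chunk!r}")
    # Build from ints so zero-padded octets such as "093" never reach the parser.
    return str(ipaddress.IPv4Address(".".join(map(str, octets))))


def decode_port(chunk: str) -> int:
    """Five characters, each ASCII code minus 16 must yield a decimal digit."""
    if len(chunk) != _PORT_LEN:
        raise BeaconFormatError(f"port chunk {chunk!r} is not 5 characters")
    digits = "".join(chr(ord(c) - _PORT_SHIFT) for c in chunk)
    if not digits.isdigit():
        raise BeaconFormatError(f"port chunk {chunk!r} does not shift to digits")
    port = int(digits)
    if not 1 <= port <= 65535:
        raise BeaconFormatError(f"port {port} out of range")
    return port


def decode_txt(record: str) -> Beacon:
    """Decode one TXT value; surrounding quotes from a dig/nslookup dump are stripped."""
    record = record.strip().strip('"')
    if len(record) <= _IP_LEN + _PORT_LEN:
        raise BeaconFormatError(f"record {record!r} too short")
    return Beacon(
        ip=decode_ip(record[:_IP_LEN]),
        port=decode_port(record[_IP_LEN:_IP_LEN + _PORT_LEN]),
        version=record[_IP_LEN + _PORT_LEN:],
    )


def decode_all(records: Iterable[str]) -> Tuple[List[Beacon], List[str]]:
    """Decode a batch (e.g. a passive-DNS export), separating beacons from noise."""
    beacons: List[Beacon] = []
    rejected: List[str] = []
    for rec in records:
        try:
            beacons.append(decode_txt(rec))
        except BeaconFormatError:
            rejected.append(rec)
    return beacons, rejected


if __name__ == "__main__":
    # Constructed input: the record quoted in the post plus two junk TXT values
    # of the kind a lookup on the same name might also return.
    sample = ['"ajdbficadbbfC@@@FEpHw7Hn33"', "v=spf1 -all", "ajdbficadbbfCZZZFxx"]
    good, bad = decode_all(sample)
    for b in good:
        print(f"download socket {b.socket}, version {b.version}")
    print(f"rejected: {bad}")
```

Feed it the TXT values returned for the domains listed in the post (from a dig/nslookup dump or a passive-DNS export) and the decoded socket is the address to block and to hunt for in proxy and firewall logs; records that fail the checks are returned separately rather than silently dropped, so a changed encoding shows up as a pile of rejects instead of an empty result.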