WGASetup.exe

Microsoft Genuine Advantage

Although the file properties claim it was developed by 'Microsoft Corporation', it was not; it is designed to look like a legitimate Microsoft system file. The executable WGASetup.exe ("Windows Genuine Advantage Notifications Setup") has been detected as malware by 14 anti-virus scanners. It runs as a scheduled task named WGASetup in the Windows Task Scheduler, triggered each time a user logs on.
Publisher:
Microsoft Corporation (invalid match)

Product:
Microsoft Genuine Advantage

Description:
Windows Genuine Advantage Notifications Setup

Version:
1.9.0040.0

MD5:
10a54ed14e590722a84ea476fd7f85d6

SHA-1:
05c0a1544268ed2af82dedbdabe66b0956e0c3b3

SHA-256:
12471a95f6b207c58f49c63b65318487c4b36d86d4f9b73d028a73d5a6a033c6

Scanner detections:
14 / 68

Status:
Malware

Analysis date:
5/7/2024 7:04:43 AM UTC

Scan engine                     Detection                      Engine version
avast!                          Win32:Kukacka                  160203-1
AVG                             Win32/Tanatos.M                2015.0.4489
Boost by Reason                 Optional.Task                  188838
Dr.Web                          Win32.Sector.12                9.0.1.05190
ESET NOD32                      Win32/Sality.NAU virus         7.0.302.0
F-Prot                          W32/Sality.AK                  4.6.5.141
F-Secure                        Win32.Sality.OG                5.15.21
Kaspersky                       Virus.Win32.Sality             15.0.0.562
McAfee                          Virus.W32/Sality.gen.z         18.0.204.0
Microsoft Security Essentials   Threat.Undefined               1.213.5352.0
Norman                          Win32.Sality.OG                03.02.2016 07:38:05
Sophos                          Virus 'W32/Sality-AM'          5.23
VIPRE Antivirus                 Threat.416209                  46908

File size:
522.9 KB (535,432 bytes)

Product version:
1.9.0040.0

Copyright:
© 1995-2009 Microsoft Corporation

Original file name:
WGASetup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\kb905474\wgasetup.exe

File PE Metadata
Compilation timestamp:
3/10/2009 9:41:46 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:/ESQdtRrH8Fqbavdj2jJSVkh+x3840aCOusOkTBksi3Kjqccgg2gxhaPByyx1lD4:/ES8HuqevJ2jCkhqFC5MWsqbDxIP5jN4

Entry address:
0x1338F

Entry point:
60, 2B, C1, 0F, BC, FE, 86, E7, 0F, B3, EA, 0F, BC, C8, 68, DC, D4, 30, 02, E8, 74, 02, 00, 00, 5B, 52, 68, E4, EF, C2, 03, E8, D2, 03, 00, 00, 31, E8, FF, C6, 0F, AC, FD, B2, 86, FE, 0F, AD, EA, F7, C2, 57, BE, 89, 28, 76, 17, 33, C5, 0F, AD, EA, 0F, BC, C8, 69, FE, A5, D4, 47, EE, F7, C2, 97, FE, C9, 68, C1, F3, 99, 81, C4, 05, 00, 00, 00, C0, F8, 37, 88, E6, 81, C4, 06, 00, 00, 00, 8D, 2D, 23, 5A, B5, A4, 47, 81, EC, 03, 00, 00, 00, F3, 0F, BB, D3, 0F, AF, C8, 0F, A4, F7, DD, 0F, A4, F7, AD, E8, 11, 00...

Entropy:
6.9233

Code size:
362.5 KB (371,200 bytes)

Scheduled Task
Task name:
WGASetup

Path:
C:\WINDOWS\Tasks\WGASetup.job

Trigger:
Logon (Runs on logon)


Remove WGASetup.exe - Powered by Reason Core Security