windowsupdate.exe

SourceTree

Even Balance, Inc.

The executable windowsupdate.exe has been detected as malware by 17 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Windows Update’.
Publisher:
Atlassian (signed by Even Balance, Inc.)

Product:
SourceTree

Version:
4.12.7

MD5:
350d2d8da2a70bdb7316a097025ef9b6

SHA-1:
7a36e11fbd9e3d0ff1881301d7ccdd2c2f3bbd84

SHA-256:
02e3b0902ad822920e5b43354daefce1ef13b4c0e94a549806824385593357d6

Scanner detections:
17 / 68

Status:
Malware

Analysis date:
4/26/2024 1:23:50 AM UTC

Scan engine              Detection                                  Engine version
Avira AntiVirus          TR/Spy.Agent.cikqo                         8.3.3.4
avast!                   Win32:Malware-gen                          2014.9-170304
AVG                      MSIL10                                     2018.0.2449
Baidu Antivirus          Win32.Trojan.WisdomEyes.16070401.9500      4.0.3.1734
Dr.Web                   Trojan.PWS.Stealer.13025                   9.0.1.063
ESET NOD32               MSIL/Injector.QVG (variant)                11.14612
Fortinet FortiGate       MSIL/Injector.QTQ!tr                       3/4/2017
F-Prot                   W32/MSIL_Injector.DX.gen                   v6.4.7.1.166
Kaspersky                Trojan-Spy.MSIL.Agent                      14.0.0.-1259
McAfee                   Artemis!350D2D8DA2A7                       5600.6105
NANO AntiVirus           Trojan.Win32.Agent.ejpszw                  1.0.70.13328
Panda Antivirus          Trj/GdSda.A                                17.03.04.05
Qihoo 360 Security       HEUR/QVM03.0.0000.Malware.Gen              1.0.0.1120
Rising Antivirus         Spyware.Agent!8.C6-gIg9cUJENZL (cloud)     23.00.65.17302
Sophos                   Mal/Generic-S                              4.98
Trend Micro House Call   TROJ_GEN.R00JH0CLF16                       7.2.63
VIPRE Antivirus          Trojan.Win32.Generic                       54510

File size:
1.2 MB (1,263,976 bytes)

Product version:
4.12.7

Copyright:
Copyright © 2016. Atlassian. All rights reserved.

Trademarks:
SourceTree

Original file name:
SC19B-6.35 CHasw,PNN.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\windowsupdate.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
1/17/2013 2:00:00 AM

Valid to:
2/17/2014 1:59:59 AM

Subject:
CN="Even Balance, Inc.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Even Balance, Inc.", L=Magnolia, S=Texas, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
1C9525FC3BBEFAEE68FA17CE8CBADCA5

File PE Metadata
Compilation timestamp:
12/7/2016 6:42:14 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

Entry address:
0x12EFFE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
5.9189

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
1.2 MB (1,236,992 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Windows Update

Command:
C:\users\{user}\appdata\roaming\windowsupdate.exe


Remove windowsupdate.exe - Powered by Reason Core Security