home

windowsupdate.exe

Apple INC

The executable windowsupdate.exe has been detected as malware by 22 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Windows Update’.
Publisher:
Apple INC  (signed and verified)

Version:
0.0.0.0

MD5:
4204ff2ce9e94ac907cc4b159f5f87a5

SHA-1:
7f80ab7ad909261180e361bf84960c3abeb24143

SHA-256:
dfa0cd845934eb5a178cadce4902eea39bb11b2d4437033f8c30e0d846186e8e

Scanner detections:
22 / 68

Status:
Malware

Analysis date:
5/3/2024 4:12:50 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.14547956
145

avast!
MSIL:GenMalicious-ETX [Trj]
2014.9-160911

AVG
Worm/MSIL
2017.0.2623

Baidu Antivirus
Trojan.Win32.Dropper
4.0.3.16911

Bitdefender
Trojan.Generic.14547956
1.0.20.1275

Emsisoft Anti-Malware
Trojan.Generic.14547956
8.16.09.11.01

ESET NOD32
MSIL/Injector.JPC (variant)
10.11653

Fortinet FortiGate
MSIL/JPC!tr
9/11/2016

F-Secure
Trojan.Generic.14547956
11.2016-11-09_1

G Data
Trojan.Generic.14547956
16.9.25

Kaspersky
Trojan-Dropper.Win32.Sysn
14.0.0.-388

Malwarebytes
Backdoor.MSIL.P
v2016.09.11.01

McAfee
Artemis!4204FF2CE9E9
5600.6279

Microsoft Security Essentials
TrojanSpy:MSIL/Golroted.B
1.1.11701.0

MicroWorld eScan
Trojan.Generic.14547956
17.0.0.765

nProtect
Trojan.Generic.14547956
15.05.19.01

Panda Antivirus
Trj/CI.A
16.09.11.01

Qihoo 360 Security
Win32/Trojan.377
1.0.0.1015

Sophos
Mal/Generic-S
4.98

Trend Micro House Call
TROJ_GEN.R021C0DEG15
7.2.255

Trend Micro
TROJ_GEN.R021C0DEG15
10.465.11

VIPRE Antivirus
Trojan.Win32.Generic
40390

File size:
1.7 MB (1,732,104 bytes)

Product version:
0.0.0.0

Original file name:
po.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\windowsupdate.exe

Digital Signature
Signed by:
Apple INC

Authority:
getaCert - www.getacert.com

Valid from:
3/15/2015 11:44:29 PM

Valid to:
5/14/2015 11:44:29 PM

Subject:
CN=dev.serv6.apple.com, OU=Software Development, O=Apple INC, L=1 Infinite Loop Cupertino, S=California, C=US

Issuer:
O=getaCert - www.getacert.com, L=Seattle, S=Washington, C=US

Serial number:
0CF2

File PE Metadata
Compilation timestamp:
5/6/2015 2:34:34 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:XTwUlbPFafvL8qKKP/npqY19DeRfLbkpp4JY8Z:ZLzKnsTrF

Entry address:
0x1A7A5E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
6.1114

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
1.6 MB (1,727,488 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Windows Update

Command:
C:\users\{user}\appdata\roaming\windowsupdate.exe


Remove windowsupdate.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.