home

windowsupdatekb12695__7428_il1.exe

The application windowsupdatekb12695__7428_il1.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. While running, it connects to the Internet address server-54-192-230-223.waw50.r.cloudfront.net on port 80 using the HTTP protocol.
Version:
1.1.5.26

MD5:
ec1471d757551b2101a6faf83384cff9

SHA-1:
acfa722ce5fe6b2a1f147a13dad0fe25ab16530d

SHA-256:
32532cff88abcf615ab70920c3e5d98cfa294f2f195bbbf9d0918a91078213ed

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
5/4/2024 6:02:11 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.Amonetize (M)
17.2.8.8

File size:
667 KB (683,008 bytes)

Product version:
1.1.5.26

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\windowsupdatekb12695__7428_il1.exe

File PE Metadata
Compilation timestamp:
2/8/2017 4:00:44 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

Entry address:
0x372BB

Entry point:
E8, 84, 0A, 01, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 80, 00, 00, 00, 72, 0E, 83, 3D, 5C, 28, 48, 00, 00, 74, 05, E9, E3, 0A, 01, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7, 01, 83...
 
[+]

Entropy:
6.8846

Code size:
396.5 KB (406,016 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-159-52.sin3.r.cloudfront.net  (54.192.159.52:80)

TCP (HTTP):
Connects to ec2-54-243-162-153.compute-1.amazonaws.com  (54.243.162.153:80)

TCP (HTTP):
Connects to server-54-230-5-122.dfw3.r.cloudfront.net  (54.230.5.122:80)

TCP (HTTP):
Connects to server-54-192-159-164.sin3.r.cloudfront.net  (54.192.159.164:80)

TCP (HTTP):
Connects to ec2-107-20-147-93.compute-1.amazonaws.com  (107.20.147.93:80)

TCP (HTTP):
Connects to server-54-192-25-251.mxp4.r.cloudfront.net  (54.192.25.251:80)

TCP (HTTP):
Connects to server-52-85-151-34.hkg51.r.cloudfront.net  (52.85.151.34:80)

TCP (HTTP):
Connects to server-52-85-151-122.hkg51.r.cloudfront.net  (52.85.151.122:80)

TCP (HTTP):
Connects to ec2-54-148-148-252.us-west-2.compute.amazonaws.com  (54.148.148.252:80)

TCP (HTTP):
Connects to server-54-230-5-110.dfw3.r.cloudfront.net  (54.230.5.110:80)

TCP (HTTP):
Connects to server-54-230-5-103.dfw3.r.cloudfront.net  (54.230.5.103:80)

TCP (HTTP):
Connects to server-54-192-25-95.mxp4.r.cloudfront.net  (54.192.25.95:80)

TCP (HTTP):
Connects to server-54-192-230-223.waw50.r.cloudfront.net  (54.192.230.223:80)

Remove windowsupdatekb12695__7428_il1.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.