windowsupdate.exe

The executable windowsupdate.exe has been detected as malware by 23 of 68 anti-virus scanners. The engines that name a family (AhnLab, Fortinet, Kaspersky, nProtect, Rising) identify it as DarkKomet, i.e. the DarkComet remote-access backdoor; the remaining hits are generic or heuristic names (GenericKD, Injector, Artemis, Malware-gen). It persists by starting automatically when the user logs into Windows, via the current-user Run registry key, under the display name 'Windows Update'. The name is a lure: the genuine Windows Update client runs as a service from the Windows directory, not as a per-user autorun launched from %APPDATA%.
MD5:
74b8568c44d58771400756ae6ab2ed8b

SHA-1:
5b8b35b23e853571d15d8f1f8c2dba545b92d06b

SHA-256:
1a8b65b79612694751754a6432746f9cfdb1ec0ea7ec3398f8d22bbd0ea7f4b3

Scanner detections:
23 / 68

Status:
Malware

Analysis date:
4/27/2024 8:17:20 PM UTC

Scan engine                     Detection                                        Engine version
Lavasoft Ad-Aware               Trojan.GenericKD.4388168                         -40
AegisLab AV Signature           Ml.Attribute.Gen!c                               2.1.4+
AhnLab V3 Security              Backdoor/Win32.DarkKomet.C1782311                3.8.3.16
Avira AntiVirus                 DR/Delphi.klcsy                                  8.3.3.4
Arcabit                         Trojan.Generic.D42F548                           1.0.0.795
avast!                          Win32:Malware-gen                                2014.9-170316
AVG                             Generic38                                        2018.0.2438
Bitdefender                     Trojan.GenericKD.4388168                         1.0.20.375
ESET NOD32                      Win32/Injector.DLES (variant)                    11.14943
Fortinet FortiGate              W32/DarkKomet.DLES!tr.bdr                        3/16/2017
F-Secure                        Trojan.GenericKD.4388168                         11.2017-16-03_5
G Data                          Trojan.GenericKD.4388168                         17.3.25
IKARUS anti.virus               Trojan.Win32.Injector                            0.1.3.4
K7 AntiVirus                    Trojan                                           13.251.22434
Kaspersky                       Backdoor.Win32.DarkKomet                         14.0.0.-1315
McAfee                          Artemis!74B8568C44D5                             5600.6094
Microsoft Security Essentials   TrojanSpy:MSIL/Golroted.B                        1.1.13407.0
MicroWorld eScan                Trojan.GenericKD.4388168                         18.0.0.225
nProtect                        Backdoor/W32.DarkKomet.1105408                   17.02.16.01
Panda Antivirus                 Trj/GdSda.A                                      17.03.16.02
Rising Antivirus                Backdoor.DarkKomet!8.13E (cloud:WLRbGMk0LDO)     23.00.65.17314
Trend Micro House Call          TROJ_GEN.R0E2H0DBE17                             7.2.75
VIPRE Antivirus                 Trojan.Win32.Generic                             56006

File size:
1.1 MB (1,105,408 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\windowsupdate.exe

File PE Metadata
Compilation timestamp:
10/9/1991 12:04:17 AM (predates the PE format itself, which first shipped with Windows NT 3.1 in 1993; the TimeDateStamp is forged or garbage and says nothing about when the file was built)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0x92CF8

Entry point:
55, 8B, EC, 83, C4, F0, B8, 78, 2A, 49, 00, E8, F4, 3E, F7, FF, A1, CC, C5, 49, 00, 8B, 00, E8, B8, 55, FC, FF, 8B, 0D, 1C, C7, 49, 00, A1, CC, C5, 49, 00, 8B, 00, 8B, 15, C0, 24, 49, 00, E8, B8, 55, FC, FF, A1, CC, C5, 49, 00, 8B, 00, E8, 2C, 56, FC, FF, E8, 43, 17, F7, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.0658 (out of a maximum of 8.0; whole-file entropy this close to the ceiling is typical of packed or encrypted content rather than plain compiled code)

Developed / compiled with:
Microsoft Visual C++ (tool heuristic; note that linker version 2.25 is the value Borland's linker writes into Delphi binaries, and the entry-point bytes decode to push ebp / mov ebp, esp / add esp, -0x10 / mov eax, imm32 / call, the standard Delphi program prologue, which agrees with Avira's DR/Delphi detection name)

Code size:
583.5 KB (597,504 bytes)
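The PE fields above (compile timestamp, linker version, entry address, subsystem) and the entropy figure can be reproduced and sanity-checked directly from the file bytes. The following PowerShell is an added example, not code from the original report or from Reason Core Security: it reads the fields at their documented IMAGE_DOS_HEADER / IMAGE_NT_HEADERS32 offsets, computes Shannon entropy, and applies the checks discussed above (pre-1993 timestamp, Borland linker 2.25, entropy above 7.0). The function names and the constructed sample header are this example's own assumptions.

```powershell
# Added example, not part of the original report. Offsets follow the
# IMAGE_DOS_HEADER / IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER32 layout.
# Function names and the constructed sample header are this example's own.

function Get-ByteEntropy {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)   # Shannon entropy, bits per byte
        }
    }
    return [Math]::Round($entropy, 4)
}

function Get-PeTriage {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) {
        throw 'missing MZ signature'
    }
    $pe = [BitConverter]::ToInt32($Bytes, 0x3C)                 # e_lfanew
    if ($pe -lt 0 -or $pe + 0x78 -gt $Bytes.Length -or
        [BitConverter]::ToUInt32($Bytes, $pe) -ne 0x00004550) {  # "PE\0\0"
        throw 'missing PE signature'
    }
    $fileHdr = $pe + 4          # IMAGE_FILE_HEADER
    $optHdr  = $fileHdr + 20    # IMAGE_OPTIONAL_HEADER
    $magic   = [BitConverter]::ToUInt16($Bytes, $optHdr)
    if ($magic -ne 0x10B) { throw ('not a PE32 image (magic 0x{0:X})' -f $magic) }

    $stamp    = [BitConverter]::ToUInt32($Bytes, $fileHdr + 4)      # TimeDateStamp
    $compiled = [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime
    $linker   = '{0}.{1}' -f $Bytes[$optHdr + 2], $Bytes[$optHdr + 3]
    $entryRva = [BitConverter]::ToUInt32($Bytes, $optHdr + 16)      # AddressOfEntryPoint
    $subsys   = [BitConverter]::ToUInt16($Bytes, $optHdr + 68)      # 2 = GUI, 3 = console
    $entropy  = Get-ByteEntropy -Bytes $Bytes

    $flags = @()
    # PE executables first shipped with Windows NT 3.1 in 1993; anything earlier
    # (or in the future) is a forged or zeroed TimeDateStamp.
    if ($compiled -lt [datetime]'1993-01-01' -or $compiled -gt [datetime]::UtcNow) {
        $flags += 'implausible compile timestamp'
    }
    # Linker 2.25 is what Borland's linker writes into Delphi binaries.
    if ($linker -eq '2.25') { $flags += 'linker 2.25: Borland/Delphi toolchain' }
    # Entropy tops out at 8.0; above ~7.0 for the whole file usually means packed
    # or encrypted content.
    if ($entropy -gt 7.0) { $flags += 'high entropy: likely packed/encrypted' }

    [pscustomobject]@{
        CompiledUtc = $compiled
        Linker      = $linker
        EntryRva    = ('0x{0:X}' -f $entryRva)
        Subsystem   = $subsys
        Entropy     = $entropy
        Flags       = ($flags -join '; ')
    }
}

# Constructed sample (not a real file): a minimal PE32 header carrying the
# report's values: linker 2.25, a 1991 timestamp, entry RVA 0x92CF8, GUI subsystem.
$sample = New-Object 'byte[]' 0x100
$sample[0] = 0x4D; $sample[1] = 0x5A
[BitConverter]::GetBytes([int32]0x40).CopyTo($sample, 0x3C)          # e_lfanew
[BitConverter]::GetBytes([uint32]0x00004550).CopyTo($sample, 0x40)   # PE\0\0
[BitConverter]::GetBytes([uint32]686966657).CopyTo($sample, 0x48)    # TimeDateStamp, Oct 1991
[BitConverter]::GetBytes([uint16]0x10B).CopyTo($sample, 0x58)        # PE32 magic
$sample[0x5A] = 2; $sample[0x5B] = 25                                 # linker 2.25
[BitConverter]::GetBytes([uint32]0x92CF8).CopyTo($sample, 0x68)      # AddressOfEntryPoint
[BitConverter]::GetBytes([uint16]2).CopyTo($sample, 0x9C)            # Subsystem = Windows GUI

Get-PeTriage -Bytes $sample | Format-List
# Against a real sample:
# Get-PeTriage -Bytes ([IO.File]::ReadAllBytes("$env:APPDATA\windowsupdate.exe"))
```

The constructed header is almost all zero bytes, so its entropy is low and only the timestamp and linker flags fire; run the function on the actual file to see the high-entropy flag the report's 7.0658 figure would trigger.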

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Windows Update

Command:
C:\users\{user}\appdata\roaming\windowsupdate.exe
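The persistence described above (a current-user Run value named 'Windows Update' pointing at windowsupdate.exe under %APPDATA%) can be hunted for directly. The following PowerShell is an added example, not code from the original report or from Reason Core Security: it enumerates the per-user Run and RunOnce keys, resolves each value to its executable, hashes the file, and flags entries that match the report's SHA-256 or have the lure name, file name or AppData location. The function and variable names are this example's own.

```powershell
# Added example, not part of the original report: hunt for the autorun
# described above on a live Windows host. Function and variable names are
# this example's own; the IOC hash is the SHA-256 from the report.

# Get-FileHash returns upper-case hex, so the IOC is stored upper-case too.
$KnownBadSha256 = @(
    '1A8B65B79612694751754A6432746F9CFDB1EC0EA7EC3398F8D22BBD0EA7F4B3'
)

function Get-RunKeyFindings {
    param(
        [string[]]$RunKeys = @(
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        )
    )

    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }

        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, ...; skip them.
            if ($prop.Name -like 'PS*') { continue }

            $command = [string]$prop.Value
            # The executable is the first token: a quoted path, or everything up to
            # the first space (the report's command is an unquoted path with no args).
            if ($command -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
            elseif ($command -match '^\s*(\S+)')  { $exe = $Matches[1] }
            else { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $reasons = @()
            if ($prop.Name -eq 'Windows Update') {
                # The real client is the wuauserv service, never a per-user Run value.
                $reasons += 'value name imitates Windows Update'
            }
            if ([IO.Path]::GetFileName($exe) -ieq 'windowsupdate.exe') {
                $reasons += 'executable named windowsupdate.exe'
            }
            if ($exe -imatch '\\AppData\\(Roaming|Local)\\') {
                $reasons += 'runs from a user-writable AppData directory'
            }

            $sha256 = $null
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $sha256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                if ($KnownBadSha256 -contains $sha256) {
                    $reasons += 'SHA-256 matches the report IOC'
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $command
                    Path    = $exe
                    SHA256  = $sha256
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

# Usage: list findings; once a hit is confirmed, stop the process, keep a copy
# of the file for analysis, then remove the autorun value.
Get-RunKeyFindings | Format-List
# Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Update'
```

Run it as the affected user (HKCU is per user); to sweep every profile, load each user's NTUSER.DAT hive or iterate HKU:\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run instead. Because the backdoor re-creates its value while running, kill the process before deleting the registry entry.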


Remove windowsupdate.exe - Powered by Reason Core Security