ghrwbu25.exe

ACD/Installer 2012

Advanced Chemistry Development Inc.

The executable ghrwbu25.exe, whose version resource describes it as an “ACD/Installer application file” from Advanced Chemistry Development Inc., has been detected as malware by 4 of 68 anti-virus scanners. The version information presents the file as a self-extracting archive and installer, but the file carries no Authenticode signature from a trusted source, the copyright string (1995-2013) predates the 2017 compilation timestamp, and three of the four detecting engines name the NanoCore .NET remote-access trojan (Microsoft's Noancooe family is its detection name for NanoCore). The PE is a .NET assembly with an entropy of 7.80, consistent with a packed or encrypted payload rather than a plain installer. It persists as a scheduled task under the Windows Task Scheduler, triggered to execute each time a user logs on.

Publisher:
Advanced Chemistry Development Inc.

Product:
ACD/Installer 2012

Description:
ACD/Installer application file

Version:
14.0.0.66576

MD5:
42e2e680485eb8d2491ac87ad3c3bcfc

SHA-1:
8e3108425b48cca6ed0654df756593d97a45fb4c

SHA-256:
6d097f7c7f366cd1073e7ca06e34fcacd24303a8e72487ce4ec743fc0e24f3da

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
4/1/2025 8:22:36 PM UTC

Scan engine                     Detection                      Engine version
Dr.Web                          Trojan.DownLoader21.35799      9.0.1.05190
ESET NOD32                      MSIL/NanoCore.E trojan         6.3.12010.0
Kaspersky                       Backdoor.MSIL.NanoBot          15.0.2.529
Microsoft Security Essentials   Backdoor:MSIL/Noancooe.C       1.237.1214.0

File size:
757 KB (775,168 bytes)

Product version:
14

Copyright:
Copyright © ACD Inc. 1995-2013

Original file name:
SETUP.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\ghrwbu25.exe

File PE Metadata
Compilation timestamp:
3/11/2017 2:51:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

Entry address:
0xBDC3E

Entry point:
FF 25 00 20 40 00 00 00 ... (the remaining bytes of the displayed window are zero padding)
This is the standard native stub of a .NET executable: jmp dword ptr [0x402000], an indirect jump through the import address table to mscoree!_CorExeMain, which hands control to the CLR. The real code is managed and is not reached by disassembling from this address.

Entropy:
7.7963

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
751.5 KB (769,536 bytes)

Scheduled Task
Task name:
3351ea63-454d-4687-91be-020ffd6977cc

Path:
\Update\3351ea63-454d-4687-91be-020ffd6977cc

Trigger:
Logon (Runs on logon)
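The following PowerShell is an added example, not part of the Reason Core Security page and not code from the detected file. It hunts for the persistence shape described above (a logon-triggered scheduled task whose action runs an executable out of a user's AppData folder), hashes and signature-checks every hit against the SHA-256 listed on this page, and remediates confirmed matches. The task name 3351ea63-454d-4687-91be-020ffd6977cc is specific to this sample and differs per infection, so the match is on shape rather than on that literal name. The quarantine folder C:\Quarantine and the helper name Resolve-ActionPath are assumptions made for the example. Run it elevated on Windows 8 / Server 2012 or later, where the ScheduledTasks module is available.

```powershell
# Added example (not from the Reason Core Security page): hunt for NanoCore-style
# scheduled-task persistence and remediate confirmed hits.
# Assumptions: the SHA-256 IOC is copied from this page; C:\Quarantine is an
# assumed quarantine folder; Resolve-ActionPath is a helper name chosen here.

$KnownSha256   = '6D097F7C7F366CD1073E7CA06E34FCACD24303A8E72487CE4EC743FC0E24F3DA'
$QuarantineDir = Join-Path $env:SystemDrive 'Quarantine'
$GuidPattern   = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'

# Task actions may quote the path or use %APPDATA%-style variables; normalise both.
function Resolve-ActionPath {
    param([string]$Raw)
    return [Environment]::ExpandEnvironmentVariables($Raw.Trim('"'))
}

$findings = foreach ($task in Get-ScheduledTask) {
    # Only tasks with a logon trigger, matching the persistence on this page.
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $logon) { continue }

    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $exe = Resolve-ActionPath $action.Execute

        # Legitimate logon tasks rarely launch a bare EXE out of a user's AppData tree.
        if ($exe -notmatch '\\Users\\[^\\]+\\AppData\\') { continue }

        $hash = $null
        $sig  = 'FileMissing'
        if (Test-Path -LiteralPath $exe) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $sig  = (Get-AuthenticodeSignature -LiteralPath $exe).Status
        }

        # An unsigned, GUID-named logon task from AppData is suspicious even when the
        # hash does not match, because NanoCore builds are repacked per campaign.
        [pscustomobject]@{
            TaskPath   = $task.TaskPath
            TaskName   = $task.TaskName
            GuidName   = [bool]($task.TaskName -match $GuidPattern)
            Executable = $exe
            SHA256     = $hash
            Signature  = $sig
            KnownIOC   = ($hash -eq $KnownSha256)
        }
    }
}

$findings | Format-Table -AutoSize

# Remediate only confirmed hash matches: kill the process, drop the task, quarantine the file.
New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
foreach ($f in $findings | Where-Object { $_.KnownIOC }) {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -eq $f.Executable } |
        Stop-Process -Force -ErrorAction SilentlyContinue
    Unregister-ScheduledTask -TaskPath $f.TaskPath -TaskName $f.TaskName -Confirm:$false
    Move-Item -LiteralPath $f.Executable -Destination (Join-Path $QuarantineDir "$($f.TaskName).bin") -Force
}
```

The task definition itself is stored as XML under %SystemRoot%\System32\Tasks\Update\<guid>; collect it, together with the quarantined binary, before unregistering the task, since the XML records the author, registration time and the exact command line used for persistence.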


Powered by Reason Core Security