windows.exe

The executable windows.exe has been detected as malware by 29 anti-virus scanners; the detection names cluster around generic MSIL (.NET) injector and Backdoor.Androm families. It persists as a Windows Task Scheduler task named "Windows" (task path \Update\Windows) with a logon trigger, so it is executed each time a user logs in.
MD5:
af2a8d36000004e08a2c7d91d59601d5

SHA-1:
efc99a36ea9eb5f9ae76cd3637be4a3c53537e0d

SHA-256:
87493b8f2a651ac0194b3e31fa9d44b02df1a301cb04eaab2aa17d2a2c5774c7

Scanner detections:
29 / 68

Status:
Malware

Analysis date:
11/29/2024 4:45:18 AM UTC

Scan engine                    Detection                    Engine version
Lavasoft Ad-Aware              Gen:Variant.Kazy.664899      -40
Agnitum Outpost                Backdoor.Androm              7.1.1
Avira AntiVirus                TR/Crypt.Xpack.261678        8.3.2.2
Arcabit                        Trojan.Kazy.DA2543           1.0.0.585
avast!                         Win32:Malware-gen            2014.9-170316
AVG                            MSIL8                        2018.0.2438
Baidu Antivirus                Backdoor.Win32.Androm        4.0.3.17316
Bitdefender                    Gen:Variant.Kazy.664899      1.0.20.375
Dr.Web                         Trojan.PWS.Stealer.13025     9.0.1.075
Emsisoft Anti-Malware          Gen:Variant.Kazy.664899      8.17.03.16.11
ESET NOD32                     MSIL/Injector.KQP (variant)  11.12460
Fortinet FortiGate             MSIL/Injector.KNE!tr         3/16/2017
F-Secure                       Gen:Variant.Kazy.664899      11.2017-16-03_5
G Data                         Gen:Variant.Kazy.664899      17.3.25
IKARUS anti.virus              Trojan.MSIL.Injector         t3scan.1.9.5.0
K7 AntiVirus                   Trojan                       13.212.17639
Kaspersky                      HEUR:Trojan.Win32.Generic    14.0.0.-1317
McAfee                         Trojan-FGUJ!AF2A8D360000     5600.6094
Microsoft Security Essentials  Trojan:Win32/Skeeyah.A!bit   1.1.12205.0
MicroWorld eScan               Gen:Variant.Kazy.664899      18.0.0.225
NANO AntiVirus                 Trojan.Win32.Androm.duatbm   0.30.26.3947
Panda Antivirus                Trj/CI.A                     17.03.16.11
Qihoo 360 Security             HEUR/QVM03.0.Malware.Gen     1.0.0.1015
Quick Heal                     TrojanPWS.Inmnbg.IJ3         3.17.14.00
Rising Antivirus               PE:Malware.RDM.11!5.11[F1]   23.00.65.17314
Sophos                         Mal/Generic-S                4.98
Trend Micro                    TROJ_GEN.R01TC0DGK15         10.465.16
VIPRE Antivirus                Trojan.Win32.Generic         44804
Zillya! Antivirus              Backdoor.Androm.Win32.22422  2.0.0.2471

File size:
692 KB (708,608 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\windows.exe

File PE Metadata
Compilation timestamp:
7/12/2015 3:00:37 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

Entry address:
0x866E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

The leading bytes FF 25 00 20 40 00 decode to jmp dword ptr [0x00402000], the unmanaged entry stub that the .NET linker emits so that the Windows loader hands control to _CorExeMain in mscoree.dll; this is consistent with the ".NET CLR dependent: Yes" field below. The bytes shown after the stub are zeros.

Entropy:
7.4322

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
28 KB (28,672 bytes)
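
The PE metadata above (hash, entropy, entry-point stub, CLR dependency, link timestamp) can be reproduced offline from the file itself. The Python script below is an added example for this page, not Reason Core Security's tooling: it walks the PE headers by hand, reports the same fields, and checks the SHA-256 against the indicator listed above. The entropy threshold, the build_sample_pe() helper and the header values it writes are assumptions made for the example so that it runs without the real sample.

```python
"""Offline static triage of a Win32/.NET PE against the indicators on this page.

Added example, not vendor code: hashes the file, measures Shannon entropy,
walks the PE headers to the entry point and the CLR data directory, and
reports whether the entry bytes are the standard .NET stub.
"""
import hashlib
import math
import struct
from datetime import datetime, timezone

# Indicator copied from this page.
IOC_SHA256 = {"87493b8f2a651ac0194b3e31fa9d44b02df1a301cb04eaab2aa17d2a2c5774c7"}
# jmp dword ptr [0x00402000]: the unmanaged entry stub of a .NET executable.
DOTNET_ENTRY_STUB = bytes.fromhex("FF2500204000")
ENTROPY_THRESHOLD = 7.2  # assumption: above this, treat the file as packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header walk; raises ValueError on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); the count sits just before.
    dd = opt + (96 if magic == 0x10B else 112)
    ndirs = struct.unpack_from("<I", data, dd - 4)[0]
    clr_rva = struct.unpack_from("<I", data, dd + 14 * 8)[0] if ndirs > 14 else 0
    sections = []
    for i in range(nsec):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append((va, vsize, raw_ptr, raw_size))
    return {"timestamp": ts, "entry_rva": entry_rva, "clr_rva": clr_rva, "sections": sections}


def rva_to_offset(rva: int, sections):
    """Map an RVA to a file offset through the section table (None if unmapped)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    return None


def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    off = rva_to_offset(pe["entry_rva"], pe["sections"])
    entry = data[off:off + 6] if off is not None else b""
    sha256 = hashlib.sha256(data).hexdigest()
    ent = shannon_entropy(data)
    return {
        "sha256": sha256,
        "matches_ioc": sha256 in IOC_SHA256,
        "entropy": round(ent, 4),
        "high_entropy": ent > ENTROPY_THRESHOLD,
        "compiled_utc": datetime.fromtimestamp(pe["timestamp"], timezone.utc).isoformat(),
        "entry_rva": hex(pe["entry_rva"]),
        "dotnet": pe["clr_rva"] != 0,
        "entry_is_clr_stub": entry == DOTNET_ENTRY_STUB,
    }


def build_sample_pe(entry_rva: int = 0x866E, dotnet: bool = True) -> bytes:
    """Constructed minimal PE32 image for offline runs (assumption: not the real sample)."""
    buf = bytearray(0x1200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                      # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x14C, 1, 1436713237, 0, 0, 224, 0x0102)
    opt = 0x58
    struct.pack_into("<H", buf, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", buf, opt + 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 92, 16)                    # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", buf, opt + 96 + 14 * 8, 0x2008, 72)  # CLR header directory
    struct.pack_into("<8sIIII", buf, opt + 224, b".text", 0x1000, 0x8000, 0x1000, 0x200)
    off = 0x200 + (entry_rva - 0x8000)
    buf[off:off + 6] = DOTNET_ENTRY_STUB
    return bytes(buf)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for k, v in triage(blob).items():
        print(f"{k:>18}: {v}")
```

Run it with the path of a suspect file as the only argument; with no argument it triages the constructed sample. A .NET file with entropy close to the 7.4322 reported above is worth unpacking before trusting any of its static strings, since the managed body is almost certainly compressed or encrypted.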

Scheduled Task
Task name:
Windows

Path:
\Update\Windows

Trigger:
Logon (Runs on logon)
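
The scheduled task described above can be confirmed from an exported task definition. The Python script below is an added example, not part of the original page: it parses the Task Scheduler XML that `schtasks /query /xml` or PowerShell's Export-ScheduledTask produce and flags the documented pattern of a logon trigger whose action runs from the user's Temp directory. The two task definitions embedded in it are constructed for the example, and the USER_WRITABLE_DIRS list is an assumption.

```python
"""Triage of an exported Windows Task Scheduler definition.

Added example for this page, not vendor code: parses Task Scheduler XML and
flags a logon trigger whose action runs an executable from a user-writable
Temp directory, the persistence documented above.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
IOC_FILENAMES = {"windows.exe"}  # file name from this page
# Assumption: installed software does not normally launch from these locations.
USER_WRITABLE_DIRS = re.compile(
    r"\\appdata\\local\\temp\\|%temp%|%tmp%|\\users\\public\\", re.IGNORECASE
)

# Constructed task definitions (the XML declaration and UTF-16 encoding that
# schtasks writes are omitted so the strings parse directly).
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Update\Windows</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Local\Temp\windows.exe</Command></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-11-29T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>"""


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def triage_task_xml(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS).strip()
    triggers_el = root.find("t:Triggers", TASK_NS)
    triggers = [_local(t.tag) for t in triggers_el] if triggers_el is not None else []
    actions = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))

    findings = set()
    if "LogonTrigger" in triggers:
        findings.add("logon_trigger")
    for cmd, _args in actions:
        if USER_WRITABLE_DIRS.search(cmd):
            findings.add("runs_from_user_writable_dir")
        # Compare only the executable name, ignoring a quoted path.
        if cmd.strip('"').rsplit("\\", 1)[-1].lower() in IOC_FILENAMES:
            findings.add("ioc_filename")

    return {
        "uri": uri,
        "triggers": triggers,
        "actions": [" ".join(p for p in a if p) for a in actions],
        "findings": sorted(findings),
        # Both halves of the documented pattern together mark the task suspicious.
        "suspicious": {"logon_trigger", "runs_from_user_writable_dir"} <= findings,
    }


if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(label, triage_task_xml(xml_text))
```

On a live host, export the task with `schtasks /query /tn "\Update\Windows" /xml` (or `Export-ScheduledTask -TaskPath '\Update\' -TaskName 'Windows'` in PowerShell) and pass the text to triage_task_xml(). Removing the task alone is not enough: the file in %LOCALAPPDATA%\Temp and any other trigger pointing at it have to go as well.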


The file has been observed making the following network connection in live environments.

TCP (HTTP):
Connects to a104-79-227-249.deploy.static.akamaitechnologies.com (104.79.227.249:80)

Note that this host is an Akamai CDN edge node shared by many legitimate services, so the destination IP on its own is a weak indicator of compromise; match on the process, the scheduled task and the file hash rather than on the address alone.

Remove windows.exe - Powered by Reason Core Security