windowsupdate.exe

Salung International Corporation

The executable windowsupdate.exe has been detected as malware by 28 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Windows Update’.
Publisher:
Salung International Corporation  (signed and verified)

MD5:
c4b7e7c8b1cfc2170a038def5e291137

SHA-1:
30c1a3c4a11666d633524d1ef959b200a16000f8

SHA-256:
8db1d58c6135543cce692a9fa037e4aa08ef11254cc01c47bb2acb47f29f2481

Scanner detections:
28 / 68

Status:
Malware

Analysis date:
11/24/2024 7:36:54 PM UTC

Scan engine                   | Detection                           | Engine version
Lavasoft Ad-Aware             | Trojan.GenericKD.3353898            | 22
AegisLab AV Signature         | Troj.Spy.W32.Agent!c                | 2.1.4+
AhnLab V3 Security            | Malware/Win32.Generic.N2044136895   | 3.7.5.15
Avira AntiVirus               | TR/Dropper.MSIL.fkyu                | 8.3.3.4
Arcabit                       | Trojan.Generic.D332D2A              | 1.0.0.741
avast!                        | Win32:Malware-gen                   | 2014.9-170112
AVG                           | Atros3                              | 2018.0.2500
Baidu Antivirus               | Win32.Trojan.WisdomEyes.151026.9950 | 4.0.3.17112
Bitdefender                   | Trojan.GenericKD.3353898            | 1.0.20.60
Comodo Security               | TrojWare.MSIL.Agent.GLE             | 25439
Emsisoft Anti-Malware         | Trojan.GenericKD.3353898            | 8.17.01.12.12
ESET NOD32                    | MSIL/Kryptik.GMF (variant)          | 11.13801
Fortinet FortiGate            | MSIL/Kryptik.GMF!tr                 | 1/12/2017
F-Secure                      | Trojan.GenericKD.3353898            | 11.2017-12-01_5
G Data                        | Trojan.GenericKD.3353898            | 17.1.25
IKARUS anti.virus             | Trojan.MSIL.Crypt                   | t3scan.2.1.6.0
K7 AntiVirus                  | Trojan                              | 13.234.20233
Kaspersky                     | Trojan-Spy.Win32.Agent              | 14.0.0.-1003
Malwarebytes                  | Backdoor.Bot                        | v2017.01.12.12
McAfee                        | RDN/Generic.tfr                     | 5600.6156
Microsoft Security Essentials | TrojanSpy:MSIL/Golroted             | 1.1.12902.0
MicroWorld eScan              | Trojan.GenericKD.3353898            | 18.0.0.36
nProtect                      | Trojan.GenericKD.3353898            | 16.07.14.01
Panda Antivirus               | Trj/GdSda.A                         | 17.01.12.12
Sophos                        | Mal/Generic-S                       | 4.98
Trend Micro                   | TROJ_GEN.R02KC0DG316                | 10.465.12
VIPRE Antivirus               | Trojan.Win32.Generic                | 50828
Zillya! Antivirus             | Trojan.Agent.Win32.701577           | 2.0.0.2956

File size:
981.5 KB (1,005,096 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\windowsupdate.exe

Digital Signature
Authority:
Salung International Corporation

Valid from:
6/25/2016 6:45:36 AM

Valid to:
6/26/2026 6:45:36 AM

Subject:
E=sales@salung.com, CN=www.salung.com, OU=Sales Department, O=Salung International Corporation, L=Columbus, S=Ohio, C=US

Issuer:
E=sales@salung.com, CN=www.salung.com, OU=Sales Department, O=Salung International Corporation, L=Columbus, S=Ohio, C=US

Serial number:
00866E0A24F3686932

File PE Metadata
Compilation timestamp:
6/27/2016 8:21:57 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

Entry address:
0xEE96E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.9264

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
948 KB (970,752 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Windows Update

Command:
C:\users\{user}\appdata\roaming\windowsupdate.exe


Remove windowsupdate.exe - Powered by Reason Core Security