wrupdate318850109.exe

Webroot SecureAnywhere

Webroot Inc.

This is a setup program which is used to install the application. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘WRSVC’. This is installed with Webroot SecureAnywhere. The file has been seen being downloaded from downbox.webrootanywhere.com and multiple other hosts.
Publisher:
Webroot  (signed by Webroot Inc.)

Product:
Webroot SecureAnywhere

Version:
9.0.8.72

MD5:
e53b9d184d6a2ecc297eda15c4b1317a

SHA-1:
6ce1c36e98587c72c98c35bc740ec32460942413

SHA-256:
5533b78c201e472614c93d7a39a0da5cafd71e5107f8ba5fac8555561ab5175b

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
12/25/2024 5:15:17 PM UTC  (today)

File size:
852.6 KB (873,072 bytes)

Product version:
9.0.8.72

Copyright:
(c) Webroot 2006-2016

Original file name:
WRSA.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\wrupdate318850109.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
12/22/2015 7:00:00 PM

Valid to:
3/23/2019 7:59:59 PM

Subject:
CN=Webroot Inc., O=Webroot Inc., L=Broomfield, S=Colorado, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6FBB6E1D2367DC6BD38B1C8FA0BF6637

File PE Metadata
Compilation timestamp:
2/27/2016 3:01:36 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:gM60SCTlo7CPOQOBE70z1N3kCB6IPPo+cHCnBqhu3CPvvpfYXTw8CQ0hymloSNe:gMRSCTSQ5YD4rCg7CnBnKvvyw8KJ

Entry address:
0x250F30

Entry point:
60, BE, 00, A0, 18, 01, 8D, BE, 00, 70, E7, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, DF, E9, 24, 00, 57, 83, C3, 04, 53, 68, 29, 6F, 0C, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...
 
[+]

Entropy:
7.9801  (probably packed)

Code size:
800 KB (819,200 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WRSVC

Command:
"C:\Program Files\webroot\wrsa.exe" -ul


The file wrupdate318850109.exe has been discovered within the following program.

Publisher's description - “Webroot SecureAnywhere uses a radically new cloud-based approach to online security that protects you against the latest threats as soon as they emerge. And it does so at blazing fast speeds, typically taking two minutes or less after the initial scan of your PC.”
www.webroot.com/En_US/consumer-products-secureanywhere-complete.html
25% remove it
 
Powered by Should I Remove It?

The file wrupdate318850109.exe has been seen being distributed by the following 22 URLs.

http://downbox.webrootanywhere.com/.../KEY_SAFBZDBB9224AB94AEF7exe

http://downbox.webrootanywhere.com/.../KEY_SA9FONLNACCF74EEDA29exe

http://downbox.webrootanywhere.com/.../KEY_SA5CZDBB542D3D32347Cexe

http://downbox.webrootanywhere.com/.../KEY_SA99ZDBBCFB355663744exe

http://downbox.webrootanywhere.com/.../KEY_SAA2ZDBB7BBE4E5FFA6Bexe

http://downbox.webrootanywhere.com/.../KEY_SA5DTTBBC96DFAC0B7F5exe

http://downbox.webrootanywhere.com/.../KEY_SAF7ZDBB86E48FBDFCC7exe

http://downbox.webrootanywhere.com/.../KEY_SAB2ZDBBCB6CE42BB8F5exe

Scan wrupdate318850109.exe - Powered by Reason Core Security