| Field | Value |
|---|---|
| File name: | windowsupdateagent-7.6-x86.exe |
| Full analysis: | https://app.any.run/tasks/900fb431-41bc-4538-ba8a-565d984db71a |
| Verdict: | Malicious activity |
| Analysis date: | July 17, 2019, 16:49:17 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive |
| MD5: | 8C8C7AFEC7C17837BEE660DCBD035BD0 |
| SHA1: | E901A9994F10CF31F557E84AD27688FD368C7611 |
| SHA256: | 9FC6856827123D0391A2C7451CCB1CBF93261442252DD87819AD5B8DB72B0EC0 |
| SSDEEP: | 196608:kbou8KGmme8zM8RrWozfdwDpLzzpz6zU6WXcay16lVyzOQAUzjTU9AUnHLaQo:k0RzmmDzvRHYLpz6ABXfnfqOQNznQ2l |
| Extension | Detected file type (score) |
|---|---|
| .exe | Win32 Executable MS Visual C++ (generic) (42.2) |
| .exe | Win64 Executable (generic) (37.3) |
| .dll | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | Win32 Executable (generic) (6) |
| .exe | Generic Win/DOS Executable (2.7) |
| Field | Value |
|---|---|
| ProductVersion: | 6.3.0021.0 |
| ProductName: | Microsoft® Windows® Operating System |
| OriginalFileName: | mergedwusetup.exe |
| LegalCopyright: | © Microsoft Corporation. All rights reserved. |
| InternalName: | mergedwusetup.exe |
| FileVersion: | 6.3.0021.0 (winblue_gdr_dev.140306-1815) |
| FileDescription: | Windows Update Merged Standalone Setup |
| CompanyName: | Microsoft Corporation |
| CharacterSet: | Unicode |
| LanguageCode: | English (U.S.) |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Windows NT 32-bit |
| FileFlags: | (none) |
| FileFlagsMask: | 0x003f |
| ProductVersionNumber: | 6.3.21.0 |
| FileVersionNumber: | 6.3.21.0 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 5.1 |
| ImageVersion: | 6.3 |
| OSVersion: | 6.3 |
| EntryPoint: | 0x49d5 |
| UninitializedDataSize: | - |
| InitializedDataSize: | 13824 |
| CodeSize: | 23040 |
| LinkerVersion: | 11 |
| PEType: | PE32 |
| TimeStamp: | 2014:03:07 08:49:28+01:00 |
| MachineType: | Intel 386 or later, and compatibles |
| Field | Value |
|---|---|
| Architecture: | IMAGE_FILE_MACHINE_I386 |
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 07-Mar-2014 07:49:28 |
| Detected languages: | |
| Debug artifacts: | |
| Field | Value |
|---|---|
| Magic number: | MZ |
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x000000E8 |
| Field | Value |
|---|---|
| Signature: | PE |
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 6 |
| Time date stamp: | 07-Mar-2014 07:49:28 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0000582C | 0x00005A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.38269 |
.data | 0x00007000 | 0x00011344 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.434903 |
.idata | 0x00019000 | 0x00000F22 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.33965 |
.magic | 0x0001A000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.183339 |
.rsrc | 0x0001B000 | 0x00000E6C | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.65583 |
.reloc | 0x0001C000 | 0x0000104E | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.15938 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.05653 | 1126 | Latin 1 / Western European | English - United States | RT_MANIFEST |
100 | 3.0946 | 282 | Latin 1 / Western European | English - United States | RT_DIALOG |
107 | 2.9591 | 224 | Latin 1 / Western European | English - United States | RT_DIALOG |
| Imported DLLs |
|---|
| ADVAPI32.dll |
| COMCTL32.dll |
| Cabinet.dll |
| KERNEL32.dll |
| SHELL32.dll |
| SHLWAPI.dll |
| USER32.dll |
| msvcrt.dll |
| ntdll.dll |
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code | Company | Description | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 3816 | "C:\Users\admin\AppData\Local\Temp\windowsupdateagent-7.6-x86.exe" | C:\Users\admin\AppData\Local\Temp\windowsupdateagent-7.6-x86.exe | — | explorer.exe | admin | MEDIUM | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | Microsoft Corporation | Windows Update Merged Standalone Setup | 6.3.0021.0 (winblue_gdr_dev.140306-1815) |
| 3884 | "C:\Users\admin\AppData\Local\Temp\windowsupdateagent-7.6-x86.exe" | C:\Users\admin\AppData\Local\Temp\windowsupdateagent-7.6-x86.exe | | explorer.exe | admin | HIGH | | Microsoft Corporation | Windows Update Merged Standalone Setup | 6.3.0021.0 (winblue_gdr_dev.140306-1815) |
| 3064 | c:\5346efdaea82beb8e7c066a5\MergedWuSetup.exe | c:\5346efdaea82beb8e7c066a5\MergedWuSetup.exe | — | windowsupdateagent-7.6-x86.exe | admin | HIGH | | Microsoft Corporation | Windows Update Merged Standalone Setup | 7.6.7600.320 (winmain_wtr_wsus3sp2(oobla).140514-0912) |
| 3440 | WUA-Win7SP1.exe | c:\5346efdaea82beb8e7c066a5\WUA-Win7SP1.exe | | MergedWuSetup.exe | admin | HIGH | | Microsoft Corporation | Windows Update Merged Standalone Setup | 6.3.0021.0 (winblue_gdr_dev.140306-1815) |
| 2236 | c:\a59cbb03294ae3c8e8774c20fb22\wusetup.exe | c:\a59cbb03294ae3c8e8774c20fb22\wusetup.exe | — | WUA-Win7SP1.exe | admin | HIGH | | Microsoft Corporation | Windows Update Setup | 7.6.7600.320 (winmain_wtr_wsus3sp2(oobla).140514-0912) |
| 2828 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | SYSTEM | SYSTEM | | Microsoft Corporation | Microsoft® Volume Shadow Copy Service | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2108 | C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801} | C:\Windows\system32\DllHost.exe | — | svchost.exe | admin | HIGH | 0 | Microsoft Corporation | COM Surrogate | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3196 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot21" "" "" "6f9bf5bcb" "00000000" "000005C8" "000002BC" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | SYSTEM | SYSTEM | 0 | Microsoft Corporation | Driver Installation Module | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3884 | windowsupdateagent-7.6-x86.exe | C:\5346efdaea82beb8e7c066a5\WUA-Downlevel.exe | executable | 089A3A6FF94985DFD652BFAD3DAF5070 | F6EDDBF4146F23A4FD749F95FCF247279CF9F83D7C97566BE739315B7A3CC021 |
| 3440 | WUA-Win7SP1.exe | C:\a59cbb03294ae3c8e8774c20fb22\WUClient-SelfUpdate-Core-TopLevel.cab | compressed | BB7F386EA832B6495272B9D37143DA6B | 14FD6D89B07AEE35FDFF527389CE5872A32956C4D26487E5B412418380182604 |
| 3440 | WUA-Win7SP1.exe | C:\a59cbb03294ae3c8e8774c20fb22\cs\eula.rtf | text | 6940F05F9C0FA1C65C789CF3D17CC3E9 | 91ADE4761C4A29A761334AB27145EDCA214B09FDACBEEC37012993427C5826E4 |
| 3884 | windowsupdateagent-7.6-x86.exe | C:\5346efdaea82beb8e7c066a5\WUA-Win7SP1.exe | executable | 5EFAF8662DC85C3581BD3BFDFAEDF4C3 | 354CC326C787E4444F53674B8DFFEA9AEE55D02A4AE393D68AF96145AD2A9B76 |
| 3440 | WUA-Win7SP1.exe | C:\a59cbb03294ae3c8e8774c20fb22\wusetup.exe | executable | 8797B25C25DB37CB2715DAF56D8A27AF | 5CE0926BAAEAF59F554C53505F84856E070DCB0309D01C6F76F2711D4809D548 |
| 3440 | WUA-Win7SP1.exe | C:\a59cbb03294ae3c8e8774c20fb22\WUClient-SelfUpdate-ActiveX.cab | compressed | 5F71A284F57AECD4A8588C9602F9DB26 | 8BCE99A8D466B729DC554F23E01F5375903B733DD82838B22DCDF7FAA165C081 |
| 3884 | windowsupdateagent-7.6-x86.exe | C:\5346efdaea82beb8e7c066a5\MergedWuSetup.exe | executable | ECA875136BBDEBC71F141F841C0D633E | E294BDE1B22A8C950761E78B997AF2E6CB68A22F10E9148DC5F1EE1B3D8FF15A |
| 3440 | WUA-Win7SP1.exe | C:\a59cbb03294ae3c8e8774c20fb22\en\wusetup.exe.mui | executable | 8EA3CC86B2802E13DEDACC1C368B2A8F | B3DC22667B1F03775A0F02CCFE2E2C01ACDD099AF6A16BECFDB12EA6D258C5E3 |
| 3440 | WUA-Win7SP1.exe | C:\a59cbb03294ae3c8e8774c20fb22\wusetup.inf | ini | 41DF52E45AA7B87631BFFB39A20AF32D | 5A661E9DFEEE5661E13F7E0BA6984C129619E7A9FA771285D825D0817595EB88 |
| 3440 | WUA-Win7SP1.exe | C:\a59cbb03294ae3c8e8774c20fb22\de\wusetup.exe.mui | executable | D2CB4127A29F0BDE331614D828062368 | B15E8E7D47259DF36EAA6E0A00BB3C9AC996197FF6BF2026D408E1A327F0EE11 |