updatewin2.exe

MalScore: 100
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 274.50 KB (281088 bytes)
Compile time: 2017-11-21 07:08:45
MD5: 996ba35165bb62473d2a6743a5200d45
SHA1: 52169b0b5cce95c6905873b8d12a759c234bd2e0
Import hash: 5921adaaf66f8c259aeda9e22686cd4b
Submitted: 2019-01-22 05:48:04
URL(s): http://rosalos.ug/xxx/updatewin2.exe (file hosting)
Import library: SHELL32.dll, KERNEL32.dll, GDI32.dll, USER32.dll

Antivirus Report
Report date: 2019-01-22 00:24:39
Detection Ratio: 48/71
Permalink:

Page 1 Date: 2019-02-21 23:04:06
7 Behaviors detected by system signatures

Attempts to repeatedly call a single API many times in order to delay analysis time
- Spam: updatewin2.exe (2696) called API NtClose 62783 times

The sample wrote data to the system hosts file.
- added: 127.0.0.1 ds.download.windowsupdate.com
- added: 127.0.0.1 www.update.microsoft.com
- added: 127.0.0.1 download.windowsupdate.com
- added: 127.0.0.1 fe2.update.microsoft.com
- added: 127.0.0.1 whoer.net
- added: 127.0.0.1 www.whoer.net
- added: 127.0.0.1 windowsupdate.com
- added: 127.0.0.1 www.windowsupdate.com
- added: 127.0.0.1 microsoft.com
- added: 127.0.0.1 www.microsoft.com
- added: 127.0.0.1 www.windowsupdate.com
- added: 127.0.0.1 windowsupdate.com
- added: 127.0.0.1 www.microsoft.com
- added: 127.0.0.1 www.360totalsecurity.com
- added: 127.0.0.1 360totalsecurity.com
- added: 127.0.0.1 www.gratissoftwaresite.com
- added: 127.0.0.1 gratissoftwaresite.com
- added: 127.0.0.1 tweakers.net
- added: 127.0.0.1 www.tweakers.net
- added: 127.0.0.1 www.avg.com
- added: 127.0.0.1 avg.com
- added: 127.0.0.1 www.bestevirusscanner.net
- added: 127.0.0.1 bestevirusscanner.net
- added: 127.0.0.1 www.consumentenbond.nl
- added: 127.0.0.1 consumentenbond.nl
- added: 127.0.0.1 cheaplicensing.com
- added: 127.0.0.1 www.cheaplicensing.com
- added: 127.0.0.1 global.ahnlab.com
- added: 127.0.0.1 www.global.ahnlab.com
- added: 127.0.0.1 www.ahnlab.com
- added: 127.0.0.1 ahnlab.com
- added: 127.0.0.1 downloads.tomsguide.com
- added: 127.0.0.1 www.downloads.tomsguide.com
- added: 127.0.0.1 www.download82.com
- added: 127.0.0.1 download82.com
- added: 127.0.0.1 download.cnet.com
- added: 127.0.0.1 www.download.cnet.com
- added: 127.0.0.1 www.avast.com
- added: 127.0.0.1 avast.com
- added: 127.0.0.1 support.avast.com
- added: 127.0.0.1 www.support.avast.com
- added: 127.0.0.1 www.consumentenbond.com
- added: 127.0.0.1 consumentenbond.com
- added: 127.0.0.1 www.goedkoopsteantivirus.com
- added: 127.0.0.1 goedkoopsteantivirus.com
- added: 127.0.0.1 www.toptenreviews.com
- added: 127.0.0.1 toptenreviews.com
- added: 127.0.0.1 www.antivirus.nl
- added: 127.0.0.1 antivirus.nl
- added: 127.0.0.1 www.bol.com
- added: 127.0.0.1 bol.com
- added: 127.0.0.1 www.avira.com
- added: 127.0.0.1 avira.com
- added: 127.0.0.1 www.bitdefender.com
- added: 127.0.0.1 bitdefender.com
- added: 127.0.0.1 licentie2go.com
- added: 127.0.0.1 www.licentie2go.com
- added: 127.0.0.1 www.bullguard.com
- added: 127.0.0.1 bullguard.com
- added: 127.0.0.1 www.kpn.com
- added: 127.0.0.1 kpn.com
- added: 127.0.0.1 virusscanner.software
- added: 127.0.0.1 www.virusscanner.software
- added: 127.0.0.1 www.comodo.com
- added: 127.0.0.1 comodo.com
- added: 127.0.0.1 www.drweb.com
- added: 127.0.0.1 drweb.com
- added: 127.0.0.1 download.drweb.com
- added: 127.0.0.1 www.download.drweb.com
- added: 127.0.0.1 vms.drweb.com
- added: 127.0.0.1 www.vms.drweb.com
- added: 127.0.0.1 alternativeto.ne
- added: 127.0.0.1 www.alternativeto.ne
- added: 127.0.0.1 softonic.com
- added: 127.0.0.1 www.softonic.com
- added: 127.0.0.1 www.softpedia.com
- added: 127.0.0.1 softpedia.com
- added: 127.0.0.1 www.flipkart.com
- added: 127.0.0.1 flipkart.com
- added: 127.0.0.1 virustotal.com
- added: 127.0.0.1 www.virustotal.com
- added: 127.0.0.1 www.emsisoft.com
- added: 127.0.0.1 emsisoft.com
- added: 127.0.0.1 www.antimalwaresoftware.com
- added: 127.0.0.1 antimalwaresoftware.com
- added: 127.0.0.1 www.pcwebplus.com
- added: 127.0.0.1 pcwebplus.com
- added: 127.0.0.1 www.pcmag.com
- added: 127.0.0.1 pcmag.com
- added: 127.0.0.1 www.eset.com
- added: 127.0.0.1 eset.com
- added: 127.0.0.1 www.surfspot.com
- added: 127.0.0.1 surfspot.com
- added: 127.0.0.1 www.topantivirus.com
- added: 127.0.0.1 topantivirus.com
- added: 127.0.0.1 www.techzine.com
- added: 127.0.0.1 techzine.com
- added: 127.0.0.1 www.eset.com
- added: 127.0.0.1 eset.com
- added: 127.0.0.1 www.fortinet.com
- added: 127.0.0.1 fortinet.com
- added: 127.0.0.1 fortiguard.com
- added: 127.0.0.1 www.fortiguard.com
- added: 127.0.0.1 forticlient.com
- added: 127.0.0.1 www.forticlient.com
- added: 127.0.0.1 www.kpn.com
- added: 127.0.0.1 kpn.com
- added: 127.0.0.1 www.kaspersky.com
- added: 127.0.0.1 kaspersky.com
- added: 127.0.0.1 www.consumentenbond.com
- added: 127.0.0.1 consumentenbond.com
- added: 127.0.0.1 www.surfspot.com
- added: 127.0.0.1 surfspot.com
- added: 127.0.0.1 www.topreviews.com
- added: 127.0.0.1 topreviews.com
- added: 127.0.0.1 www.amecomputers.com
- added: 127.0.0.1 amecomputers.com
- added: 127.0.0.1 www.instantsoftware.com
- added: 127.0.0.1 instantsoftware.com
- added: 127.0.0.1 www.malwarebytes.com
- added: 127.0.0.1 malwarebytes.com
- added: 127.0.0.1 www.malwarebytes.org
- added: 127.0.0.1 malwarebytes.org
- added: 127.0.0.1 download.cnet.com
- added: 127.0.0.1 www.download.cnet.com
- added: 127.0.0.1 www.bleepingcomputer.com
- added: 127.0.0.1 bleepingcomputer.com
- added: 127.0.0.1 www.majorgeeks.com
- added: 127.0.0.1 majorgeeks.com
- added: 127.0.0.1 www.seniorweb.com
- added: 127.0.0.1 seniorweb.com
- added: 127.0.0.1 www.amazon.com
- added: 127.0.0.1 amazon.com
- added: 127.0.0.1 www.techspot.com
- added: 127.0.0.1 techspot.com
- added: 127.0.0.1 filehippo.com
- added: 127.0.0.1 www.filehippo.com
- added: 127.0.0.1 www.idealsoftware.com
- added: 127.0.0.1 idealsoftware.com
- added: 127.0.0.1 uptodown.com
- added: 127.0.0.1 www.uptodown.com
- added: 127.0.0.1 www.mcafee.com
- added: 127.0.0.1 mcafee.com
- added: 127.0.0.1 home.mcafee.com
- added: 127.0.0.1 www.home.mcafee.com
- added: 127.0.0.1 www.coolblue.com
- added: 127.0.0.1 coolblue.com
- added: 127.0.0.1 www.pcmag.com
- added: 127.0.0.1 pcmag.com
- added: 127.0.0.1 www.sky.com
- added: 127.0.0.1 sky.com
- added: 127.0.0.1 norton.com
- added: 127.0.0.1 www.norton.com
- added: 127.0.0.1 www.kieskeurig.com
- added: 127.0.0.1 kieskeurig.com
- added: 127.0.0.1 internetsecurity.xfinity.com
- added: 127.0.0.1 www.internetsecurity.xfinity.com
- added: 127.0.0.1 www.symantec.com
- added: 127.0.0.1 symantec.com
- added: 127.0.0.1 www.campusshop.com
- added: 127.0.0.1 campusshop.com
- added: 127.0.0.1 www.pandasecurity.com
- added: 127.0.0.1 pandasecurity.com
- added: 127.0.0.1 www.paradigit.com
- added: 127.0.0.1 paradigit.com
- added: 127.0.0.1 www.sophos.com
- added: 127.0.0.1 sophos.com
- added: 127.0.0.1 home.sophos.com
- added: 127.0.0.1 www.home.sophos.com
- added: 127.0.0.1 sophos.virtualsecurity.com
- added: 127.0.0.1 www.sophos.virtualsecurity.com
- added: 127.0.0.1 www.gratissoftware.com
- added: 127.0.0.1 gratissoftware.com
- added: 127.0.0.1 www.seniorweb.com
- added: 127.0.0.1 seniorweb.com
- added: 127.0.0.1 www.softwareadvice.com
- added: 127.0.0.1 softwareadvice.com
- added: 127.0.0.1 www.symantec.com
- added: 127.0.0.1 symantec.com
- added: 127.0.0.1 hostedendpoint.spn.com
- added: 127.0.0.1 www.hostedendpoint.spn.com
- added: 127.0.0.1 www.g2crowd.com
- added: 127.0.0.1 g2crowd.com
- added: 127.0.0.1 www.trendmicro.com
- added: 127.0.0.1 trendmicro.com
- added: 127.0.0.1 www.goedkoopsteantivirus.com
- added: 127.0.0.1 goedkoopsteantivirus.com
- added: 127.0.0.1 download.cnet.com
- added: 127.0.0.1 www.download.cnet.com
- added: 127.0.0.1 www.ign.com
- added: 127.0.0.1 ign.com
- added: 127.0.0.1 www.trusteer.com
- added: 127.0.0.1 trusteer.com
- added: 127.0.0.1 my.webrootanywhere.com
- added: 127.0.0.1 www.my.webrootanywhere.com
- added: 127.0.0.1 www.webroot.com
- added: 127.0.0.1 webroot.com
- added: 127.0.0.1 www.techradar.com
- added: 127.0.0.1 techradar.com
- added: 127.0.0.1 support.microsoft.com
- added: 127.0.0.1 www.support.microsoft.com
- added: 127.0.0.1 www.microsoft.com
- added: 127.0.0.1 microsoft.com
- added: 127.0.0.1 pulse.microsoft.com
- added: 127.0.0.1 www.pulse.microsoft.com
- added: 127.0.0.1 pcmweb.com
- added: 127.0.0.1 www.pcmweb.com
- added: 127.0.0.1 www.security.com
- added: 127.0.0.1 security.com
- added: 127.0.0.1 ccm.net
- added: 127.0.0.1 www.ccm.net
- added: 127.0.0.1 www.enigmasoftware.com
- added: 127.0.0.1 enigmasoftware.com
- added: 127.0.0.1 howtoremove.guide
- added: 127.0.0.1 www.howtoremove.guide
- added: 127.0.0.1 www.2-viruses.com
- added: 127.0.0.1 2-viruses.com
- added: 127.0.0.1 www.2-spyware.com
- added: 127.0.0.1 2-spyware.com
- added: 127.0.0.1 sensorstechforum.com
- added: 127.0.0.1 www.sensorstechforum.com
- added: 127.0.0.1 greatis.com
- added: 127.0.0.1 www.greatis.com
- added: 127.0.0.1 www.pchubs.com
- added: 127.0.0.1 pchubs.com
- added: 127.0.0.1 www.pcrisk.com
- added: 127.0.0.1 pcrisk.com
- added: 127.0.0.1 www.malware-board.com
- added: 127.0.0.1 malware-board.com
- added: 127.0.0.1 pcthreatskiller.com
- added: 127.0.0.1 www.pcthreatskiller.com
- added: 127.0.0.1 pcfixhelp.net
- added: 127.0.0.1 www.pcfixhelp.net
- added: 127.0.0.1 stepsforkillingthreats.com
- added: 127.0.0.1 www.stepsforkillingthreats.com
- added: 127.0.0.1 www.removemalwarevirus.com
- added: 127.0.0.1 removemalwarevirus.com
- added: 127.0.0.1 spyware-techie.com
- added: 127.0.0.1 www.spyware-techie.com
- added: 127.0.0.1 anti-spyware-101.com
- added: 127.0.0.1 www.anti-spyware-101.com
- added: 127.0.0.1 www.removeallvirus.com
- added: 127.0.0.1 removeallvirus.com
- added: 127.0.0.1 www.pcthreat.com
- added: 127.0.0.1 pcthreat.com
- added: 127.0.0.1 www.pcinfectionsupport.com
- added: 127.0.0.1 pcinfectionsupport.com
- added: 127.0.0.1 www.howtouninstallpcmalware.com
- added: 127.0.0.1 howtouninstallpcmalware.com
- added: 127.0.0.1 computerprotectionpro.com
- added: 127.0.0.1 www.computerprotectionpro.com
Note: these entries point Windows Update, Microsoft, antivirus-vendor, software-download, review and malware-removal sites (many of them Dutch, such as consumentenbond.nl, kpn.com, bol.com and tweakers.net) at the loopback address, so the infected machine can no longer resolve them and remediation from the machine itself is hindered. Duplicate entries are listed as the sandbox recorded them.

Creates RWX memory

Possible date expiration check, exits too soon after checking local time
- process: updatewin2.exe, PID 2696

Dynamic (imported) function loading detected
- DynamicLoader: kernel32.dll/createtoolhelp32snapshot
- DynamicLoader: kernel32.dll/module32firstw
- DynamicLoader: kernel32.dll/globalalloc
- DynamicLoader: kernel32.dll/loadlibrarya
- DynamicLoader: kernel32.dll/virtualalloc
- DynamicLoader: kernel32.dll/virtualprotect
- DynamicLoader: kernel32.dll/virtualfree
- DynamicLoader: kernel32.dll/getversionexa
- DynamicLoader: kernel32.dll/terminateprocess
- DynamicLoader: kernel32.dll/exitprocess
- DynamicLoader: kernel32.dll/seterrormode
- DynamicLoader: kernel32.dll/createfilew
- DynamicLoader: kernel32.dll/getfilesize
- DynamicLoader: kernel32.dll/setfilepointer
- DynamicLoader: kernel32.dll/writefile
- DynamicLoader: kernel32.dll/closehandle
- DynamicLoader: kernel32.dll/writeconsolew
- DynamicLoader: kernel32.dll/setfilepointerex
- DynamicLoader: kernel32.dll/getconsolemode
- DynamicLoader: kernel32.dll/getconsolecp
- DynamicLoader: kernel32.dll/flushfilebuffers
- DynamicLoader: kernel32.dll/heaprealloc
- DynamicLoader: kernel32.dll/heapsize
- DynamicLoader: kernel32.dll/getprocessheap
- DynamicLoader: kernel32.dll/lcmapstringw
- DynamicLoader: kernel32.dll/getstringtypew
- DynamicLoader: kernel32.dll/getfiletype
- DynamicLoader: kernel32.dll/setstdhandle
- DynamicLoader: kernel32.dll/freeenvironmentstringsw
- DynamicLoader: kernel32.dll/getenvironmentstringsw
- DynamicLoader: kernel32.dll/unhandledexceptionfilter
- DynamicLoader: kernel32.dll/setunhandledexceptionfilter
- DynamicLoader: kernel32.dll/getcurrentprocess
- DynamicLoader: kernel32.dll/terminateprocess
- DynamicLoader: kernel32.dll/isprocessorfeaturepresent
- DynamicLoader: kernel32.dll/queryperformancecounter
- DynamicLoader: kernel32.dll/getcurrentprocessid
- DynamicLoader: kernel32.dll/getcurrentthreadid
- DynamicLoader: kernel32.dll/getsystemtimeasfiletime
- DynamicLoader: kernel32.dll/initializeslisthead
- DynamicLoader: kernel32.dll/isdebuggerpresent
- DynamicLoader: kernel32.dll/getstartupinfow
- DynamicLoader: kernel32.dll/getmodulehandlew
- DynamicLoader: kernel32.dll/rtlunwind
- DynamicLoader: kernel32.dll/raiseexception
- DynamicLoader: kernel32.dll/getlasterror
- DynamicLoader: kernel32.dll/setlasterror
- DynamicLoader: kernel32.dll/entercriticalsection
- DynamicLoader: kernel32.dll/leavecriticalsection
- DynamicLoader: kernel32.dll/deletecriticalsection
- DynamicLoader: kernel32.dll/initializecriticalsectionandspincount
- DynamicLoader: kernel32.dll/tlsalloc
- DynamicLoader: kernel32.dll/tlsgetvalue
- DynamicLoader: kernel32.dll/tlssetvalue
- DynamicLoader: kernel32.dll/tlsfree
- DynamicLoader: kernel32.dll/freelibrary
- DynamicLoader: kernel32.dll/getprocaddress
- DynamicLoader: kernel32.dll/loadlibraryexw
- DynamicLoader: kernel32.dll/getstdhandle
- DynamicLoader: kernel32.dll/getmodulefilenamew
- DynamicLoader: kernel32.dll/multibytetowidechar
- DynamicLoader: kernel32.dll/widechartomultibyte
- DynamicLoader: kernel32.dll/exitprocess
- DynamicLoader: kernel32.dll/getmodulehandleexw
- DynamicLoader: kernel32.dll/getacp
- DynamicLoader: kernel32.dll/heapalloc
- DynamicLoader: kernel32.dll/heapfree
- DynamicLoader: kernel32.dll/findclose
- DynamicLoader: kernel32.dll/findfirstfileexw
- DynamicLoader: kernel32.dll/findnextfilew
- DynamicLoader: kernel32.dll/isvalidcodepage
- DynamicLoader: kernel32.dll/getoemcp
- DynamicLoader: kernel32.dll/getcpinfo
- DynamicLoader: kernel32.dll/getcommandlinea
- DynamicLoader: kernel32.dll/getcommandlinew
- DynamicLoader: USER32.dll/MessageBoxA
- DynamicLoader: SHELL32.dll/SHGetFolderPathW
- DynamicLoader: SHLWAPI.dll/PathAppendW
- DynamicLoader: msvcr100.dll/atexit
- DynamicLoader: kernel32.dll/initializecriticalsectionex
- DynamicLoader: kernel32.dll/flsalloc
- DynamicLoader: kernel32.dll/flssetvalue
- DynamicLoader: kernel32.dll/initializecriticalsectionex
- DynamicLoader: kernel32.dll/flsalloc
- DynamicLoader: kernel32.dll/flsgetvalue
- DynamicLoader: kernel32.dll/flssetvalue
- DynamicLoader: kernel32.dll/lcmapstringex
Note: the static import table above lists only SHELL32.dll, KERNEL32.dll, GDI32.dll and USER32.dll; SHLWAPI.dll and msvcr100.dll are reached only through this dynamic loading, and the VirtualAlloc/VirtualProtect pair is consistent with the "Creates RWX memory" signature.

Unconventional language used in binary resources: Serbian

SetUnhandledExceptionFilter detected (possible anti-debug)
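A responder checking whether a machine carries this sample's hosts-file tampering would audit %SystemRoot%\System32\drivers\etc\hosts. The script below is an added example and not part of the sandbox report: it parses a hosts file, flags public names mapped to a sinkhole address (127.0.0.1, 0.0.0.0, ::1) while ignoring the stock localhost lines, and separately flags any entry for a security-related domain whatever address it points at, since a redirect to an attacker-controlled address is worse than a blackhole. SAMPLE_HOSTS is a constructed file, and WATCHLIST holds a handful of the domains from the report's hosts-file list; both are assumptions for illustration.

```python
"""Audit a Windows hosts file for the kind of tampering recorded above.

Added example, not part of the sandbox report. SAMPLE_HOSTS is a constructed
file; WATCHLIST is a handful of the domains the report shows the sample adding.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Addresses that make a name unreachable when it is mapped to them.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Names that legitimately map to loopback in a stock hosts file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains taken from the report's hosts-file entries (subdomains match too).
WATCHLIST = {
    "windowsupdate.com", "update.microsoft.com", "microsoft.com",
    "virustotal.com", "malwarebytes.com", "kaspersky.com", "avast.com",
    "bleepingcomputer.com", "eset.com", "sophos.com",
}

# Constructed sample: two stock lines, then tampering in the styles seen above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 ds.download.windowsupdate.com
127.0.0.1 www.update.microsoft.com
127.0.0.1\tvirustotal.com\twww.virustotal.com
127.0.0.1 whoer.net
0.0.0.0 malwarebytes.com   # blackholed with the other sinkhole address
192.0.2.10 kaspersky.com   # redirected rather than blackholed
10.0.0.5 intranet.example  # legitimate internal override, not flagged
"""


class Finding(NamedTuple):
    lineno: int
    address: str
    hostname: str
    reason: str


def is_watchlisted(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, a WATCHLIST domain."""
    labels = hostname.lower().rstrip(".").split(".")
    # Try every suffix of at least two labels: www.a.b -> www.a.b, a.b
    return any(".".join(labels[i:]) in WATCHLIST for i in range(len(labels) - 1))


def audit_hosts(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        addr, *names = re.split(r"\s+", line)        # address, then 1+ hostnames
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append(Finding(lineno, addr, " ".join(names), "malformed address"))
            continue
        for name in names:
            lname = name.lower()
            if is_watchlisted(lname):
                # Flag regardless of address: a redirect is worse than a blackhole.
                findings.append(Finding(lineno, addr, lname, "watchlisted security domain"))
            elif addr in SINKHOLE_ADDRS and lname not in LEGIT_LOOPBACK_NAMES:
                findings.append(Finding(lineno, addr, lname, "public name sinkholed"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason."""
    return dict(Counter(f.reason for f in findings))


def audit_hosts_file(path: str) -> List[Finding]:
    # Windows may store hosts with a BOM; utf-8-sig strips it if present.
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    import sys
    results = audit_hosts_file(sys.argv[1]) if len(sys.argv) > 1 else audit_hosts(SAMPLE_HOSTS)
    for f in results:
        print(f"line {f.lineno}: {f.address} {f.hostname}  [{f.reason}]")
```

Run it with the path to a collected hosts file as the only argument, or with no argument to see it work on the constructed sample. On the sample it reports six watchlisted entries (including the 192.0.2.10 redirect, which a loopback-only check would miss) and one sinkholed public name, whoer.net, and leaves the localhost lines and the internal override alone.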
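The export above is flat text with page footers interleaved, which makes it awkward to reuse (for a resolver blocklist, a DNS hunt, or a search for the same dynamically resolved API set in other samples). The parser below is an added example and not part of the report or of the sandbox that produced it: it strips the footers, rejoins entries split across lines, extracts the hosts-file additions, the DynamicLoader entries grouped by DLL and the API-spam signature, and dedupes the repeats the sandbox recorded. REPORT_EXCERPT is a constructed fragment copying a few of the report's entries, and CAPABILITY_HINTS is an editorial grouping of the report's own signatures by the APIs that support them; both are assumptions.

```python
"""Parse a flattened sandbox-report export (as printed above) into indicators.

Added example, not part of the report or of the sandbox that produced it.
REPORT_EXCERPT is a constructed fragment that copies a few of the report's
entries; CAPABILITY_HINTS is an editorial grouping of the report's signatures.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List

REPORT_EXCERPT = (
    "Attempts to repeatedly call a single API many times in order to delay "
    "analysis time - Spam: updatewin2.exe (2696) called API NtClose 62783 times "
    "The sample wrote data to the system hosts file. "
    "- added: 127.0.0.1 ds.download.windowsupdate.com "
    "- added: 127.0.0.1 www.update.microsoft.com "
    "- added: 127.0.0.1 windowsupdate.com "
    "- added: 127.0.0.1 www.windowsupdate.com "
    "- added: 127.0.0.1 windowsupdate.com "        # duplicate, as in the report
    "Page 2 Date: 2019-02-21 23:04:06 "            # page footer splitting the list
    "- added: 127.0.0.1 virustotal.com "
    "Creates RWX memory Dynamic (imported) function loading detected "
    "- DynamicLoader: kernel32.dll/createtoolhelp32snapshot "
    "- DynamicLoader: kernel32.dll/virtualalloc "
    "- DynamicLoader: kernel32.dll/virtualprotect "
    "- DynamicLoader: kernel32.dll/isdebuggerpresent "
    "- DynamicLoader: USER32.dll/MessageBoxA "
    "- DynamicLoader: kernel32.dll/virtualalloc "   # repeated load, as in the report
)

FOOTER_RE = re.compile(r"Page \d+ Date: \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
HOSTS_RE = re.compile(r"- added:\s+(\S+)\s+(\S+)")
LOADER_RE = re.compile(r"- DynamicLoader:\s+([\w.]+)/(\w+)")
SPAM_RE = re.compile(r"Spam:\s+(\S+)\s+\((\d+)\)\s+called API\s+(\w+)\s+(\d+)\s+times")

# Editorial grouping of the report's signatures by the APIs that support them.
CAPABILITY_HINTS = {
    "process/module enumeration": {"createtoolhelp32snapshot", "module32firstw"},
    "memory protection changes": {"virtualalloc", "virtualprotect"},
    "anti-debug": {"isdebuggerpresent", "setunhandledexceptionfilter"},
}


def parse_report(text: str) -> Dict[str, object]:
    # Strip page footers and collapse all whitespace so entries split across
    # lines or pages rejoin before the regexes run.
    flat = " ".join(FOOTER_RE.sub(" ", text).split())

    hosts: List[Dict[str, str]] = []
    seen = set()
    for addr, name in HOSTS_RE.findall(flat):
        key = (addr, name.lower())
        if key not in seen:                 # keep the first occurrence only
            seen.add(key)
            hosts.append({"address": addr, "hostname": name.lower()})

    loads: Dict[str, List[str]] = defaultdict(list)
    for dll, func in LOADER_RE.findall(flat):
        bucket = loads[dll.lower()]
        if func.lower() not in (f.lower() for f in bucket):
            bucket.append(func)             # keep the report's own casing

    spam = [
        {"process": proc, "pid": int(pid), "api": api, "count": int(count)}
        for proc, pid, api, count in SPAM_RE.findall(flat)
    ]
    return {"hosts_added": hosts, "dynamic_loads": dict(loads), "api_spam": spam}


def capabilities(loads: Dict[str, List[str]]) -> List[str]:
    """Labels from CAPABILITY_HINTS whose APIs appear among the dynamic loads."""
    funcs = {f.lower() for names in loads.values() for f in names}
    return sorted(label for label, apis in CAPABILITY_HINTS.items() if funcs & apis)


def sinkholed_hostnames(report: Dict[str, object]) -> List[str]:
    """Unique hostnames the sample blackholed, ready for a DNS/EDR hunt list."""
    return sorted({h["hostname"] for h in report["hosts_added"]
                   if h["address"] in {"127.0.0.1", "0.0.0.0"}})


if __name__ == "__main__":
    parsed = parse_report(REPORT_EXCERPT)
    parsed["capabilities"] = capabilities(parsed["dynamic_loads"])
    parsed["hunt_list"] = sinkholed_hostnames(parsed)
    print(json.dumps(parsed, indent=2))
```

Feed parse_report the full export text rather than the excerpt to get the complete hosts list; the whitespace collapse is what lets the regexes cope with entries that the PDF extraction broke across lines, and the footer removal keeps "Page N Date" fragments from ending up inside a hostname.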