137729dd45e10adc80a5a77c2f2f8bab

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Jul-15 16:10:36
Detected languages English - United States
French - France
Debug artifacts Z:\C&C\Finals Release\V1.0 06-2019\x64\Release\Test Control command.pdb
CompanyName Microsoft Corporation
FileDescription Update
FileVersion 10.03.2.5
InternalName wuauclt.exe
LegalCopyright Copyright (C) 2019
OriginalFilename wuauclt.exe
ProductName Update
ProductVersion 10.03.2.5

Plugin Output

Info Matching compiler(s): MASM/TASM - sig1(h)
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Contains domain names:
  • govps.com
  • helper.govps.com
  • pool.supportxmr.com
  • supportxmr.com
Malicious This program may be a miner. Contains a valid Monero address:
  • 45U1KXjZmtc9BJknstsJaLfHA2dArpjyLiAdTmNg2C4YBzbN1hGxAvaNHC8ShSrbjNVqh3hSt2FoAFKxJFQXAfVw1sKaxJo
Info The PE contains common functions which appear in legitimate applications. Can access the registry:
  • RegOpenKeyExA
  • RegCloseKey
  • RegSetValueExA
  • RegCreateKeyExA
  • RegQueryValueExA
Possibly launches other programs:
  • ShellExecuteW
  • system
Has Internet access capabilities:
  • InternetOpenUrlA
  • InternetOpenA
  • InternetCloseHandle
  • URLDownloadToFileW
  • WinHttpOpenRequest
  • WinHttpConnect
  • WinHttpOpen
  • WinHttpSendRequest
Malicious VirusTotal score: 12/72 (Scanned on 2019-07-23 00:44:39)
McAfee: Artemis!137729DD45E1
Kaspersky: HEUR:Trojan.Win64.Miner.gen
AegisLab: Trojan.Win64.Miner.4!c
McAfee-GW-Edition: Artemis
Jiangmin: Trojan.Miner.hax
Antiy-AVL: Trojan/Win64.Miner
ZoneAlarm: HEUR:Trojan.Win64.Miner.gen
Microsoft: Trojan:Win32/Wacatac.B!ml
AhnLab-V3: Malware/Gen.Generic.C3330380
Cylance: Unsafe
AVG: FileRepMalware
Qihoo-360: Win32/Trojan.9d5

Hashes

MD5 137729dd45e10adc80a5a77c2f2f8bab
SHA1 67b682b54ae15ac3fafd185b1841612e3deec34d
SHA256 7d6385a960e2604d713f63c6a6b40865000a5a1db20dcc5f9de3d01f7fe0810b
SHA3 48b477ced6544b3c3ec67d35d225f2fb3afc3d82cd9b4a2a95961ce55a5149ce
SSDeep 1536:zBQT9n6K5t0fsuGWa7FM12pO6nH+YhM5:mV6UtPuGZi2kCHnhq
Imports Hash 2f8e8e1b21f50c4595595d52867c6372

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x110

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2019-Jul-15 16:10:36
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0xae00
SizeOfInitializedData 0x6c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000000A78C (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x16000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 00eba2b85242ce359054b31d570c4134
SHA1 22762454aa1a048180830a7cf9fe968bf0a5d24b
SHA256 dd4a6a74d186ae974ba57f592cc464b985f7d98fb6e2e2bf1673ee3b72b735a1
SHA3 a9021673172afaa6b2550de43e8ea0995a76473b5b494ca50c70ebf6be46a2c6
VirtualSize 0xadfb
VirtualAddress 0x1000
SizeOfRawData 0xae00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.10837

.rdata

MD5 be9211b0927ffdcb7933468b185e7aaa
SHA1 fcf43d321f9ff08a7c8c52f3aeb989d2527b754a
SHA256 a3074fe6a9d1cb76767f1791397568dcfbb7cf254092c7ee8af7a8a1b8faf6f0
SHA3 f547ebff75eeeedd31521f0944eededfc21b450ec59c4371e154fdeda3a1f16a
VirtualSize 0x5096
VirtualAddress 0xc000
SizeOfRawData 0x5200
PointerToRawData 0xb200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.66741

.data

MD5 454c0a113ffb585723f32bc0752a8501
SHA1 87e967f4a0de4d2d5f46b2e7fd3b2d7227962323
SHA256 aeb5ab9616668b872f709c20f669533b8ecd1dbb14d8d50f4ca657052df6c826
SHA3 dfefc83ebeac5d3d96acae646d8014256734ecbd79cfea41e1520ba244c8cd9e
VirtualSize 0x9b0
VirtualAddress 0x12000
SizeOfRawData 0x400
PointerToRawData 0x10400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.55922

.pdata

MD5 d25bb6a0ba10d9bf6ae885d5572a9c16
SHA1 af66f6e4360d3f5f3e4ef3e11f2ba0dae5d3c6ce
SHA256 1a2cd05cc8408e527800e9ef20d8aee60e841e16ba7cf8d218004a8a93059e54
SHA3 7187a139f6ad2a8e51fad05737bb9c80fcc722aad7f41408531eff397ba81bd3
VirtualSize 0x7a4
VirtualAddress 0x13000
SizeOfRawData 0x800
PointerToRawData 0x10800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.30625

.rsrc

MD5 2cc2a4cb4addc28c32c1fb0f910259fc
SHA1 3db7ad9113cc64fc3304f47861b8584c8e349491
SHA256 584edb983faee53215ee46d2a05ab8436507a0b50f5dff7be1176987075745ef
SHA3 94d1c656227aff89e1c2c81cc3301fce8e25d9ccc37b31b8d27b16ef293b743a
VirtualSize 0x570
VirtualAddress 0x14000
SizeOfRawData 0x600
PointerToRawData 0x11000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.81336

.reloc

MD5 ca574c5d525c1a73373322eb2f058798
SHA1 ada8ecea5a50f3d95d13698c4ebd5d714a1bd9ab
SHA256 2eeaee92975ff485afd599e04e565e5ae23f758f901ecfe7021a5b667f10508b
SHA3 f95e66be28fbfb1617cdc3a0b0d3be05437ffabdc10b2e691a6ec0e652396e3e
VirtualSize 0x90
VirtualAddress 0x15000
SizeOfRawData 0x200
PointerToRawData 0x11600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 1.91116

Imports

KERNEL32.dll DeleteFileA
Sleep
CreateDirectoryA
CopyFileW
RtlLookupFunctionEntry
MoveFileW
GetModuleFileNameA
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetModuleHandleW
RtlCaptureContext
ADVAPI32.dll RegOpenKeyExA
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA
SHELL32.dll SHGetKnownFolderPath
ShellExecuteW
MSVCP140.dll ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??Bios_base@std@@QEBA_NXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Xlength_error@std@@YAXPEBD@Z
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?uncaught_exception@std@@YA_NXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xout_of_range@std@@YAXPEBD@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Xinvalid_argument@std@@YAXPEBD@Z
WININET.dll InternetOpenUrlA
InternetOpenA
InternetCloseHandle
DeleteUrlCacheEntryW
urlmon.dll URLDownloadToFileW
WINHTTP.dll WinHttpOpenRequest
WinHttpConnect
WinHttpOpen
WinHttpSendRequest
VCRUNTIME140.dll __C_specific_handler
_CxxThrowException
__std_exception_copy
memchr
memcmp
memcpy
__std_exception_destroy
__CxxFrameHandler3
__std_terminate
memset
memmove
api-ms-win-crt-runtime-l1-1-0.dll _exit
_initterm_e
__p___argc
__p___argv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_get_initial_narrow_environment
_set_app_type
_seh_filter_exe
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_errno
terminate
_configure_narrow_argv
_invalid_parameter_noinfo_noreturn
_initialize_narrow_environment
exit
_initterm
system
api-ms-win-crt-convert-l1-1-0.dll strtol
api-ms-win-crt-stdio-l1-1-0.dll setvbuf
fflush
__p__commode
ungetc
fputc
fgetc
_set_fmode
fsetpos
_fseeki64
fgetpos
fclose
_get_stream_buffer_pointers
fread
fwrite
api-ms-win-crt-filesystem-l1-1-0.dll remove
_unlock_file
_lock_file
api-ms-win-crt-time-l1-1-0.dll _time64
api-ms-win-crt-utility-l1-1-0.dll rand
srand
api-ms-win-crt-heap-l1-1-0.dll malloc
_set_new_mode
_callnewh
free
api-ms-win-crt-math-l1-1-0.dll __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll _configthreadlocale

Delayed Imports

Resources

1

Type RT_VERSION
Language French - France
Codepage UNKNOWN
Size 0x5c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.16025
MD5 7428d7bd4d32d9469d7468dc2adc9b40
SHA1 bad70935173e96ab5c58f39af47b000363d2ebc5
SHA256 ef82997e65ed2c7d3a7bbbf6e5950353498f2ac73799fb51cd4d502ebd84e0e6
SHA3 408d82d82434186479c502684cbc5e46a6dfa2276b18a39ffbc850f91294b3a6

101

Type RT_VERSION
Language French - France
Codepage UNKNOWN
Size 0x2c0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.36722
MD5 f53a0ad0ec817e421e5d7557da6f6b14
SHA1 7758f7910966852ead1886390726c6defe96cac6
SHA256 aa1a7ab3c7649b703c0bcfd66091157e5fd551ed350a329204c42fe53f161f6d
SHA3 509a3d11a5915dbb2e5a690d023cdb0ccd5150776fd4c3eae9f839570408f7be

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.1
ProductVersion 1.0.0.1
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language French - France
CompanyName Microsoft Corporation
FileDescription Update
FileVersion (#2) 10.03.2.5
InternalName wuauclt.exe
LegalCopyright Copyright (C) 2019
OriginalFilename wuauclt.exe
ProductName Update
ProductVersion (#2) 10.03.2.5
Resource LangID French - France

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2019-Jul-15 16:10:36
Version 0.0
SizeofData 96
AddressOfRawData 0xdbc4
PointerToRawData 0xcdc4
Referenced File Z:\C&C\Finals Release\V1.0 06-2019\x64\Release\Test Control command.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2019-Jul-15 16:10:36
Version 0.0
SizeofData 20
AddressOfRawData 0xdc24
PointerToRawData 0xce24

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2019-Jul-15 16:10:36
Version 0.0
SizeofData 736
AddressOfRawData 0xdc38
PointerToRawData 0xce38

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2019-Jul-15 16:10:36
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0x108
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140012010

RICH Header

XOR Key 0x875387e7
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 18
C objects (27316) 10
ASM objects (27316) 2
C++ objects (27316) 28
Imports (27316) 4
262 (26213) 1
Imports (26213) 13
Total imports 166
265 (VS2019 RTM compiler 27508) 7
Resource objects (VS2019 RTM compiler 27508) 1
151 1
Linker (VS2019 RTM compiler 27508) 1

Errors

[!] Error: StringFileInfo expected, read 4 instead.
[!] Error: StringFileInfo expected, read 4 instead.
[*] Warning: Could not parse a VERSION_INFO resource!