Manalyze report for 3bea978c7aeb4aaa56b9f8a817fae7b7

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2022-Nov-18 20:10:21
Detected languages	English - United States
Debug artifacts	C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb
CompanyName	Microsoft Update Service
FileDescription	Microsoft Update Health Service
FileVersion	`10.0.19041.3637`
LegalCopyright
ProductName	Microsoft® Windows® Operating System
ProductVersion	`10.0.19041.3637`
Assembly Version	10.0.19041.3637

Plugin Output

Info	Interesting strings found in the binary:	Contains domain names: cacerts.digicert.com crl3.digicert.com crl4.digicert.com digicert.com http://cacerts.digicert.com http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 http://cacerts.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crt0_ http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C http://crl3.digicert.com http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl0 http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 http://crl4.digicert.com http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0 http://ocsp.digicert.com0 http://ocsp.digicert.com0A http://ocsp.digicert.com0C http://ocsp.digicert.com0\ http://www.digicert.com http://www.digicert.com/CPS0 www.digicert.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryW GetProcAddress LoadLibraryExW` `Can access the registry: RegSetValueExW RegCreateKeyW RegOpenKeyW` `Interacts with services: CreateServiceW QueryServiceStatus OpenSCManagerW OpenServiceW`
Suspicious	The file contains overlay data.	`134144 bytes of data starting at offset 0x17450.` `The overlay data has an entropy of 7.96797 and is possibly compressed or encrypted.`
Malicious	VirusTotal score: 9/68 (Scanned on 2026-02-11 07:12:49)	`CrowdStrike: win/malicious_confidence_90% (D)` `Cylance: Unsafe` `DeepInstinct: MALICIOUS` `Gridinsoft: Trojan.Win32.Wacatac.cl` `Jiangmin: Trojan.PSW.Stealer.dwe` `Rising: Hacktool.ConnectWiseControl!8.17790 (CLOUD)` `TrellixENS: Artemis!3BEA978C7AEB` `Zillya: Trojan.Stealer.Win32.37991` `huorong: HackTool/ConnectWiseControl.i`

Hashes

MD5	`3bea978c7aeb4aaa56b9f8a817fae7b7`
SHA1	`0f0093b3d66e473b26f93520b264c6c826363ef0`
SHA256	`014acff36a183ca360cf68a6f08d51dae9440b2acccb8bf86f8a61909e3d0d51`
SHA3	`17bcae64b4651200fe1791c444b799f004d43df166c64f368fdcbe599b3717d9`
SSDeep	`3072:ohbNDxZGXfdHrX7rAc6myJkgpJjSKapdNmJ2jMWvMEIxlQkHfS7kyEnp0ygOgmCj:ohvqbATapNHMWNsy7Qp0ygxmLv0HH`
Imports Hash	`5f510e22d141c137199e2ff4021a57be`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x110`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2022-Nov-18 20:10:21
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0xc000`
SizeOfInitializedData	`0x29400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000217F (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xd000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x39000`
SizeOfHeaders	`0x400`
Checksum	`0x3f850`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`4903141203ee15a88e0ec583d004b2e1`
SHA1	`6509116efd1ec01f0a261f832548bb2e2140eb1b`
SHA256	`4e092069512ea94df2eda4c44dfd35fc1f90432625bd0baa45d6b36d8d4e87dd`
SHA3	`fcc00236acbedbd1ce20eecb836fd7ab5d5fdd78f7082e7aa720345435be8fbd`
VirtualSize	`0xbf3a`
VirtualAddress	`0x1000`
SizeOfRawData	`0xc000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.57656`

.rdata

MD5	`d7ff5c28f3b91b07d0d4a0084e0c4027`
SHA1	`6d43d9100a4e595ecfa5f60a4217976f9ae256ab`
SHA256	`78d798a02a7aa580ad51990948a5fd085dfa3f194772289e2f878d6802b41158`
SHA3	`c6e79e6ce63b48c8c2dd3d916640763cb6954ec0de5ae2f3105d866327a62073`
VirtualSize	`0x66f2`
VirtualAddress	`0xd000`
SizeOfRawData	`0x6800`
PointerToRawData	`0xc400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.80461`

.data

MD5	`c1c9bc79d0134b5bbd10e2601a2f323e`
SHA1	`1f87830aa8b528356f2a437016dbaa8701eda276`
SHA256	`6d4e1954f718096a5bee8e20db5760129dd57b21c32ad999e94cd2b60efea428`
SHA3	`6837a45909f2b53ed334e54134460ff22bdbb609731cec525969c286164e8d9e`
VirtualSize	`0x1284`
VirtualAddress	`0x14000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x12c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.14343`

.rsrc

MD5	`40c56a7632d234334094e781f5933b7b`
SHA1	`8c00c24c319f11003a9b231bb546d67404fac797`
SHA256	`3af7d17190aedc9ee31c59fd9267cb8fd16a5ccf18eda5986044889347faba36`
SHA3	`cbd1c90f325d9b5223cc2a9ae55b7715a3de71b13c77a5310753509254aaf81d`
VirtualSize	`0x210cc`
VirtualAddress	`0x16000`
SizeOfRawData	`0x21200`
PointerToRawData	`0x13600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.76811`

.reloc

MD5	`b8d6010afa6ab836c37551e6072726fe`
SHA1	`b1c4df2ab6bdfc101f399da4126d56c4dff852c0`
SHA256	`b7b424659e58cdf5c10cbc61a4691a475460c27f03943021f6f767478a66a428`
SHA3	`eebbb33015ef69e46b938f83d6d054cf873c72cd8ed43028381c5b99ecdd8622`
VirtualSize	`0xfc0`
VirtualAddress	`0x38000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x34800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.51232`

Imports

mscoree.dll	`CorBindToRuntimeEx`
SHLWAPI.dll	`StrCatW` `PathFindFileNameW` `StrCpyW` `PathRemoveExtensionW`
KERNEL32.dll	`SetEvent` `CloseHandle` `LoadLibraryW` `DecodePointer` `GetProcAddress` `GetLastError` `GetCurrentProcessId` `GetModuleHandleW` `SetStdHandle` `Sleep` `CreateEventW` `InitializeCriticalSectionAndSpinCount` `GetModuleFileNameW` `GetCommandLineW` `GetStringTypeW` `FlushFileBuffers` `GetConsoleCP` `GetConsoleMode` `SetFilePointerEx` `WriteConsoleW` `DeleteCriticalSection` `RtlUnwind` `GetFileType` `GetProcessHeap` `FreeEnvironmentStringsW` `IsDebuggerPresent` `OutputDebugStringW` `RaiseException` `EnterCriticalSection` `LeaveCriticalSection` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `GetStartupInfoW` `QueryPerformanceCounter` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `CreateFileW` `SetLastError` `EncodePointer` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `LoadLibraryExW` `ExitProcess` `GetModuleHandleExW` `GetModuleFileNameA` `MultiByteToWideChar` `WideCharToMultiByte` `GetStdHandle` `WriteFile` `GetACP` `HeapFree` `HeapSize` `HeapReAlloc` `LCMapStringW` `HeapAlloc` `FindClose` `FindFirstFileExA` `FindNextFileA` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetCommandLineA` `GetEnvironmentStringsW`
ADVAPI32.dll	`RegisterServiceCtrlHandlerExW` `CreateServiceW` `QueryServiceStatus` `CloseServiceHandle` `OpenSCManagerW` `SetServiceStatus` `RegSetValueExW` `StartServiceW` `RegCreateKeyW` `StartServiceCtrlDispatcherW` `OpenServiceW` `RegOpenKeyW`
OLEAUT32.dll	`VariantInit` `SysFreeString` `SysAllocString` `SafeArrayPutElement` `SafeArrayCreateVector` `VariantClear`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.88344`
MD5	`ebb32a0401b9b9f7edbad091fb1d3e47`
SHA1	`91c0785c1378be63901d34c898ae430a4fd266ed`
SHA256	`0177d94c0e9395c6c4c4cd0c8ae0c99f56e7ea8c49946d314add411ed5dd171a`
SHA3	`a8f3d9b7616c1bf4308a9462871275f1ad3c32e3a340507f60dbb39387711fef`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x1128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.32141`
MD5	`24c0f8fc5048c392c4b1e996dc227c6b`
SHA1	`42d415eb3831eb3bd1cc82db8c57eaeaa1d3f858`
SHA256	`1e880f4db103455254bd404f16f5237600607951d24c318eda117daef1b809f8`
SHA3	`411ead107f467c94b82632dc1a1596e6323ea18d7e12fed5ca39a52c13d3f08b`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x2668`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.56508`
MD5	`2e9e8a61401de4ba87f810530a420f79`
SHA1	`99831b7a41e7223a2af7df68f967f2f2ce1b8a18`
SHA256	`26554bc47e0d3eb196e4f3ad6786bf0be15395dd1389c86da9ed238c420fd3ec`
SHA3	`fde0f3fbeeee79be5ceff5bfba97ce7e1f0e9fb36daa72b100d0885513db0e27`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x1ce44`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.98392`
Detected Filetype	PNG graphic file
MD5	`e8fcd451a229f10272d55c6e9c867422`
SHA1	`77d1eab211aef66af86baa9ffec4690658083e65`
SHA256	`1a343f6b62e17703cd5f5c942de093025bdcc64a3c916d49e33b88fdc701e067`
SHA3	`cc62495047bfb6ea15084d9054d4f2e4ca7694d69c944e64d632c637b4c757e0`

SERVICES

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x3e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.52869`
Detected Filetype	Icon file
MD5	`75774832aa69c01057dc79ac7f11bc90`
SHA1	`c16c01e79e9462d5ce3127bc7944bfe6fbe8603e`
SHA256	`c104fd97366a93c40af589f608dba7aa74d49931bba8a93debd460f235eec264`
SHA3	`d93b1eb6f10a5e6a9b0c786f15cffeb08257c07cb0f25727b048df407bf6d0fc`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2f8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.45539`
MD5	`49b329c72fe8be25933c8c6aed5abf47`
SHA1	`d6a66edd12b6f47fad0a7e1eec0233c9a28a411f`
SHA256	`fee667b5135a43032a8183097eb9981672021ffd37d98195d8d661940a52d42b`
SHA3	`97ce9f7026601adcfc02e6522d819effc4a535afe7331796b0c8bbd8dd3ed5c6`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x184`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91862`
MD5	`3250787fdcd75aa2587529b89c7738b2`
SHA1	`622b5627941ecee9cfe6179c3017bbf7b43fffaa`
SHA256	`8b0de2e560d8476fb0013b44f1e10c2789ae71e0353866890dc5f9c57fb1f44a`
SHA3	`6bf4f0eaf6795c219d4d808caa895dcb53f7fe9c81e92ce03da1db7841bfcd3d`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	29.4.20.9296
ProductVersion	29.4.20.9296
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
CompanyName	Microsoft Update Service
FileDescription	Microsoft Update Health Service
FileVersion (#2)	10.0.19041.3637
LegalCopyright
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	10.0.19041.3637
Assembly Version	10.0.19041.3637

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2022-Nov-18 20:10:21
Version	`0.0`
SizeofData	`110`
AddressOfRawData	`0x12438`
PointerToRawData	`0x11838`
Referenced File	C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2022-Nov-18 20:10:21
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x124a8`
PointerToRawData	`0x118a8`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2022-Nov-18 20:10:21
Version	`0.0`
SizeofData	`812`
AddressOfRawData	`0x124bc`
PointerToRawData	`0x118bc`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2022-Nov-18 20:10:21
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0xc0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x414004`
SEHandlerTable	`0x412378`
SEHandlerCount	`8`

RICH Header

XOR Key	`0xf04671bc`
Unmarked objects	`0`
241 (40116)	`10`
243 (40116)	`122`
242 (40116)	`24`
C objects (VS2022 Update 3 (17.3.0) compiler 31616)	`17`
ASM objects (VS2022 Update 3 (17.3.0) compiler 31616)	`20`
C++ objects (VS2022 Update 3 (17.3.0) compiler 31616)	`42`
Imports (VS2008 SP1 build 30729)	`10`
Imports (VS2008 build 21022)	`3`
Total imports	`112`
C++ objects (LTCG) (VS2022 Update 3 (17.3.4-6) compiler 31630)	`1`
Resource objects (VS2022 Update 3 (17.3.4-6) compiler 31630)	`1`
Linker (VS2022 Update 3 (17.3.4-6) compiler 31630)	`1`

Errors

[*] Warning: The WIN_CERTIFICATE appears to be invalid.