winupt.exe

The application winupt.exe has been detected as a potentially unwanted program by 22 anti-malware scanners. It is a malicious Bitcoin miner. Bitcoin-mining malware forces infected computers to generate Bitcoins for the cybercriminals' benefit, consuming the victim's computing power in the process. The file has been seen being downloaded from feidowns.com.
MD5:
04a62fc93a993f0c84dd149c79a42217

SHA-1:
2cd68d29bf1dc115724012ae8562e94b6ca93b89

SHA-256:
d8dc30010a8244efc21da521b00e612a3f7160931038160ee75f114ec2ba7f25

Scanner detections:
22 / 68

Status:
Potentially unwanted

Explanation:
The program mines for Bitcoins in the background using the computer's GPU and may be installed and run without the user's knowledge.

Analysis date:
11/27/2024 8:39:52 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.Generic.1007001 | 812
Agnitum Outpost | Riskware.Agent | 7.1.1
avast! | Win64:Malware-gen | 2014.9-141114
AVG | Win32/DH | 2015.0.3290
Baidu Antivirus | Hacktool.Win64.BitCoinMiner | 4.0.3.141114
Bitdefender | Adware.Generic.1007001 | 1.0.20.1590
Emsisoft Anti-Malware | Adware.Generic.1007001 | 8.14.11.14.01
ESET NOD32 | Win64/BitCoinMiner (variant) | 8.10710
Fortinet FortiGate | Adware/BitCoinMiner | 11/14/2014
F-Secure | Adware.Generic.1007001 | 11.2014-14-11_6
G Data | Adware.Generic.1007001 | 14.11.24
IKARUS anti.virus | HackTool.Win64.BitCoinMiner | t3scan.1.8.3.0
Kaspersky | HackTool.Win64.BitCoinMiner | 14.0.0.2947
McAfee | Artemis!04A62FC93A99 | 5600.6946
MicroWorld eScan | Adware.Generic.1007001 | 15.0.0.954
Norman | Troj_Generic.VWAYD | 11.20141114
Panda Antivirus | Trj/CI.A | 14.11.14.01
Quick Heal | HackTool.Win64.r9 (Not a Virus) | 11.14.14.00
Rising Antivirus | PE:Trojan.Win32.Generic.176B8FC2!392925122 | 23.00.65.141112
Trend Micro House Call | TROJ_SPNR.11IN14 | 7.2.318
Trend Micro | TROJ_SPNR.11IN14 | 10.465.14
VIPRE Antivirus | Trojan.Win32.Generic | 34732

File size:
589.5 KB (603,648 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\roaming\winupt.exe

File PE Metadata
Compilation timestamp:
8/29/1971 8:29:28 PM

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
2.24

CTPH (ssdeep):
12288:i5zeqUyiWs/7MUumjscxOrvN5zCqI1sYzY24nl/KwI7GotFQWULpU3nT8:i5bzbtUuwscxOrl5uj1sYcOFgLSXT8

Entry address:
0x14B0

Entry point:
48, 83, EC, 28, C7, 05, 82, 32, 09, 00, 01, 00, 00, 00, E8, CD, 52, 07, 00, E8, B8, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 48, 83, EC, 28, C7, 05, 62, 32, 09, 00, 00, 00, 00, 00, E8, AD, 52, 07, 00, E8, 98, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 41, 57, 41, 56, 41, 55, 41, 54, 55, 57, 56, 53, 48, 81, EC, D8, 00, 00, 00, BB, 40, 00, 00, 00, 48, 8B, 71, 40, 48, 89, 4C, 24, 28, 48, 89, 54, 24, 30, 4C, 89, 44, 24, 20, 48, 29, F3, 4C, 39, C3, 0F, 87, 79, 87, 00, 00, 48, 8B, 54, 24, 28, 48, 8B, 4A, 48...

Entropy:
6.6177

Code size:
499.5 KB (511,488 bytes)

Startup File (User Run Once)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
winappe

Command:
C:\users\{user}\appdata\roaming\winupt.exe

The file winupt.exe has been seen being distributed by the following URL.

Remove winupt.exe - Powered by Reason Core Security