PUP.HidCon.A

Analysis Report

General information

Family Name: PUP.HidCon.A
Signature status: No Signature

Known Samples

MD5: 7a901d1e6ab9a205ea96589ca356353a
SHA1: 6bf37d33c0685cb9b905235f53c0da93e06c6332
SHA256: 63487B67B08BA2A686B9A325EC8250A62555C48D020D9E2A2DA2470357D90901
File Size: 465.46 KB, 465463 bytes
MD5: f5cec3430767e5e6b6b5afd68b249b0b
SHA1: 2ec0246252be92f1cae2c5c2dc0aefb9861ea87d
SHA256: 2587C45A5A622A750C81BB728945BC4A9CAA8C23519E29C1E703F792D1AEE6E9
File Size: 465.64 KB, 465639 bytes
MD5: 259eba58f34cb26effd4d0a6a4bfafc3
SHA1: dee209168db1c0bace6b554b2ff6a017a65b3e10
SHA256: 930036D57545A20AA4A63A940AE9A50BC79D6CBC3B1ADDFBD0C26FD0697F51BD
File Size: 5.04 MB, 5039183 bytes
MD5: 280550b23cb4a36c338d5b297fb3b5de
SHA1: fb07e0aaa4ffa8d2cd98868eb402d2b28bfb0427
SHA256: 3C30612545923B23C7CF03AB8A4E4D1BBE52713299BC5A00C4A69FB8D887D54A
File Size: 488.55 KB, 488551 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • No Version Info
  • x86

Files Modified

File Attributes
c:\program files (x86)\microsoft\edgeupdate\1.3.215.9\msedgeupdate.dll Synchronize,Write Attributes
c:\program files (x86)\microsoft\edgeupdate\1.3.215.9\msedgeupdate.dll Synchronize,Write Data
c:\program files (x86)\microsoft\edgeupdate\1.3.215.9\msedgeupdate.dll.dat Synchronize,Write Data
c:\program files (x86)\microsoft\edgeupdate\1.3.215.9\msedgeupdate.dll.tmp Generic Write,Read Attributes
c:\program files\common files\system\symsrv.dll Generic Write,Read Attributes
c:\program files\common files\system\symsrv.dll.000 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\bccc11e01e04.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_12858296 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_2145765 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_2926812 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_4670875 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\_setup.msi Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\_setup.msi Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\delrunonce.reg Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0\delrunonce.reg Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\hidcon.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\hidcon.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0\hidcon.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\icon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\icon.ico Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\reg.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\reg.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\run.cmd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0\run.cmd Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\runme.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\runme.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\second.reg Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0\second.reg Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\setup.cmd Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\setup.cmd Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\uiso9.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\uiso9.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\xxmklink.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\xxmklink.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx1 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx1\__tmp_rar_sfx_access_check_2147328 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx1\uiso9_pe.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx1\uiso9_pe.exe Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\classes\.esd::browserflags RegNtPreCreateKey
HKLM\software\classes\.esd::editflags RegNtPreCreateKey
HKLM\software\classes\.esd:: Файл сжатого машинного образа Windows RegNtPreCreateKey
HKLM\software\classes\.esd\defaulticon:: C:\Windows\appcompat\esd.ico,0 RegNtPreCreateKey
HKLM\software\classes\.tib::browserflags RegNtPreCreateKey
HKLM\software\classes\.tib::editflags RegNtPreCreateKey
HKLM\software\classes\.tib:: Файл резервной копии Acronis True Image RegNtPreCreateKey
HKLM\software\classes\.tib\defaulticon:: C:\Windows\appcompat\tib.ico,0 RegNtPreCreateKey
HKLM\software\classes\.tibx::browserflags RegNtPreCreateKey
HKLM\software\classes\.tibx::editflags RegNtPreCreateKey
HKLM\software\classes\.tibx:: Файл резервной копии Acronis True Image RegNtPreCreateKey
HKLM\software\classes\.tibx\defaulticon:: C:\Windows\appcompat\tibx.ico,0 RegNtPreCreateKey
HKLM\software\classes\.wim::browserflags RegNtPreCreateKey
HKLM\software\classes\.wim::editflags RegNtPreCreateKey
HKLM\software\classes\.wim:: Файл машинного образа Windows RegNtPreCreateKey
HKLM\software\classes\.wim\defaulticon:: C:\Windows\appcompat\wim.ico,0 RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion::registeredowner Hawksoft RegNtPreCreateKey
HKCU\software\microsoft\internet explorer\main::window title System RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\explorer\driveicons\c\defaultlabel:: System RegNtPreCreateKey
HKCU\control panel\international::slongdate d MMMM yyyy 'г.' RegNtPreCreateKey
HKCU\control panel\international::sshortdate ddd dd.MM.yyyy RegNtPreCreateKey
HKCU\control panel\international::stimeformat H:mm:ss RegNtPreCreateKey
HKCU\control panel\international::sshorttime H:mm RegNtPreCreateKey
HKCU\control panel\international::syearmonth MMMM yyyy RegNtPreCreateKey
HKLM\software\policies\microsoft\windows\system::disableacrylicbackgroundonlogon  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ᴨ渎泚ǜ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion::registeredowner KDFX RegNtPreCreateKey
HKCU\software\microsoft\internet explorer\main::window title 24H2 IoT by KDFX RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\explorer\driveicons\c\defaultlabel:: 24H2 IoT by KDFX RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::mrulist alekjihgbcdf RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::b regedit\1 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::c msconfig\1 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::d gpedit.msc\1 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::e calc\1 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::f ping\1 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::g cmd\1 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::h devmgmt.msc\1 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::i secpol.msc\1 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::j firewall.cpl\1 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::k explorer\1 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::l winver\1 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\runmru::a mspaint\1 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 녳眐蘏ǜ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 튓뉣訥ǜ RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Keyboard Access
  • GetKeyState
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Process Manipulation Evasion
  • NtUnmapViewOfSection
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiRestoreDC
  • win32u.dll!NtGdiSaveDC
  • win32u.dll!NtGdiSelectBitmap
  • win32u.dll!NtGdiSetDIBitsToDeviceInternal
  • win32u.dll!NtUserCallNoParam
  • win32u.dll!NtUserConsoleControl
  • win32u.dll!NtUserCreateEmptyCursorObject
  • win32u.dll!NtUserGetDC
  • win32u.dll!NtUserGetGUIThreadInfo
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetProcessWindowStation
  • win32u.dll!NtUserGetThreadState
  • win32u.dll!NtUserReleaseDC
  • win32u.dll!NtUserSelectPalette
  • win32u.dll!NtUserSetCursorIconData
  • win32u.dll!NtUserSetProcessDpiAwarenessContext

Shell Command Execution

(NULL) C:\Users\Diamyius\AppData\Local\Temp\RarSFX0\hidcon.exe run.cmd
run.cmd
WriteConsole:
WriteConsole: C:\Users\Diamyiu
WriteConsole: REGEDIT
WriteConsole: /S delrunonce.r
WriteConsole:
C:\WINDOWS\system32\regedit.exe REGEDIT /S delrunonce.reg
WriteConsole:
WriteConsole: C:\Users\Diamyiu
WriteConsole: REGEDIT
WriteConsole: /S second.reg
WriteConsole:
C:\WINDOWS\system32\regedit.exe REGEDIT /S second.reg
WriteConsole:
WriteConsole: C:\Users\Diamyiu
WriteConsole: RMDIR
WriteConsole: /S /Q C:\$WINDO
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: C:\Users\Diamyiu
WriteConsole: RMDIR
WriteConsole: /S /Q C:\$WINDO
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: C:\Users\Diamyiu
WriteConsole: RMDIR
WriteConsole: /S /Q C:\$Windo
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: C:\Users\Diamyiu
WriteConsole: DEL
WriteConsole: /F /S /Q /A "C:
WriteConsole:
(NULL) C:\Users\Dijfcglg\AppData\Local\Temp\RarSFX0\hidcon.exe run.cmd
WriteConsole: C:\Users\Dijfcgl
(NULL) C:\Users\Bumnwflt\AppData\Local\Temp\RarSFX0\hidcon.exe Setup.cmd
Setup.cmd
WriteConsole: ECHO is off.
WriteConsole: Installing Ultra
C:\Users\Bumnwflt\AppData\Local\Temp\RarSFX0\uiso9.exe uiso9.exe
(NULL) C:\Users\Bumnwflt\AppData\Local\Temp\RarSFX1\uiso9_pe.exe /VERYSILENT /NORESTART
(NULL) C:\Users\Gtivhbcj\AppData\Local\Temp\RarSFX0\hidcon.exe runme.bat
runme.bat
C:\Users\Gtivhbcj\AppData\Local\Temp\RarSFX0\_setup.msi _setup.msi /qb
