Multi-License Discount Quote

Change Region

English
Threat Database Potentially Unwanted Programs PUP.HiddenStart.A

PUP.HiddenStart.A

By CagedTech in Potentially Unwanted Programs

Analysis Report

General information

Family Name: PUP.HiddenStart.A
Signature status: No Signature

Known Samples

MD5: a55723a77a061f2b97d165422a123f00
SHA1: 90bb15424460d80e975a6fa3bf7a8f714e567b9a
SHA256: BD84021440E6238670DA02B89F640DF15A484EE9FF4D884B5DEE08F0E4BAD906
File Size: 343.57 KB, 343572 bytes
MD5: 94e1894ff6583997e6d44438458f1975
SHA1: 540577ae8cfeb6ca55735b44efd2d3598cc00998
SHA256: 8BBCCBA63B5137D2602619FE4CE2134EC6C689C82DDB3B39C469CAE5A50A89AE
File Size: 16.79 KB, 16792 bytes
MD5: b615cf6a85198c10e1b3ad58e62a9ba8
SHA1: 7c39603c9ee6564d42574aaba0445b80fb5caf8a
SHA256: 17794F9E7DEE958FDC287ED704FC6606269AFD9E15D45C3F2884832446B26AC6
File Size: 122.60 KB, 122598 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
Show More
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Company Name NTWind Software
File Description Hidden Start
File Version 2.2.0.0
Internal Name hstart.exe
Legal Copyright © 2008 NTWind Software
Original Filename hstart.exe
Product Name hstart
Product Version 2.2.0.0

Digital Signatures

Signer Root Status
Alexander Avdonin Alexander Avdonin Hash Mismatch

File Traits

  • x86

Block Information

Total Blocks: 445
Potentially Malicious Blocks: 0
Whitelisted Blocks: 438
Unknown Blocks: 7

Visual Map

0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • HiddenStart.A
  • Trojan.Downloader.Gen.M

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\data\status_log.txt Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\data\status_log.txt Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_2231218 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_3043046 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\data Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0\data Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\data\kmsserver Generic Write,Read Attributes
Show More
c:\users\user\appdata\local\temp\rarsfx0\data\kmsserver Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\data\kmsserver\install.cmd Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\data\kmsserver\install.cmd Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\data\kmsserver\kmsserver.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\data\kmsserver\kmsserver.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\data\kmsserver\server.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\data\kmsserver\server.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\data\off10act.cmd Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\data\off10act.cmd Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\data\off10act.lnk Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\data\off10act.lnk Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\data\off10hs.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\data\off10hs.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\hstart.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\hstart.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\install.cmd Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\install.cmd Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\office2010kmsactivator.cmd Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\office2010kmsactivator.cmd Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\vtk.vbs Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\vtk.vbs Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 䪯없묯ǜ RegNtPreCreateKey
Show More
HKCU\local settings\muicache\1b\52c64b7e::@c:\windows\system32\ndfapi.dll,-40001 Windows Network Diagnostics RegNtPreCreateKey

Windows API Usage

Category API
Keyboard Access
  • GetKeyState
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
Show More
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation

Shell Command Execution

(NULL) C:\Users\Undesyfg\AppData\Local\Temp\RarSFX0\Office2010KmsActivator.cmd
(NULL) C:\Users\Jtetgngb\AppData\Local\Temp\RarSFX0\Install.cmd
WriteConsole: Invalid paramete
WriteConsole:
WriteConsole: C:\Users\Jtetgng
Show More
WriteConsole: CLS
C:\Users\Jtetgngb\appdata\local\temp\rarsfx0\hstart.exe "C:\Users\Jtetgngb\appdata\local\temp\rarsfx0\hstart" /MSG="Creating Activation report
WriteConsole: The system canno
C:\WINDOWS\system32\reg.exe reg QUERY "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
C:\WINDOWS\system32\findstr.exe findstr /i "0x1"
C:\Users\Jtetgngb\appdata\local\temp\rarsfx0\hstart.exe "C:\Users\Jtetgngb\appdata\local\temp\rarsfx0\hstart" /MSG="Activation report completed

Trending

Most Viewed

Loading...