PUP.UACMe.C

Analysis Report

General information

Family Name: PUP.UACMe.C
Signature status: No Signature

Known Samples

MD5: d7078f1821be0bf8e5d9245a32825743
SHA1: dee52105a37f3112710ce63602d0213091cb2f65
SHA256: 1649AA15FF4ADF65FAFCAAB19122796B23A21F506E6F3FE74D029483A8D166E9
File Size: 3.04 MB, 3044352 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information
  • File has TLS information
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name MKSTools Corpration.
File Description Setup
File Version 10.5.107.13
Internal Name Setup
Legal Copyright Copyright (C) 2025
Original Filename Setup
Product Name Setup
Product Version 10.5.107.13

File Traits

  • dll
  • fptable
  • ntdll
  • x64

Block Information

Total Blocks: 2,595
Potentially Malicious Blocks: 341
Whitelisted Blocks: 2,084
Unknown Blocks: 170

Visual Map

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File Attributes
c:\programdata\golden\config.ini Generic Write,Read Attributes
c:\programdata\golden\wechatappex.exe Generic Write,Read Attributes
c:\programdata\golden\wechatappex_1.exe Generic Write,Read Attributes
c:\programdata\golden\xweb_elf.dll Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKCU\clsid\{39b05c29-adcf-4d56-aa37-77d24470fb8b}\shell\manage\command:: "C:\ProgramData\Golden\\WeChatAppEx.exe" -2i RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\explorer.exe ש虹퉔ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcDisconnectPort
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation

Shell Command Execution

explorer.exe shell:::{39B05C29-ADCF-4D56-AA37-77D24470FB8B}
