PUP.Widdit

Analysis Report

General information

Family Name: PUP.Widdit
Signature status: Modified signature

Known Samples

MD5: 30a56e3f0085d1d092e1fd7030fc16cb
SHA1: 1319265614c8291a78a998c5a8c717ed65715634
File Size: 921.90 KB, 921904 bytes

MD5: dd5eed9659f215120e5da8b73a181aad
SHA1: 682d4e242152fbe0cc227b1af6fad5548e34ec80
File Size: 921.55 KB, 921552 bytes

MD5: 213d24f4cc1ae1590c43e2d00b02e770
SHA1: f9a10403ac4c728eff0cf597f3e6d215e999a5b0
SHA256: A1F0AA9B39B3393A1E38B4CD627D9D0150B5CC29BD88A8C9AEA308D08A185A71
File Size: 920.07 KB, 920072 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Comments This installation was built with Inno Setup.
File Description Installer Setup
File Version
  • 13.1
  • 12.5
  • 12.0
Legal Copyright Copyright (c) 2012, www.simplytech.com
Product Name Installer
Product Version
  • 13.1
  • 12.5
  • 12.0

Files Modified

File Attributes
c:\users\user\appdata\local\temp\is-1c0f6.tmp\1319265614c8291a78a998c5a8c717ed65715634_0000921904.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-3fjg1.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-3fjg1.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-3fjg1.tmp\appimageorign.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-3fjg1.tmp\cinshlpr.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-3fjg1.tmp\innocallback.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-3fjg1.tmp\innosetuphelper.dll Synchronize,Write Data
c:\users\user\appdata\local\temp\is-3fjg1.tmp\innosetuphelpernet4.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-3fjg1.tmp\isxdl.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-3fjg1.tmp\webbrowser.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-aikvj.tmp\f9a10403ac4c728eff0cf597f3e6d215e999a5b0_0000920072.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-qmmkl.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-qmmkl.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-qmmkl.tmp\appimageorign.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-qmmkl.tmp\cinshlpr.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-qmmkl.tmp\innocallback.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-qmmkl.tmp\innosetuphelper.dll Synchronize,Write Data
c:\users\user\appdata\local\temp\is-qmmkl.tmp\innosetuphelpernet4.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-qmmkl.tmp\isxdl.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-qmmkl.tmp\webbrowser.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-saipl.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-saipl.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-saipl.tmp\appimageorign.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-saipl.tmp\appimageorign.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-saipl.tmp\appimageorign2.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-saipl.tmp\appimageorign2.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-saipl.tmp\cinshlpr.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-saipl.tmp\innocallback.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-saipl.tmp\innosetuphelper.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-saipl.tmp\isxdl.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-saipl.tmp\webbrowser.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-vk0j0.tmp\682d4e242152fbe0cc227b1af6fad5548e34ec80_0000921552.tmp Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Encryption Used
  • BCryptOpenAlgorithmProvider
User Data Access
  • GetUserObjectInformation

Shell Command Execution

"C:\Users\Deqwfxap\AppData\Local\Temp\is-1C0F6.tmp\1319265614c8291a78a998c5a8c717ed65715634_0000921904.tmp" /SL5="$10242,500774,146432,c:\users\user\downloads\1319265614c8291a78a998c5a8c717ed65715634_0000921904.exe"
"C:\Users\Ekbyofye\AppData\Local\Temp\is-VK0J0.tmp\682d4e242152fbe0cc227b1af6fad5548e34ec80_0000921552.tmp" /SL5="$1025E,500148,146432,c:\users\user\downloads\682d4e242152fbe0cc227b1af6fad5548e34ec80_0000921552.exe"
"C:\Users\Gfmidnjx\AppData\Local\Temp\is-AIKVJ.tmp\f9a10403ac4c728eff0cf597f3e6d215e999a5b0_0000920072.tmp" /SL5="$2013E,498315,146432,c:\users\user\downloads\f9a10403ac4c728eff0cf597f3e6d215e999a5b0_0000920072"
