File name:

Uninstaller.exe

Full analysis: https://app.any.run/tasks/603c1c65-1fba-496f-92a7-a178d0903e5b
Verdict: Malicious activity
Analysis date: April 30, 2024, 08:17:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

04027C89FDABFC5B5E4FE366109CCC57

SHA1:

63C7123799600AC8D7C967C0BAFAC93809F289AB

SHA256:

1B86ED2AD6EB24B4ECAA255C4506EAEB7B75C8579C66833CD5D8A1900E34953B

SSDEEP:

1536:rEcbt8jipCxuxVy88gxN3zEwIUu5OuCVr+a9MQTe1gsYWHdz6:zJ8OpCxu/ytKtu8uCVrL9MQC1gsYWHh6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Uninstaller.exe (PID: 4088)
      • Un_A.exe (PID: 928)

  • SUSPICIOUS

    • Starts itself from another location

      • Uninstaller.exe (PID: 4088)

    • Executable content was dropped or overwritten

      • Uninstaller.exe (PID: 4088)
      • Un_A.exe (PID: 928)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Un_A.exe (PID: 928)

    • The process creates files with name similar to system file names

      • Un_A.exe (PID: 928)

    • Reads the Internet Settings

      • Un_A.exe (PID: 928)

    • Reads security settings of Internet Explorer

      • Un_A.exe (PID: 928)

    • Checks Windows Trust Settings

      • Un_A.exe (PID: 928)

    • Reads settings of System Certificates

      • Un_A.exe (PID: 928)

  • INFO

    • Reads the computer name

      • Uninstaller.exe (PID: 4088)
      • Un_A.exe (PID: 928)
      • wmpnscfg.exe (PID: 1580)

    • Checks supported languages

      • Uninstaller.exe (PID: 4088)
      • Un_A.exe (PID: 928)
      • wmpnscfg.exe (PID: 1580)

    • Create files in a temporary directory

      • Uninstaller.exe (PID: 4088)
      • Un_A.exe (PID: 928)

    • Reads the machine GUID from the registry

      • Un_A.exe (PID: 928)

    • Checks proxy server information

      • Un_A.exe (PID: 928)

    • Reads the software policy settings

      • Un_A.exe (PID: 928)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 1580)

    • Creates files or folders in the user directory

      • Un_A.exe (PID: 928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:56:47+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x3640
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.1.1.1089
ProductVersionNumber: 1.1.1.1089
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: 1089hi
FileDescription: Setup
LegalCopyright: 1089hi
ProductName: 1089hi
ProductVersion: 1.1.1.1089
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start uninstaller.exe un_a.exe wmpnscfg.exe no specs uninstaller.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
928"C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\admin\AppData\Local\Temp\C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
Uninstaller.exe
User:
admin
Company:
1089hi
Integrity Level:
HIGH
Description:
Setup
Modules
Images
c:\users\admin\appdata\local\temp\~nsua.tmp\un_a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
1580"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3984"C:\Users\admin\AppData\Local\Temp\Uninstaller.exe" C:\Users\admin\AppData\Local\Temp\Uninstaller.exeexplorer.exe
User:
admin
Company:
1089hi
Integrity Level:
MEDIUM
Description:
Setup
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\uninstaller.exe
c:\windows\system32\ntdll.dll
4088"C:\Users\admin\AppData\Local\Temp\Uninstaller.exe" C:\Users\admin\AppData\Local\Temp\Uninstaller.exe
explorer.exe
User:
admin
Company:
1089hi
Integrity Level:
HIGH
Description:
Setup
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\uninstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
Total events
9 826
Read events
9 765
Write events
49
Delete events
12

Modification events

(PID) Process:(4088) Uninstaller.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
(PID) Process:(928) Un_A.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(928) Un_A.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyServer
Value:
(PID) Process:(928) Un_A.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyOverride
Value:
(PID) Process:(928) Un_A.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoConfigURL
Value:
(PID) Process:(928) Un_A.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoDetect
Value:
(PID) Process:(928) Un_A.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(928) Un_A.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(928) Un_A.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(928) Un_A.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
Executable files
3
Suspicious files
2
Text files
0
Unknown types
4

Dropped files

PID
Process
Filename
Type
928Un_A.exeC:\Users\admin\AppData\Local\Temp\nsv39FF.tmp\System.dllexecutable
MD5:CFF85C549D536F651D4FB8387F1976F2
SHA256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
928Un_A.exeC:\Users\admin\AppData\Local\Temp\nsv39FF.tmp\inetc.dllexecutable
MD5:A35CDC9CF1D17216C0AB8C5282488EAD
SHA256:A793929232AFB78B1C5B2F45D82094098BCF01523159FAD1032147D8D5F9C4DF
4088Uninstaller.exeC:\Users\admin\AppData\Local\Temp\nsv39B0.tmpbinary
MD5:EE1420D47B8391714BD0D7029405C1B8
SHA256:F3D5B6DF92338CFD0C72C07B3BD5F84029FECDD4A97A53657D8927E5378C523D
928Un_A.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\773CFF2C7835D48C4E76FE153DBA9F81_15174A80589B8DAF9768E9131F4845C0binary
MD5:2391FF26638AD6E896DA152CDD53333F
SHA256:CD5B3E370D7DCAE97923E9023EF305DF386793B22D58B1E6FF827F3D491235DE
928Un_A.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BEbinary
MD5:1DA44E34836C1BB4EACEC4FED276CF3C
SHA256:246BC14FD55BED554034F3BF342C9D758CF92229AD1F4A361BA48F2411ED31B4
928Un_A.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\773CFF2C7835D48C4E76FE153DBA9F81_15174A80589B8DAF9768E9131F4845C0binary
MD5:93042A41FB237FD25602315F22F0D1D2
SHA256:3072CD47F64BCF1C99B07D15835525A5467E6D9C7F2C78FED5FBDE9D6FBC1B04
928Un_A.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BEbinary
MD5:BFA9F5A72E8C838997BEFB114D40F2C8
SHA256:74BCCC449B69293F38E62B9C191B7DFB097CFDC0A50C9E32B07504CBDCD575DA
4088Uninstaller.exeC:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exeexecutable
MD5:04027C89FDABFC5B5E4FE366109CCC57
SHA256:1B86ED2AD6EB24B4ECAA255C4506EAEB7B75C8579C66833CD5D8A1900E34953B
928Un_A.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:B2260E6E88D8627C7BB5B8D0D204F2E2
SHA256:73F3A75FAA39F461506A27732FEFC3E08EB6EEADD95394703A6C24CBA0FF7223
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
8
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
928
Un_A.exe
GET
200
192.229.221.95:80
http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJiUKgT2m88fZ4nxc1Lu6M%2FjvkagQUDNtsgkkPSmcKuBTuesRIUojrVjgCEAJsJgstJqiVbIfWU4Raykw%3D
unknown
unknown
928
Un_A.exe
GET
304
92.123.27.145:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c9836e7cce37c4c7
unknown
unknown
928
Un_A.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAsllCLO2YEqFaBOmVKKDvo%3D
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
928
Un_A.exe
209.222.21.115:443
pcapp.store
AS-CHOOPA
US
unknown
1088
svchost.exe
224.0.0.252:5355
unknown
928
Un_A.exe
92.123.27.145:80
ctldl.windowsupdate.com
AKAMAI-AS
AT
unknown
928
Un_A.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
pcapp.store
  • 209.222.21.115
  • 159.223.126.41
  • 104.248.126.225
  • 45.32.1.23
  • 167.99.235.203
unknown
ctldl.windowsupdate.com
  • 92.123.27.145
  • 92.123.27.131
  • 92.123.27.138
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
status.rapidssl.com
  • 192.229.221.95
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Uninstaller.exe