URL:

https://csocblobstorage.blob.core.windows.net/misc/CsUninstallTool.exe

Full analysis: https://app.any.run/tasks/c6f6477c-c47f-4baf-86e6-9b5f6df335f5
Verdict: Malicious activity
Analysis date: August 12, 2022, 17:10:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

453DB2C5DE927EA315DA28EEA38455AF

SHA1:

B41D3E6648E3F80813B3E43B3F4DA94BE3C5955B

SHA256:

5EA37B7D8290AFBFF6825EF4F5D0F94F7915F713B5287FE54C7D61DF92E8378D

SSDEEP:

3:N8LwJSwkWERR2An:2CErn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • iexplore.exe (PID: 3956)
      • iexplore.exe (PID: 3432)

    • Application was dropped or rewritten from another process

      • CsUninstallTool.exe (PID: 2716)
      • CsUninstallTool.exe (PID: 3084)

  • SUSPICIOUS

    • Drops a file with a compile date too recent

      • iexplore.exe (PID: 3956)
      • iexplore.exe (PID: 3432)

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3956)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3956)
      • iexplore.exe (PID: 3432)

    • Checks supported languages

      • CsUninstallTool.exe (PID: 3084)

    • Searches for installed software

      • CsUninstallTool.exe (PID: 3084)

  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 3432)
      • iexplore.exe (PID: 3956)

    • Application launched itself

      • iexplore.exe (PID: 3432)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3432)
      • iexplore.exe (PID: 3956)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3956)

    • Changes internet zones settings

      • iexplore.exe (PID: 3432)

    • Checks supported languages

      • iexplore.exe (PID: 3432)
      • iexplore.exe (PID: 3956)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3956)
      • iexplore.exe (PID: 3432)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3432)

    • Reads the date of Windows installation

      • iexplore.exe (PID: 3432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe csuninstalltool.exe no specs csuninstalltool.exe

Process information

PID
CMD
Path
Indicators
Parent process
2716"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\CsUninstallTool.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\CsUninstallTool.exeiexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\csuninstalltool.exe
c:\windows\system32\ntdll.dll
3084"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\CsUninstallTool.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\CsUninstallTool.exe
iexplore.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\csuninstalltool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msi.dll
c:\windows\system32\user32.dll
3432"C:\Program Files\Internet Explorer\iexplore.exe" "https://csocblobstorage.blob.core.windows.net/misc/CsUninstallTool.exe"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3956"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3432 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
Total events
12 455
Read events
12 334
Write events
121
Delete events
0

Modification events

(PID) Process:(3432) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3432) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(3432) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30977646
(PID) Process:(3432) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3432) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30977646
(PID) Process:(3432) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3432) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3432) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3432) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3432) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
3
Suspicious files
11
Text files
6
Unknown types
6

Dropped files

PID
Process
Filename
Type
3432iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:
SHA256:
3432iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:
SHA256:
3956iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442der
MD5:
SHA256:
3956iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:
SHA256:
3432iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3956iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
3432iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\favicon[2].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3432iexplore.exeC:\Users\admin\AppData\Local\Temp\Cab38C4.tmpcompressed
MD5:
SHA256:
3432iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:
SHA256:
3432iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
15
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3432
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3432
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3956
iexplore.exe
GET
200
23.216.77.69:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f8fa4bb561dbb3e8
US
compressed
4.70 Kb
whitelisted
3432
iexplore.exe
GET
200
23.216.77.80:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?132242f422a4848f
US
compressed
4.70 Kb
whitelisted
3432
iexplore.exe
GET
200
23.216.77.69:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c8f1ab772922d8d7
US
compressed
60.2 Kb
whitelisted
3956
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3956
iexplore.exe
20.150.37.228:443
csocblobstorage.blob.core.windows.net
US
unknown
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3432
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3432
iexplore.exe
23.216.77.69:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
3432
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
23.216.77.69:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
3956
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3432
iexplore.exe
23.216.77.80:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
3432
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3432
iexplore.exe
13.107.22.200:443
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
csocblobstorage.blob.core.windows.net
  • 20.150.37.228
unknown
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ctldl.windowsupdate.com
  • 23.216.77.69
  • 23.216.77.80
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://csocblobstorage.blob.core.windows.net/misc/CsUninstallTool.exe