File name:

UCheck_setup.exe

Full analysis: https://app.any.run/tasks/a3319f27-b3cc-487f-95bf-55bc81d1571e
Verdict: Malicious activity
Analysis date: June 01, 2024, 18:51:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F6450F743EADE26308423CC7932587EF

SHA1:

12EC07F8B9CA69A363FB7A01D76E62979D13740E

SHA256:

9F1AC8F2125BB6AA6D5772A068D828F85804915D86339CF86BC4E2E584E2EEF1

SSDEEP:

196608:t9Kq8sbke1pbG3nA7At141bw+t7usEB4LpX56PRprgT7:WqBkYt7Atu1bl7usEB4LNMJprG7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • UCheck_setup.exe (PID: 6784)
      • UCheck_setup.exe (PID: 6884)
      • UCheck_setup.tmp (PID: 6916)

    • Changes the autorun value in the registry

      • UCheck64.exe (PID: 1944)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • UCheck_setup.exe (PID: 6784)
      • UCheck_setup.exe (PID: 6884)
      • UCheck_setup.tmp (PID: 6916)

    • Reads the date of Windows installation

      • UCheck_setup.tmp (PID: 6804)

    • Reads security settings of Internet Explorer

      • UCheck_setup.tmp (PID: 6804)
      • UCheck_setup.tmp (PID: 6916)
      • UCheck64.exe (PID: 1944)

    • Reads the Windows owner or organization settings

      • UCheck_setup.tmp (PID: 6916)

    • Uses TASKKILL.EXE to kill process

      • UCheck_setup.tmp (PID: 6916)

  • INFO

    • Checks supported languages

      • UCheck_setup.exe (PID: 6784)
      • UCheck_setup.tmp (PID: 6804)
      • UCheck_setup.exe (PID: 6884)
      • UCheck_setup.tmp (PID: 6916)
      • UCheck64.exe (PID: 1944)

    • Create files in a temporary directory

      • UCheck_setup.exe (PID: 6784)
      • UCheck_setup.exe (PID: 6884)
      • UCheck_setup.tmp (PID: 6916)

    • Reads the computer name

      • UCheck_setup.tmp (PID: 6804)
      • UCheck_setup.tmp (PID: 6916)
      • UCheck64.exe (PID: 1944)

    • Process checks computer location settings

      • UCheck_setup.tmp (PID: 6804)

    • Creates files in the program directory

      • UCheck_setup.tmp (PID: 6916)
      • UCheck64.exe (PID: 1944)

    • Checks proxy server information

      • UCheck_setup.tmp (PID: 6916)
      • UCheck64.exe (PID: 1944)

    • Reads the machine GUID from the registry

      • UCheck_setup.tmp (PID: 6916)
      • UCheck64.exe (PID: 1944)

    • Creates a software uninstall entry

      • UCheck_setup.tmp (PID: 6916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (91.2)
.exe | Win32 Executable (generic) (3.7)
.exe | Win16/32 Executable Delphi generic (1.7)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 41472
InitializedDataSize: 93696
UninitializedDataSize: -
EntryPoint: 0xaa98
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.4.0.0
ProductVersionNumber: 5.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Adlice Software
FileDescription: UCheck Installer
FileVersion: 5.4.0.0
LegalCopyright: Adlice Software
ProductName: UCheck
ProductVersion: 5.4.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
118
Monitored processes
9
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ucheck_setup.exe ucheck_setup.tmp no specs ucheck_setup.exe ucheck_setup.tmp taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs ucheck64.exe

Process information

PID
CMD
Path
Indicators
Parent process
1944"C:\Program Files\UCheck\UCheck64.exe" C:\Program Files\UCheck\UCheck64.exe
UCheck_setup.tmp
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\program files\ucheck\ucheck64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
6784"C:\Users\admin\Desktop\UCheck_setup.exe" C:\Users\admin\Desktop\UCheck_setup.exe
explorer.exe
User:
admin
Company:
Adlice Software
Integrity Level:
MEDIUM
Description:
UCheck Installer
Exit code:
0
Version:
5.4.0.0
Modules
Images
c:\users\admin\desktop\ucheck_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6804"C:\Users\admin\AppData\Local\Temp\is-TNORV.tmp\UCheck_setup.tmp" /SL5="$701D2,24020986,136192,C:\Users\admin\Desktop\UCheck_setup.exe" C:\Users\admin\AppData\Local\Temp\is-TNORV.tmp\UCheck_setup.tmpUCheck_setup.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-tnorv.tmp\ucheck_setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6884"C:\Users\admin\Desktop\UCheck_setup.exe" /SPAWNWND=$1001CE /NOTIFYWND=$701D2 C:\Users\admin\Desktop\UCheck_setup.exe
UCheck_setup.tmp
User:
admin
Company:
Adlice Software
Integrity Level:
HIGH
Description:
UCheck Installer
Exit code:
0
Version:
5.4.0.0
Modules
Images
c:\users\admin\desktop\ucheck_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6916"C:\Users\admin\AppData\Local\Temp\is-NFJ2K.tmp\UCheck_setup.tmp" /SL5="$502A6,24020986,136192,C:\Users\admin\Desktop\UCheck_setup.exe" /SPAWNWND=$1001CE /NOTIFYWND=$701D2 C:\Users\admin\AppData\Local\Temp\is-NFJ2K.tmp\UCheck_setup.tmp
UCheck_setup.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-nfj2k.tmp\ucheck_setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6992"taskkill.exe" /f /im "UCheck.exe"C:\Windows\System32\taskkill.exeUCheck_setup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7000\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7124"taskkill.exe" /f /im "UCheck64.exe"C:\Windows\System32\taskkill.exeUCheck_setup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7132\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
4 685
Read events
4 614
Write events
64
Delete events
7

Modification events

(PID) Process:(6916) UCheck_setup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
041B0000317F62B654B4DA01
(PID) Process:(6916) UCheck_setup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
8B6B38458A45B87B2015A6756F06EB8C9D468E494652331CEC4C7B59CFA9719E
(PID) Process:(6916) UCheck_setup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(6916) UCheck_setup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:RegFiles0000
Value:
C:\Program Files\UCheck\RogueKillerDLL.dll
(PID) Process:(6916) UCheck_setup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:RegFilesHash
Value:
8B2FDC53CC3B08C99D5789C63B3A0E882684809E2BC57876FB4216ECB1F5FF81
(PID) Process:(6916) UCheck_setup.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\C4E7EE54-826F-41C4-BE3C-375CC70DC1D8_is1
Operation:writeName:Inno Setup: Setup Version
Value:
5.5.9 (a)
(PID) Process:(6916) UCheck_setup.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\C4E7EE54-826F-41C4-BE3C-375CC70DC1D8_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\UCheck
(PID) Process:(6916) UCheck_setup.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\C4E7EE54-826F-41C4-BE3C-375CC70DC1D8_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\UCheck\
(PID) Process:(6916) UCheck_setup.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\C4E7EE54-826F-41C4-BE3C-375CC70DC1D8_is1
Operation:writeName:Inno Setup: Icon Group
Value:
UCheck
(PID) Process:(6916) UCheck_setup.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\C4E7EE54-826F-41C4-BE3C-375CC70DC1D8_is1
Operation:writeName:Inno Setup: User
Value:
admin
Executable files
14
Suspicious files
7
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
6916UCheck_setup.tmpC:\Program Files\UCheck\is-KCN7M.tmp
MD5:
SHA256:
6916UCheck_setup.tmpC:\Program Files\UCheck\install.rk
MD5:
SHA256:
6916UCheck_setup.tmpC:\Program Files\UCheck\is-GLV9N.tmpexecutable
MD5:32F174071BD8831C5622DC96439EB1B7
SHA256:CAA6379B23494F23FCA56F3F623A785706C94E5F76EE7E2CA31A0233E6BBD9B3
6916UCheck_setup.tmpC:\Users\admin\AppData\Local\Temp\is-4U360.tmp\_isetup\_setup64.tmpexecutable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
6916UCheck_setup.tmpC:\Program Files\UCheck\is-ULDOH.tmpexecutable
MD5:7CCE6B8EC4A8623155918DAD5F84579A
SHA256:A01CAD467054D1D4ACCDABAA6B54FE84AB0CC3D39646BEC8BF8B8ADCD5DBFC9C
6916UCheck_setup.tmpC:\Program Files\UCheck\unins000.exeexecutable
MD5:32F174071BD8831C5622DC96439EB1B7
SHA256:CAA6379B23494F23FCA56F3F623A785706C94E5F76EE7E2CA31A0233E6BBD9B3
6916UCheck_setup.tmpC:\Program Files\UCheck\is-LKECA.tmptext
MD5:2D484A67AF979D9F7D14661541FF1BDC
SHA256:E2EC7BC91E4EE2E63499378C96D74CEDA61EED7A5D6AD00B37EF21FBCF7D663F
6916UCheck_setup.tmpC:\Program Files\UCheck\is-3F5JF.tmpexecutable
MD5:8F1F4946D0D32CD9DFA126C52F32A359
SHA256:C09DA693274D09A1036DCD3D5D28369FCE90F08EE415F1DE2F7B71E9D4BD8499
6916UCheck_setup.tmpC:\Program Files\UCheck\UCheck.exeexecutable
MD5:4861113336AA1EC78B9D8BEBB981832C
SHA256:F1550F91FAA827F4A9434238F73062EECDB9D5D5EA1CC16F358E862486AEDBED
6916UCheck_setup.tmpC:\Program Files\UCheck\is-PQ9N2.tmpexecutable
MD5:4861113336AA1EC78B9D8BEBB981832C
SHA256:F1550F91FAA827F4A9434238F73062EECDB9D5D5EA1CC16F358E862486AEDBED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
30
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5140
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
2.16.241.17:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
GET
200
2.16.241.17:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
GET
200
188.114.97.3:443
https://adflux.adlice.com/api.php?action=getnotifications&token=067158767e2655e9c5e298626d209619&lang=en&license=free&soft=ucheck&timestamp=0
unknown
ini
22.7 Kb
unknown
POST
204
95.100.146.17:443
https://www.bing.com/threshold/xls.aspx
unknown
unknown
GET
200
95.100.146.19:443
https://www.bing.com/manifest/threshold.appcache
unknown
text
3.36 Kb
unknown
GET
200
95.100.146.19:443
https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w
unknown
s
21.3 Kb
unknown
GET
200
95.100.146.19:443
https://r.bing.com/rb/17/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DygxdoIBhQGIAX95fLsBvgExrgExwQE&or=w
unknown
s
21.3 Kb
unknown
GET
200
188.114.97.3:443
https://status.adlice.com/api.php?action=config&token=FxdaJ5JabbPwT7aSWhXg
unknown
binary
150 b
unknown
GET
200
188.114.97.3:443
https://status.adlice.com/api.php?action=config&token=FxdaJ5JabbPwT7aSWhXg
unknown
binary
150 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
unknown
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
239.255.255.250:1900
unknown
5140
MoUsoCoreWorker.exe
2.16.241.17:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
2.16.241.17:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
5140
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
unknown
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
unknown
6916
UCheck_setup.tmp
188.114.96.3:443
download.adlice.com
CLOUDFLARENET
NL
unknown
4
System
192.168.100.255:137
whitelisted
6916
UCheck_setup.tmp
188.114.97.3:443
download.adlice.com
CLOUDFLARENET
NL
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.241.17
  • 2.16.241.19
  • 2.16.241.6
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
download.adlice.com
  • 188.114.96.3
  • 188.114.97.3
whitelisted
status.adlice.com
  • 188.114.97.3
  • 188.114.96.3
unknown
www.bing.com
  • 2.23.209.187
  • 2.23.209.130
  • 2.23.209.189
  • 2.23.209.133
  • 2.23.209.182
  • 2.23.209.149
  • 2.23.209.176
  • 2.23.209.185
  • 2.23.209.140
whitelisted
r.bing.com
  • 2.23.209.130
  • 2.23.209.176
  • 2.23.209.187
  • 2.23.209.185
  • 2.23.209.140
  • 2.23.209.189
  • 2.23.209.149
  • 2.23.209.182
  • 2.23.209.133
whitelisted
adflux.adlice.com
  • 188.114.96.3
  • 188.114.97.3
whitelisted
self.events.data.microsoft.com
  • 104.208.16.92
whitelisted

Threats

No threats detected
Process
Message
UCheck64.exe
QObject::moveToThread: Cannot move objects with a parent
UCheck64.exe
libpng warning: iCCP: known incorrect sRGB profile
UCheck64.exe
libpng warning: iCCP: known incorrect sRGB profile
UCheck64.exe
QCssParser::parseColorValue: Specified color without alpha value but alpha given: 'rgb 42, 123, 189, 100'
UCheck64.exe
QCssParser::parseColorValue: Specified color without alpha value but alpha given: 'rgb 42, 123, 189, 100'
UCheck64.exe
libpng warning: iCCP: known incorrect sRGB profile
UCheck64.exe
libpng warning: iCCP: known incorrect sRGB profile
UCheck64.exe
libpng warning: iCCP: known incorrect sRGB profile
UCheck64.exe
libpng warning: iCCP: known incorrect sRGB profile
UCheck64.exe
libpng warning: iCCP: known incorrect sRGB profile
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
UCheck_setup.exe