File name: Un_A.exe
Full analysis: https://app.any.run/tasks/14b9a984-9b87-48c7-96b0-3705e8581ac2
Verdict: Malicious activity
Analysis date: January 20, 2024, 13:28:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 48611AA164F2967CF826BB01C81B45C2
SHA1: EE27F22CC57FE2A79DB023158EAF82B7117197F2
SHA256: DB9A547DD2CADC027870BFA078A999857CA8B4160F5367045EBF289EECAC2FA4
SSDEEP: 6144:1aD3J2jYoygcJeQR/5ZgRPi/JwqOaz4ZX:k52jYoygoeyzkazY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Un_A.exe (PID: 2044)
      • Un_A.exe (PID: 1072)
      • uninst.exe (PID: 1288)
      • uninst.exe (PID: 1344)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Un_A.exe (PID: 2044)
      • Un_A.exe (PID: 1072)
      • uninst.exe (PID: 1288)
      • uninst.exe (PID: 1344)
    • Starts itself from another location

      • Un_A.exe (PID: 2044)
      • Un_A.exe (PID: 1072)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Un_A.exe (PID: 1072)
      • uninst.exe (PID: 1288)
      • uninst.exe (PID: 1344)
    • The process creates files with name similar to system file names

      • Un_A.exe (PID: 1072)
      • uninst.exe (PID: 1344)
      • uninst.exe (PID: 1288)
    • Application launched itself

      • uninst.exe (PID: 1288)
    • Uses TASKKILL.EXE to kill process

      • uninst.exe (PID: 1344)
  • INFO

    • Reads the computer name

      • Un_A.exe (PID: 2044)
      • Un_A.exe (PID: 1072)
      • uninst.exe (PID: 1288)
      • uninst.exe (PID: 1344)
    • Checks supported languages

      • Un_A.exe (PID: 2044)
      • Un_A.exe (PID: 1072)
      • uninst.exe (PID: 1288)
      • uninst.exe (PID: 1344)
    • Create files in a temporary directory

      • Un_A.exe (PID: 2044)
      • Un_A.exe (PID: 1072)
      • uninst.exe (PID: 1288)
      • uninst.exe (PID: 1344)
    • Reads the machine GUID from the registry

      • Un_A.exe (PID: 1072)
    • Process checks whether UAC notifications are on

      • uninst.exe (PID: 1288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 23:24:46+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.11.0.0
ProductVersionNumber: 4.11.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: MEGA Limited
FileDescription: MEGAsync
FileVersion: 4.11.0.0
LegalCopyright: MEGA Limited 2023
ProductName: MEGAsync
ProductVersion: 4.11.0.0
All screenshots are available in the full report
Total processes: 42
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start -> un_a.exe -> un_a.exe -> uninst.exe -> uninst.exe -> taskkill.exe

Process information

PID: 1072
CMD: "C:\Users\admin\AppData\Local\Temp\~nsu.tmp\Un_A.exe" _?=C:\Users\admin\AppData\Local\Temp\
Path: C:\Users\admin\AppData\Local\Temp\~nsu.tmp\Un_A.exe
Parent process: Un_A.exe
User: admin
Company: MEGA Limited
Integrity Level: MEDIUM
Description: MEGAsync
Exit code: 0
Version: 4.11.0.0
Modules (images):
c:\users\admin\appdata\local\temp\~nsu.tmp\un_a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 1288
CMD: "C:\Users\admin\AppData\Local\Temp\nsjF994.tmp\uninst.exe" _?=C:\Users\admin\AppData\Local\Temp
Path: C:\Users\admin\AppData\Local\Temp\nsjF994.tmp\uninst.exe
Parent process: Un_A.exe
User: admin
Company: MEGA Limited
Integrity Level: MEDIUM
Description: MEGAsync
Exit code: 0
Version: 4.11.0.0
Modules (images):
c:\users\admin\appdata\local\temp\nsjf994.tmp\uninst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 1344
CMD: "C:\Users\admin\AppData\Local\Temp\nsjF994.tmp\uninst.exe" /UAC:30128 /NCRC _?=C:\Users\admin\AppData\Local\Temp
Path: C:\Users\admin\AppData\Local\Temp\nsjF994.tmp\uninst.exe
Parent process: uninst.exe
User: admin
Company: MEGA Limited
Integrity Level: HIGH
Description: MEGAsync
Exit code: 0
Version: 4.11.0.0
Modules (images):
c:\users\admin\appdata\local\temp\nsjf994.tmp\uninst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 1584
CMD: taskkill /f /IM MEGASync.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: uninst.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll

PID: 2044
CMD: "C:\Users\admin\AppData\Local\Temp\Un_A.exe"
Path: C:\Users\admin\AppData\Local\Temp\Un_A.exe
Parent process: explorer.exe
User: admin
Company: MEGA Limited
Integrity Level: MEDIUM
Description: MEGAsync
Exit code: 0
Version: 4.11.0.0
Modules (images):
c:\users\admin\appdata\local\temp\un_a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
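The process records above can be turned into a lineage and checked offline for the two transitions an analyst looks at first: the MEDIUM to HIGH integrity step between the two uninst.exe instances (the child carries a /UAC: switch), and the chain of images executed out of the user's Temp directory. This is an added example, not ANY.RUN code. The page prints parents only by image name, so the parent PIDs below are inferred from the drop records (2044 drops ~nsu.tmp\Un_A.exe, 1072 drops nsjF994.tmp\uninst.exe) and the behaviour graph; treat them as an assumption.

```python
"""Process-lineage triage over the records of this report (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str            # on-disk path of the executable
    cmdline: str
    integrity: str        # integrity level as reported on the page
    parent_pid: Optional[int]   # inferred from drop records / graph (assumption)
    exit_code: int


# Transcribed from the "Process information" section.  PID 2044's parent is
# explorer.exe, which is not a monitored process, so it is the root here.
PROCS: List[Proc] = [
    Proc(2044, r"C:\Users\admin\AppData\Local\Temp\Un_A.exe",
         r'"C:\Users\admin\AppData\Local\Temp\Un_A.exe"', "MEDIUM", None, 0),
    Proc(1072, r"C:\Users\admin\AppData\Local\Temp\~nsu.tmp\Un_A.exe",
         r'"C:\Users\admin\AppData\Local\Temp\~nsu.tmp\Un_A.exe" _?=C:\Users\admin\AppData\Local\Temp' + "\\",
         "MEDIUM", 2044, 0),
    Proc(1288, r"C:\Users\admin\AppData\Local\Temp\nsjF994.tmp\uninst.exe",
         r'"C:\Users\admin\AppData\Local\Temp\nsjF994.tmp\uninst.exe" _?=C:\Users\admin\AppData\Local\Temp',
         "MEDIUM", 1072, 0),
    Proc(1344, r"C:\Users\admin\AppData\Local\Temp\nsjF994.tmp\uninst.exe",
         r'"C:\Users\admin\AppData\Local\Temp\nsjF994.tmp\uninst.exe" /UAC:30128 /NCRC _?=C:\Users\admin\AppData\Local\Temp',
         "HIGH", 1288, 0),
    Proc(1584, r"C:\Windows\System32\taskkill.exe",
         r"taskkill /f /IM MEGASync.exe", "HIGH", 1344, 128),
]

LEVELS: Dict[str, int] = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
USER_TEMP = "\\appdata\\local\\temp\\"   # per-user Temp, compared case-insensitively


def lineage(procs: List[Proc], pid: int) -> List[int]:
    """PIDs from the outermost monitored ancestor down to `pid`."""
    by_pid = {p.pid: p for p in procs}
    chain: List[int] = []
    cur: Optional[Proc] = by_pid[pid]
    while cur is not None:
        chain.append(cur.pid)
        cur = by_pid.get(cur.parent_pid)
    return chain[::-1]


def findings(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Per-process observations an analyst would want surfaced from the tree."""
    by_pid = {p.pid: p for p in procs}
    out: List[Tuple[int, str]] = []
    for p in procs:
        parent = by_pid.get(p.parent_pid)
        img = p.image.lower()
        if USER_TEMP in img:
            out.append((p.pid, "executes from user Temp"))
        if parent is not None and parent.image.lower() == img:
            out.append((p.pid, "relaunch of the same image by itself"))
        if parent is not None and LEVELS[p.integrity] > LEVELS[parent.integrity]:
            out.append((p.pid, f"integrity {parent.integrity} -> {p.integrity} across parent {parent.pid}"))
        if "/UAC:" in p.cmdline:
            out.append((p.pid, "command line carries a /UAC: switch"))
        if p.exit_code != 0:
            out.append((p.pid, f"exit code {p.exit_code}"))
    return out


def render(procs: List[Proc]) -> str:
    """Indented tree, one line per process, rooted at the unmonitored parent."""
    by_parent: Dict[Optional[int], List[Proc]] = {}
    for p in procs:
        by_parent.setdefault(p.parent_pid, []).append(p)
    lines: List[str] = []

    def walk(pid: Optional[int], depth: int) -> None:
        for child in by_parent.get(pid, []):
            lines.append("  " * depth + f"{child.pid} [{child.integrity}] {child.cmdline}")
            walk(child.pid, depth + 1)

    walk(None, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(PROCS))
    for pid, note in findings(PROCS):
        print(f"PID {pid}: {note}")
```

The integrity step is the one transition that cannot be explained by the parent alone: 1288 runs at MEDIUM and its child 1344 runs the same image at HIGH, which is consistent with the "Process checks whether UAC notifications are on" indicator attributed to 1288 in the list above. The other findings (self-copy into ~nsu.tmp, the _?= switch) match what the file-type line already says the sample is, a Nullsoft installer/uninstaller stub.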
Total events: 2 744
Read events: 2 743
Write events: 1
Delete events: 0

Modification events

PID: 1344 (uninst.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: PendingFileRenameOperations
Value: \??\C:\Users\admin\AppData\Local\Temp\nslFD8C.tmp\UAC.dll
Executable files: 14
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID 1072 (Un_A.exe): C:\Users\admin\AppData\Local\Temp\nsjF994.tmp\uninst.exe (executable)
MD5: 48611AA164F2967CF826BB01C81B45C2
SHA256: DB9A547DD2CADC027870BFA078A999857CA8B4160F5367045EBF289EECAC2FA4

PID 1072 (Un_A.exe): C:\Users\admin\AppData\Local\Temp\nsjF994.tmp\UserInfo.dll (executable)
MD5: 9EB662F3B5FBDA28BFFE020E0AB40519
SHA256: 9AA388C7DE8E96885ADCB4325AF871B470AC50EDB60D4B0D876AD43F5332FFD1

PID 1072 (Un_A.exe): C:\Users\admin\AppData\Local\Temp\nsjF994.tmp\System.dll (executable)
MD5: 0D7AD4F45DC6F5AA87F606D0331C6901
SHA256: 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA

PID 1344 (uninst.exe): C:\Users\admin\AppData\Local\Temp\nslFD8C.tmp\UAC.dll (executable)
MD5: 113C5F02686D865BC9E8332350274FD1
SHA256: 0D21041A1B5CD9F9968FC1D457C78A802C9C5A23F375327E833501B65BCD095D

PID 1344 (uninst.exe): C:\Users\admin\AppData\Local\Temp\nslFD8C.tmp\UserInfo.dll (executable)
MD5: 9EB662F3B5FBDA28BFFE020E0AB40519
SHA256: 9AA388C7DE8E96885ADCB4325AF871B470AC50EDB60D4B0D876AD43F5332FFD1

PID 1344 (uninst.exe): C:\Users\admin\AppData\Local\Temp\nslFD8C.tmp\LangDLL.dll (executable)
MD5: AB1DB56369412FE8476FEFFFD11E4CC0
SHA256: 6F14C8F01F50A30743DAC68C5AC813451463DFB427EB4E35FCDFE2410E1A913B

PID 1344 (uninst.exe): C:\Users\admin\AppData\Local\Temp\nslFD8C.tmp\System.dll (executable)
MD5: 0D7AD4F45DC6F5AA87F606D0331C6901
SHA256: 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA

PID 1288 (uninst.exe): C:\Users\admin\AppData\Local\Temp\nszF9F2.tmp\UserInfo.dll (executable)
MD5: 9EB662F3B5FBDA28BFFE020E0AB40519
SHA256: 9AA388C7DE8E96885ADCB4325AF871B470AC50EDB60D4B0D876AD43F5332FFD1

PID 1072 (Un_A.exe): C:\Users\admin\AppData\Local\Temp\nsjF994.tmp\mega.ini (text)
MD5: 1C1D2BEA43C1913B93577FC090DF9E9D
SHA256: 674881A447126EDCB7F54C8FECFB5C1C80F6F47F2BC8F497272661AEFEB95555

PID 2044 (Un_A.exe): C:\Users\admin\AppData\Local\Temp\~nsu.tmp\Un_A.exe (executable)
MD5: 48611AA164F2967CF826BB01C81B45C2
SHA256: DB9A547DD2CADC027870BFA078A999857CA8B4160F5367045EBF289EECAC2FA4
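Ten drop records are listed, but several are the same bytes written to different temp folders, and two of them are byte-for-byte copies of the submitted sample itself (the same SHA256 as in the header). Before pushing anything from this section into a blocklist it is worth collapsing the records by hash and separating "copies of the sample" from genuinely new artifacts. The parser below is an added example, not ANY.RUN code; RAW is a constructed copy of the page's own lines in the run-together form they are extracted in (PID, dropping process, path and type with no separator), which is what the regex recovers.

```python
"""Collapse the 'Dropped files' records of this report by SHA256 (added example)."""
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# SHA256 of the submitted sample, from the header of this report.
SAMPLE_SHA256 = "DB9A547DD2CADC027870BFA078A999857CA8B4160F5367045EBF289EECAC2FA4"

# Constructed copy of the page's lines, in their extracted (flattened) form.
RAW = r"""
1072Un_A.exeC:\Users\admin\AppData\Local\Temp\nsjF994.tmp\uninst.exeexecutable
MD5:48611AA164F2967CF826BB01C81B45C2
SHA256:DB9A547DD2CADC027870BFA078A999857CA8B4160F5367045EBF289EECAC2FA4
1072Un_A.exeC:\Users\admin\AppData\Local\Temp\nsjF994.tmp\UserInfo.dllexecutable
MD5:9EB662F3B5FBDA28BFFE020E0AB40519
SHA256:9AA388C7DE8E96885ADCB4325AF871B470AC50EDB60D4B0D876AD43F5332FFD1
1072Un_A.exeC:\Users\admin\AppData\Local\Temp\nsjF994.tmp\System.dllexecutable
MD5:0D7AD4F45DC6F5AA87F606D0331C6901
SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
1344uninst.exeC:\Users\admin\AppData\Local\Temp\nslFD8C.tmp\UAC.dllexecutable
MD5:113C5F02686D865BC9E8332350274FD1
SHA256:0D21041A1B5CD9F9968FC1D457C78A802C9C5A23F375327E833501B65BCD095D
1344uninst.exeC:\Users\admin\AppData\Local\Temp\nslFD8C.tmp\UserInfo.dllexecutable
MD5:9EB662F3B5FBDA28BFFE020E0AB40519
SHA256:9AA388C7DE8E96885ADCB4325AF871B470AC50EDB60D4B0D876AD43F5332FFD1
1344uninst.exeC:\Users\admin\AppData\Local\Temp\nslFD8C.tmp\LangDLL.dllexecutable
MD5:AB1DB56369412FE8476FEFFFD11E4CC0
SHA256:6F14C8F01F50A30743DAC68C5AC813451463DFB427EB4E35FCDFE2410E1A913B
1344uninst.exeC:\Users\admin\AppData\Local\Temp\nslFD8C.tmp\System.dllexecutable
MD5:0D7AD4F45DC6F5AA87F606D0331C6901
SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
1288uninst.exeC:\Users\admin\AppData\Local\Temp\nszF9F2.tmp\UserInfo.dllexecutable
MD5:9EB662F3B5FBDA28BFFE020E0AB40519
SHA256:9AA388C7DE8E96885ADCB4325AF871B470AC50EDB60D4B0D876AD43F5332FFD1
1072Un_A.exeC:\Users\admin\AppData\Local\Temp\nsjF994.tmp\mega.initext
MD5:1C1D2BEA43C1913B93577FC090DF9E9D
SHA256:674881A447126EDCB7F54C8FECFB5C1C80F6F47F2BC8F497272661AEFEB95555
2044Un_A.exeC:\Users\admin\AppData\Local\Temp\~nsu.tmp\Un_A.exeexecutable
MD5:48611AA164F2967CF826BB01C81B45C2
SHA256:DB9A547DD2CADC027870BFA078A999857CA8B4160F5367045EBF289EECAC2FA4
"""

# PID, dropping process (first ".exe"), drive path and ANY.RUN's type label are
# run together; non-greedy groups anchored on the trailing type split them.
RECORD = re.compile(r"^(\d+)(.+?\.exe)(C:\\.+?)(executable|text)$")


def parse(raw: str) -> List[Dict[str, object]]:
    """One dict per drop record, with the MD5/SHA256 lines that follow it."""
    records: List[Dict[str, object]] = []
    cur: Dict[str, object] = {}
    for line in raw.strip().splitlines():
        m = RECORD.match(line)
        if m:
            cur = {"pid": int(m.group(1)), "process": m.group(2),
                   "path": m.group(3), "type": m.group(4)}
            records.append(cur)
        elif cur and ":" in line:
            algo, value = line.split(":", 1)
            cur[algo.strip().lower()] = value.strip().upper()
    return records


def by_hash(records: List[Dict[str, object]]) -> "OrderedDict[str, dict]":
    """Group records by SHA256, keeping every (pid, path) the bytes were written to."""
    groups: "OrderedDict[str, dict]" = OrderedDict()
    for r in records:
        g = groups.setdefault(str(r["sha256"]),
                              {"md5": r["md5"], "type": r["type"], "drops": []})
        g["drops"].append((r["pid"], r["path"]))
    return groups


def triage(records: List[Dict[str, object]], sample_sha256: str) -> Dict[str, object]:
    """Separate re-drops of the submitted sample from artifacts not seen before."""
    groups = by_hash(records)
    copies: List[Tuple[int, str]] = list(groups.get(sample_sha256, {"drops": []})["drops"])
    new = [h for h in groups if h != sample_sha256]
    return {"records": len(records), "unique": len(groups),
            "copies_of_sample": copies, "new_artifacts": new}


if __name__ == "__main__":
    result = triage(parse(RAW), SAMPLE_SHA256)
    print(f'{result["records"]} records, {result["unique"]} unique hashes')
    for pid, path in result["copies_of_sample"]:
        print(f"copy of the sample written by PID {pid}: {path}")
    for h in result["new_artifacts"]:
        print(f"new artifact: {h}")
```

The two "copies of the sample" are exactly the files behind the MALICIOUS "Drops the executable file immediately after the start" entries for PIDs 2044 and 1072: the stub writing itself to ~nsu.tmp\Un_A.exe and to nsjF994.tmp\uninst.exe. The five remaining hashes (UserInfo.dll, System.dll, UAC.dll, LangDLL.dll and mega.ini) are the artifacts that actually add information beyond the sample hash already in the header.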
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                    Domain  ASN  CN  Reputation
4     System       192.168.100.255:137   -       -    -   whitelisted
1080  svchost.exe  224.0.0.252:5355      -       -    -   unknown
4     System       192.168.100.255:138   -       -    -   whitelisted

DNS requests

No data

Threats

No threats detected
No debug info