Windows Analysis Report
Uninstall.exe

Overview

General Information

Sample name: Uninstall.exe
Analysis ID: 1528656
MD5: 7904be8f714449e8d7d23d98d5942aef
SHA1: a5f579b308d08e595cb6b3601e7e354f157be33d
SHA256: c5e1df2580fa74e4caa8ff329d1e4b820093ef9d29433e644b227186beb6954a

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\NSISPlugin.dll Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Virustotal: Detection: 50%
Source: Uninstall.exe ReversingLabs: Detection: 45%
Source: Uninstall.exe Virustotal: Detection: 50%
Source: Uninstall.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Uninstall.exe Static PE information: certificate valid
Source: Binary string: C:\CODE\vitruvian\client\Installers\Windows\NSISPlugin\Release\NSISPlugin.pdb source: Au_.exe, 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmp, Au_.exe, 00000001.00000002.2973586073.000000000299E000.00000004.00000020.00020000.00000000.sdmp, NSISPlugin.dll.1.dr, nsu2089.tmp.1.dr
Source: C:\Users\user\Desktop\Uninstall.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\Uninstall.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\Desktop\Uninstall.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_00405E61 FindFirstFileA,FindClose, 1_2_00405E61
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_0040548B
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_0040263E FindFirstFileA, 1_2_0040263E
Source: unknown DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: Uninstall.exe, Au_.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: Uninstall.exe, Au_.exe.0.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: Uninstall.exe, Au_.exe.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Au_.exe, Au_.exe, 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmp, Au_.exe, 00000001.00000000.1721749700.0000000000409000.00000008.00000001.01000000.00000004.sdmp, Uninstall.exe, Au_.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Uninstall.exe, Au_.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Uninstall.exe, Au_.exe.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: Uninstall.exe, Au_.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: Uninstall.exe, Au_.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: Uninstall.exe, Au_.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Uninstall.exe, Au_.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Uninstall.exe, Au_.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Uninstall.exe, 00000000.00000002.1722365263.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 00000000.00000002.1722642452.0000000002804000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000001.00000002.2973586073.000000000296D000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000001.00000002.2972921606.0000000000828000.00000004.00000020.00020000.00000000.sdmp, nsz1ED4.tmp.0.dr, nsu2089.tmp.1.dr String found in binary or memory: http://www.linkwizapp.com/uninstall-success
Source: Uninstall.exe, 00000000.00000002.1722365263.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 00000000.00000002.1722642452.0000000002804000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000001.00000002.2973586073.000000000296D000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000001.00000002.2972921606.0000000000828000.00000004.00000020.00020000.00000000.sdmp, nsz1ED4.tmp.0.dr, nsu2089.tmp.1.dr String found in binary or memory: http://www.linkwizapp.com/uninstall-successrundll32.exeopenShellExecuteAsSessionUserWithFallback
Source: nsu2089.tmp.1.dr String found in binary or memory: https://weld.unitegenius.com/i?e=vitruvian-installer-uninstall-v0002
Source: Uninstall.exe, Au_.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Uninstall.exe, Au_.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/03
Source: C:\Users\user\Desktop\Uninstall.exe Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405042
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_10001529 GetWindowLongA,lstrlenA,lstrlenA,lstrlenA,GlobalAlloc,wsprintfA,CreateProcessA,GetLastError,MultiByteToWideChar,MultiByteToWideChar,lstrlenA,MultiByteToWideChar,GetDlgItem,GetDlgItem,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,CreateProcessWithLogonW,GetLastError,GetLastError,FormatMessageA,MessageBoxA,LocalFree,GetLastError,GlobalFree,CloseHandle,EndDialog,SetWindowLongA,GetDlgItem,GetDlgItem,SendMessageA,SendMessageA,GetDlgItem,SendMessageA,LoadLibraryA,LoadImageA,GetDlgItem,SendMessageA,SendMessageA,GetDlgItem,SendMessageA,GetDlgItem,SendMessageA,DestroyWindow, 1_2_10001529
Source: C:\Users\user\Desktop\Uninstall.exe Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040323C
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_0040323C
Source: C:\Users\user\Desktop\Uninstall.exe Code function: 0_2_00404853 0_2_00404853
Source: C:\Users\user\Desktop\Uninstall.exe Code function: 0_2_00406131 0_2_00406131
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_00404853 1_2_00404853
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_00406131 1_2_00406131
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C4ED2 1_2_6E5C4ED2
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5D4FD3 1_2_6E5D4FD3
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5D6FE7 1_2_6E5D6FE7
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5AAC87 1_2_6E5AAC87
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5D5CBF 1_2_6E5D5CBF
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C3D6C 1_2_6E5C3D6C
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5D4A63 1_2_6E5D4A63
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5BFAF0 1_2_6E5BFAF0
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5CCA91 1_2_6E5CCA91
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C3937 1_2_6E5C3937
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5D5543 1_2_6E5D5543
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C351F 1_2_6E5C351F
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5CB20C 1_2_6E5CB20C
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5A83BA 1_2_6E5A83BA
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C302B 1_2_6E5C302B
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5A3165 1_2_6E5A3165
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C71AD 1_2_6E5C71AD
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C41A1 1_2_6E5C41A1
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: String function: 6E5C5E60 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: String function: 6E5C12ED appears 69 times
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: String function: 6E5A165E appears 86 times
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: String function: 6E5A22ED appears 33 times
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: String function: 6E5C1320 appears 49 times
Source: Uninstall.exe, 00000000.00000000.1718651106.000000000052B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelinkwiz-setup.exe2 vs Uninstall.exe
Source: Uninstall.exe Binary or memory string: OriginalFilenamelinkwiz-setup.exe2 vs Uninstall.exe
Source: classification engine Classification label: mal56.winEXE@3/9@1/0
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_10002F22 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle, 1_2_10002F22
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5B5EB6 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, 1_2_6E5B5EB6
Source: C:\Users\user\Desktop\Uninstall.exe Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404356
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5AD008 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,_memset,Process32First,ProcessIdToSessionId,Process32Next,CloseHandle,CloseHandle,OpenProcess,OpenProcessToken,CloseHandle, 1_2_6E5AD008
Source: C:\Users\user\Desktop\Uninstall.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar, 0_2_00402020
Source: C:\Users\user\Desktop\Uninstall.exe File created: C:\Users\user\AppData\Local\Temp\nsj1EC3.tmp
Source: Uninstall.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Uninstall.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Uninstall.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Uninstall.exe File read: C:\Users\user\Desktop\Uninstall.exe
Source: unknown Process created: C:\Users\user\Desktop\Uninstall.exe "C:\Users\user\Desktop\Uninstall.exe"
Source: C:\Users\user\Desktop\Uninstall.exe Process created: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe "C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\user\Desktop\
Source: C:\Users\user\Desktop\Uninstall.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Uninstall.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Uninstall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Uninstall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Uninstall.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Uninstall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Uninstall.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Uninstall.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Uninstall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Uninstall.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\Uninstall.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_02502A10 push eax; ret 1_2_02502A3E
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C5EA5 push ecx; ret 1_2_6E5C5EB8
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C8473 pushad ; ret 1_2_6E5C8474
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C12BB push ecx; ret 1_2_6E5C12CE
Source: C:\Users\user\Desktop\Uninstall.exe File created: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe File created: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\UAC.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe File created: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\NSISPlugin.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe File created: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\nsDialogs.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe File created: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_100012B3 GetModuleFileNameA,SendMessageA,GetDlgItem,lstrcatA,GetDlgItem,GetPrivateProfileIntA,GetPrivateProfileIntA,EnableWindow,GetPrivateProfileIntA,ShowWindow, 1_2_100012B3
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C4ED2 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_6E5C4ED2
Source: C:\Users\user\Desktop\Uninstall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\UAC.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\NSISPlugin.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\nsDialogs.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5BE5BB VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 1_2_6E5BE5BB
Source: C:\Users\user\Desktop\Uninstall.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5CFB1E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 1_2_6E5CFB1E
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5BE5BB VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 1_2_6E5BE5BB
Source: C:\Users\user\Desktop\Uninstall.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_06D91759 Create,GetDlgItem,GetWindowRect,MapWindowPoints,CreateDialogParamA,SetWindowPos,SetWindowLongA,GetProcessHeap,HeapAlloc, 1_2_06D91759
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C5141 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E5C5141
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_1000255E _,CreateEventA,CreateEventA,CreateEventA,CreateFileMappingA,MapViewOfFile,GetLastError,CreateThread,GetLastError,WaitForSingleObject,GetExitCodeThread,GetCurrentProcessId,GetCurrentProcessId,GetCurrentThreadId,wsprintfA,SendMessageA,GetCurrentProcessId,GetCurrentThreadId,SetWindowLongA,GetCurrentProcessId,GetCurrentThreadId,wsprintfA,GetCurrentProcessId,GetCurrentProcessId,GetCurrentThreadId,wsprintfA,GetLastError,GetCurrentProcessId,SetCurrentDirectoryA,PostMessageA,GetCommandLineA,IsWindowVisible,GetModuleHandleA,CreateDialogParamA,GetWindowLongA,GetWindowLongA,SetWindowLongA,SetWindowPos,LoadIconA,FindWindowExA,ShowWindow,ShowWindow,FindWindowExA,GetDlgItem,ShowWindow,GetClientRect,SetWindowPos,GetWindowLongA,SetWindowLongA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,GlobalAlloc,GlobalFree,GlobalAlloc,GetModuleFileNameA,lstrlenA,GlobalAlloc,wsprintfA,SetForegroundWindow,ShellExecuteExA,GetLastError,UnhookWindowsHookEx,GetCurrentProcessId,GetCurrentThreadId,MsgWaitForMultipleObjects,GetExitCodeProcess,GetLastError,CloseHandle,CloseHandle,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GlobalFree, 1_2_1000255E
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5C5657 cpuid 1_2_6E5C5657
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_6E5D1E0D
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW, 1_2_6E5D1E90
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_6E5D0C69
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: GetLocaleInfoW, 1_2_6E5D1CA2
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: EnumSystemLocalesW, 1_2_6E5D1D50
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_6E5CFDD8
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_6E5D1D90
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW, 1_2_6E5D1AE0
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 1_2_6E5C2919
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_6E5D0665
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: GetLocaleInfoW, 1_2_6E5C54E9
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: EnumSystemLocalesW, 1_2_6E5C54AC
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_6E5D025C
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 1_2_6E5D2258
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 1_2_6E5D22C0
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 1_2_6E5C60D1
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: GetLocaleInfoW, 1_2_6E5D2083
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_6E5D21AB
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_6E5B1ED8 GetISO8601Time,GetSystemTime,swprintf, 1_2_6E5B1ED8
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe Code function: 1_2_10001164 SendMessageA,GetDlgItem,GetUserNameA,wsprintfA,GetDlgItem,GetDlgItem,SendMessageA,SendMessageA,LoadLibraryA,LoadStringA,GetDlgItem,SendMessageA, 1_2_10001164
Source: C:\Users\user\Desktop\Uninstall.exe Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405B88
No contacted IP infos