SHA256: c17ee78f87a376086901791ac1b60d0bbe13f78a023882576bec7e00aceffac6
File name: UnInstall.exe
Detection ratio: 24 / 61
Analysis date: 2017-04-06 01:53:09 UTC ( 8 months, 1 week ago )
Antivirus Result Update
AegisLab Troj.W32.Gen.m6l9 20170406
Avast Win32:Rootkit-gen [Rtk] 20170406
AVG Ransom_s.RS 20170405
Avira (no cloud) TR/Crypt.Xpack.kxxos 20170405
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9998 20170405
Bkav W32.eHeur.Malware12 20170405
CrowdStrike Falcon (ML) malicious_confidence_68% (W) 20170130
Endgame malicious (high confidence) 20170406
ESET-NOD32 Win32/Filecoder.Cerber.G 20170406
Fortinet W32/Filecoder_Cerber.G!tr 20170406
GData Win32.Trojan.Agent.HFOYLY 20170406
Ikarus Win32.Outbreak 20170405
Sophos ML virus.win32.sality.at 20170203
Kaspersky Trojan-Ransom.Win32.Zerber.doxf 20170406
Malwarebytes Ransom.Cerber 20170406
McAfee Artemis!4E2A8A3179D0 20170406
McAfee-GW-Edition BehavesLike.Win32.MultiPlug.gc 20170406
Palo Alto Networks (Known Signatures) generic.ml 20170406
Rising Ransom.Cerber!8.3058 (cloud:O7FoI5DUKiE) 20170405
SentinelOne (Static ML) static engine - malicious 20170330
Sophos AV Mal/Generic-S 20170406
Symantec Trojan.Gen.2 20170405
TrendMicro-HouseCall Suspicious_GEN.F47V0405 20170406
ZoneAlarm by Check Point Trojan-Ransom.Win32.Zerber.doxf 20170405
Ad-Aware 20170405
AhnLab-V3 20170405
Alibaba 20170405
ALYac 20170405
Antiy-AVL 20170406
Arcabit 20170406
AVware 20170406
BitDefender 20170406
CAT-QuickHeal 20170405
ClamAV 20170405
CMC 20170405
Comodo 20170405
Cyren 20170406
DrWeb 20170406
Emsisoft 20170406
F-Prot 20170406
F-Secure 20170406
Jiangmin 20170406
K7AntiVirus 20170405
K7GW 20170406
Kingsoft 20170406
Microsoft 20170405
eScan 20170406
NANO-Antivirus 20170406
nProtect 20170406
Panda 20170405
Qihoo-360 20170406
SUPERAntiSpyware 20170406
Symantec Mobile Insight 20170406
Tencent 20170406
TheHacker 20170403
TrendMicro 20170406
Trustlook 20170406
VBA32 20170405
VIPRE 20170405
ViRobot 20170405
Webroot 20170406
WhiteArmor 20170327
Yandex 20170404
Zillya 20170404
Zoner 20170406
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Copyright (c) 2014 - . All rights reserved. Theranos

Product Commonparameters
File version 1.9.2.1
Description Backrest Swindlers Confliction Oakidata Enhance
Comments Backrest Swindlers Confliction Oakidata Enhance
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-01-28 12:07:06
Entry Point 0x00006783
Number of sections 5
PE sections
Overlays
MD5 4b6b0594a4f74383fe2e1a0bcc5da498
File type data
Offset 412672
Size 1995
Entropy 7.90
PE imports
SetSecurityDescriptorOwner
GetTokenInformation
RegCloseKey
FreeSid
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
AddAccessAllowedAce
AllocateAndInitializeSid
GetAce
RegSetValueExA
InitializeAcl
GetFileSecurityA
RegCreateKeyExA
GetLengthSid
SetFileSecurityA
InitializeSecurityDescriptor
AddAce
SetSecurityDescriptorGroup
ChooseFontA
GetObjectA
LineTo
CreateICA
DeleteDC
SetBkMode
CreateBitmap
MoveToEx
CreatePen
SetPolyFillMode
CreateFontIndirectA
GetTextMetricsA
SelectObject
StartPage
Rectangle
BitBlt
EnumFontsA
CreateCompatibleDC
GetGlyphOutlineA
CreateFontA
CreateSolidBrush
CreateToolhelp32Snapshot
GetLastError
InitializeCriticalSectionAndSpinCount
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
SetHandleCount
lstrlenA
GetModuleFileNameW
GetConsoleCP
GetOEMCP
QueryPerformanceCounter
IsDebuggerPresent
GetTickCount
TlsAlloc
GetEnvironmentStringsW
FlushFileBuffers
GetModuleFileNameA
RtlUnwind
IsProcessorFeaturePresent
DeleteCriticalSection
GetCurrentProcess
GetStartupInfoW
GetConsoleMode
DecodePointer
GetCurrentProcessId
GetCPInfo
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
HeapSize
FreeEnvironmentStringsW
GetCommandLineA
GetProcAddress
EncodePointer
GetAtomNameW
SetStdHandle
RaiseException
WideCharToMultiByte
LoadLibraryW
TlsFree
SetFilePointer
lstrcmpA
HeapSetInformation
SetUnhandledExceptionFilter
WriteFile
CloseHandle
GetSystemTimeAsFileTime
GetACP
HeapReAlloc
GetStringTypeW
GetModuleHandleW
TerminateProcess
IsValidCodePage
HeapCreate
SetLastError
CreateFileW
InterlockedDecrement
Sleep
GetFileType
GetFullPathNameW
TlsSetValue
HeapAlloc
GetCurrentThreadId
LeaveCriticalSection
ExitProcess
LocalAlloc
WriteConsoleW
InterlockedIncrement
ICLocate
wglDeleteContext
glEnable
wglMakeCurrent
glLightfv
wglCreateContext
glBlendFunc
InitializeProcessForWsWatch
SetupDiGetClassDevsA
SHBrowseForFolderA
SHQueryRecycleBinA
SHEmptyRecycleBinA
SHDeleteKeyA
PathRelativePathToA
PathParseIconLocationA
PathQuoteSpacesA
MapVirtualKeyA
GetParent
SetPropA
BeginPaint
DefWindowProcA
PostQuitMessage
DefMDIChildProcA
FindWindowA
SetClassLongA
GetPropA
GetClipboardData
GetSysColorBrush
GetWindowRect
EndPaint
SetDlgItemTextA
CallWindowProcA
GetDlgItemTextA
MessageBoxA
GetSystemMenu
GetWindowLongA
GetDC
InsertMenuItemA
ReleaseDC
RemovePropA
DrawFocusRect
SendMessageA
GetClientRect
GetDlgItem
EnableMenuItem
wsprintfA
CreateWindowExA
IsDlgButtonChecked
GetDesktopWindow
GetDialogBaseUnits
GetClassNameA
GdipDisposeImage
GdipSaveImageToFile
GdipCreateBitmapFromHBITMAP
RevokeDragDrop
RegisterDragDrop
OleUninitialize
OleInitialize
CoLockObjectExternal
Number of PE resources by type
RT_STRING 9
RT_CURSOR 8
RT_ICON 4
RT_GROUP_CURSOR 3
Struct(241) 2
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 29
PE resources
ExifTool file metadata
LegalTrademarks Copyright (c) 2014 - . All rights reserved. Theranos
SubsystemVersion 5.1
Comments Backrest Swindlers Confliction Oakidata Enhance
LinkerVersion 10.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 1.9.2.1
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription Backrest Swindlers Confliction Oakidata Enhance
CharacterSet Unicode
InitializedDataSize 328192
PrivateBuild 1.9.2.1
EntryPoint 0x6783
MIMEType application/octet-stream
LegalCopyright Copyright (c) 2014 - . All rights reserved. Theranos
FileVersion 1.9.2.1
TimeStamp 2016:01:28 13:07:06+01:00
FileType Win32 EXE
PEType PE32
ProductVersion 1.9.2.1
UninitializedDataSize 0
OSVersion 5.1
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Theranos
CodeSize 83456
ProductName Commonparameters
ProductVersionNumber 1.9.2.1
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 4e2a8a3179d0ba2aecf7a567a3a81187
SHA1 abe864c0360cf693dd580a23a6b3b4c1d84d4efc
SHA256 c17ee78f87a376086901791ac1b60d0bbe13f78a023882576bec7e00aceffac6
ssdeep 6144:hHwDESzhyMqZYL3pU7C4SgLSZ+cFHBV0kJxldKrVolQl1G9/LXzfn3QrPW+p6l3p:haESzhy1YL5WtSfP0yahoprzGNK3tNV
authentihash f16085583b6a6e354d398720b11636a8284da3f9b95652ec49274775e4619d3b
imphash d43b1faeeb15b83f27cdf0dd3bce7dc5
File size 404.9 KB ( 414667 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags
peexe suspicious-udp overlay

VirusTotal metadata
First submission 2017-04-05 13:17:41 UTC ( 8 months, 2 weeks ago )
Last submission 2017-10-05 17:42:20 UTC ( 2 months, 1 week ago )
File names UnInstall.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.