Analysis MD5: 2215773d7413f782b320102fb7ea2326
Analysis of the file classifies it as a class A (Safe). The file is safe to use. The trust index of this analysis is 98 % (very high).
Description
uninstaller[1].exe with the description AUP, is part of Uninstaller, developed by Premium.
Filename: | uninstaller.exe (AUP) |
Threat analysis: | Safe |
First seen: | 10 Feb, 2019 |
Last seen: | 26 Oct, 2019 |
Last analysis: | 15 Jun, 2019 |
Possible infection: | Clean |
uninstaller.exe AUP
Application: | Uninstaller |
Developer: | Premium |
File version: | 0.0.0.0 |
File size: | 142122 bytes (139 KB) |
CRC32 hash: | 2a093ed0 |
MD5 hash: | 2215773d7413f782b320102fb7ea2326 |
SHA1 hash: | 2d672ceaa57c7f8f3d9d9cde9dd247f095c2d8e0 |
SHA256 hash: | 2df4981c749f1f96eb5ae155b5bb623a7c1a409960cc226893829cb8ba883938 |
Signature verification
Unsigned
This file has no digital signature. The publisher of this file could not be verified.
File entropy
File entropy match: Encrypted
Parts of this file are encrypted. The reasons might be benign but it makes the analysis more difficult.
Entropy chart legend: Plain, Data, Text, Code, Compressed, Encrypted, Random
File signature
PE32 executable (GUI) Intel 80386 (stripped to external PDB)
This file can be executed.
File header
First 32 bytes of this file:
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
The file type is determined from a signature, also called magic numbers. Files are identified by comparing the first set of bytes in the file header. With this method, file types are recognised no matter which extension is used. This information is useful, for example, to recognise executable files cloaked as images or movies.
Multi malware scan
Scan date: 10 Feb, 2019 18:57:47
Malicious code scan
No malicious code found
Agics makes an analysis of the source code of the file. We look for similarities with known malicious source code. This is a good way to detect new malicious files which are in fact variations of existing, known malicious files.
Scan results:
Fuzzy hash a.k.a. Context Triggered Piecewise Hashing
SSDEEP
Context Triggered Piecewise Hashing, also called fuzzy hashing, can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although the bytes in between these sequences may differ in both content and length. Comparing fuzzy hashes is a good way to detect morphing malware, that is, malware which includes random code in every copy to change its properties. Agics uses ssdeep to create a fuzzy hash.
SSDEEP: 3072:7OwAFbmqOdDPx85L1A5mKmpIxFeeAsOZpPsvQRQ2oOrGeU7ambxmUE:41gUMHkUF4sA0vT2fGeU7ambxfE
No match found
Online virus scanners
Detection ratio:
VirusShare.com
Not available on virusshare.com
VirusShare.com is a repository of malware samples that gives security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of live malicious code. Presence of the sample on this site indicates that the file is (or once was) considered malicious.
Website: virusshare.com
National Software Reference Library
Not on the nsrl list
The NSRL contains a collection of digital signatures of known, traceable software applications. There are application hash values in the hash set which may be considered malicious, i.e. steganography tools and hacking scripts.
Website: www.nsrl.nist.gov
Behaviour
Sandbox behaviour analysis:
The file is executed in a safe environment to track its behaviour. The behaviour analysis can help with detecting new malware which is not yet recognized by virus scanners. However, it has a high chance of a false positive, especially with installers, uninstallers and virus scanners.
Deletes its original binary from disk
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
The binary likely contains encrypted or compressed data indicative of a packer
Detects VirtualBox through the presence of a file
The executable contains unknown PE section names indicative of a packer (could be a false positive)
Allocates read-write-execute memory (usually to unpack itself)
Network activity
No internet connection
Dropped files
Import hashing
Imphash ffe3cc63e5a1efb4d2f4cc004c584646
Fingerprinting files can be done in various ways. One way is to make a hash of the PE imports. PE imports are relatively unique, and this is a great way to find new variants of existing malware. The chance of false positives is relatively high. The resulting hash is often called an imphash.
Statistical analysis
Statistical analysis of the file
Deviates from other files with the same name (imitation) | |
File version is 0.0.0.0 | |
No certificate | |
Other files with the same name do not have a certificate as well | |
This is a very common file |
Neural network analysis
Analysis: Low risk
A neural network is a type of artificial intelligence. It recognizes patterns that are not clear to a human viewer. Our neural network is surprisingly accurate in recognizing dangerous files. The value below is the predicted chance the file is malicious.