Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
32s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
05/03/2023, 20:48
General
-
Target
IObitUninstallerPro.exe
-
Size
41.9MB
-
MD5
ca3ea9f9e7ea2acabe198d10ebb3f2e9
-
SHA1
6733097ddbf32b8f2b518db62be2464e2258b6bc
-
SHA256
d07c6790f1ed323cc52b723ccf02bd2b03c125083e163d80ea9228ec937a8164
-
SHA512
de6f10d0e2e24c61311cfeb75da1c7d34995623404803a9cfb6c7b16a5074786be9ee0592308f87b0b9d765b6b57b36480ba36d555da51ed83885acfcfbe883d
-
SSDEEP
786432:cWo8a8H+CXdclEUmxx5e38O49Px5+3PyMxHl0pgbUUZYh4Y7KfAnE:dfa8zKl3o53x9PbmP0pgbZYq7+E
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 14 IoCs
-
Themida packer 18 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 6 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\IObitUninstallerPro.exe"C:\Users\Admin\AppData\Local\Temp\IObitUninstallerPro.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-FQOFV.tmp\IObitUninstallerPro.tmp"C:\Users\Admin\AppData\Local\Temp\is-FQOFV.tmp\IObitUninstallerPro.tmp" /SL5="$80022,42727854,1166336,C:\Users\Admin\AppData\Local\Temp\IObitUninstallerPro.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-41I0J.tmp\WebrootCommAgentService.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAAnACkA4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABFAG4AdgBpAHIAbwBuAG0AZQBuAHQAVgBhAHIAaQBhAGIAbABlACgAJwBVAFMARQBSAFAAUgBPAEYASQBMAEUAJwApACAAKwAgACcAXABBAHAAcABEAGEAdABhACcAKQA=4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\IObit Uninstaller 12.0.0.10.exe"C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\IObit Uninstaller 12.0.0.10.exe" /install /quiet /norestart3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-QSGCK.tmp\IObit Uninstaller 12.0.0.10.tmp"C:\Users\Admin\AppData\Local\Temp\is-QSGCK.tmp\IObit Uninstaller 12.0.0.10.tmp" /SL5="$101B6,21265115,79872,C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\IObit Uninstaller 12.0.0.10.exe" /install /quiet /norestart4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"net" stop "IObit Uninstaller Service"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IObit Uninstaller Service"6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-41I0J.tmp\VCR-2005-2023-09.02.2023.exe"C:\Users\Admin\AppData\Local\Temp\is-41I0J.tmp\\VCR-2005-2023-09.02.2023.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-41I0J.tmp\VCR-2005-2023-09.02.2023.exe"C:\Users\Admin\AppData\Local\Temp\is-41I0J.tmp\\VCR-2005-2023-09.02.2023.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20.6MB
MD5c36937f7be7aebe65f683b4e5915cdfc
SHA1a637a186fedf37e4ba51c89b3dfe32b884d19420
SHA256cd764df8608430896a0eed4035d1d03b750af0d53a5e9f9d0418af3059530156
SHA5122c818b9f5fdc495e4d8e6cd286b65c60aa5a2bf969019963954b41d181192438c2503f8f2495c7d97ad4d8a7a5bb657a41cfc9fe886a234523922d6f7a5c9030
-
Filesize
20.6MB
MD5c36937f7be7aebe65f683b4e5915cdfc
SHA1a637a186fedf37e4ba51c89b3dfe32b884d19420
SHA256cd764df8608430896a0eed4035d1d03b750af0d53a5e9f9d0418af3059530156
SHA5122c818b9f5fdc495e4d8e6cd286b65c60aa5a2bf969019963954b41d181192438c2503f8f2495c7d97ad4d8a7a5bb657a41cfc9fe886a234523922d6f7a5c9030
-
Filesize
3.3MB
MD57c2c1204fe057d6e0f608eeac80e9bff
SHA142fce2aa75d5e46622fa7e37508607387fef8e5c
SHA256d39da988c83142af2d142ca39c63054586b7c74dad29e20c5f1cb47cbf9fb48c
SHA5124599e0a7bebdc289d534aa8a0edbf0914525236a8491c85413a44cf0cd785451e0425ec31aded81ee00b18976e617a635e3b065da044921ed26216cfb7171d14
-
Filesize
4.3MB
MD57e9d14aa762a46bb5ebac14fbaeaa238
SHA1a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9
SHA256e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3
SHA512280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023
-
Filesize
250.6MB
MD5cdf1935df4636d04de563a1402515350
SHA159be65f7a0755d752170006df06329cf02637d42
SHA2569c7fbc0d656d9d200effdd83f6bbd8ab870d49b8d4d74becd32fa389b207d3ca
SHA512a78ce76a78c64731cae286c228618e022018bf3a559adc6edce47acca64d8c3c58e3304ddccdd8c4ed1b3aed72bb8418e02957977287ec82b01240e9df096955
-
Filesize
206.2MB
MD53e22da2d4efdb51e4bd381424bc99692
SHA1361162d3769a753c1d08e2e7e5ef16f3fc233cc2
SHA25663bc24c56d93967415ef66fff82c036976a0bca05cc68b262fcffed6eeb6a442
SHA512ea0346cdad7145a79742e00444c7adfb4840b2d5eab6f5cfa0798887c8a1951d48a7642d8747591f696371a25808b8d2b17bd80b70d4d20df830ed00d36e4a8e
-
Filesize
223.7MB
MD58ec5c7621b5adadffe486e5ec0de5102
SHA1044ba0c0872d2927571f1dbe36b8935916d74c23
SHA25613a18d91a7fd98a6a09f99f2e34bd2c7c5fbe6530d3ee76193fae56bcd032787
SHA51219edeacbc2d494cc76b3599cedd058408961ff41fa909c138f7266fc38373b2ef4285c2c2025ec90a9eb184e5041d3217b38b1d715975de01a89e8ce59255bf5
-
Filesize
619B
MD5f2f6b265ffde779f57c23e594a6e11ce
SHA1da75a5fdb63be5f4d3a51369353e3e117e4dba48
SHA25602303d4fe27c3102e24e0a8349b3af9310e440d1f355c37dcf30b2cf5b8f366b
SHA512784ec181151752acff14ed4f97c242c726baebe24b40a423faa6a727958095e05eecfbdbac7d80ad194a4659c653611aa3b4d0de15e1a1fbba3530ffa9adb05a
-
Filesize
3.3MB
MD57c2c1204fe057d6e0f608eeac80e9bff
SHA142fce2aa75d5e46622fa7e37508607387fef8e5c
SHA256d39da988c83142af2d142ca39c63054586b7c74dad29e20c5f1cb47cbf9fb48c
SHA5124599e0a7bebdc289d534aa8a0edbf0914525236a8491c85413a44cf0cd785451e0425ec31aded81ee00b18976e617a635e3b065da044921ed26216cfb7171d14
-
Filesize
3.3MB
MD57c2c1204fe057d6e0f608eeac80e9bff
SHA142fce2aa75d5e46622fa7e37508607387fef8e5c
SHA256d39da988c83142af2d142ca39c63054586b7c74dad29e20c5f1cb47cbf9fb48c
SHA5124599e0a7bebdc289d534aa8a0edbf0914525236a8491c85413a44cf0cd785451e0425ec31aded81ee00b18976e617a635e3b065da044921ed26216cfb7171d14
-
Filesize
925KB
MD5457e97a95a10efceb0e90b5b8a6a5386
SHA13b986a3a4f3df9532ba3a74f533343464234a0b4
SHA2565ea4f8f49d7b328b0f51e26421e48ecab61f92459fabd83d4d2c73c3711a678b
SHA512ec5bdb1d4cb99f3847dd3b287cd46e38d27258cb5a31993716c65a2c1ce9460b3dd1f152bfe0fe6433f8dda2e83874351fd8a9914923e89a276f8431be4a8e89
-
Filesize
7KB
MD5cf96b338c7d6c1b770a2c0360d80d0ab
SHA14760f32ace504535a4d62723a6bbb48a0d601a58
SHA256a4a11d7de3c270bc5dd5f96c334b612b1a40c65eb07b74a6deae463dc89c55cc
SHA5122a19976498b356c49a60215fe14f18dc3e1649cbd06777b98d62d94e91c7534896480d9769df442ab6415bf6d28d0a0f12375e385bfca1317c9b95cb9d4bf9aa
-
Filesize
7KB
MD5cf96b338c7d6c1b770a2c0360d80d0ab
SHA14760f32ace504535a4d62723a6bbb48a0d601a58
SHA256a4a11d7de3c270bc5dd5f96c334b612b1a40c65eb07b74a6deae463dc89c55cc
SHA5122a19976498b356c49a60215fe14f18dc3e1649cbd06777b98d62d94e91c7534896480d9769df442ab6415bf6d28d0a0f12375e385bfca1317c9b95cb9d4bf9aa
-
Filesize
20.6MB
MD5c36937f7be7aebe65f683b4e5915cdfc
SHA1a637a186fedf37e4ba51c89b3dfe32b884d19420
SHA256cd764df8608430896a0eed4035d1d03b750af0d53a5e9f9d0418af3059530156
SHA5122c818b9f5fdc495e4d8e6cd286b65c60aa5a2bf969019963954b41d181192438c2503f8f2495c7d97ad4d8a7a5bb657a41cfc9fe886a234523922d6f7a5c9030
-
Filesize
4.3MB
MD57e9d14aa762a46bb5ebac14fbaeaa238
SHA1a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9
SHA256e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3
SHA512280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023
-
Filesize
229.7MB
MD5fdc924559ec6374771d7cd8c57d42db6
SHA13aa6ac122280e7a99e585dcb633372b99eec8721
SHA256c8ee59ab79e0c3eeaddfafd738be906719ffee92541793ffb07778f0725beacc
SHA512a10e4ecb692c90a186fe026a22f6b63f04481780095ee925aac9703d3ff9ffcf0589c2e23f4eaabdc2af625966a02b3508c6cd68b8cdaf8c4776fe6d545cb86e
-
Filesize
229.1MB
MD54f6ebbcdc3dff789182bf016fcb2ff58
SHA16ac4605837778fb52364cf291d1627cfa4d61b1c
SHA2566b3260ecd3e8777947a687c1fb14ec9f5bf972e382de03646ed39161fb0083fb
SHA512d0ec3d435a007c5642c140aedc0a281a17ef6f919505400dcc65205cdc46c7c6083efe1075726985726e50e851546053e24d45a07b81fb35cd129f3c4e061e6b
-
Filesize
184.1MB
MD5e9857da21f6b22a2b7d08dd538033464
SHA143f9ba09e32e243182e59000b2545cb9d09b60c9
SHA2569b0446b3c74eeb442e7d39f11d91a7a55b51e51f1fe3038ed5e0bb8481b073ad
SHA512f15ccac6e97f4f8caee3d9f32c6b2ef95fe0ee26183d047500c9f693ae1f252280f9e45e14395a606089ebcc16f50274f4e267232cb6c33b01bc747632c314cf
-
Filesize
176.5MB
MD5ee4317689d505e55b234eaeb331d81c9
SHA13ca2199b3017779897bf11c1c470a75f58996eb8
SHA256bc6e68e02a99619f7d17326e4513b42f90e7694d54314ba417f607daa0d4a00e
SHA512a6cdca669d75172725b0ab2eea7cc5db26633ed5c9e3c3ec952a43a70ef8f1d8ae9fd3250b8025d7bbd6fe0000617b239acd475f5ce93a243ac7b4c40cc34e8e
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
28KB
MD5077cb4461a2767383b317eb0c50f5f13
SHA1584e64f1d162398b7f377ce55a6b5740379c4282
SHA2568287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64
SHA512b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547
-
Filesize
63KB
MD51c55ae5ef9980e3b1028447da6105c75
SHA1f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA2566afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA5121ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b
-
Filesize
3.3MB
MD57c2c1204fe057d6e0f608eeac80e9bff
SHA142fce2aa75d5e46622fa7e37508607387fef8e5c
SHA256d39da988c83142af2d142ca39c63054586b7c74dad29e20c5f1cb47cbf9fb48c
SHA5124599e0a7bebdc289d534aa8a0edbf0914525236a8491c85413a44cf0cd785451e0425ec31aded81ee00b18976e617a635e3b065da044921ed26216cfb7171d14
-
Filesize
925KB
MD5457e97a95a10efceb0e90b5b8a6a5386
SHA13b986a3a4f3df9532ba3a74f533343464234a0b4
SHA2565ea4f8f49d7b328b0f51e26421e48ecab61f92459fabd83d4d2c73c3711a678b
SHA512ec5bdb1d4cb99f3847dd3b287cd46e38d27258cb5a31993716c65a2c1ce9460b3dd1f152bfe0fe6433f8dda2e83874351fd8a9914923e89a276f8431be4a8e89
-
Filesize
66KB
MD586a1311d51c00b278cb7f27796ea442e
SHA1ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec
-
Filesize
3.0MB
MD5b0ca93ceb050a2feff0b19e65072bbb5
SHA17ebbbbe2d2acd8fd516f824338d254a33b69f08d
SHA2560e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
SHA51237242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
13.3MB
-
Filesize
13.3MB
-
Filesize
13.3MB
-
Filesize
13.3MB
-
Filesize
13.3MB
-
Filesize
13.3MB
-
Filesize
13.3MB
-
Filesize
13.3MB
-
Filesize
13.3MB
-
Filesize
13.3MB
-
Filesize
1.2MB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1000KB
-
Filesize
88KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
3.1MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
13.3MB
-
Filesize
13.3MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
3.4MB
-
Filesize
13.3MB
-
Filesize
4KB
-
Filesize
3.4MB
-
Filesize
84KB
-
Filesize
3.4MB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
4KB