» uninst.exe
Overview
Analysis
File Details
Behaviors (4)
Network (95)

uninst.exe

It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. This is the uninstaller utility registered in the Windows Control Panel for the program Yahoo! Powered.

File name:

uninst.exe

MD5:

9b46cba2bae47fe40fffba10b9570faa

SHA-1:

cbdcdeef75d33e7b9f12352c7dee63c6c937d291

SHA-256:

84c442fd55dbecd91f6f74b40608a66bb15a444683ce8aa91f4653343b922819

Scanner detections:

3 / 68

Status:

Inconclusive (not enough data for an accurate detection)

Analysis date:

11/5/2024 10:56:08 PM UTC (today)

Scan engine

Detection

Engine version

Kaspersky

not-a-virus:HEUR:AdWare.Win32.Generic

14.0.0.-1117

McAfee

PUP-FPD

5600.6134

Qihoo 360 Security

HEUR/QVM05.1.0000.Malware.Gen

1.0.0.1120

File size:

2.8 MB (2,904,576 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\{dc33ea6f-f89b-86d7-9503-a33fb16b5fa7}\uninst.exe

File PE Metadata

Compilation timestamp:

12/15/2015 5:57:13 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

Entry address:

0x28B2A8

Entry point:

55, 8B, EC, 83, C4, F0, B8, BC, 3B, 68, 00, E8, D8, 29, D8, FF, A1, 50, 0E, 69, 00, 8B, 00, E8, 0C, CC, F1, FF, 8B, 0D, 6C, 0E, 69, 00, A1, 50, 0E, 69, 00, 8B, 00, 8B, 15, FC, 04, 5B, 00, E8, 0C, CC, F1, FF, A1, 50, 0E, 69, 00, 8B, 00, E8, 64, CD, F1, FF, E8, B3, DA, D7, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

2.5 MB (2,663,424 bytes)

3 Program Uninstaller

Program name:

Yahoo! Powered

Uninstall string:

"C:\users\{user}\appdata\local\{dc33ea6f-f89b-86d7-9503-a33fb16b5fa7}\uninst.exe" -fn=""-p=\uninstall \s \noun \delselfdir

Program name:

Search Provided by Yahoo

Uninstall string:

"C:\users\{user}\appdata\local\{635d5501-47f5-39b9-2a6d-1c510e05e0c9}\uninstall.exe" \uninstall \s \noun \delselfdir

Program name:

Chromium

Display publisher:

Chromium

Display version:

51.0.2683.0

Uninstall string:

"C:\users\{user}\appdata\local\{75b443e8-511c-2f50-3c84-0ab818ecf620}\uninstall.exe" \uninstall \s \noun \delselfdir

Scheduled Task

Task name:

{5B72C739-50F5-4A56-A1D3-979ADB9C1EF9}

Trigger:

Daily (Runs daily at 10:52)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ec2-23-21-246-202.compute-1.amazonaws.com (23.21.246.202:80)

TCP (HTTP):

Connects to ec2-107-20-201-65.compute-1.amazonaws.com (107.20.201.65:80)

TCP (HTTP):

Connects to ec2-54-225-212-5.compute-1.amazonaws.com (54.225.212.5:80)

TCP (HTTP SSL):

Connects to geoip-zlb.vips.scl3.mozilla.com (63.245.215.82:443)

TCP (HTTP):

Connects to ec2-184-73-230-77.compute-1.amazonaws.com (184.73.230.77:80)

TCP (HTTP):

Connects to ec2-107-21-228-208.compute-1.amazonaws.com (107.21.228.208:80)

TCP (HTTP):

Connects to ec2-23-23-166-158.compute-1.amazonaws.com (23.23.166.158:80)

TCP (HTTP):

Connects to ec2-54-83-207-70.compute-1.amazonaws.com (54.83.207.70:80)

TCP (HTTP):

Connects to ec2-54-191-37-103.us-west-2.compute.amazonaws.com (54.191.37.103:80)

TCP (HTTP):

Connects to ec2-54-243-75-224.compute-1.amazonaws.com (54.243.75.224:80)

TCP (HTTP):

Connects to ec2-54-243-162-184.compute-1.amazonaws.com (54.243.162.184:80)

TCP (HTTP):

Connects to ec2-52-25-199-9.us-west-2.compute.amazonaws.com (52.25.199.9:80)

TCP (HTTP):

Connects to ec2-23-21-246-179.compute-1.amazonaws.com (23.21.246.179:80)

TCP (HTTP):

Connects to ec2-23-21-232-30.compute-1.amazonaws.com (23.21.232.30:80)

TCP (HTTP):

Connects to ec2-107-20-235-208.compute-1.amazonaws.com (107.20.235.208:80)

TCP (HTTP):

Connects to server-54-230-191-54.maa3.r.cloudfront.net (54.230.191.54:80)

TCP (HTTP):

Connects to server-54-192-159-225.sin3.r.cloudfront.net (54.192.159.225:80)

TCP (HTTP):

Connects to server-54-192-159-113.sin3.r.cloudfront.net (54.192.159.113:80)

TCP (HTTP):

Connects to s3-1-w.amazonaws.com (54.231.72.11:80)

TCP (HTTP):

Connects to ec2-23-21-200-178.compute-1.amazonaws.com (23.21.200.178:80)

Scan uninst.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.