00ca2f850fbf5b70a801cc88e80ea3df8628981caa99dfd54775f0c0bd17682d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 10:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

revosetup.exe
Size

7.2MB
MD5

f8468a02b9542db2f833917fd9bfcc3f
SHA1

93dc5a487d17e7fc2aead5823806cee0f8b4ec15
SHA256

00ca2f850fbf5b70a801cc88e80ea3df8628981caa99dfd54775f0c0bd17682d
SHA512

c6b6f8cded2d59b47b35249318f7c2613a13a61774d390f7a19234d1ff903d5e0a5b252baa7c966e3e06519851387e78d9f36118aa1bb6bf7ec4ee38ac36c04e
SSDEEP

196608:iDC3zciZ7PNZDr4QnUOp+4PIfTqJqHjQ0F0M:vHPHDrhnUOEqSjQ/M

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3692	revosetup.tmp
2344	RevoUnin.exe
5032	Uninst.exe

Registers COM server for autorun 1 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	Uninst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-5BQIQ.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-QNNFE.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-RHJ9K.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-NG5TR.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-8HJO2.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-F4OFV.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-78DKN.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-OUGSP.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-53NH8.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-276CR.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-NIIFS.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-KNM81.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-3HLSD.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-9B7LH.tmp	revosetup.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.dat	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-0LURL.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-M8JQ1.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-BSNPU.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-EN0QA.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-7EH74.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-PE50P.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-4D1I4.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-UPS1D.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-GRAE1.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-PFI1P.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-VILN5.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-4C929.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-F3TQA.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-QI5OQ.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-PL2A6.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-67IDP.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-VS78K.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-OMBEU.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-BD9QI.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\is-H1F45.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-C9AIV.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-SDOML.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-S4GEO.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-QIFTK.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\is-C14QE.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.dat	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\is-OCRHM.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-4I5OR.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-KCJ7L.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\is-7DL8L.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-N288Q.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-IL2JT.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-P8H7E.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-RDDJQ.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-MHA71.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.msg	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-BVGFQ.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-AFL25.tmp	revosetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{23170F69-40C1-278A-1000-000100020000}	Uninst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	Uninst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\*\SHELLEX\CONTEXTMENUHANDLERS\7-ZIP	Uninst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\7-ZIP	Uninst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\FOLDER\SHELLEX\CONTEXTMENUHANDLERS\7-ZIP	Uninst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\DRAGDROPHANDLERS\7-ZIP	Uninst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\DRIVE\SHELLEX\DRAGDROPHANDLERS\7-ZIP	Uninst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	Uninst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{23170F69-40C1-278A-1000-000100020000}	Uninst.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
2656	msedge.exe
2656	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2656	msedge.exe
2656	msedge.exe
2656	msedge.exe
2656	msedge.exe
2656	msedge.exe
2656	msedge.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
3692	revosetup.tmp
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2656	msedge.exe
2656	msedge.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe
2344	RevoUnin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 3692	3484	revosetup.exe	84
PID 3484 wrote to memory of 3692	3484	revosetup.exe	84
PID 3484 wrote to memory of 3692	3484	revosetup.exe	84
PID 3692 wrote to memory of 2344	3692	revosetup.tmp	90
PID 3692 wrote to memory of 2344	3692	revosetup.tmp	90
PID 3692 wrote to memory of 2656	3692	revosetup.tmp	92
PID 3692 wrote to memory of 2656	3692	revosetup.tmp	92
PID 2656 wrote to memory of 2212	2656	msedge.exe	93
PID 2656 wrote to memory of 2212	2656	msedge.exe	93
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 4160	2656	msedge.exe	96
PID 2656 wrote to memory of 5076	2656	msedge.exe	97
PID 2656 wrote to memory of 5076	2656	msedge.exe	97
PID 2656 wrote to memory of 3368	2656	msedge.exe	98
PID 2656 wrote to memory of 3368	2656	msedge.exe	98
PID 2656 wrote to memory of 3368	2656	msedge.exe	98
PID 2656 wrote to memory of 3368	2656	msedge.exe	98
PID 2656 wrote to memory of 3368	2656	msedge.exe	98
PID 2656 wrote to memory of 3368	2656	msedge.exe	98
PID 2656 wrote to memory of 3368	2656	msedge.exe	98
PID 2656 wrote to memory of 3368	2656	msedge.exe	98
PID 2656 wrote to memory of 3368	2656	msedge.exe	98
PID 2656 wrote to memory of 3368	2656	msedge.exe	98
PID 2656 wrote to memory of 3368	2656	msedge.exe	98
PID 2656 wrote to memory of 3368	2656	msedge.exe	98
PID 2656 wrote to memory of 3368	2656	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\revosetup.exe
"C:\Users\Admin\AppData\Local\Temp\revosetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\is-N8RSD.tmp\revosetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-N8RSD.tmp\revosetup.tmp" /SL5="$80056,6916522,266240,C:\Users\Admin\AppData\Local\Temp\revosetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe
    "C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2344
  - - C:\Program Files\7-Zip\Uninstall.exe
      "C:\Program Files\7-Zip\Uninstall.exe"
      4⤵
      PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\7z7895CA0C\Uninst.exe
        
        C:\Users\Admin\AppData\Local\Temp\7z7895CA0C\Uninst.exe /N /D="C:\Program Files\7-Zip\"
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:5032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --uninstall --msedge --system-level --verbose-logging
      4⤵
      PID:216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x110,0x270,0x7ff641f75460,0x7ff641f75470,0x7ff641f75480
        5⤵
        
        PID:1592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --suspend-background-mode
        5⤵
        
        PID:364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85aeb46f8,0x7ff85aeb4708,0x7ff85aeb4718
        6⤵
        
        PID:2936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,5186956569914730176,14686793980311510051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
        6⤵
        
        PID:1640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --uninstall
        5⤵
        
        PID:2192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85aeb46f8,0x7ff85aeb4708,0x7ff85aeb4718
        6⤵
        
        PID:3660
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1800942908526469996,5529442336534415235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
        6⤵
        
        PID:3540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1800942908526469996,5529442336534415235,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        6⤵
        
        PID:340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.revouninstaller.com/free-install-thankyou/
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85aeb46f8,0x7ff85aeb4708,0x7ff85aeb4718
      4⤵
      PID:2212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16869548701748675696,3726509163790835401,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:4160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,16869548701748675696,3726509163790835401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,16869548701748675696,3726509163790835401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
      4⤵
      PID:3368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16869548701748675696,3726509163790835401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
      4⤵
      PID:456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16869548701748675696,3726509163790835401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
      4⤵
      PID:4408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16869548701748675696,3726509163790835401,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
      4⤵
      PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16869548701748675696,3726509163790835401,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
      4⤵
      PID:4336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16869548701748675696,3726509163790835401,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
      4⤵
      PID:4188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16869548701748675696,3726509163790835401,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
      4⤵
      PID:4284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,16869548701748675696,3726509163790835401,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2068 /prefetch:8
      4⤵
      PID:2992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3644

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3fc 0x404
1⤵
PID:3364

C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe
"C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe"
1⤵
PID:4312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe

Filesize
14.4MB

MD5
aa3642dc179595c1b20277b21bb5a561

SHA1
c9bf3b9d175533668be720a9ced85d4e11aa32df

SHA256
4d4e0e7d7b4d3100342c4acdb3997a9d35311902cae45878af88db6f402e164c

SHA512
9b05c6728438dd6151e949295859f64c99a804ff0b19a70e128ddb68f903dbcedb35d7aa1ec27448c0adbf18747425ca34d4550b342131944f3743fb3cdb35b7

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe

Filesize
14.4MB

MD5
aa3642dc179595c1b20277b21bb5a561

SHA1
c9bf3b9d175533668be720a9ced85d4e11aa32df

SHA256
4d4e0e7d7b4d3100342c4acdb3997a9d35311902cae45878af88db6f402e164c

SHA512
9b05c6728438dd6151e949295859f64c99a804ff0b19a70e128ddb68f903dbcedb35d7aa1ec27448c0adbf18747425ca34d4550b342131944f3743fb3cdb35b7

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe

Filesize
14.4MB

MD5
aa3642dc179595c1b20277b21bb5a561

SHA1
c9bf3b9d175533668be720a9ced85d4e11aa32df

SHA256
4d4e0e7d7b4d3100342c4acdb3997a9d35311902cae45878af88db6f402e164c

SHA512
9b05c6728438dd6151e949295859f64c99a804ff0b19a70e128ddb68f903dbcedb35d7aa1ec27448c0adbf18747425ca34d4550b342131944f3743fb3cdb35b7

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe

Filesize
14.4MB

MD5
aa3642dc179595c1b20277b21bb5a561

SHA1
c9bf3b9d175533668be720a9ced85d4e11aa32df

SHA256
4d4e0e7d7b4d3100342c4acdb3997a9d35311902cae45878af88db6f402e164c

SHA512
9b05c6728438dd6151e949295859f64c99a804ff0b19a70e128ddb68f903dbcedb35d7aa1ec27448c0adbf18747425ca34d4550b342131944f3743fb3cdb35b7

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller\lang\english.ini

Filesize
102KB

MD5
70426e5a0477c6156db5eff96eab7db1

SHA1
806ec977e8a0923b63ad690cb383671fc357ea66

SHA256
5f759bd4c2df126c0145c4137c3ab444b60bbba0054e67789f36ffe65da2f284

SHA512
6728224fd2788d24b81ccc49880d1d01c066b1b5a9f2ec41e8027b47e5935911f23227ffa9ac9f7057c9fa9a6850caf940ace93e35aa53e9af71aca05d2ae270

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.exe

Filesize
1.3MB

MD5
ccd36551de8189eb2847e54eabd8f871

SHA1
a77a1f09fcc3eefbc9b13ed98bf0dbb103efe940

SHA256
1e55c77218cb2363762407db483a47ff09614c9c8e9e0dd735067e1de321ebaf

SHA512
010a3f5ac281367baa5c946808408f91d840b18a0ce66f50e69ba0e758ec42852e880a9072ea10e4114956fa93eb9334dc1a2bbb6eaa5481c401871e98e2d535

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller\Revo Uninstaller Help.lnk

Filesize
1KB

MD5
4ecad10338ba2aac5fdcddecf15993bf

SHA1
15821ba00cf5d6889611b13d593c3d351fe073d2

SHA256
03000ca6dd8a7e01f65b316d3a8cf2895a106bebe23c5a159bd5adb4a768099d

SHA512
ca926a8781b13f875a3b4809afa45ce5345dd7f56ad61083b876eed0dc1bf2ab5c969e567f9cfb1d8257b187f70cae937743936df2bdd26f8e0ec9e0bf8ea294

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller\Revo Uninstaller on the Web.url

Filesize
58B

MD5
8e02440366a76e3dceed1e12c0ce25e2

SHA1
cc3ce2a9230fce87be3621043417baf82ca6427a

SHA256
dd1fd179e29f6e68371c78a2c2e1c4da61c00be358d54b92c868b8f85d509bd7

SHA512
837b0fbad3cb8ec83bf5aff2a275260a285d84cfc2e4bcba40f102cc233e09d5bb9ca4f378adccca194ec5c38171d8e7fa32ddec4d90615d86c8a8cf37621141

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller\Revo Uninstaller.lnk

Filesize
1KB

MD5
3301f758bbeffaf490f03e0e4c400914

SHA1
88b30b3927f5ef36ef5d1d1d68b18abaee2ba545

SHA256
7a32473353209aa19a7f122240fc55d0fea6f1b0abe1d4e8736075a48e28ed88

SHA512
ebfe9c1192328cd7e435b6cdb910543401c4bd68fa348825609b05f42dc9935ca9e16a0a9614d56f78c0a01983ca3e45904d7f1e636e58295ab78ac271cde527

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller\Uninstall Revo Uninstaller.lnk

Filesize
1KB

MD5
473d4e1fe2fa2aacaa971f8eca3ba021

SHA1
3456890d0f0d58738c00ef5ac80a271b23f6b5dc

SHA256
693f6739b7e52a2a5836ede333ce448be85e0c61c5fe571336c5d051207d5cd1

SHA512
7871adb6449cb2b39b088bf52fc1274d7419056f32fd62166c288acda85522562029a490993132a11423b016591f44d76c074f17e16093701af9361712ddb1ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8e068076538743d62dbebbbf7d7e2499

SHA1
12c776b76f9aafee6e1e3acb8f17c397d92dea92

SHA256
f14a4d84df6dc971f79343a4beab6944f2e84c1b86f02ed3ef3b92fd201c0e71

SHA512
f59481e8381089246c347229e95046a80d546bcfcd7f47e8dda630aad363265516b5ed006f4fc7d2d1a7bae3ff4f8cae5f081396f791c8a3b5c073ac3d3b6526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8e068076538743d62dbebbbf7d7e2499

SHA1
12c776b76f9aafee6e1e3acb8f17c397d92dea92

SHA256
f14a4d84df6dc971f79343a4beab6944f2e84c1b86f02ed3ef3b92fd201c0e71

SHA512
f59481e8381089246c347229e95046a80d546bcfcd7f47e8dda630aad363265516b5ed006f4fc7d2d1a7bae3ff4f8cae5f081396f791c8a3b5c073ac3d3b6526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5a7f2ac18d3bec8159c401dd436bba21

SHA1
fdd8481ccfd5041131496ecab910325e138a263f

SHA256
212f71272569718acec1daac0fe71fa641c38e57ba40e171d0efdf47b05de543

SHA512
9116e8b12349037cbebcef43a8fa997c16ea0c6bc21a4648f6dfed102a76d7016cb43d5b1f5e6edb1e3b1ec7f08b216f36fbe074f4b64a04a6ded046ddb47e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c3bb2ecaecc8489ebff326151830b41f

SHA1
27718b7556291c788315a472cea8bfeb2002a774

SHA256
c0c0241b68fa889af39b72a2f2014eca56619a57060ecdcd8971ea113c3d2ab0

SHA512
11b2ca01f8331d9e266cada7859487e25e4be3d40654cacd751026c0ad9118e9e2a910b541bb548c1bbd6b9590e6c6a3bace2a2fb5d7a2737827b1cc47e113f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c3bb2ecaecc8489ebff326151830b41f

SHA1
27718b7556291c788315a472cea8bfeb2002a774

SHA256
c0c0241b68fa889af39b72a2f2014eca56619a57060ecdcd8971ea113c3d2ab0

SHA512
11b2ca01f8331d9e266cada7859487e25e4be3d40654cacd751026c0ad9118e9e2a910b541bb548c1bbd6b9590e6c6a3bace2a2fb5d7a2737827b1cc47e113f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
dedcb103a4dfe6b5f5b9a98306deabd4

SHA1
eb64839784fb4af12939cd122fcae9f06460fa4d

SHA256
f55186817c841617ab03c67eef337299f67f8d4647ce48417660b4e04c1392d3

SHA512
4fe872e6ff1432fb69e665cb104553c83f9a783e372c2d4e6416ab6eea79060bc92651cd0062449d33686fb704da1c55fd44da298fff99aef18d5c90dcb9613c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
017ffd6372ff3813979ec0ebe75c65f2

SHA1
ccbbe018a931df032efc90fff5c599a538734e8c

SHA256
43fad02bfa678ca26ea31eb73f30ab7ed9c3addb54a3f300764a13f8f28c4c3c

SHA512
daa7723f8724544ebb92b05256efabfa881322afb5206c0d6eec1aa0e969af409481d1ae9a84af92ca58694d1835c3e51e041ab0569039a598894a73e389bc04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
a23fc20c36f62e10c4b799525bbdfdb4

SHA1
b34dbaf4dc979db86290c08afa7b4e3dd7b0bacf

SHA256
329367e83b31b361b3742db1c99099667dffc1768fa254199a8804de07d3d136

SHA512
e6333a41227e5606d418ca6747b505ccba4b2368dec1e2ea0451addde7c228e8b199d0cfb468df6ad346c022d29b9976b76a7a89cb62e4002adad6a4fe15d3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
734908f9d5fbcd8f38aa5e568269a82e

SHA1
90455d62a514221902c13575e8da18d468844b58

SHA256
f5ceac242d46588b978b10b511a7c6d6bcec28eddc47b36713d7b558f4e322fb

SHA512
ed8869ec4a535a19aa37cc2b09c96574ec04c190feccb54173c0c89586a6c034661fc3045a9868180ac93560229cb7bc9783823ec83be35ace8a2ab6b1a11baf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
8177f221225da6bbf9ccf6fcb458590f

SHA1
31704a2f3e56e364dd5c24626f7a4ec55a4fd94f

SHA256
6e6e52b7f9b57863e0bbbac02a8d262a345b73170546579119f3cfa99bd6ab13

SHA512
a230055dccb3436a1dcc998675be4208569e1f6ec16f23ef5128fab4eaf759af81d3ae671edbee95703d0b92ffed5166f778883a920fa5302b50882c7990e241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
485ab87693e6e66fb4800f762dcbdc35

SHA1
218d1e1d153f3ac2bbacbb9d9300a11847dea19b

SHA256
1d5dbac831447800843ac56c979e0ef63bbc6f9f6e68f00d2f7bf48d3573da51

SHA512
a9bd3943dfbb43d1e75a90c0a5f7b4e9962f45660edfb7b8491f39682f2869eaa16834e7c3bb10d6a90c872dbb9a8aff97d744d00130fc2f9e4172bb381ec04f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
272db5b8167bc808e4b30e7371264cac

SHA1
539b5626e05e007ce0b34895dbb8d5c48ed4dd5b

SHA256
531ad83f846e1a6e699ec11e4e0fc25ac06fd62e294b7462f592019fbfb93ebe

SHA512
e17d8cea811769c91ac450d63d29a673b06ed72aaf38fc5d4610c6ff1935c0379d6465e68e75b8b3c4a8cda99cf3e0d8c05875a388ecb61ccbfa2d9a984c62ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
77e1590c30cbdf0b867343135f885bf0

SHA1
1f26e0c36d773410b5e5aff973574f3816e007af

SHA256
05e2ed5e9494aabc048c02d27b2f69c1bf361c78f2658da46eb6fae41251f4b0

SHA512
3b88394187ba98f990863f87ebd6fc60831fe2851b9048597582d91743b93a81c68bdb0ee47e5aa186eb6cd62e633cba977160af396f094dbc49d323058cf84e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
392f9a32b2e4bd2c7da352742ef45171

SHA1
fe5b9db81e0db47973c95f2b7006c9ccfe824f4a

SHA256
9862b9d947be85187360414cae434f4c56efc3e04e16a81f338bc7d60f6c1900

SHA512
f22bb51fa5cfbd0e31e3a652fa759abe52ad66b790a8dace6f5b8b8194e855f2ab68aa14a8e107bbcf4b89c03c0b3c1fe2ae30df64d7433b9a11be343f385484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c2bde40b4395e86998b17d58f0f45026

SHA1
98010da69dcc308baaf0c916f41af28cb3a31b33

SHA256
67b34a051d9a4cabf5edace971249068ac55550763334fa9014b1c1838466022

SHA512
4b36558c0f9908145dd24d277c42e3c3ab1ef9db853a202d2dc62b39cd688df23aab754ca62b2ee3e77f400353d4c5d811e906efcf89b8ac82dcf1ba76f9e2fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
69b72d0a4a2f9cbec95b3201ca02ae2f

SHA1
fcc44ae63c9b0280a10408551a41843f8de72b21

SHA256
996c85ab362c1d17a2a6992e03fdc8a0c0372f81f8fad93970823519973c7b9c

SHA512
08d70d28f1e8d9e539a2c0fbac667a8447ea85ea7b08679139abbbbb1b6250d944468b128ed6b386782f41ca03020e3a82491acb1fe101b09635d606b1a298be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5e09c60c82ac54f65d61d933f4ab7984

SHA1
8985ef5668aad8329e417d30ec340b2a7ef36700

SHA256
18918a51e7cad45c70c3826179ccc95f3db1f91c766102096563b63939483576

SHA512
e5d466081c8e56ca4bc2c0400dc158f6c5ed17176b1c240b55b67175e38af68f306650880a7caa47722fd911d4773b43413fe5494efc9bcd5ff287079782df02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cd2ee270463b651648338b92be684c40

SHA1
33be388f8061f792a3dbd138945a85a37b67f833

SHA256
3793ebcd57846a9007e7fedf7359bf6ac67c5bee80700b5924c2be99c12d865c

SHA512
4dec58e97813b6ed0ca7441e1c97ae178e3f6bcf3806711940929adece8454304a448bd04d4fcdc79b442adb1c441d1be2046ba0c75ba112421d4a49922a23b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe575796.TMP

Filesize
2KB

MD5
21072456686eae8d5aa35a416390b19c

SHA1
f9c7f9b24e872a2ef01fe544ddcccbb819341561

SHA256
c04488f8539e5f17f9fccfead783a56d9210126ba593ff21b16997bb4efaa5e1

SHA512
1e2c072de438cef8b1ab577acab31d5e062c3476c4357c3e4aeaa57f27c89eeff9b27b7da47ca00b9e6082062ba303c2a0939ad1c643ce572141b05a0788fb31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
b29ca8377a86ab5e5e78effaf8740568

SHA1
15a515663b9defbaecbc371bdda22b84648c38da

SHA256
5fc9848cf946f016447b7b767b772f8a3d17e83f987e76b60154bbc71fa717d8

SHA512
1a96c7adad9f5aa745631f94b5910278567a9c90a6b932515a12330a88d8011ac8970ff1e2389393aa0a655f142dc4e476654fc908f5b38d43f2ab325fb4a287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a8efd389dbb11780e5e791442220e2ed

SHA1
a403c5e8b71738f3968192c36b14822010169ac8

SHA256
75131f7c4a475ced7d1053904beb2b832134f87aae6386afbcfa77151b587919

SHA512
6339b6876eb47332e9f0865921149ec0348db9f232337e3064a066e21e3bd31165d60178f37f9128b70aa30638619a3d2fa1e9a0a7dc9febfc2b543f96fa09af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5208ccf71c2ff6433f5aca914cc437ac

SHA1
cc3ec5e814cceaa0ab12f3599edf16a2fc6273bc

SHA256
b1f8ea7b4254f6e1819728b46999ab7c4dffd8224c6566fef40b2cb97112f2b5

SHA512
e40dcf2b2ae20882c8267f1b8a13007dc607372fba1247bbdd383b08e47be225f2ad289d980c2500b6c32e3f9552b0966f932af0967edbb27aa0987268706929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5208ccf71c2ff6433f5aca914cc437ac

SHA1
cc3ec5e814cceaa0ab12f3599edf16a2fc6273bc

SHA256
b1f8ea7b4254f6e1819728b46999ab7c4dffd8224c6566fef40b2cb97112f2b5

SHA512
e40dcf2b2ae20882c8267f1b8a13007dc607372fba1247bbdd383b08e47be225f2ad289d980c2500b6c32e3f9552b0966f932af0967edbb27aa0987268706929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
96080e0052f2a974714ea57246bf9b7d

SHA1
acd346407297f4544df454ab82316166f6d18405

SHA256
6425c9ece4835ae8ae9fd8ef4945a70209a61be51294ed33ca9903230f0fadd6

SHA512
9a9d02342209c01d2ac0e480c6b74cc1f52edf353d7821100a719c8ee6257256673542dcd0219feae4f0249dd061a0ea378731251980e22fe9e387e3d6a6d338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
5B

MD5
b5a265603b9e918a8b44b1dc94b0985c

SHA1
5d28d6495d1a9bc3615128d542c88317b9853e61

SHA256
7b4199a33b01c99b2675efc4dc57bf9ee1b5db10a43931337443386a0aae4374

SHA512
79aaab1cac57ed3b0bf79a6638b5285de1b0aefe9ce870eaa3be413f1ebd638b780bb1a25e3b9a89630ccc2582916037eaadc9d761c17ba79fefe1342521207f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7895CA0C\Uninst.exe

Filesize
15KB

MD5
b0cec9f342bf95700b602ee376446577

SHA1
b955b1b64280bb0ea873538029cf5ea44081501b

SHA256
24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088

SHA512
05ebecfc8d3e2e7885d3cacc65bfd97db710c2cbc0fb76b19b7d6cc82b327b25df953a20affc8d84002167dd8ac7710622279d3579c6605e742a98fe7095aa4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N8RSD.tmp\revosetup.tmp

Filesize
1.3MB

MD5
ccd36551de8189eb2847e54eabd8f871

SHA1
a77a1f09fcc3eefbc9b13ed98bf0dbb103efe940

SHA256
1e55c77218cb2363762407db483a47ff09614c9c8e9e0dd735067e1de321ebaf

SHA512
010a3f5ac281367baa5c946808408f91d840b18a0ce66f50e69ba0e758ec42852e880a9072ea10e4114956fa93eb9334dc1a2bbb6eaa5481c401871e98e2d535

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N8RSD.tmp\revosetup.tmp

Filesize
1.3MB

MD5
ccd36551de8189eb2847e54eabd8f871

SHA1
a77a1f09fcc3eefbc9b13ed98bf0dbb103efe940

SHA256
1e55c77218cb2363762407db483a47ff09614c9c8e9e0dd735067e1de321ebaf

SHA512
010a3f5ac281367baa5c946808408f91d840b18a0ce66f50e69ba0e758ec42852e880a9072ea10e4114956fa93eb9334dc1a2bbb6eaa5481c401871e98e2d535

Download Submit
C:\Users\Public\Desktop\Revo Uninstaller.lnk

Filesize
1KB

MD5
20bddb3a464e7bb6445007ed341e4e3f

SHA1
be47d239d53622d045955fa957b5842220c69b16

SHA256
c2bf7786764943c60102bbbdcc93bdbfd85e3a7a9426c4e02454e3f10871f9ac

SHA512
53c8180179bcf3246f0584f4117a67be466dc0473772dcad42d16dd17743b6ddc515c93123e9f100133e1217ace5c4092f68dd832bb8559c23bb7d0517fdd14c

Download Submit
memory/3484-143-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3484-136-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3484-270-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3692-189-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/3692-230-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3692-141-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3692-268-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download