d6d51e144c72adbcf595cbba251001059980cb576f22530e45c53d9f5a0a4dfb

Analysis

max time kernel
63s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2023 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

revosetup.exe
Size

6.6MB
MD5

e3574fa758b4bfc212fb9020dc882935
SHA1

2dccacd9037a88082214638440d4ccdf2a894990
SHA256

d6d51e144c72adbcf595cbba251001059980cb576f22530e45c53d9f5a0a4dfb
SHA512

d57e1f7d5247549f04cfd3cdfcd661be9d70c92a7f72d0b0c5a46ccec4ee98d93520eb4aa8a41561a03309b77ccdc7d4796940cc29eb612c521c1e3287f29ee9
SSDEEP

196608:Hdja9oHCYgyaUqjPCsqEc83U3pl6H5DUyXq:9ja9oHCPUqjbk3pYfa

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

revosetup.tmpRevoUnin.exe

pid process

2052 revosetup.tmp
660 RevoUnin.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 53 IoCs

Processes:

revosetup.tmp

description	ioc	process
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-IN7QH.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.msg	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-Q11FM.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-ORIV7.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\is-NDMNR.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-RU7HL.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-F1CIB.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-EPBC4.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-R57DR.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-IQ7F6.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-3HK5R.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-1HD3P.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.dat	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-H6H5U.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-95VT5.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-TRCJ2.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-FV24D.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\is-C0DQ8.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-TM3V2.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-OJ3KR.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-MU3R8.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-JAU2T.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-DI8VS.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\is-GBK6P.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-ASFLK.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-C87JL.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-1G85U.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-EG7RJ.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-3DQLI.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-DK1B7.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\is-I5CRF.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-0COEP.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-I5SSP.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-QOCDG.tmp	revosetup.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.dat	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-E0UCN.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-7JFIE.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-ED4Q6.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-ELQK3.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-FOFC8.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-IN4RG.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-4KFD5.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-NVM37.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-S8K1J.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-17S15.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-D7M9G.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-9UVL1.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-CQ80R.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-ROANB.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-UBFJN.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-RAMDN.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-58M3N.tmp	revosetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-46GKQ.tmp	revosetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

4664 msedge.exe
4664 msedge.exe
4424 msedge.exe
4424 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

4424 msedge.exe
4424 msedge.exe
4424 msedge.exe
4424 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 3440 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3440 AUDIODG.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
4664	msedge.exe
4664	msedge.exe
4424	msedge.exe
4424	msedge.exe

pid	process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

description	pid	process
Token: 33	3440	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3440	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

revosetup.tmpRevoUnin.exemsedge.exe

pid	process
2052	revosetup.tmp
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
660	RevoUnin.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

RevoUnin.exe

pid process

660 RevoUnin.exe
660 RevoUnin.exe
660 RevoUnin.exe
660 RevoUnin.exe
660 RevoUnin.exe
660 RevoUnin.exe
660 RevoUnin.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

RevoUnin.exe

pid	process
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe
660	RevoUnin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

revosetup.exerevosetup.tmpmsedge.exe

description	pid	process	target process
PID 4648 wrote to memory of 2052	4648	revosetup.exe	revosetup.tmp
PID 4648 wrote to memory of 2052	4648	revosetup.exe	revosetup.tmp
PID 4648 wrote to memory of 2052	4648	revosetup.exe	revosetup.tmp
PID 2052 wrote to memory of 660	2052	revosetup.tmp	RevoUnin.exe
PID 2052 wrote to memory of 660	2052	revosetup.tmp	RevoUnin.exe
PID 2052 wrote to memory of 4424	2052	revosetup.tmp	msedge.exe
PID 2052 wrote to memory of 4424	2052	revosetup.tmp	msedge.exe
PID 4424 wrote to memory of 1752	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 1752	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 2880	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4664	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4664	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3268	4424	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\revosetup.exe
"C:\Users\Admin\AppData\Local\Temp\revosetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\is-28SLL.tmp\revosetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-28SLL.tmp\revosetup.tmp" /SL5="$A017E,6354921,266240,C:\Users\Admin\AppData\Local\Temp\revosetup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2052

C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe
"C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.revouninstaller.com/free-install-thankyou/
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc9ca146f8,0x7ffc9ca14708,0x7ffc9ca14718
4⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12083303045570742002,12099721715747148889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
4⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12083303045570742002,12099721715747148889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12083303045570742002,12099721715747148889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
4⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12083303045570742002,12099721715747148889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
4⤵
PID:744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12083303045570742002,12099721715747148889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
4⤵
PID:1256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12083303045570742002,12099721715747148889,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
4⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12083303045570742002,12099721715747148889,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
4⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,12083303045570742002,12099721715747148889,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5128 /prefetch:8
4⤵
PID:940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3256

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x344
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe

Filesize
14.4MB

MD5
f9f58ecd1b97484c404fee66c2181a19

SHA1
7f215b968659f85e2a63c473666eb00133efce7e

SHA256
d44ef88619115183724e879883f883af5f8a15070647752c840a0eb4227c8c31

SHA512
fb6b0b277625d01a715d37c8d097a987e80a68971dcd176dd19d395ebfb8f1b7dade04b25be147b0f39dd22c6097e4e840aa2d04f4a86ef77f14db249091f129

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe

Filesize
14.4MB

MD5
f9f58ecd1b97484c404fee66c2181a19

SHA1
7f215b968659f85e2a63c473666eb00133efce7e

SHA256
d44ef88619115183724e879883f883af5f8a15070647752c840a0eb4227c8c31

SHA512
fb6b0b277625d01a715d37c8d097a987e80a68971dcd176dd19d395ebfb8f1b7dade04b25be147b0f39dd22c6097e4e840aa2d04f4a86ef77f14db249091f129

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe

Filesize
14.4MB

MD5
f9f58ecd1b97484c404fee66c2181a19

SHA1
7f215b968659f85e2a63c473666eb00133efce7e

SHA256
d44ef88619115183724e879883f883af5f8a15070647752c840a0eb4227c8c31

SHA512
fb6b0b277625d01a715d37c8d097a987e80a68971dcd176dd19d395ebfb8f1b7dade04b25be147b0f39dd22c6097e4e840aa2d04f4a86ef77f14db249091f129

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller\lang\english.ini

Filesize
102KB

MD5
e6903d59a51caf13d6ec1a49275c9694

SHA1
cf200c3066c92685c1e3b3517d73fe2c6827b116

SHA256
c3c6ead6650e8bb3f3fefb473cbb8af8a1439b91f59b416c16f28969f2d0e8ad

SHA512
e1fe84d7ae6a90f4970c23f0d676cd80c27de73d8c4bf72bbc4f385cc56a27d99c999d5c6a69b96b51cc23ef62f39e4d2985268594eb542146af0729200334e5

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.exe

Filesize
1.3MB

MD5
0b68da15e95e3e76e0bf6058d153317e

SHA1
e560c04d14c3c387cbf45d77a9205131e60776a9

SHA256
ff41b93bfc3c910bbc7bb7d925debd4c680cbb87bbbca2f628d6d793bbbd5be2

SHA512
0b7d73375de6ccd4a6ecef7aecc5a52245f565b565f6c1e525522c9b8bf59219d014d9113b46db72d506350e9af0c588ad51bb73eeecdaaded24791676e2a933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5a10efe23009825eadc90c37a38d9401

SHA1
fd98f2ca011408d4b43ed4dfd5b6906fbc7b87c0

SHA256
05e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5

SHA512
89416a3f5bf50cd4a432ac72cd0a7fb79d5aeb10bdcc468c55bbfa79b9f43fab17141305d44cb1fe980ec76cc6575c27e2bcfcbad5ccd886d45b9de03fb9d6d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1a3c45dc07f766430f7feaa3000fb18

SHA1
698a0485bcf0ab2a9283d4ebd31ade980b0661d1

SHA256
adaba08026551b1b8f6c120143686da79f916d02adbef4a8d1c184e32a19fd48

SHA512
9fc93f01ab4b14f555791d757ffe881787cc697102547c61847552e597e206e70c6d35fedff559c72a0a67d1b95e769095ecb0a8a7d4f07cf58a7a0d57d3e9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
92e30524edccdbb3dc688b92b865256d

SHA1
da8cef5909a9b8f87ea494993a0e4a33a6827718

SHA256
c2ab3495c3b8f33c670e1536819cc6ba547a838b4b8d85725bc0107ac833679e

SHA512
b9176b6021ef59a55a07b8bec3b41c9fab96d44ecb8ce1e83aab2095a3ddebc20362ca39a9b34cb93fa991c225c546d6f922c062d0bd399bac05447217dfab34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
398f9ed2167283ab4789d8e6a312dff3

SHA1
fe862d342763278c929020fabf2bdbea3efbe48d

SHA256
71acbc576752bb81d4584d673367e5bc4d802276eb9e291a9a130f964e463fb8

SHA512
1e7b6504593ca4e490b465d4a6194f06dc46b07045e159a8e01ddfa4e9468aac3df85cdbff17b19a9e9c047e9048e05bdea44d6b0a1bea0fa71b40969e0206a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
87108bd537a7574a15050269a3524c6a

SHA1
8d64552df9bad482d07b91c8851c8e377704d27f

SHA256
4ffa17d804048ce81e6e4764e31b3bcd6ca4b9642efe309388e64c23b3b195f0

SHA512
b626f50a2eac0de768a8b6a77eb51592ab0c9e43809a626a11b1d24b03e21e0e6c72f814bcee122a5586e5e4987cdf9196d0297d74b8c349ee1e48e6f4f7d0f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a8740747b6aace86446eb772a5bdf8b9

SHA1
4417461b71872e29271d6798f40c4019e6fb49b3

SHA256
3b8cf6eee4d0a547f5db5be9e6f57aa2c36aeb40d1861ce743247fb250635c7f

SHA512
4d40f93b320e6447955f563d3000b7366cdbb550c3f984d9755aae6d833d7c7e1cbebdce132f277ee6de6fa3917e31559ebba45f66da2ce3fa9f5e70e7d8590e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
7da0d563f64e089fbbf98f256045daa0

SHA1
477106b5a3c7586643178f975620ba9ddb143cc3

SHA256
36b4f2c3a14383a76ff64dc08435aa613aa6363ede377eaf2966eee38e204108

SHA512
e2cb4c7f111417fd7aa619ceb69cadef9a58f3032ce758c78e0555ffc3da53e243849aecc4c15af1b9fe02048654bb32639c5e6478032ad54819d8d97bd9a6b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
92e3932581a9d287762ce43cb83318b3

SHA1
d0ddf5455e3bc7fd533bff3b610e15a46ef43018

SHA256
14712a511f38bb99a94d5a9040069c455894b9f2e54e52a61914a0c4cf8a4b9c

SHA512
d4e13938353b2e18db877ca512f884cfed36c7b501823b4534aebeb6a8f7b26d05cd30e690496ee6f87559854dde17abdbf4b0a01c47dae815cbe8cdc3523cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5edab6d3ffbeee247ccb4423f929a323

SHA1
a4ad201d149d59392a2a3163bd86ee900e20f3d9

SHA256
460cddb95ea1d9bc8d95d295dd051b49a1436437a91ddec5f131235b2d516933

SHA512
263fa99f03ea1ef381ca19f10fbe0362c1f9c129502dc6b730b076cafcf34b40a70ee8a0ee9446ec9c89c3a2d9855450609ec0f8cf9d0a1b2aebdd12be58d38c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
41025ade3831550de438041b3660dd94

SHA1
b4ac51862c715151280f0f374f6010188b1cd5f7

SHA256
75b33a5790bf5207c8c095e6b80a1ce59ecc0f00fef12c9aff985216be6acec2

SHA512
07581fad7bb05799aa66142d8a9fa9d4ed9fe62fce010c9967fae0a705910e6a4a1c8491e2baaf8a422e2ea7887f38c9ecc8ede0d3898c0f019af377c13e0563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
7813253d54e8e1a8fcb21730431f0ee1

SHA1
afafbd548b1f172a6d9992a6db2edb7ef0bf684e

SHA256
e030bb1e2d5a42b4923022daf2ea6de0c8b095d1a49f3a4129aa2170f4bc06f8

SHA512
8fff9dfdcc696b985ba755abd98e7379623df6c5caf5ee2b898e381aece77ca50c27e9e2084ace59d2115924a53eb97646a9fdcd18c8a11924d2b3bb1dc870b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-28SLL.tmp\revosetup.tmp

Filesize
1.3MB

MD5
0b68da15e95e3e76e0bf6058d153317e

SHA1
e560c04d14c3c387cbf45d77a9205131e60776a9

SHA256
ff41b93bfc3c910bbc7bb7d925debd4c680cbb87bbbca2f628d6d793bbbd5be2

SHA512
0b7d73375de6ccd4a6ecef7aecc5a52245f565b565f6c1e525522c9b8bf59219d014d9113b46db72d506350e9af0c588ad51bb73eeecdaaded24791676e2a933

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-28SLL.tmp\revosetup.tmp

Filesize
1.3MB

MD5
0b68da15e95e3e76e0bf6058d153317e

SHA1
e560c04d14c3c387cbf45d77a9205131e60776a9

SHA256
ff41b93bfc3c910bbc7bb7d925debd4c680cbb87bbbca2f628d6d793bbbd5be2

SHA512
0b7d73375de6ccd4a6ecef7aecc5a52245f565b565f6c1e525522c9b8bf59219d014d9113b46db72d506350e9af0c588ad51bb73eeecdaaded24791676e2a933

Download Submit
memory/2052-269-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2052-265-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2052-144-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2052-142-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2052-141-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2052-138-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4648-270-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4648-133-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4648-140-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download