89d038c065e1e236a4c086f9485dbf1315114ed92eed19e64d2e3fe771688d9a

Analysis

max time kernel
62s
max time network
26s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RevoUninProSetup.exe
Size

16.9MB
MD5

b0f15df675ff3ff11fe6eac7a32e4409
SHA1

59178aed358362c8fb3905e66170ac924c803879
SHA256

89d038c065e1e236a4c086f9485dbf1315114ed92eed19e64d2e3fe771688d9a
SHA512

3f1d56d12948872632fe626e61533790852a54c892385c8d1cf8b6111a6ee4379bcc907958d6b8d82736476e2b9b9be6e53604c494227ae370d2496b84b48a47
SSDEEP

393216:4S2H6AdClOaamBv1XONf50LdeJ/mXjGyh+OLTvrGVJCmY0mB:RE6AdDwhc5IeNxyh+OPDGVJCmnmB

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\SET4F77.tmp	rundll32.exe
File created	C:\Windows\system32\DRIVERS\SET4F77.tmp	rundll32.exe
File opened for modification	C:\Windows\system32\DRIVERS\revoflt.sys	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ruplp.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation ruplp.exe
Executes dropped EXE 5 IoCs

Processes:

RevoUninProSetup.tmpruplp.exeRevoUninPro.exeRevoUninPro.exeruplp.exe

pid process

552 RevoUninProSetup.tmp
2416 ruplp.exe
812 RevoUninPro.exe
2200 RevoUninPro.exe
2536 ruplp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	ruplp.exe

Loads dropped DLL 13 IoCs

Processes:

RevoUninProSetup.exeRevoUninProSetup.tmpregsvr32.exe

pid	process
2104	RevoUninProSetup.exe
552	RevoUninProSetup.tmp
552	RevoUninProSetup.tmp
552	RevoUninProSetup.tmp
1196
1196
1196
1196
860	regsvr32.exe
552	RevoUninProSetup.tmp
1196
1196
1196

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RUExt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

RevoUninPro.exe

description ioc process

File opened (read-only) \??\D: RevoUninPro.exe
File opened (read-only) \??\F: RevoUninPro.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

description	ioc	process
File opened (read-only)	\??\D:	RevoUninPro.exe
File opened (read-only)	\??\F:	RevoUninPro.exe

Drops file in Program Files directory 62 IoCs

Processes:

RevoUninProSetup.tmpRevoUninPro.exe

description	ioc	process
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CDFHL.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-51JS4.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-E8CEH.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-722UD.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-RIUK2.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-2IEPN.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-IN8RE.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-B000V.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-TSQ57.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-Q0TJI.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-HGR2S.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-ULSDE.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-2AVAO.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-I0TDC.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-0UJ87.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.msg	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-E1V3K.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-HQM2N.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-CL38D.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-5VCP1.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8PH6I.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-5VBR2.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-ELO1K.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-TVGFA.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-2EMU3.tmp	RevoUninProSetup.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-0RUEU.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-ALOL6.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-10SK8.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-0D8Q1.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-E91F5.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-1NUOJ.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-8C0A9.tmp	RevoUninProSetup.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\rupilogs.rupldb	RevoUninPro.exe
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-GOSMU.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-4MP5A.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-MGP0J.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-746QU.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-JF8I5.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-2A82D.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-A7O7E.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-50Q67.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-A9H0J.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-2HKVV.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-S4H41.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-AEBSG.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-RVB4L.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-PIQHH.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-H4OM3.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P0OU3.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-5PBQQ.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-5BV6M.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-109VL.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-AQSCS.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-H8H03.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-0I6GN.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CJVOP.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-IGGP0.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-LUKE9.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-GKVM1.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-HERRV.tmp	RevoUninProSetup.tmp

Drops file in Windows directory 3 IoCs

Processes:

RevoUninPro.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	RevoUninPro.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\DisplayIcon.ico	RevoUninPro.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2756 taskkill.exe

pid	process
2756	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A7728131-19F2-11EF-BC57-569FD5A164C1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

ruplp.exeRevoUninProSetup.tmpregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID\ = "LicProtector.LicProtectorEXE510"	ruplp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ = "Revo Uninstaller Pro"	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}	RevoUninProSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\RevoUninstallerPro.ruel\shell	RevoUninProSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\RevoUninstallerPro.ruel\shell\open\command	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32\ = "C:\\PROGRA~1\\VSREVO~1\\REVOUN~1\\ruplp.exe"	ruplp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder	RevoUninProSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\RevoUninstallerPro.ruel\DefaultIcon	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe /implog \"%1\""	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}\ = "RUExt"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\Version = "5.1"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\InfoTip = "Uninstall, Remove Programs, Clear Web Browsers Tracks, Control Automatically Started Applications"	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ruel\ = "RevoUninstallerPro.ruel"	RevoUninProSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\RevoUninstallerPro.ruel	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RUExt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR	ruplp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\{305CA226-D286-468e-B848-2B2E8E697B74} 2 = "8"	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.ruel	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\ = "RUShellExt Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\FLAGS\ = "0"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}"	ruplp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\ = "LicProtector Library"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid\ = "{DD72B942-27D2-4A3C-9353-FA0441FBABA0}"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID	ruplp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\RevoUninstallerPro.ruel\shell\open	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\shell\open\command	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ = "LicProtector Object"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0"	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0"	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}	ruplp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\DefaultIcon	RevoUninProSetup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RevoUninPro.exe

pid process

2200 RevoUninPro.exe
2200 RevoUninPro.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

taskkill.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeRestorePrivilege	1764	rundll32.exe
Token: SeRestorePrivilege	1764	rundll32.exe
Token: SeRestorePrivilege	1764	rundll32.exe
Token: SeRestorePrivilege	1764	rundll32.exe
Token: SeRestorePrivilege	1764	rundll32.exe
Token: SeRestorePrivilege	1764	rundll32.exe
Token: SeRestorePrivilege	1764	rundll32.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

RevoUninProSetup.tmpiexplore.exeRevoUninPro.exe

pid	process
552	RevoUninProSetup.tmp
884	iexplore.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

RevoUninPro.exe

pid	process
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

RevoUninPro.exeRevoUninPro.exeiexplore.exeIEXPLORE.EXE

pid	process
812	RevoUninPro.exe
812	RevoUninPro.exe
2200	RevoUninPro.exe
884	iexplore.exe
884	iexplore.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe
2200	RevoUninPro.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

RevoUninProSetup.exeRevoUninProSetup.tmprundll32.exerunonce.exeiexplore.exe

description	pid	process	target process
PID 2104 wrote to memory of 552	2104	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2104 wrote to memory of 552	2104	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2104 wrote to memory of 552	2104	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2104 wrote to memory of 552	2104	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2104 wrote to memory of 552	2104	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2104 wrote to memory of 552	2104	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 2104 wrote to memory of 552	2104	RevoUninProSetup.exe	RevoUninProSetup.tmp
PID 552 wrote to memory of 2756	552	RevoUninProSetup.tmp	taskkill.exe
PID 552 wrote to memory of 2756	552	RevoUninProSetup.tmp	taskkill.exe
PID 552 wrote to memory of 2756	552	RevoUninProSetup.tmp	taskkill.exe
PID 552 wrote to memory of 2756	552	RevoUninProSetup.tmp	taskkill.exe
PID 552 wrote to memory of 860	552	RevoUninProSetup.tmp	regsvr32.exe
PID 552 wrote to memory of 860	552	RevoUninProSetup.tmp	regsvr32.exe
PID 552 wrote to memory of 860	552	RevoUninProSetup.tmp	regsvr32.exe
PID 552 wrote to memory of 860	552	RevoUninProSetup.tmp	regsvr32.exe
PID 552 wrote to memory of 860	552	RevoUninProSetup.tmp	regsvr32.exe
PID 552 wrote to memory of 860	552	RevoUninProSetup.tmp	regsvr32.exe
PID 552 wrote to memory of 860	552	RevoUninProSetup.tmp	regsvr32.exe
PID 552 wrote to memory of 1764	552	RevoUninProSetup.tmp	rundll32.exe
PID 552 wrote to memory of 1764	552	RevoUninProSetup.tmp	rundll32.exe
PID 552 wrote to memory of 1764	552	RevoUninProSetup.tmp	rundll32.exe
PID 552 wrote to memory of 1764	552	RevoUninProSetup.tmp	rundll32.exe
PID 1764 wrote to memory of 1652	1764	rundll32.exe	runonce.exe
PID 1764 wrote to memory of 1652	1764	rundll32.exe	runonce.exe
PID 1764 wrote to memory of 1652	1764	rundll32.exe	runonce.exe
PID 1652 wrote to memory of 488	1652	runonce.exe	grpconv.exe
PID 1652 wrote to memory of 488	1652	runonce.exe	grpconv.exe
PID 1652 wrote to memory of 488	1652	runonce.exe	grpconv.exe
PID 552 wrote to memory of 2416	552	RevoUninProSetup.tmp	ruplp.exe
PID 552 wrote to memory of 2416	552	RevoUninProSetup.tmp	ruplp.exe
PID 552 wrote to memory of 2416	552	RevoUninProSetup.tmp	ruplp.exe
PID 552 wrote to memory of 2416	552	RevoUninProSetup.tmp	ruplp.exe
PID 552 wrote to memory of 812	552	RevoUninProSetup.tmp	RevoUninPro.exe
PID 552 wrote to memory of 812	552	RevoUninProSetup.tmp	RevoUninPro.exe
PID 552 wrote to memory of 812	552	RevoUninProSetup.tmp	RevoUninPro.exe
PID 552 wrote to memory of 812	552	RevoUninProSetup.tmp	RevoUninPro.exe
PID 552 wrote to memory of 2200	552	RevoUninProSetup.tmp	RevoUninPro.exe
PID 552 wrote to memory of 2200	552	RevoUninProSetup.tmp	RevoUninPro.exe
PID 552 wrote to memory of 2200	552	RevoUninProSetup.tmp	RevoUninPro.exe
PID 552 wrote to memory of 2200	552	RevoUninProSetup.tmp	RevoUninPro.exe
PID 552 wrote to memory of 884	552	RevoUninProSetup.tmp	iexplore.exe
PID 552 wrote to memory of 884	552	RevoUninProSetup.tmp	iexplore.exe
PID 552 wrote to memory of 884	552	RevoUninProSetup.tmp	iexplore.exe
PID 552 wrote to memory of 884	552	RevoUninProSetup.tmp	iexplore.exe
PID 884 wrote to memory of 1944	884	iexplore.exe	IEXPLORE.EXE
PID 884 wrote to memory of 1944	884	iexplore.exe	IEXPLORE.EXE
PID 884 wrote to memory of 1944	884	iexplore.exe	IEXPLORE.EXE
PID 884 wrote to memory of 1944	884	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RevoUninProSetup.exe
"C:\Users\Admin\AppData\Local\Temp\RevoUninProSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\is-1GTJD.tmp\RevoUninProSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1GTJD.tmp\RevoUninProSetup.tmp" /SL5="$400F8,17135947,196608,C:\Users\Admin\AppData\Local\Temp\RevoUninProSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im ruplp.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
3⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:860

C:\Windows\system32\rundll32.exe
"rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
3⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
5⤵
PID:488

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
3⤵
- Executes dropped EXE
- Modifies registry class
PID:2416

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:812

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.revouninstaller.com/pro-install-thankyou/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1944

C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe
C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\VSREVO~1\REVOUN~1\revoflt.sys
Filesize
46KB

MD5
0006295c6c5f7fad92484785b9c8fac6

SHA1
7e50c90a91b92f943e951c1cd8809fe12fc75cc0

SHA256
4ba2879f2b82978110e4b3940ebfeb2ca2399660b0627998c6fea0bf33603b62

SHA512
37f02befaf3b988676af4e556cba142dfef78fd771d4c68f7744e92e789a5c1fd72afe2bb38e297e190f962a6ccf58c161f80bec2a7aacaf024256f25eb7bf03

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll
Filesize
187KB

MD5
8b9964e06195fd375d126b424e236f03

SHA1
6f1741cfeb9fb70c34857dbba3e063c88c3c32fa

SHA256
bda04b693bfdea86a7a3b47f2e4ceae9cd9475c4e81b0aa73b70fd244a65f70f

SHA512
741019523b4c5f4ef9a7952172309b2d304a84cbd98fff99a719105cc1938157edb1691554a21b9dcd2b523c0f1ab0d37879deefc3b2fa5579c0d8c76cade483

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\english.ini
Filesize
122KB

MD5
568164d9ea62cae83ede626832d51331

SHA1
4cfca32417534738891a154b872147d1bbe3ce7b

SHA256
e82261578d254a099a59fa8e13b5ae99e672b8a10946a253a1f18886cfc89e5a

SHA512
5786acedea4be6e39b43c336374ac2bdc5807c69a99c8bb8752edf3bcc78d33b308b2b373d6c1c842af0b47523ac0c291e2c5f3d7b3591ee872ac96e62cd10fb

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
Filesize
2KB

MD5
edc78deb34de240c787b1011161e9a4e

SHA1
2d31275530dce33d3bc329991c8ad59e1b303577

SHA256
69569b4b111035cd35186da239d8241cf96350f6bb296210368ebc570fa2162b

SHA512
e55eefcc39b7353ef11a778910400c5c85cab9657bb350840988cbbf556dc343a9c1803442643c9255c149f8d93a5c2d2e6c3bea244f67c895e635eaec0a0f7b

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\rupilogs.rupldb
Filesize
18.8MB

MD5
e821132dbece4d288d3b1b3b68373b3a

SHA1
dac86f72e5c2aaeb5efdfea06bf9c5def980c74e

SHA256
e786fa86db21a4ffe8f78ebf032715390c05d1edbdb6c90fef75e0ed3d946cd3

SHA512
4701788f4a91f76f3a63843935df5a8f80535d85ff0f760af86c21601d73b40f8c4d00a883dc64e50482c201bb7d4f3867a038223593227ac79aa14520f2068e

Download Submit
C:\ProgramData\VS Revo Group\Revo Uninstaller Pro\revouninstallerpro5.lic
Filesize
62KB

MD5
5722432d7d07af9546bd015b5b891545

SHA1
21178dd652e6a719878bb168b6c630aa6bbdb444

SHA256
8203717a32696a2c505d7ad6a6b1c835c2ea5b4fd486fb584d9d151241d39936

SHA512
2e9faa6a8ec8a53e1f47b0a2641e5b0387c19986595b8fd2aa42430ce0da18a6c5814d5fcb4ea7f524afc26911f9a2f884d1ca75c90eb302554035f131ff5eb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8a6618e0e85ae99c5781dc1138bf487a

SHA1
e46fd268ab6b8067d765984726dc9b2fc2178465

SHA256
78997278bff101684882f84dfee4a5e363ae92bd27a706b30de84c074dbcaa8d

SHA512
2cd1f76a7a07fe2921f8ae7526d96f483ace517d023253e5f3f507e004991f11380c206cf46dfb20f7d4cf8350ea03fd8c6d153996e4f672836a14687b9bfc97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2fef5ac2838d29a63aa585c11fe9f496

SHA1
c77f137fddba6bce9d93930596445c534c12a024

SHA256
8e2bc130407e34eaabd642acd024be9208a0ccd90662d0e36c3de47b7534a6c5

SHA512
dcd303b1b6a3f291c8828aa17180a4c19f46e09e17ad4e0bc84f258dc36c67fded9153357e2e24b2a3ae3c5666ec3ec871db48ee6fe1ac37f74518681d845fcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a85c3cb37f95960d5d1437ca829ef41d

SHA1
7dd30377b9559990de7ca3c272fb2e284887f1c7

SHA256
663ed4c20c3c3ec5bf1858a36fffe0dc946a239265cc2f6a92b041790435ff45

SHA512
3db5fa82c0559779ecf89c4c952b987b88064405f46032619c416db5fba2586b2705dd350c30adb151e0ea6dfc6ce0e44b904f7135918edc8d409145e46a9b3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a2d53686c21a9b5227b61ebabd4406b2

SHA1
764be96513da67cc3102ab552a002e5182cb7e86

SHA256
b5803e572de47808a7d58f44ca86b6a241636b927a29fce5a3559bbac43b843e

SHA512
38832bcfa8ac2ba6f0b5caeb105758c8f4f06a8bc205ecfac2549ac22ee548c0bc2d24efdd680793c335f52bf7f0bfe289bb745afd015ade2495a02fbddf22ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8310afedc21d3e895e01b6c52a704947

SHA1
a24d2df9e7cc82e62e0ef8fa2fb452e76e3f9d58

SHA256
97d656d8550b4a2014f8b5cfb069c332378b8a0c573860d603c14eb438b5b5e1

SHA512
8ca9564ad69a0c208ce7aa9a7049c0a5a795cf800eb2d972d4981a93e56427665846fcb8f1918605b9e5865dde283aae4a3c3d0f33f215cbd4c37effa4915b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7966.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7DCB.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7DF0.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\VS Revo Group\Revo Uninstaller Pro\RUPBackUpData.ini
Filesize
166B

MD5
37f82bce620363376891d5e279fee17a

SHA1
d3ba83da02621bba0c6a265ba92d174c009d73aa

SHA256
9269ab912708edfed0a1a67585e355e5f01e461d34704d221c1b85c4fedf76ef

SHA512
0d99bc3c3ded414310db71fc7d4bb986e77f15286a62b1fb2d8d758f15dc808ae97a25cb147293d069f3b58ca18ef33bc031ca5f0f74494752ec652f7272a91c

Download Submit
C:\Users\Admin\AppData\Local\VS Revo Group\Revo Uninstaller Pro\data\cachedata.dat
Filesize
46KB

MD5
eea9e266b6498bc9f686d436a031e7ed

SHA1
e9d1077f63ef24bb2b1a03003ddb0db967a784d7

SHA256
fcd7b58ce5869b03c4845c3032a7604e448b29c966c46a38f9995ab9ba5a87db

SHA512
d4b6479e684b8f2b7073d2beb23f4fad306d223bc4c6729f83d35b947ad20922e5704fdf7e27ee2b58ba9e457eec0f4127af2e6ffcdddf5fddef492e25791034

Download Submit
C:\Users\Admin\AppData\Local\VS Revo Group\Revo Uninstaller Pro\logFile.vslog
Filesize
322B

MD5
1be62b53c8efc770ed740c3f6e3cd4f6

SHA1
63637f5859589ca192ccce1d8ad05d7c2dd8648c

SHA256
36883505afd9a0ec1775ee62dc7c61b50f8f50bcb944f21ea925cddc1702c4bb

SHA512
a3ea124f3e4cb71da2aaaf25b1ad2d613ad3b866024c0f9e22918c993e1a080f875a870c0506c9e603e4a296ab9f8289380ac73b691a15bb8590ab3ef58ef5f4

Download Submit
\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
Filesize
24.1MB

MD5
5e2ff2230576765b06cc78525550b194

SHA1
1d0771dc3742e74f843832cd590499b5179b2b1f

SHA256
a61edc55db452493ac9cfce242a5fefba2229b75b2934277021f9fe4b9489527

SHA512
694a293c3b68dd8d220e65d4ad038caa20a198c26ab6c3d02e44d5485339b65f4dfdf23f89df517be81b5a2491e7c2f2f544d7a7cc480eae01330623fdbad418

Download Submit
\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
Filesize
9.6MB

MD5
216b49b7eb7be44d7ed7367f3725285f

SHA1
cf0776ecbc163c738fd43767bedcc2a67acef423

SHA256
c6d97857b3b9f26c8e93d7b6e6481f93a16db75cbf9d1756cb29fba0fd9e240e

SHA512
060fb76d91bee1b421f133cae17726a68adc97ddce76a67196d10e735e216d032bee939c905b847c50f29e859dca43cdf1b19e4ae349e00efe88147224d665cb

Download Submit
\Users\Admin\AppData\Local\Temp\is-1GTJD.tmp\RevoUninProSetup.tmp
Filesize
1.2MB

MD5
5d46b017331b5c6acd69f35213277f2f

SHA1
8992114b0cb8d354376a956660f95f88bf7165e6

SHA256
800c00e3605ec37454d98aaa1732074b97dac39bc9d59a820f296223e8efc773

SHA512
4465609922a75f0e6206ccea0ddb974830f043fbffbfc4fd966817c133a1e398915ef3b014b2608e2378ffe62390a1cdb562d82817c8f746649cdbaa6a176cec

Download Submit
memory/552-171-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/552-8-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/552-177-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/2104-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2104-170-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2104-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2104-178-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2416-165-0x0000000000400000-0x0000000000E32000-memory.dmp

Filesize
10.2MB

Download
memory/2536-199-0x0000000000400000-0x0000000000E32000-memory.dmp

Filesize
10.2MB

Download

pid	process
552	RevoUninProSetup.tmp
2416	ruplp.exe
812	RevoUninPro.exe
2200	RevoUninPro.exe
2536	ruplp.exe