Analysis
- max time kernel: 146s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 29-10-2024 12:35

Static task: static1

Behavioral task: behavioral1
- Sample: Revo Uninstaller Pro 3.1.8.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: Revo Uninstaller Pro 3.1.8.exe
- Resource: win10v2004-20241007-en

General
- Target: Revo Uninstaller Pro 3.1.8.exe
- Size: 11.0MB
- MD5: 77ee834405bfecc0df121ac3453e8fa8
- SHA1: 3fa8ac41e93ea2305c8460c6aab6ea35a841ceb4
- SHA256: b5092827faa342368419da2d7b4400a0c7c9409c7b55f578fa0219750770a9ed
- SHA512: 601331aaa32c3435d1a593427ae3e2a46082dff9c4d3a9880e1c93cf2f7ab504738dbfe6ca713732b912b36d4dae7bc808577cb40a969e55b135c37950026e2e
- SSDEEP: 196608:pw+KyuQ5hy4VkzLP4hIgB4N4eyidL7Eui+KDwOtvqMd4a2K5VfdjlS0LSr9:pjvlyF4hIVNJfL2wOtS5a2AVlj80LS5

Malware Config

Signatures
Drops file in Drivers directory (3 IoCs)
Processes: rundll32.exe
- File opened for modification: C:\Windows\system32\DRIVERS\SET6C89.tmp (rundll32.exe)
- File created: C:\Windows\system32\DRIVERS\SET6C89.tmp (rundll32.exe)
- File opened for modification: C:\Windows\system32\DRIVERS\revoflt.sys (rundll32.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: rundll32.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" (rundll32.exe)
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (57 IoCs)
Drops file in Windows directory (3 IoCs)
Processes: rundll32.exe, RevoUninPro.exe
- File opened for modification: C:\Windows\INF\setupapi.app.log (rundll32.exe)
- File opened for modification: C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe (RevoUninPro.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\DisplayIcon.ico (RevoUninPro.exe)
Executes dropped EXE (5 IoCs)
Processes: Revo Uninstaller Pro 3.1.8.tmp, ruplp.exe, RevoUninPro.exe
- PID 652: Revo Uninstaller Pro 3.1.8.tmp
- PID 2640: ruplp.exe
- PID 1528: RevoUninPro.exe
- PID 1560: RevoUninPro.exe
- PID 1716: ruplp.exe
Loads dropped DLL (15 IoCs)
Processes: Revo Uninstaller Pro 3.1.8.exe, Revo Uninstaller Pro 3.1.8.tmp, regsvr32.exe
- PID 1820: Revo Uninstaller Pro 3.1.8.exe
- PID 652: Revo Uninstaller Pro 3.1.8.tmp (4 occurrences)
- PID 1188 (4 occurrences)
- PID 2636: regsvr32.exe
- PID 652: Revo Uninstaller Pro 3.1.8.tmp (2 occurrences)
- PID 1188 (3 occurrences)
Modifies system executable filetype association (2 TTPs, 2 IoCs)
Processes: regsvr32.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" (regsvr32.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: IEXPLORE.EXE, Revo Uninstaller Pro 3.1.8.exe, Revo Uninstaller Pro 3.1.8.tmp, ruplp.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Revo Uninstaller Pro 3.1.8.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Revo Uninstaller Pro 3.1.8.tmp)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ruplp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ruplp.exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: runonce.exe
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (runonce.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (runonce.exe)
Modifies registry class (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: RevoUninPro.exe
- PID 1560: RevoUninPro.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: rundll32.exe
- Token: SeRestorePrivilege, PID 3036: rundll32.exe (7 occurrences)
Suspicious use of FindShellTrayWindow (15 IoCs)
Processes: Revo Uninstaller Pro 3.1.8.tmp, iexplore.exe, RevoUninPro.exe
- PID 652: Revo Uninstaller Pro 3.1.8.tmp
- PID 2432: iexplore.exe
- PID 1560: RevoUninPro.exe (13 occurrences)
Suspicious use of SendNotifyMessage (13 IoCs)
Processes: RevoUninPro.exe
- PID 1560: RevoUninPro.exe (13 occurrences)
Suspicious use of SetWindowsHookEx (21 IoCs)
Processes: RevoUninPro.exe, iexplore.exe, IEXPLORE.EXE
- PID 1528: RevoUninPro.exe (2 occurrences)
- PID 1560: RevoUninPro.exe (2 occurrences)
- PID 2432: iexplore.exe (2 occurrences)
- PID 756: IEXPLORE.EXE (2 occurrences)
- PID 1560: RevoUninPro.exe (13 occurrences)
Suspicious use of WriteProcessMemory (44 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 3.1.8.exe (PID 1820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 3.1.8.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\is-M1SOR.tmp\Revo Uninstaller Pro 3.1.8.tmp (PID 652)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-M1SOR.tmp\Revo Uninstaller Pro 3.1.8.tmp" /SL5="$6001E,10937662,200704,C:\Users\Admin\AppData\Local\Temp\Revo Uninstaller Pro 3.1.8.exe"
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\regsvr32.exe (PID 2636)
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Modifies registry class
    C:\Windows\system32\rundll32.exe (PID 3036)
      Command line: "rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
      - Drops file in Drivers directory
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\runonce.exe (PID 2040)
        Command line: "C:\Windows\system32\runonce.exe" -r
        - Checks processor information in registry
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\grpconv.exe (PID 2144)
          Command line: "C:\Windows\System32\grpconv.exe" -o
    C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe (PID 2640)
      Command line: "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
    C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe (PID 1528)
      Command line: "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe (PID 1560)
      Command line: "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
      - Drops file in Windows directory
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
    C:\Program Files\Internet Explorer\iexplore.exe (PID 2432)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.revouninstaller.com/proinstall_thankyou.html
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 756)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe (PID 1716)
  Command line: C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
Downloads