lumma | hxxps://drive[.]usercontent[.]google[.]com/download?id=1GKDJfJAlGmLAPVZKtqjldwXWvMrIew1v&export=download&authuser=0

Analysis

max time kernel
237s
max time network
241s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.usercontent.google.com/download?id=1GKDJfJAlGmLAPVZKtqjldwXWvMrIew1v&export=download&authuser=0

Score

10^/10

lumma discovery execution persistence phishing privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4760	powershell.exe
2884	powershell.exe
1340	powershell.exe
5732	powershell.exe
5480	powershell.exe
5580	powershell.exe
2688	powershell.exe
5824	powershell.exe
5432	powershell.exe
5508	powershell.exe
6024	powershell.exe
4708	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETAADC.tmp	rundll32.exe
File created	C:\Windows\system32\DRIVERS\SETAADC.tmp	rundll32.exe
File opened for modification	C:\Windows\system32\DRIVERS\revoflt.sys	rundll32.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	RevoUninProSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	RevoUninProSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	RevoUninProSetup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ruplp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	RevoUninProSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	RevoUninProSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	RevoUninProSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	RevoUninProSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ruplp.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 20 IoCs

pid	Process
4680	RevoUninProSetup.exe
3412	RevoUninProSetup.exe
5020	RevoUninProSetup.exe
5160	RevoUninProSetup.exe
5344	RevoUninProSetup.exe
6000	RevoUninProSetup.exe
2628	nvtiskfjthawsd.exe
5636	nvtiskfjthawsd.exe
2284	nvtiskfjthawsd.exe
4740	nvtiskfjthawsd.exe
5668	nvtiskfjthawsd.exe
5920	nvtiskfjthawsd.exe
5192	RevoUninProSetup.exe
5684	RevoUninProSetup.tmp
4980	ruplp.exe
5400	RevoUninPro.exe
5292	RevoUninPro.exe
6032	ruplp.exe
3248	RevoUninPro.exe
5424	ruplp.exe

Loads dropped DLL 2 IoCs

pid	Process
5848	regsvr32.exe
3512	Process not Found

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
108	raw.githubusercontent.com
113	raw.githubusercontent.com
118	raw.githubusercontent.com
58	raw.githubusercontent.com
59	raw.githubusercontent.com
87	raw.githubusercontent.com
107	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2628	nvtiskfjthawsd.exe
5636	nvtiskfjthawsd.exe
5636	nvtiskfjthawsd.exe
2284	nvtiskfjthawsd.exe
2284	nvtiskfjthawsd.exe
4740	nvtiskfjthawsd.exe
5668	nvtiskfjthawsd.exe
5920	nvtiskfjthawsd.exe

Drops file in Program Files directory 61 IoCs

description	ioc	Process
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-SITDE.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-LH4VS.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-L00GA.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-MT44R.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-DTBEM.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-6KE8L.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-N1T0A.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1BVDQ.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-77DQ2.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-30KTV.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-4IDFT.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-HQDJ4.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-I38O4.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-T4CJJ.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-F4H7T.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-4G3EC.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-PPMMK.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-BPA0I.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7O7D3.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-LGSO7.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-H93EU.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-JVVD6.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-I0KVR.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-5OIFD.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-05FNM.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CAB7O.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-NL6FP.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-Q6BJV.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-58KKC.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-4RSO9.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-D3CKA.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-24HCM.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SGV8R.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-PAJA2.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-6ST9E.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-HVJ59.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-AV2U9.tmp	RevoUninProSetup.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-N2BOG.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8808O.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1B0EJ.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-QRQB4.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-JINNG.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-E9VO0.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-6Q0EB.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-D1MDD.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-Q115N.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-95NJF.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.msg	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-T3JJC.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-COQ3S.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-FMSD8.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-Q51A8.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-O7VQ8.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-RVIO9.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-AJAFJ.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-6665C.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-B1PM7.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-R7B5U.tmp	RevoUninProSetup.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-S66U7.tmp	RevoUninProSetup.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvtiskfjthawsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruplp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruplp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvtiskfjthawsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUninProSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUninProSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvtiskfjthawsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvtiskfjthawsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvtiskfjthawsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUninProSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruplp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUninProSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUninProSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUninProSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvtiskfjthawsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUninProSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUninProSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5324	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\ = "LicProtector Object"	ruplp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ = "Revo Uninstaller Pro"	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0"	RevoUninProSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\RevoUninstallerPro.ruel\shell\open\command	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\Version = "5.1"	ruplp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ = "LicProtector Object"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}"	ruplp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\DefaultIcon	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL\AppID = "{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID\ = "LicProtector.LicProtectorEXE510"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\InfoTip = "Uninstall, Remove Programs, Clear Web Browsers Tracks, Control Automatically Started Applications"	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.ruel	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\shell\open\command	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\ = "LicProtector Library"	ruplp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\.ruel	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid\ = "{DD72B942-27D2-4A3C-9353-FA0441FBABA0}"	ruplp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\ = "RUShellExt Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\ruplp.exe"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32	ruplp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe"	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32\ = "C:\\PROGRA~1\\VSREVO~1\\REVOUN~1\\ruplp.exe"	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version\ = "5.1"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open	RevoUninProSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe /implog \"%1\""	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib	ruplp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	RevoUninProSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\RevoUninstallerPro.ruel\shell	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1	ruplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\"	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command	RevoUninProSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32	ruplp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version	ruplp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3496	msedge.exe
3496	msedge.exe
3560	msedge.exe
3560	msedge.exe
4560	identity_helper.exe
4560	identity_helper.exe
2044	msedge.exe
2044	msedge.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
1340	powershell.exe
1340	powershell.exe
1340	powershell.exe
5432	powershell.exe
5432	powershell.exe
5432	powershell.exe
5508	powershell.exe
5508	powershell.exe
5508	powershell.exe
5732	powershell.exe
5732	powershell.exe
5732	powershell.exe
6024	powershell.exe
6024	powershell.exe
6024	powershell.exe
5480	powershell.exe
5480	powershell.exe
5580	powershell.exe
5580	powershell.exe
5480	powershell.exe
5580	powershell.exe
4708	powershell.exe
4708	powershell.exe
4708	powershell.exe
2688	powershell.exe
2688	powershell.exe
2688	powershell.exe
5824	powershell.exe
5824	powershell.exe
5824	powershell.exe
6080	msedge.exe
6080	msedge.exe
6080	msedge.exe
6080	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5408	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeRestorePrivilege	548	7zG.exe
Token: 35	548	7zG.exe
Token: SeSecurityPrivilege	548	7zG.exe
Token: SeSecurityPrivilege	548	7zG.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	5432	powershell.exe
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeDebugPrivilege	5732	powershell.exe
Token: SeDebugPrivilege	4680	RevoUninProSetup.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	5480	powershell.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	3412	RevoUninProSetup.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	5824	powershell.exe
Token: SeDebugPrivilege	5160	RevoUninProSetup.exe
Token: SeDebugPrivilege	5020	RevoUninProSetup.exe
Token: SeDebugPrivilege	5344	RevoUninProSetup.exe
Token: SeDebugPrivilege	6000	RevoUninProSetup.exe
Token: SeRestorePrivilege	5132	7zG.exe
Token: 35	5132	7zG.exe
Token: SeSecurityPrivilege	5132	7zG.exe
Token: SeSecurityPrivilege	5132	7zG.exe
Token: SeDebugPrivilege	5324	taskkill.exe
Token: 33	5848	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5848	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
548	7zG.exe
5132	7zG.exe
5684	RevoUninProSetup.tmp
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
2628	nvtiskfjthawsd.exe
5636	nvtiskfjthawsd.exe
2284	nvtiskfjthawsd.exe
4740	nvtiskfjthawsd.exe
5668	nvtiskfjthawsd.exe
5920	nvtiskfjthawsd.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5408	OpenWith.exe
5168	OpenWith.exe
5168	OpenWith.exe
5168	OpenWith.exe
5400	RevoUninPro.exe
5400	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5292	RevoUninPro.exe
5344	OpenWith.exe
5344	OpenWith.exe
5344	OpenWith.exe
5292	RevoUninPro.exe
3248	RevoUninPro.exe
3248	RevoUninPro.exe
3248	RevoUninPro.exe
5424	ruplp.exe
3248	RevoUninPro.exe
3248	RevoUninPro.exe
3248	RevoUninPro.exe
3248	RevoUninPro.exe
3248	RevoUninPro.exe
3248	RevoUninPro.exe
3248	RevoUninPro.exe
3248	RevoUninPro.exe
3248	RevoUninPro.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 1156	3560	msedge.exe	83
PID 3560 wrote to memory of 1156	3560	msedge.exe	83
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 4396	3560	msedge.exe	84
PID 3560 wrote to memory of 3496	3560	msedge.exe	85
PID 3560 wrote to memory of 3496	3560	msedge.exe	85
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86
PID 3560 wrote to memory of 5016	3560	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.usercontent.google.com/download?id=1GKDJfJAlGmLAPVZKtqjldwXWvMrIew1v&export=download&authuser=0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3e7f46f8,0x7ffd3e7f4708,0x7ffd3e7f4718
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6572 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1300 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=904 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,16053252962089212082,12833687387315618145,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:5112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:860

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\" -ad -an -ai#7zMap12256:140:7zEvent30468
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:548

C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe
"C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\FnEnbEqXhH'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\FnEnbEqXhH\nvtiskfjthawsd.exe
  "C:\FnEnbEqXhH\nvtiskfjthawsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2628

C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe
"C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\UbyWzXsRe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5508
- C:\UbyWzXsRe\nvtiskfjthawsd.exe
  "C:\UbyWzXsRe\nvtiskfjthawsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5636

C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe
"C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\nYVylRfy'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5432
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5480
- C:\nYVylRfy\nvtiskfjthawsd.exe
  "C:\nYVylRfy\nvtiskfjthawsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4740

C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe
"C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5160
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\DpMXbamsJb'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5732
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\DpMXbamsJb\nvtiskfjthawsd.exe
  "C:\DpMXbamsJb\nvtiskfjthawsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2284

C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe
"C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5344
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\UFCxR'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\UFCxR\nvtiskfjthawsd.exe
  "C:\UFCxR\nvtiskfjthawsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5668

C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe
"C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\KiVbYwxG'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5824
- C:\KiVbYwxG\nvtiskfjthawsd.exe
  "C:\KiVbYwxG\nvtiskfjthawsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5920

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\readme.txt
1⤵
PID:4544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5408
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\License\revouninstallerpro5.lic
  2⤵
  PID:5604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5168

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\fix\" -ad -an -ai#7zMap25432:228:7zEvent6824
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5132

C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\fix\RevoUninProSetup.exe
"C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\fix\RevoUninProSetup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5192
- C:\Users\Admin\AppData\Local\Temp\is-236JG.tmp\RevoUninProSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-236JG.tmp\RevoUninProSetup.tmp" /SL5="$100286,17354271,196608,C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\fix\RevoUninProSetup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:5684
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im ruplp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5324
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
    3⤵
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Modifies registry class
    PID:5848
- - C:\Windows\system32\rundll32.exe
    "rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    PID:5160
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      PID:5224
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:3864
- - C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
    "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4980
- - C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
    "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5400
- - C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
    "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.revouninstaller.com/pro-install-thankyou/
    3⤵
    PID:2324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd3e7f46f8,0x7ffd3e7f4708,0x7ffd3e7f4718
      4⤵
      PID:2996

C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe
C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6032

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x528 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5344

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\readme.txt
1⤵
PID:1692

C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3248

C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe
C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FnEnbEqXhH\nvtiskfjthawsd.exe

Filesize
1.2MB

MD5
400a5fa50c11c7e7982b90341814ffb1

SHA1
b951758659ab1a7185d92bc4fd428abcb064e3d3

SHA256
fcc3476afef5cac8024038d9b1470f771d5516507040009646f5d331879c26af

SHA512
1592c9f22ab51b88078e807774b3daa7ecf2eafb1aff44dcafb602fc0449bea9e36102858c7175c844c45518222ce6dbffa2840b9e9a3eb733bc4112115c2607

Download Submit
C:\PROGRA~1\VSREVO~1\REVOUN~1\revoflt.sys

Filesize
37KB

MD5
ec8e58e6b58b4fcde77431cda3a24c0e

SHA1
ebb474009b2a2fbce648adff4b8b797fcd00c997

SHA256
25667717bf4691957f07a6363585e2c7eaf22e5fd7229bf32c91ea59ef4a2edd

SHA512
e2c667ebe97973ff27c1edf3e45ebf7950bc8d7aad1126da25290a2f590b21808654694cbe6a0ad1d3649566ec7645eb6b3379c7d7c0a650d5381a69e9cdade4

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll

Filesize
187KB

MD5
8b9964e06195fd375d126b424e236f03

SHA1
6f1741cfeb9fb70c34857dbba3e063c88c3c32fa

SHA256
bda04b693bfdea86a7a3b47f2e4ceae9cd9475c4e81b0aa73b70fd244a65f70f

SHA512
741019523b4c5f4ef9a7952172309b2d304a84cbd98fff99a719105cc1938157edb1691554a21b9dcd2b523c0f1ab0d37879deefc3b2fa5579c0d8c76cade483

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe

Filesize
24.4MB

MD5
ee15bfe5a394adbfb087b053a6a72821

SHA1
fa6fde156d571986b6dfd94c290daa80a75e8020

SHA256
9652f60de7ae4aa0970578974b1886e17a0ce7b6b68ba0f3e713b34ec3636071

SHA512
7efda209ee106a26b40858040aef9a1fc389284a1b171c9729edbf0005e213ad536850afcfc66083a81d724e52b50833e1e5ce2aa1cc108cafa7e8cc9b331ed8

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf

Filesize
2KB

MD5
edc78deb34de240c787b1011161e9a4e

SHA1
2d31275530dce33d3bc329991c8ad59e1b303577

SHA256
69569b4b111035cd35186da239d8241cf96350f6bb296210368ebc570fa2162b

SHA512
e55eefcc39b7353ef11a778910400c5c85cab9657bb350840988cbbf556dc343a9c1803442643c9255c149f8d93a5c2d2e6c3bea244f67c895e635eaec0a0f7b

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe

Filesize
9.6MB

MD5
216b49b7eb7be44d7ed7367f3725285f

SHA1
cf0776ecbc163c738fd43767bedcc2a67acef423

SHA256
c6d97857b3b9f26c8e93d7b6e6481f93a16db75cbf9d1756cb29fba0fd9e240e

SHA512
060fb76d91bee1b421f133cae17726a68adc97ddce76a67196d10e735e216d032bee939c905b847c50f29e859dca43cdf1b19e4ae349e00efe88147224d665cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RevoUninProSetup.exe.log

Filesize
1KB

MD5
480c164e1147059479578928631605fa

SHA1
bafc2e08ba198af11d2b9c7f377150f9be21367b

SHA256
2d4b853c113f9478a8320cf0b1f676a89b858f35e8e8a2e706da66b25f4e2971

SHA512
3c0a0ee27f086a17cbee8b4f7f58d733eda8de66023f6766b573d7bfcca91fcc02baeef5ce2d7be7ae7d1d7fca9abe7d096c46e71e7826d85370827903dbff89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f31e0833fd043f977cfe3bf81969647e

SHA1
bf17ba56cb0697fb524c99bb1ef6b2b9846022de

SHA256
62d7c85620d6b6835b0e635723836e954851715107f7daa5af6a116ffcb9a71c

SHA512
42bb1c7c8e0a3c56f047822897e4e13f699b9184ece7acc1bea1b8c2ac1e853a60a47c6f9bd45b3ba6491e133cc1a91b3fdae477876ea564472fd070aa20a948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6a4b6ac53a5ea9ce4a3748c889f33740

SHA1
35485a6bcc00ad9b8c4438e760c8c60347071cb5

SHA256
3abcae63de73830d77485dae1bed49e36f3f56e4f9c7c69c1c6803703cd5ad4f

SHA512
1da515dcbc37504b7ee3db75a1c4a74780a48f5b646bbfc491597e9ba14d2ef8440d0067359f159306a145c4315d2b3ab3987362cc35ed21b222f64b2ce03ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
602B

MD5
ac9a8ee2d4e2c4ee7d4e34b1b777b4f3

SHA1
c3359c381b7a11e3d8f6f853a78a563356d94cfb

SHA256
21d2f13b2081c3283d2b06fd869e2682c6c4a3720ea665feb466297d9557ac1f

SHA512
6680aaf94f49f743cfa1602318d070f8f1b8db9f63ea4d3dcbd045551f07fcf7f78941391a7e3e8b79e47f657c4f97a7dbf3d27ab33905e9361f29f657c275a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
aa61557cda734fae84230c091f8aa8e8

SHA1
0ef196709779145510ce5bd57ff399861c66e90e

SHA256
f287e1c7d942bfd20ec496219ca5cfec8268e8ad40a8d564c9c9389787f2675e

SHA512
7b59b0e2d0627ca000939bd73143b86e9e47210150262772aedc0006a5c41df633693124f40eb6cca958a81f82bba4d5e797fab83b4b1d8f9423a85e75eb89ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
894B

MD5
284ebe60add3e2bf796b98dd20af071e

SHA1
b7276a3417849c28f8dac8c58481a67e6c4445fa

SHA256
9d0a59feb6677e3ed44b182a54f70205d8c30f3d0b6b8547f42e2e4b4a50732b

SHA512
69ecfe97b4ff6c72688b156f35cea771f85d958bcc196f60c137f7c6affc2caf2ab4d1f1765b5ae5656d7af6440034739309c6e5091fd63f488b787040ad38b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ec0e85fa9e8ff36117acb213cd078fe5

SHA1
ed4c64a340d59ca95031f0bea70a9621a94e83de

SHA256
c6aea66b5587acb54449745dce8534ad5067df913a0c79a53bb73bdae635310e

SHA512
2701ee2d560b475cec38017bd9f86da1b2524d90be7c475bc882d22392266967e4811973f2a416a6c56e48d99d93cfb92324ed7a079decb8b76ecaca4a129274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
985811ff6c29ba75f23b8da913d3e4f4

SHA1
7d08d3d58091052025f41978c8d9d566fba0e744

SHA256
84f46f63a0f0458b537ba8a2e8beea09789ac7b266b3f835a410623d8be01917

SHA512
6e0efcaa349c3073533c53b30740257e49dc0ce0f313abfef4fc2d81a49a3c428121a15dcfc2d32c3169a041799ad5f3f9bc77866b47e15f7541a3c58711879a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9f0d476398a4f56968c6702ee07b9ea1

SHA1
0455f433721ac0a48722ee5d6ecf12fee855039d

SHA256
b3722b87390c94c3e23bad492587da105e38503b02249205717a1be82205f971

SHA512
92a4060ae8543677978639af28d89886c809d52749c0c715122a7e49744c38a4763a42afc6f30331a3f2e04ea14fe5aa673619a5fb3e924a05440321dde59dcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0026f1f5613cc07885b80eedec799cbb

SHA1
b1cb67231e325d8de1880b892ce0057d9d12cf1c

SHA256
04ed0664e86c6e310d0fa0adab36638945aa94c3e120155d3bae1b576980a698

SHA512
ee201d46957a1b9f156f6c25a7a0c0ec9a7293d03f3e8e739fb6899e1328217e8b5d8a18e5dde8d616c1bc7530a70a5d81cf839a2c5fe8c4988affebb462dab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8adc550a9a5396b242a09d34c794d2bf

SHA1
90486ae2a6a43dd5012f0f591137b410c03576d7

SHA256
bac8747133daa0306044ec9d949a1dc36999f94edfef3be67c0bf5074ccfd742

SHA512
a0cd0b2235acddacb354baceba492cccc635d0ee1380738173dd30f8e88d6861afbe5844d3bad9d8cfb13de54d231a0f20cc8fe6ba63c11406ae813963dbd170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a1abd.TMP

Filesize
48B

MD5
470d440355bc511971e5ee250d7e87fa

SHA1
ef4d5706f85c8d1bedcf0d2ac362ba8de6280a9d

SHA256
c5105ecab7fa27b83fcbe42309e034b0beca2b4a724fe4ddabbe403b710655d8

SHA512
c81aa24a4cf63d6c69b9f33fe99c3c910b7e5ed7828d5db0bac28655fc20a95cc91e5564f814ce55735065149b9e28de295cf19e3c67f8a80161407c2bbe0c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
edd4c8775c5c3fd933761f23772a4348

SHA1
f21e6014c221f97bceb06aea7f10f9b7abd2da0d

SHA256
f7d4248e1fabacd604f21d0e99d6ca9ef0301284d56aa8638857bb6df3250421

SHA512
52bcbcefc5bcd3d325f495386a382579a56986e2a4687564d3ffa5bd19837c31e3a53f1064df5588fbb2c0795c7cfd2e4e8411c061d0c37172cb504448f69bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59ec4a.TMP

Filesize
538B

MD5
f4f83557d1105baf5e71b21832a58277

SHA1
ee583db5ea178555e9667a3fe242615df83aafe8

SHA256
dc426fafe215427e26e574928579a42fc6821c3266538b93d93e39e6dacbacdc

SHA512
c4c9b38fae9614dbf922a9eb1b63762424771a6f034c4556cb2b49b6eddaf782a25b88cc58803d70cc9ced16893a99717ac6d45c1824ab8f973327aec11a51ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8cf1dceca7083ee5a668cd2126781072

SHA1
78c534aa2ac37075d6c3d8e128ab6c8d5a11f6f5

SHA256
a968f8be1dbf9c6957aef79b42e943174ad23144d01cc80edda8f59696319c84

SHA512
8dc6082a4987de0254cc655b6cca01ba830860ce3473b2e0585f8737eeca17bcbe7fc7254da91fe6bc4928543f91691494a2ce4e1f4047a96cd1bf1bd9557940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
57c470838161b23427b3f83436ab3a52

SHA1
9016c611c13db80984b1fcd68140e7e84c2a22ef

SHA256
16f31fd178e6a90317c6a4f21a0d42388ad0afa3239fe8ca88d2be2e9994c42b

SHA512
7d7152d08253dc5d7a433a5a4138173789c06ae93adfaeb17236382464a1c6f5fca74ecda1326e50d0d4e2c9f2ecb91d67a08aed17a08e0651338443bbfda29f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c2a75319a04817466b25e8aa47912319

SHA1
446c89288014308b023b53cf8609ef968765f0ad

SHA256
05d67ef05a927a6f75c7da052ddb99849331e75649409247db614a033f6ed5d2

SHA512
7f08a989526c23240cf0cb13e7ad9282943d4e4e27203b095a95bb8bd5541960c2a005cb8fc9314b13cd8b7bb145dc7a742f8facdd4998e0f90b4bb492465012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ab8419b533996b7934c0d79d06266291

SHA1
afa151f19988ad5da688e6d8618c4999af77e8f7

SHA256
ec6a4d1684b2ba01098ccf72105599a2997bda399b48fc66188f6034312325da

SHA512
7601a2b5878e2b5636f1f332d5ab120c8dba7151db15125d6159739307fa7c46d119e46de9ceb5d4e26fe2124ec730d8b73f06b9a3a4c0572d99bb6a73d89baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
509a094fb2088e425c1dddfa02145970

SHA1
0f0314aa13de0433d3942072bddd3bfbc5f35a56

SHA256
a4d8ad6abe525357da5815e7dfc32af90dab872ba5962f642def9336505960b5

SHA512
145a4cf99f19c71beec26f1974645d4801bed31541cfc3642d0f08e93d2620c628334f6e4a0750172e2d6e90803b7be5adc22e7bf28f4afcafe3a21158fbc14d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f507508379087649dbbaa5b0797fdbe0

SHA1
2e3cfda85c4f62eb6d9a16aec423f63117952ac7

SHA256
b76a7e5b7f427839291cf1a979ae039a93c359d877c900ec39dd20075b08081d

SHA512
a57030aaadfddd0ef018d58245e3a52ebaded6ca43fd8809bcde30f4b3ae8fd58456d05002d0d95e24998ccfb2498cb383a5cd9647d955b60c4215c883eba62e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a0574131428d2fc1c7a25f54daa1f914

SHA1
76386b6e478c6b41c6485a9f05c173608c9f98a0

SHA256
de26d3303bf2dae61b713608d71c21587e30e529ade50445e9db16e385090269

SHA512
8b402694619f0e269cc51243d0f010a7d6ffa9ebb6490750c3081b7fb787e3413c532227d9631051328ca8e4aba0bf299fd27a096bcd17556b5612b68be6fdcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8cefa122a46dd262884fb33a472c29d6

SHA1
be1b8e2e861c777ae68c17bb127387599c690e3d

SHA256
cb3f2bca1032b38f6b17e5e8be0c841c423f5c229ced5bd0ed1c5b6b8597d684

SHA512
3bf52a73441ccd3534437def03ca153ad30a2b960873acf9cbff988fc60a389106ccbe9eef73d1206cffd70f06457c411bba0fccee657939219591aabb2bf38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6d8c875a85fb7d703131b489cdb6e08f

SHA1
aac9f1d8396ad963834c07c16fd57ba31b84eac3

SHA256
912ad9b214b6c643622ab3a024b341ce3924bba766c37beaaecebf4e920ed741

SHA512
4ff00879c8702a6a48723956012b37943a1b2cc491c0c43f78cb2f89012966652a4f0af665fd41aba950bf9ad116e085c4a275e86b7f431d91334e7aa8dd652e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d88834c3f9948b1971a7d9b4cd3ea975

SHA1
911f1b9392df5c045068cb5b43372ca7bd4780db

SHA256
2f3c0b6608f3835e486706d8674aae62e1afe7d4574fe2296f2b76004d537d0e

SHA512
c396e662f5245c5feeb830439805f922dff6e35ba9916e02ba088ff0b6884109461f71b10a5a2885390e3b0db051145ba4f6bc7d51de8ee9df9a72c46a9aad15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0d1a1f3d7a6dec8c836a6537af28bdb0

SHA1
6907b4907c919d42d3c5af9c10c2759e1424d7e5

SHA256
fd5e14d635e893b111dd82d73afda961c37e7f5d92b42386c7e93e5874a48bdd

SHA512
132cfe622489003728da60539deb188d7849c50aafe746280c1befe18d9984fab0c46760fa2af560986f1357ea888a5ad950505ea73632ccc510425969802349

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dfbuvjla.slz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-236JG.tmp\RevoUninProSetup.tmp

Filesize
1.2MB

MD5
a69cc5037831baaed15a32987570f410

SHA1
9a80953ea9f547ae5efe1cf106ec8eb84abec6ac

SHA256
0867c3a542489669d469faa8af89777c096ff7f695f3fa6637f35e36384192ef

SHA512
3c8053e70adda62ff2457a2a9b008879d5618a89a2ba20f6cda3cc249cb7f5b4eb9a3313d897a7b7f08298f516b2ff6ba7cc002d9898e764ecf45c382cbda4cb

Download Submit
C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\License\revouninstallerpro5.lic

Filesize
64KB

MD5
8462a9b69c76a9603a4143d51fbc201e

SHA1
4473590f93f94f22c340a354516191c3c0ba6532

SHA256
fe4bcb4251f77375119a936c80fb36221af0c5105e840e2e115d47f96cb437c8

SHA512
2f02ecdb06760a093f4d8e6f04c97138695b064db8cb2dcc4af9b47c829852f38b77be9425eb2f3e3e36f85da181c116c829921fa35ae68afc57c728d5393570

Download Submit
C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\RevoUninProSetup.exe

Filesize
190KB

MD5
da8aa4ad4bc4acb50330417d2ab47b73

SHA1
676a4a95b701706ce1acbd356ea2a581324ea2dd

SHA256
fb458f636eb28d708105513b43a8043aacc8d0c4c831dec2f4a48f71744c14d6

SHA512
e5c0876936f21767662363e3fa9affe7e442d608d91518df9ae0885275d2da6b8481265123a91cab7af92d461b42c39a9d347c069077bbfa270e4e56420e3f45

Download Submit
C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\fix.rar

Filesize
17.0MB

MD5
5e1e631a344a100ce0be8b3fae3dc216

SHA1
7c45cc0091abac43f5872867c7c7ac2702c9e1c5

SHA256
458b298f19c057a274d14b3507004c38bfe4b1986f12ae608d3f2edfe3b0bfba

SHA512
292b75e058c34f82a5f8ee7709edf40ec9f91c5d5848f96177b2cf89efb6124adddb33178972ae165d9c2aeb5f2af513a31a09c3135ed88e9b3fe133ce37ccbe

Download Submit
C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\fix\RevoUninProSetup.exe

Filesize
17.1MB

MD5
385a558c685d455d4c199f62d736ba0d

SHA1
7b6a25a8b8bd7ee2c95f319b29d72a4d5818f45c

SHA256
cb3d5139c4c545056c96dc7934df475b886a3bec8f4608e5589db2c4e4131e83

SHA512
9e3d5013fbed039dccc9c5707d5a71aa2dd5591c1a12ecbd03db94502081777cc6c9fbfe8b3a56cc75eb4399bcabcc941185ce5b965acf970aedc438091dcc70

Download Submit
C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\readme.txt

Filesize
127B

MD5
9c6f0510cbfc39ec35fab9f7324e269e

SHA1
25e356e5bf79229ebac663f5979dae8523e705e8

SHA256
21ce0f3ad2f5cf31002d03b7c5c9588641a7a565e43f6ab7ecd23409ca96c561

SHA512
3625f17d1ccb38d71b5d48b5381c2a6cd292ce453735a56357a1d8354f83088c27aa0e724a0138c4a3e80fd290234f55a4609db48c30fcdaf80be88c33fbac2f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 467234.crdownload

Filesize
17.3MB

MD5
3263ed81c1808b388d587af325e6e8aa

SHA1
eea43062083172020810e8b111cf233d9bd034f4

SHA256
2404f0ee02484810760b42fbdbaacb606299d4d5f5c286a6f1d7141176fe7991

SHA512
73005a58e4b852187e9467f0f580612f5e5bc2c68fdb2b750a74bfc2703c338bd01337c5499703c990a07e28617a7430134bec270d555f8422ab7ff8e11c20c4

Download Submit
memory/1340-189-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/2284-467-0x0000000000950000-0x0000000000D0A000-memory.dmp

Filesize
3.7MB

Download
memory/2284-430-0x0000000000950000-0x0000000000D0A000-memory.dmp

Filesize
3.7MB

Download
memory/2628-280-0x0000000000F20000-0x00000000012DA000-memory.dmp

Filesize
3.7MB

Download
memory/2628-379-0x0000000000F20000-0x00000000012DA000-memory.dmp

Filesize
3.7MB

Download
memory/2688-396-0x0000000007B10000-0x0000000007B21000-memory.dmp

Filesize
68KB

Download
memory/2688-407-0x0000000007B60000-0x0000000007B74000-memory.dmp

Filesize
80KB

Download
memory/2688-380-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/2884-169-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/2884-157-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4680-104-0x0000000000060000-0x0000000000096000-memory.dmp

Filesize
216KB

Download
memory/4708-348-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/4740-440-0x0000000000A60000-0x0000000000E1A000-memory.dmp

Filesize
3.7MB

Download
memory/4740-469-0x0000000000A60000-0x0000000000E1A000-memory.dmp

Filesize
3.7MB

Download
memory/4760-123-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/4760-105-0x00000000050C0000-0x00000000050F6000-memory.dmp

Filesize
216KB

Download
memory/4760-108-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/4760-109-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/4760-119-0x0000000006070000-0x00000000063C4000-memory.dmp

Filesize
3.3MB

Download
memory/4760-120-0x0000000006680000-0x000000000669E000-memory.dmp

Filesize
120KB

Download
memory/4760-121-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/4760-106-0x0000000005830000-0x0000000005E58000-memory.dmp

Filesize
6.2MB

Download
memory/4760-138-0x0000000007A20000-0x0000000007A2A000-memory.dmp

Filesize
40KB

Download
memory/4760-122-0x0000000006C50000-0x0000000006C82000-memory.dmp

Filesize
200KB

Download
memory/4760-133-0x0000000007840000-0x000000000785E000-memory.dmp

Filesize
120KB

Download
memory/4760-107-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/4760-134-0x0000000007870000-0x0000000007913000-memory.dmp

Filesize
652KB

Download
memory/4760-135-0x0000000007FF0000-0x000000000866A000-memory.dmp

Filesize
6.5MB

Download
memory/4760-136-0x00000000079B0000-0x00000000079CA000-memory.dmp

Filesize
104KB

Download
memory/4760-144-0x0000000007CD0000-0x0000000007CD8000-memory.dmp

Filesize
32KB

Download
memory/4760-143-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

Filesize
104KB

Download
memory/4760-142-0x0000000007BF0000-0x0000000007C04000-memory.dmp

Filesize
80KB

Download
memory/4760-141-0x0000000007BE0000-0x0000000007BEE000-memory.dmp

Filesize
56KB

Download
memory/4760-140-0x0000000007BB0000-0x0000000007BC1000-memory.dmp

Filesize
68KB

Download
memory/4760-139-0x0000000007C30000-0x0000000007CC6000-memory.dmp

Filesize
600KB

Download
memory/4980-796-0x0000000000400000-0x0000000000E32000-memory.dmp

Filesize
10.2MB

Download
memory/5192-816-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5192-639-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5192-781-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5424-1005-0x0000000000400000-0x0000000000E32000-memory.dmp

Filesize
10.2MB

Download
memory/5432-253-0x0000000007260000-0x0000000007274000-memory.dmp

Filesize
80KB

Download
memory/5432-241-0x0000000007220000-0x0000000007231000-memory.dmp

Filesize
68KB

Download
memory/5432-222-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/5480-315-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/5508-242-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/5580-325-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/5636-433-0x0000000000CE0000-0x000000000109A000-memory.dmp

Filesize
3.7MB

Download
memory/5636-375-0x0000000000CE0000-0x000000000109A000-memory.dmp

Filesize
3.7MB

Download
memory/5668-471-0x0000000000BC0000-0x0000000000F7A000-memory.dmp

Filesize
3.7MB

Download
memory/5668-456-0x0000000000BC0000-0x0000000000F7A000-memory.dmp

Filesize
3.7MB

Download
memory/5684-812-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/5684-795-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/5732-265-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/5824-409-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/5920-473-0x0000000000780000-0x0000000000B3A000-memory.dmp

Filesize
3.7MB

Download
memory/5920-465-0x0000000000780000-0x0000000000B3A000-memory.dmp

Filesize
3.7MB

Download
memory/6024-283-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

Filesize
304KB

Download
memory/6032-825-0x0000000000400000-0x0000000000E32000-memory.dmp

Filesize
10.2MB

Download