Edit tour

Windows Analysis Report
revosetup.exe

Overview

General Information

Sample name:	revosetup.exe
Analysis ID:	1432131
MD5:	63150c4846bfbcf27fa70ccaa8a01943
SHA1:	bfe32dcc00b041e0007a883af1588f354bb9f032
SHA256:	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Monitors registry run keys for changes

Tries to harvest and steal browser information (history, passwords, etc)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Found dropped PE file which has not been started or loaded

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample searches for specific file, try point organization specific fake files to the analysis machine

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Process Tree

System is w10x64_ra

revosetup.exe (PID: 1796 cmdline: "C:\Users\user\Desktop\revosetup.exe" MD5: 63150C4846BFBCF27FA70CCAA8A01943)

revosetup.tmp (PID: 2816 cmdline: "C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp" /SL5="$202EE,6355320,266240,C:\Users\user\Desktop\revosetup.exe" MD5: 7B77E7C3EBD213D95C4D909716F10030)

RevoUnin.exe (PID: 6532 cmdline: "C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe" MD5: A9CCD5974308C40CBE6946B5E53D2DE9)

chrome.exe (PID: 6604 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.revouninstaller.com/free-install-thankyou/ MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6792 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1828,i,11340438784122239940,8123972705045919978,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: about:blank

HTTP Parser: No favicon

Source: revosetup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.LICENSE AGREEMENT AND COPYRIGHT========================IMPORTANT - READ CAREFULLY:This license agreement is a legal agreement between you (either personal or corporate) and VS Revo Group Ltd. the vendor of the software product Revo Uninstaller"."the Vendor" means the developer of the "Revo Uninstaller" software product VS Revo Group Ltd.YOU AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT AND THE LIMITATIONS OF YOUR LICENSE BY INSTALLING COPYING DISTRIBUTING OR OTHERWISE USING REVO UNINSTALLER. IF YOU DO NOT AGREE DO NOT INSTALL DISTRIBUTE OR USE REVO UNINSATALLER IN ANY WAYS.Revo Uninstaller is FREEWARE. You can freely use this software and distribute copies of the ORIGINAL DISTRIBUTION FILE as long as NO ALTERATIONS are made to the file and its contents no charge is raised and that this license agreement is not violated in any ways. Any other way of distributing this software is prohibited.This is not public domain software. The software is owned by the author and protected by copyright law. The Software is licensed not sold to You for Your use only under the terms of this Agreement and VS Revo Group Ltd. reserves all rights not expressly granted to You. You are NOT allowed to:1. Modify reverse engineer decompile disassemble or otherwise attempt to reconstruct or discover the source code or any parts of it from the binaries of Revo Uninstaller.2. Remove any product identification copyright proprietary notices or labels from Revo Uninstaller.3. Distribute Revo Uninstaller in any other form than in the official distribution packages without a written permission from the Vendor.4. Use run copy distribute or store Revo Uninstaller in your computer if this license agreement is violated in any ways.THE APPLICATION AND ANY RELATED DOCUMENTATION IS PROVIDED "AS IS" WITHOUT ANY WARRANTIES. AND THAT THE VENDOR DOES NOT WARRANT THAT REVO UNINSTALLER WILL RUN UNINTERRUPTED OR ERROR FREE NOR THAT REVO UNINSTALLER WILL OPERATE WITH HARDWARE AND/OR SOFTWARE NOT PROVIDED BY THE VENDOR EITHER EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK ARISING OUT OF USE OR PERFORMANCE OF THE SOFTWARE REMAINS WITH YOUThe Agreement becomes effective when You agree to the terms and conditions of this Agreement by opening installing using accessing or manipulating the Software (the " Effective Date ") and this Agreement will terminate immediately upon notice to You if You materially breach any term or condition of this Agreement. You agree upon termination to promptly destroy the Software and all copies thereof.NOTE: REVO UNINSTALLER MAY CONNECT BY USERS REQUEST THROUGH THE INTERNET TO WWW.REVOUNINSTALLER.COM TO CHECK FOR UPDATES. DURING THIS PROCESS IT WILL DOWNLOAD A SMALL FILE THAT
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.LICENSE AGREEMENT AND COPYRIGHT========================IMPORTANT - READ CAREFULLY:This license agreement is a legal agreement between you (either personal or corporate) and VS Revo Group Ltd. the vendor of the software product Revo Uninstaller"."the Vendor" means the developer of the "Revo Uninstaller" software product VS Revo Group Ltd.YOU AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT AND THE LIMITATIONS OF YOUR LICENSE BY INSTALLING COPYING DISTRIBUTING OR OTHERWISE USING REVO UNINSTALLER. IF YOU DO NOT AGREE DO NOT INSTALL DISTRIBUTE OR USE REVO UNINSATALLER IN ANY WAYS.Revo Uninstaller is FREEWARE. You can freely use this software and distribute copies of the ORIGINAL DISTRIBUTION FILE as long as NO ALTERATIONS are made to the file and its contents no charge is raised and that this license agreement is not violated in any ways. Any other way of distributing this software is prohibited.This is not public domain software. The software is owned by the author and protected by copyright law. The Software is licensed not sold to You for Your use only under the terms of this Agreement and VS Revo Group Ltd. reserves all rights not expressly granted to You. You are NOT allowed to:1. Modify reverse engineer decompile disassemble or otherwise attempt to reconstruct or discover the source code or any parts of it from the binaries of Revo Uninstaller.2. Remove any product identification copyright proprietary notices or labels from Revo Uninstaller.3. Distribute Revo Uninstaller in any other form than in the official distribution packages without a written permission from the Vendor.4. Use run copy distribute or store Revo Uninstaller in your computer if this license agreement is violated in any ways.THE APPLICATION AND ANY RELATED DOCUMENTATION IS PROVIDED "AS IS" WITHOUT ANY WARRANTIES. AND THAT THE VENDOR DOES NOT WARRANT THAT REVO UNINSTALLER WILL RUN UNINTERRUPTED OR ERROR FREE NOR THAT REVO UNINSTALLER WILL OPERATE WITH HARDWARE AND/OR SOFTWARE NOT PROVIDED BY THE VENDOR EITHER EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK ARISING OUT OF USE OR PERFORMANCE OF THE SOFTWARE REMAINS WITH YOUThe Agreement becomes effective when You agree to the terms and conditions of this Agreement by opening installing using accessing or manipulating the Software (the " Effective Date ") and this Agreement will terminate immediately upon notice to You if You materially breach any term or condition of this Agreement. You agree upon termination to promptly destroy the Software and all copies thereof.NOTE: REVO UNINSTALLER MAY CONNECT BY USERS REQUEST THROUGH THE INTERNET TO WWW.REVOUNINSTALLER.COM TO CHECK FOR UPDATES. DURING THIS PROCESS IT WILL DOWNLOAD A SMALL FILE THAT

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\is-930TG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-SRMPO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-QNP87.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-1GMMQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-LQ7V0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-8HS44.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-6JUB1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-TF4FP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-JLIIP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-51DQ4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-ON5O0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-89KBO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-H8O5L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-BHORG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-NU8DV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-86R4G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-O6OOC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-OQLC1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-BRMVK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-IE3NO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-NA2VL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-6D4JF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-P4FJN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-F6T79.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-4HQ49.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-Q5ETH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-D9K51.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-AP8OQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-03S2V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-RM1PV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-7F029.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-MV7M3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-A47CF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-6RDSI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-JEUE8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-8N9CU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-4H15I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-R94T1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-KQVVL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-57PF0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-2JR70.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-FVNN5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-79H19.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-Q3DI4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-FNPTG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-QRKAM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-20FHR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\is-3UJFV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\is-UKQ9R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\is-3D3RB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.msg

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

File created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-04-26 #001.txt

Source: revosetup.exe

Static PE information: certificate valid

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.29.8:443 -> 192.168.2.17:49808 version: TLS 1.2

Source: revosetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\OpenSSL32.DllA\
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.6.208
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.6.208
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.revouninstaller.com
Source: global traffic	DNS traffic detected: DNS query: stackpath.bootstrapcdn.com
Source: global traffic	DNS traffic detected: DNS query: cdn.jsdelivr.net
Source: global traffic	DNS traffic detected: DNS query: f057a20f961f56a72089-b74530d2d26278124f446233f95622ef.ssl.cf1.rackcdn.com
Source: global traffic	DNS traffic detected: DNS query: static.zdassets.com
Source: global traffic	DNS traffic detected: DNS query: ekr.zdassets.com
Source: global traffic	DNS traffic detected: DNS query: widget.trustpilot.com
Source: global traffic	DNS traffic detected: DNS query: vsrevogroup.zendesk.com
Source: global traffic	DNS traffic detected: DNS query: static.hotjar.com
Source: global traffic	DNS traffic detected: DNS query: widget-mediator.zopim.com
Source: global traffic	DNS traffic detected: DNS query: connect.facebook.net
Source: global traffic	DNS traffic detected: DNS query: static.ads-twitter.com
Source: global traffic	DNS traffic detected: DNS query: td.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: analytics.google.com
Source: global traffic	DNS traffic detected: DNS query: stats.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: script.hotjar.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: v2assets.zopim.io
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.29.8:443 -> 192.168.2.17:49808 version: TLS 1.2

Source: revosetup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: sus24.spyw.winEXE@21/109@60/309

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

File created: C:\Program Files\VS Revo Group

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\RevoUninstallerFree}

Source: C:\Users\user\Desktop\revosetup.exe

File created: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp

Source: C:\Users\user\Desktop\revosetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

File read: C:\Program Files\desktop.ini

Source: C:\Users\user\Desktop\revosetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\Desktop\revosetup.exe

File read: C:\Users\user\Desktop\revosetup.exe

Source: unknown	Process created: C:\Users\user\Desktop\revosetup.exe "C:\Users\user\Desktop\revosetup.exe"
Source: C:\Users\user\Desktop\revosetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp "C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp" /SL5="$202EE,6355320,266240,C:\Users\user\Desktop\revosetup.exe"
Source: C:\Users\user\Desktop\revosetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp "C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp" /SL5="$202EE,6355320,266240,C:\Users\user\Desktop\revosetup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Process created: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe "C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.revouninstaller.com/free-install-thankyou/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1828,i,11340438784122239940,8123972705045919978,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Process created: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe "C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.revouninstaller.com/free-install-thankyou/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1828,i,11340438784122239940,8123972705045919978,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\revosetup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\revosetup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: apphelp.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: msi.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: wininet.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: msimg32.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: oledlg.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: urlmon.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: version.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: winmm.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: iertutil.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: srvcli.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: netutils.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: textshaping.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: wintypes.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: wintypes.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: wintypes.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: dataexchange.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: d3d11.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: dcomp.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: dxgi.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: wldp.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: propsys.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: profapi.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: thumbcache.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: policymanager.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: sspicli.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: linkinfo.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: ieframe.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: netapi32.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: userenv.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: winhttp.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: wkscli.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: msiso.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: ieframe.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: netapi32.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: userenv.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: winhttp.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: wkscli.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: ieframe.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: netapi32.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: userenv.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: winhttp.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: wkscli.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: ieframe.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: netapi32.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: userenv.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: winhttp.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: wkscli.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: ieframe.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: netapi32.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: userenv.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: winhttp.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: wkscli.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: ieframe.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: netapi32.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: userenv.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: winhttp.dll
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Section loaded: wkscli.dll

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

Window found: window name: TSelectLanguageForm

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.LICENSE AGREEMENT AND COPYRIGHT========================IMPORTANT - READ CAREFULLY:This license agreement is a legal agreement between you (either personal or corporate) and VS Revo Group Ltd. the vendor of the software product Revo Uninstaller"."the Vendor" means the developer of the "Revo Uninstaller" software product VS Revo Group Ltd.YOU AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT AND THE LIMITATIONS OF YOUR LICENSE BY INSTALLING COPYING DISTRIBUTING OR OTHERWISE USING REVO UNINSTALLER. IF YOU DO NOT AGREE DO NOT INSTALL DISTRIBUTE OR USE REVO UNINSATALLER IN ANY WAYS.Revo Uninstaller is FREEWARE. You can freely use this software and distribute copies of the ORIGINAL DISTRIBUTION FILE as long as NO ALTERATIONS are made to the file and its contents no charge is raised and that this license agreement is not violated in any ways. Any other way of distributing this software is prohibited.This is not public domain software. The software is owned by the author and protected by copyright law. The Software is licensed not sold to You for Your use only under the terms of this Agreement and VS Revo Group Ltd. reserves all rights not expressly granted to You. You are NOT allowed to:1. Modify reverse engineer decompile disassemble or otherwise attempt to reconstruct or discover the source code or any parts of it from the binaries of Revo Uninstaller.2. Remove any product identification copyright proprietary notices or labels from Revo Uninstaller.3. Distribute Revo Uninstaller in any other form than in the official distribution packages without a written permission from the Vendor.4. Use run copy distribute or store Revo Uninstaller in your computer if this license agreement is violated in any ways.THE APPLICATION AND ANY RELATED DOCUMENTATION IS PROVIDED "AS IS" WITHOUT ANY WARRANTIES. AND THAT THE VENDOR DOES NOT WARRANT THAT REVO UNINSTALLER WILL RUN UNINTERRUPTED OR ERROR FREE NOR THAT REVO UNINSTALLER WILL OPERATE WITH HARDWARE AND/OR SOFTWARE NOT PROVIDED BY THE VENDOR EITHER EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK ARISING OUT OF USE OR PERFORMANCE OF THE SOFTWARE REMAINS WITH YOUThe Agreement becomes effective when You agree to the terms and conditions of this Agreement by opening installing using accessing or manipulating the Software (the " Effective Date ") and this Agreement will terminate immediately upon notice to You if You materially breach any term or condition of this Agreement. You agree upon termination to promptly destroy the Software and all copies thereof.NOTE: REVO UNINSTALLER MAY CONNECT BY USERS REQUEST THROUGH THE INTERNET TO WWW.REVOUNINSTALLER.COM TO CHECK FOR UPDATES. DURING THIS PROCESS IT WILL DOWNLOAD A SMALL FILE THAT
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.LICENSE AGREEMENT AND COPYRIGHT========================IMPORTANT - READ CAREFULLY:This license agreement is a legal agreement between you (either personal or corporate) and VS Revo Group Ltd. the vendor of the software product Revo Uninstaller"."the Vendor" means the developer of the "Revo Uninstaller" software product VS Revo Group Ltd.YOU AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT AND THE LIMITATIONS OF YOUR LICENSE BY INSTALLING COPYING DISTRIBUTING OR OTHERWISE USING REVO UNINSTALLER. IF YOU DO NOT AGREE DO NOT INSTALL DISTRIBUTE OR USE REVO UNINSATALLER IN ANY WAYS.Revo Uninstaller is FREEWARE. You can freely use this software and distribute copies of the ORIGINAL DISTRIBUTION FILE as long as NO ALTERATIONS are made to the file and its contents no charge is raised and that this license agreement is not violated in any ways. Any other way of distributing this software is prohibited.This is not public domain software. The software is owned by the author and protected by copyright law. The Software is licensed not sold to You for Your use only under the terms of this Agreement and VS Revo Group Ltd. reserves all rights not expressly granted to You. You are NOT allowed to:1. Modify reverse engineer decompile disassemble or otherwise attempt to reconstruct or discover the source code or any parts of it from the binaries of Revo Uninstaller.2. Remove any product identification copyright proprietary notices or labels from Revo Uninstaller.3. Distribute Revo Uninstaller in any other form than in the official distribution packages without a written permission from the Vendor.4. Use run copy distribute or store Revo Uninstaller in your computer if this license agreement is violated in any ways.THE APPLICATION AND ANY RELATED DOCUMENTATION IS PROVIDED "AS IS" WITHOUT ANY WARRANTIES. AND THAT THE VENDOR DOES NOT WARRANT THAT REVO UNINSTALLER WILL RUN UNINTERRUPTED OR ERROR FREE NOR THAT REVO UNINSTALLER WILL OPERATE WITH HARDWARE AND/OR SOFTWARE NOT PROVIDED BY THE VENDOR EITHER EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK ARISING OUT OF USE OR PERFORMANCE OF THE SOFTWARE REMAINS WITH YOUThe Agreement becomes effective when You agree to the terms and conditions of this Agreement by opening installing using accessing or manipulating the Software (the " Effective Date ") and this Agreement will terminate immediately upon notice to You if You materially breach any term or condition of this Agreement. You agree upon termination to promptly destroy the Software and all copies thereof.NOTE: REVO UNINSTALLER MAY CONNECT BY USERS REQUEST THROUGH THE INTERNET TO WWW.REVOUNINSTALLER.COM TO CHECK FOR UPDATES. DURING THIS PROCESS IT WILL DOWNLOAD A SMALL FILE THAT

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\is-930TG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-SRMPO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-QNP87.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-1GMMQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-LQ7V0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-8HS44.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-6JUB1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-TF4FP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-JLIIP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-51DQ4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-ON5O0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-89KBO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-H8O5L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-BHORG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-NU8DV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-86R4G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-O6OOC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-OQLC1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-BRMVK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-IE3NO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-NA2VL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-6D4JF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-P4FJN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-F6T79.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-4HQ49.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-Q5ETH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-D9K51.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-AP8OQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-03S2V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-RM1PV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-7F029.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-MV7M3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-A47CF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-6RDSI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-JEUE8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-8N9CU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-4H15I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-R94T1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-KQVVL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-57PF0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-2JR70.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-FVNN5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-79H19.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-Q3DI4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-FNPTG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-QRKAM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-20FHR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\is-3UJFV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\is-UKQ9R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\is-3D3RB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.msg

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1

Source: revosetup.exe

Static PE information: certificate valid

Source: revosetup.exe

Static file information: File size 6970144 > 1048576

Source: revosetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	File created: C:\Program Files\VS Revo Group\Revo Uninstaller\is-3UJFV.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\revosetup.exe	File created: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-APUB4.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

File created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-04-26 #001.txt

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller\Revo Uninstaller.lnk
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller\Revo Uninstaller on the Web.url
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller\Uninstall Revo Uninstaller.lnk
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller\Revo Uninstaller Help.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\revosetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-APUB4.tmp\_isetup\_setup64.tmp

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\OpenSSL32.DllA\
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.revouninstaller.com/free-install-thankyou/

Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak\Google Drive.ico
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb\Docs.ico
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag\Slides.ico
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml\YouTube.ico
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf\Sheets.ico
Source: C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm\Gmail.ico

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Windows Service	1 Windows Service	3 Masquerading	1 OS Credential Dumping	11 Query Registry	Remote Services	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Process Injection	LSASS Memory	2 System Owner/User Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	Binary Padding	NTDS	21 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
revosetup.exe	3%	ReversingLabs
revosetup.exe	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\is-APUB4.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-APUB4.tmp\_isetup\_setup64.tmp	0%	Virustotal	Browse
C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe (copy)	0%	ReversingLabs
C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe (copy)	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
jsdelivr.map.fastly.net	0%	Virustotal	Browse
platform.twitter.map.fastly.net	0%	Virustotal	Browse
static.ads-twitter.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
about:blank	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
stackpath.bootstrapcdn.com	104.18.11.207	true	false		high
jsdelivr.map.fastly.net	151.101.129.229	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.14.35	true	false		high
v2assets.zopim.io	104.16.200.19	true	false		high
vsrevogroup.zendesk.com	104.16.53.111	true	false		high
platform.twitter.map.fastly.net	146.75.124.157	true	false	0%, Virustotal, Browse	unknown
stats.g.doubleclick.net	173.194.216.156	true	false		high
static.zdassets.com	104.18.72.113	true	false		high
scontent.xx.fbcdn.net	31.13.67.20	true	false		high
script.hotjar.com	13.226.52.129	true	false		high
widget-mediator.zopim.com	54.145.171.210	true	false		high
ekr.zdassets.com	104.18.70.113	true	false		high
td.doubleclick.net	142.250.217.162	true	false		high
analytics.google.com	142.250.217.174	true	false		high
www.google.com	142.250.189.132	true	false		high
widget.trustpilot.com	18.66.255.92	true	false		high
revouninstaller.com	146.20.152.114	true	false		high
static-cdn.hotjar.com	108.157.173.76	true	false		high
static.ads-twitter.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.facebook.com	unknown	unknown	false		high
cdn.jsdelivr.net	unknown	unknown	false		high
f057a20f961f56a72089-b74530d2d26278124f446233f95622ef.ssl.cf1.rackcdn.com	unknown	unknown	false		high
connect.facebook.net	unknown	unknown	false		high
www.revouninstaller.com	unknown	unknown	false		high
static.hotjar.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
about:blank	false	Avira URL Cloud: safe	low
https://td.doubleclick.net/td/ga/rul?tid=G-P73P80145H&gacid=1413362299.1714136623&gtm=45je44o0v869118035z871855269za200&dma=0&gcd=13l3l3l3l1&npa=0&pscdl=noapi&aip=1&fledge=1&z=820655299	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.226.52.129	script.hotjar.com	United States	16509	AMAZON-02US	false
31.13.67.35	unknown	Ireland	32934	FACEBOOKUS	false
142.250.189.142	unknown	United States	15169	GOOGLEUS	false
18.66.255.92	widget.trustpilot.com	United States	3	MIT-GATEWAYSUS	false
146.20.152.114	revouninstaller.com	United States	27357	RACKSPACEUS	false
146.75.124.157	platform.twitter.map.fastly.net	Sweden	30051	SCCGOVUS	false
151.101.129.229	jsdelivr.map.fastly.net	United States	54113	FASTLYUS	false
104.71.249.186	unknown	United States	16625	AKAMAI-ASUS	false
142.250.217.238	unknown	United States	15169	GOOGLEUS	false
157.240.14.35	star-mini.c10r.facebook.com	United States	32934	FACEBOOKUS	false
142.250.64.142	unknown	United States	15169	GOOGLEUS	false
142.251.35.238	unknown	United States	15169	GOOGLEUS	false
142.251.35.234	unknown	United States	15169	GOOGLEUS	false
54.145.171.210	widget-mediator.zopim.com	United States	14618	AMAZON-AESUS	false
104.18.72.113	static.zdassets.com	United States	13335	CLOUDFLARENETUS	false
104.16.200.19	v2assets.zopim.io	United States	13335	CLOUDFLARENETUS	false
142.250.217.162	td.doubleclick.net	United States	15169	GOOGLEUS	false
108.157.173.76	static-cdn.hotjar.com	United States	16509	AMAZON-02US	false
172.253.123.84	unknown	United States	15169	GOOGLEUS	false
142.250.189.131	unknown	United States	15169	GOOGLEUS	false
192.178.50.67	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
172.217.3.72	unknown	United States	15169	GOOGLEUS	false
104.16.53.111	vsrevogroup.zendesk.com	United States	13335	CLOUDFLARENETUS	false
142.250.189.132	www.google.com	United States	15169	GOOGLEUS	false
142.250.189.138	unknown	United States	15169	GOOGLEUS	false
104.18.11.207	stackpath.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
142.250.217.174	analytics.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.18.70.113	ekr.zdassets.com	United States	13335	CLOUDFLARENETUS	false
173.194.216.156	stats.g.doubleclick.net	United States	15169	GOOGLEUS	false
173.194.216.157	unknown	United States	15169	GOOGLEUS	false
142.251.35.228	unknown	United States	15169	GOOGLEUS	false
192.178.50.40	unknown	United States	15169	GOOGLEUS	false
18.66.255.15	unknown	United States	3	MIT-GATEWAYSUS	false
142.250.217.195	unknown	United States	15169	GOOGLEUS	false
31.13.67.20	scontent.xx.fbcdn.net	Ireland	32934	FACEBOOKUS	false
23.22.231.22	unknown	United States	14618	AMAZON-AESUS	false
18.66.255.55	unknown	United States	3	MIT-GATEWAYSUS	false
142.250.217.170	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.17

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432131
Start date and time:	2024-04-26 15:02:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	revosetup.exe
Detection:	SUS
Classification:	sus24.spyw.winEXE@21/109@60/309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 192.178.50.67, 172.253.123.84, 142.251.35.238, 34.104.35.123, 142.250.217.195, 142.251.35.234, 104.71.249.186
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Process:	C:\Users\user\AppData\Local\Temp\is-QDQK0.tmp\revosetup.tmp
File Type:	Non-ISO extended-ASCII text, with very long lines (479), with CRLF line terminators
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	C1459801E75F90321DAA2BE48EC50B14
SHA1:	FFFCF28465FFDFE6A2F286BD6E5E534472863852
SHA-256:	18F086240EC88DDAB6F0C9597B3A7B6F99DF38465A1207F9CA89A751A375B3D5
SHA-512:	2686D8DF5F59E67D2DA89EABF28197C2512BCD41AA06FB5878A056FAE2AF8B84115BD379F2E8CCA38D5103D74F97D71289E77FDE29008A72C8B0AD4B5FE9E923
Malicious:	false
Reputation:	unknown
Preview:	LICENSE AGREEMENT AND COPYRIGHT..========================....IMPORTANT - READ CAREFULLY:..This license agreement is a legal agreement between you (either personal or corporate) and VS Revo Group Ltd., the vendor of the software product .Revo Uninstaller."....."the Vendor" means the developer of the "Revo Uninstaller" software product, VS Revo Group Ltd.....YOU AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT AND THE LIMITATIONS OF YOUR LICENSE BY INSTALLING, COPYING, DISTRIBUTING OR OTHERWISE USING REVO UNINSTALLER. IF YOU DO NOT AGREE, DO NOT INSTALL, DISTRIBUTE OR USE REVO UNINSATALLER IN ANY WAYS.....Revo Uninstaller is FREEWARE. You can freely use this software and distribute copies of the ORIGINAL DISTRIBUTION FILE as long as NO ALTERATIONS are made to the file and its contents, no charge is raised and that this license agreement is not violated in any ways. Any other way of distributing this software is prohibited.....This is not public domain software. The software is o

Process:	C:\Users\user\Desktop\revosetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1348392
Entropy (8bit):	6.530593804695602
Encrypted:	false
SSDEEP:
MD5:	7B77E7C3EBD213D95C4D909716F10030
SHA1:	1C00EB97B4F154E209162BEE83A84A6F1D1EF034
SHA-256:	A1BAB1631135A982DFEC6024B1EF8EB1EA2BCE519CD832D9151E95E8DEF916D2
SHA-512:	FB6F95D42A936911B66861280CDEEE77E2125C6B30141EB66DAFF402453D635A87A7F8EC9435CEB7AD4FDDB473D6347A787BEDB5649AA3ABB234ACEEEAAF8DCD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...Rm"[.....................8.......%.......0....@..................................m....@......@..............................@8...@...............R..(A...................................0.......................................................text............................... ..`.itext.............................. ..`.data....0...0...2..................@....bss.....a...p.......L...................idata..@8.......:...L..............@....tls....<.... ...........................rdata.......0......................@..@.rsrc........@......................@..@....................................@..@........................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 12:03:35 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.985883681835673
Encrypted:	false
SSDEEP:
MD5:	085164EA22696AFE7CF079D9E21761B2
SHA1:	4026D829DB34A41C7BD1DCF6C53B1A69EA1D6AFC
SHA-256:	5FD099A64C5E6FCFD80055813EDBEB007C96CD0D37FC3A3F090F669923A0D6E4
SHA-512:	429AB0720285DEA25547454BE87A347768B67C3F930EF69532A80A63F4D33CCDBDDDF44C292410F348A240C620880431E329AED45CDA7869600EB154D28CAF2E
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....".%.......y... w......................1....P.O. .:i.....+00.../C:\.....................1......Xnh..PROGRA~1..t......O.I.Xoh....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xqh....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Xqh....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Xqh...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Xrh...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........~.Q......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Entrypoint:	0x41181c
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B226D52 [Thu Jun 14 13:27:46 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	20dd26497880c05caed9305b3c8b9109

Signature Valid:	true
Signature Issuer:	CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	27/07/2021 02:00:00 07/08/2024 01:59:59
Subject Chain	CN=VS Revo Group Ltd., O=VS Revo Group Ltd., L=Ruse, C=BG, SERIALNUMBER=200204019, OID.1.3.6.1.4.1.311.60.2.1.3=BG, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	1884464E49C1DFC765B837961EA25568
Thumbprint SHA-1:	68A7EC9C14F45C97E8A743552672971C2DCB0A29
Thumbprint SHA-256:	8DBF178B186FD778052FF6AF8D168C71912553561FD9B8B8A643F97C9EC4607B
Serial:	07ED134B1ECF561A9EB5B05388BFF047

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19000	0xe04	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x2e6e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x6a19f0	0x4130
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1b000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19304	0x214	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf25c	0xf400	0da5d73ffbc41792fa65a09058a91476	False	0.5482197745901639	data	6.375879013420213	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x11000	0xfa4	0x1000	2eb275566563c3f1d0099a0da7345b74	False	0.563720703125	data	5.778765357049134	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x12000	0xc8c	0xe00	73b859e23f5fd17e00c08db2e0e73dfe	False	0.25362723214285715	data	2.3028287433175367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x13000	0x56bc	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x19000	0xe04	0x1000	e9b9c0328fd9628ad4d6ab8283dcb20e	False	0.321533203125	data	4.597812557707959	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1a000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1b000	0x18	0x200	3dffc444ccc131c9dcee18db49ee6403	False	0.05078125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x2e6e4	0x2e800	451e566b9d13b35598cd40ce2ba20326	False	0.5272334929435484	data	6.5036107166389385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1c47c	0xc301	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9996995252498948
RT_ICON	0x28780	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.38365077487282623
RT_ICON	0x38fa8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5286372224846481
RT_ICON	0x3d1d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5776970954356846
RT_ICON	0x3f778	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7035647279549718
RT_ICON	0x40820	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8430851063829787
RT_STRING	0x40c88	0x68	data			0.6538461538461539
RT_STRING	0x40cf0	0xd4	data			0.5283018867924528
RT_STRING	0x40dc4	0xa4	data			0.6524390243902439
RT_STRING	0x40e68	0x2ac	data			0.45614035087719296
RT_STRING	0x41114	0x34c	data			0.4218009478672986
RT_STRING	0x41460	0x294	data			0.4106060606060606
RT_RCDATA	0x416f4	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x499dc	0x10	data			1.5
RT_RCDATA	0x499ec	0x150	data			0.8392857142857143
RT_RCDATA	0x49b3c	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x49b68	0x5a	data	English	United States	0.7666666666666667
RT_VERSION	0x49bc4	0x4f4	data	English	United States	0.2807570977917981
RT_MANIFEST	0x4a0b8	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report revosetup.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Program Files\VS Revo Group\Revo Uninstaller\License.txt (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\Revo Uninstaller Help.pdf (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\is-3D3RB.tmp

C:\Program Files\VS Revo Group\Revo Uninstaller\is-3UJFV.tmp

C:\Program Files\VS Revo Group\Revo Uninstaller\is-UKQ9R.tmp

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\albanian.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\arabic.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\armenian.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\azerbaijani.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\bengali.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\bulgarian.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\czech.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\danish.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\dutch.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\english.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\estonian.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\finnish.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\french.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\german.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\gujarati.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\hebrew.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\hellenic.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\hindi.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\hrvatski.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\hungarian.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\indonesian.ini (copy)

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-03S2V.tmp

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-1GMMQ.tmp

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-20FHR.tmp

C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-2JR70.tmp

Windows Analysis Report
revosetup.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre