Malware analysis revo-uninstaller-portable-2-4-5.zip.7z Malicious activity

Add for printing

File name:	revo-uninstaller-portable-2-4-5.zip.7z
Full analysis:	https://app.any.run/tasks/573fd1a0-7431-4dba-a3d5-c00462328d17
Verdict:	Malicious activity
Analysis date:	December 17, 2024, 09:07:52
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-doc
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	C55DA5DB0955205756F8ABCC03EBE37A
SHA1:	D1C71D4EA00EFC9F433B2DD3B8ACAFF950B4D9C9
SHA256:	7B0A43859BBB5433EBE80C28B99E736508425E9913C8CD43F0943BC53E6ABC2D
SSDEEP:	98304:yZFM7/+pfB48aWhVWC1VA0zhDfHBmBB/mF4gPFEyv9QKHWwlvF97aHGeFYxI4e5U:wIGEdRmofi+Xi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - RevoUn.exe (PID: 4556)
  - RevoUn.exe (PID: 3832)
  - RevoUn.exe (PID: 5544)
SUSPICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 6236)
- Searches for installed software
  - RevoUn.exe (PID: 4556)
  - RevoUn.exe (PID: 3832)
  - dllhost.exe (PID: 6532)
  - dllhost.exe (PID: 2728)
  - Un_A.exe (PID: 7000)
- Reads security settings of Internet Explorer
  - RevoUn.exe (PID: 4556)
  - RevoUn.exe (PID: 3832)
  - Un_A.exe (PID: 7000)
- Executes as Windows Service
  - VSSVC.exe (PID: 6516)
- Starts itself from another location
  - uninst.exe (PID: 7124)
- Executable content was dropped or overwritten
  - uninst.exe (PID: 7124)
  - Un_A.exe (PID: 7000)
- Malware-specific behavior (creating "System.dll" in Temp)
  - Un_A.exe (PID: 7000)
- Starts CMD.EXE for commands execution
  - Un_A.exe (PID: 7000)
  - cmd.exe (PID: 4128)
- Application launched itself
  - cmd.exe (PID: 4128)
- Deletes scheduled task without confirmation
  - schtasks.exe (PID: 396)
  - schtasks.exe (PID: 4164)
  - schtasks.exe (PID: 4816)
- Lists all scheduled tasks in specific format
  - schtasks.exe (PID: 6796)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 6656)
- Checks Windows Trust Settings
  - Un_A.exe (PID: 7000)
- Process drops legitimate windows executable
  - msiexec.exe (PID: 3828)
- Reads the date of Windows installation
  - msiexec.exe (PID: 3828)
INFO
- Manual execution by a user
  - WinRAR.exe (PID: 6968)
  - WinRAR.exe (PID: 7160)
  - RevoUPort.exe (PID: 3076)
  - RevoUPort.exe (PID: 5872)
  - RevoUn.exe (PID: 5544)
  - RevoUn.exe (PID: 3832)
- The process uses the downloaded file
  - WinRAR.exe (PID: 6236)
  - WinRAR.exe (PID: 7160)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7160)
  - msiexec.exe (PID: 3828)
- Checks supported languages
  - RevoUPort.exe (PID: 3076)
  - RevoUn.exe (PID: 4556)
  - RevoUn.exe (PID: 3832)
  - uninst.exe (PID: 7124)
  - Un_A.exe (PID: 7000)
  - CCUpdate.exe (PID: 1752)
  - msiexec.exe (PID: 3828)
  - msiexec.exe (PID: 6604)
- Reads the computer name
  - RevoUn.exe (PID: 4556)
  - Un_A.exe (PID: 7000)
  - msiexec.exe (PID: 3828)
  - msiexec.exe (PID: 6604)
  - CCUpdate.exe (PID: 1752)
- Process checks computer location settings
  - RevoUn.exe (PID: 4556)
- Create files in a temporary directory
  - uninst.exe (PID: 7124)
  - Un_A.exe (PID: 7000)
- The sample compiled with english language support
  - uninst.exe (PID: 7124)
  - Un_A.exe (PID: 7000)
  - msiexec.exe (PID: 3828)
- Reads Environment values
  - Un_A.exe (PID: 7000)
  - msiexec.exe (PID: 3828)
- Manages system restore points
  - SrTasks.exe (PID: 5076)
  - SrTasks.exe (PID: 6508)
  - SrTasks.exe (PID: 2456)
- Reads the software policy settings
  - Un_A.exe (PID: 7000)
- Reads the machine GUID from the registry
  - Un_A.exe (PID: 7000)
- Checks proxy server information
  - Un_A.exe (PID: 7000)
- Application launched itself
  - msiexec.exe (PID: 3828)
- Write to the desktop.ini file (may be used to cloak folders)
  - msiexec.exe (PID: 3828)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion:	7z v0.04
ModifyDate:	2024:12:17 09:06:29+00:00
ArchivedFileName:	revo-uninstaller-portable-2-4-5.zip

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

163

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

396

C:\WINDOWS\system32\schtasks /delete /tn "CCleanerSkipUAC - admin" /f

C:\Windows\SysWOW64\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

880

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1752

"C:\Program Files\CCleaner\ccupdate.exe" /unreg

C:\Program Files\CCleaner\CCUpdate.exe

—

Un_A.exe

User:

admin

Company:

Piriform Software Ltd

Integrity Level:

HIGH

Description:

CCleaner CCleaner emergency updater

Exit code:

Version:

23.3.12.0

Modules

Images
c:\program files\ccleaner\ccupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

2148

findstr /i CCleanerSkipUAC

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2200

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2456

C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:14

C:\Windows\System32\SrTasks.exe

—

dllhost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft® Windows System Protection background tasks.

Exit code:

2147942487

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2728

C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

COM Surrogate

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

3076

"C:\Users\admin\Desktop\RevoUninstaller_Portable\RevoUPort.exe"

C:\Users\admin\Desktop\RevoUninstaller_Portable\RevoUPort.exe

explorer.exe

User:

admin

Company:

VS Revo Group

Integrity Level:

HIGH

Exit code:

Version:

2, 0, 0, 0

Modules

Images
c:\users\admin\desktop\revouninstaller_portable\revouport.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

3828

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

3832

"C:\Users\admin\Desktop\RevoUninstaller_Portable\x64\RevoUn.exe"

C:\Users\admin\Desktop\RevoUninstaller_Portable\x64\RevoUn.exe

explorer.exe

User:

admin

Company:

VS Revo Group

Integrity Level:

HIGH

Description:

Revo Uninstaller

Version:

2.4.5.0

Modules

Images
c:\users\admin\desktop\revouninstaller_portable\x64\revoun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

35 631

Read events

34 266

Write events

633

Delete events

732

Modification events


(PID) Process:	(6236) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6236) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6236) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6236) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\revo-uninstaller-portable-2-4-5.zip.7z
(PID) Process:	(6236) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6236) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6236) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6236) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6236) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	13
Value:
(PID) Process:	(6236) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	12
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6236	WinRAR.exe	C:\Users\admin\Desktop\revo-uninstaller-portable-2-4-5.zip		compressed
		MD5:5178AEBA4F6DF6D3286DB3279EA5EA42	SHA256:FD8B2FB37D0F146FEF98DD7B6079FE40A4E04879E247F4A37EF12443CCF6C2B3
7160	WinRAR.exe	C:\Users\admin\Desktop\RevoUninstaller_Portable\lang\albanian.ini		text
		MD5:CD86D5DF4564A5D91934B3383A2B342E	SHA256:09FE4F2A0D1D54C5D374DB235F07F06642404A630F8B981461B0F7998B7C753B
7160	WinRAR.exe	C:\Users\admin\Desktop\RevoUninstaller_Portable\lang\english.ini		text
		MD5:5F57E969CB8F3AD0BBD859207A283BD5	SHA256:F2E8F9E5CF4F057E3399FF66485A485CBA419881AEEAC997049941396BDF63D8
7160	WinRAR.exe	C:\Users\admin\Desktop\RevoUninstaller_Portable\lang\bulgarian.ini		text
		MD5:29C6FA77CAFF22CEBEF89FE7CBB7E564	SHA256:8AD919E2DF77256C9DE97E5AB3BCB62669517360051E1F8C3444D2BDCDC9E824
7160	WinRAR.exe	C:\Users\admin\Desktop\RevoUninstaller_Portable\lang\dutch.ini		text
		MD5:484AAB4E4A291B4C2F2D1718B3754D2B	SHA256:7A47C9E44EF1E4CE0D5FC678DDF505D8213995E55599D7F4779E10462C002880
7160	WinRAR.exe	C:\Users\admin\Desktop\RevoUninstaller_Portable\lang\finnish.ini		text
		MD5:A3D974340201C1D00AF3A87F4D3DA6DC	SHA256:FEDCC719AC22D45A77F117372E0E124AA0EDE73DFC0768E7CDF7420539140731
7160	WinRAR.exe	C:\Users\admin\Desktop\RevoUninstaller_Portable\lang\french.ini		text
		MD5:267BCE0C687901EF0C9B94853164FF22	SHA256:F7B544068FCFE69F5A718A9EE0B790620F85477AFBF0C5DB5215A318C67E3B7F
7160	WinRAR.exe	C:\Users\admin\Desktop\RevoUninstaller_Portable\lang\hellenic.ini		text
		MD5:2750A46C066CE37250BE338D2D4B2C28	SHA256:1FBFEE3E9FB3D7E4BAC9AB89C49B25B1D93D65389A1DB3D9276C0B8C1A9C363B
7160	WinRAR.exe	C:\Users\admin\Desktop\RevoUninstaller_Portable\lang\german.ini		text
		MD5:00155578B98E07FC6288870E2AECCA68	SHA256:8CEF19D9D89BE0528643C45647085A85B136DF74987F7D25483732D431C70D12
7160	WinRAR.exe	C:\Users\admin\Desktop\RevoUninstaller_Portable\lang\georgian.ini		text
		MD5:198F4E61DFCEF0808B8EDE2ACBC2B5A0	SHA256:A37876448B2EA24F5FBF964130485BC7A5B7669D6FA5D1DFEFEBE98EA3A967F2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
2356	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7012	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7012	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7000	Un_A.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1380	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	104.126.37.163:443	www.bing.com	Akamai International B.V.	DE	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1176	svchost.exe	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171 95.101.149.131	whitelisted
google.com	172.217.16.142	whitelisted
www.bing.com	104.126.37.163 104.126.37.170 104.126.37.168 104.126.37.177 104.126.37.184 104.126.37.171 104.126.37.179 104.126.37.178 104.126.37.185	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.64 20.190.159.71 40.126.31.67 40.126.31.69 20.190.159.68 20.190.159.0 40.126.31.71 20.190.159.23	whitelisted
go.microsoft.com	23.35.238.131 184.28.89.167	whitelisted
arc.msn.com	20.31.169.57	whitelisted
fd.api.iris.microsoft.com	20.103.156.88	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

revo-uninstaller-portable-2-4-5.zip.7z

C55DA5DB0955205756F8ABCC03EBE37A

D1C71D4EA00EFC9F433B2DD3B8ACAFF950B4D9C9

7B0A43859BBB5433EBE80C28B99E736508425E9913C8CD43F0943BC53E6ABC2D

98304:yZFM7/+pfB48aWhVWC1VA0zhDfHBmBB/mF4gPFEyv9QKHWwlvF97aHGeFYxI4e5U:wIGEdRmofi+Xi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

SUSPICIOUS

Generic archive extractor

Searches for installed software

Reads security settings of Internet Explorer

Executes as Windows Service

Starts itself from another location

Executable content was dropped or overwritten

Malware-specific behavior (creating "System.dll" in Temp)

Starts CMD.EXE for commands execution

Application launched itself

Deletes scheduled task without confirmation

Lists all scheduled tasks in specific format

Using 'findstr.exe' to search for text patterns in files and output

Checks Windows Trust Settings

Process drops legitimate windows executable

Reads the date of Windows installation

INFO

Manual execution by a user

The process uses the downloaded file

Executable content was dropped or overwritten

Checks supported languages

Reads the computer name

Process checks computer location settings

Create files in a temporary directory

The sample compiled with english language support

Reads Environment values

Manages system restore points

Reads the software policy settings

Reads the machine GUID from the registry

Checks proxy server information

Application launched itself

Write to the desktop.ini file (may be used to cloak folders)

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity