| File name: | revosetup.exe |
| Full analysis: | https://app.any.run/tasks/5c0b24a3-f3f7-449d-984c-645c5d779db6 |
| Verdict: | Malicious activity |
| Analysis date: | May 01, 2024, 23:17:04 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 63150C4846BFBCF27FA70CCAA8A01943 |
| SHA1: | BFE32DCC00B041E0007A883AF1588F354BB9F032 |
| SHA256: | A05ACC9172E98EC6A6A7F923F5C648CC7A7C4E02BBCAAA5A6D9663229E662C24 |
| SSDEEP: | 98304:MPyYn2kIIR7ABl27MwarecfhZzwStzDtAVl3gaSZmg4MPyDv0bSpkmmf6osFQaic:q7Vty27MJzw6z8X4mgJSyNyos6ac4l1 |
MALICIOUS
Drops the executable file immediately after the start
- revosetup.exe (PID: 3968)
- revosetup.exe (PID: 752)
- revosetup.tmp (PID: 1136)
- unins000.exe (PID: 1432)
Actions looks like stealing of personal data
- _iu14D2N.tmp (PID: 1132)
- RevoUnin.exe (PID: 2316)
SUSPICIOUS
Executable content was dropped or overwritten
- revosetup.exe (PID: 3968)
- revosetup.exe (PID: 752)
- revosetup.tmp (PID: 1136)
- unins000.exe (PID: 1432)
Reads the Windows owner or organization settings
- revosetup.tmp (PID: 1136)
- _iu14D2N.tmp (PID: 1132)
Reads the Internet Settings
- revosetup.tmp (PID: 1136)
- _iu14D2N.tmp (PID: 1132)
- RevoUnin.exe (PID: 2316)
Searches for installed software
- RevoUnin.exe (PID: 2316)
- dllhost.exe (PID: 4056)
Executes as Windows Service
- VSSVC.exe (PID: 3476)
Starts itself from another location
- unins000.exe (PID: 1432)
Starts application with an unusual extension
- unins000.exe (PID: 1432)
Reads security settings of Internet Explorer
- _iu14D2N.tmp (PID: 1132)
Uses TASKKILL.EXE to kill process
- _iu14D2N.tmp (PID: 1132)
Reads the date of Windows installation
- _iu14D2N.tmp (PID: 1132)
INFO
Create files in a temporary directory
- revosetup.exe (PID: 3968)
- revosetup.exe (PID: 752)
- revosetup.tmp (PID: 1136)
- unins000.exe (PID: 1432)
Reads the computer name
- revosetup.tmp (PID: 4016)
- revosetup.tmp (PID: 1136)
- RevoUnin.exe (PID: 2316)
- wmpnscfg.exe (PID: 2812)
- _iu14D2N.tmp (PID: 1132)
Checks supported languages
- revosetup.tmp (PID: 4016)
- revosetup.exe (PID: 3968)
- revosetup.exe (PID: 752)
- revosetup.tmp (PID: 1136)
- RevoUnin.exe (PID: 2316)
- wmpnscfg.exe (PID: 2812)
- unins000.exe (PID: 1432)
- _iu14D2N.tmp (PID: 1132)
Creates files in the program directory
- revosetup.tmp (PID: 1136)
Creates a software uninstall entry
- revosetup.tmp (PID: 1136)
Reads the machine GUID from the registry
- RevoUnin.exe (PID: 2316)
Application launched itself
- msedge.exe (PID: 1580)
- msedge.exe (PID: 2364)
- msedge.exe (PID: 1580)
Manual execution by a user
- wmpnscfg.exe (PID: 2812)
- msedge.exe (PID: 2364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable Delphi generic (57.2) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (18.2) |
| .exe | | | Win16/32 Executable Delphi generic (8.3) |
| .exe | | | Generic Win/DOS Executable (8) |
| .exe | | | DOS Executable Generic (8) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:06:14 13:27:46+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 66560 |
| InitializedDataSize: | 198656 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1181c |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.4.5.0 |
| ProductVersionNumber: | 2.4.5.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | VS Revo Group |
| FileDescription: | Revo Uninstaller |
| FileVersion: | 2.4.5.0 |
| LegalCopyright: | VS Revo Group, Ltd. |
| ProductName: | Revo Uninstaller |
| ProductVersion: | 2.4.5 |
Total processes
80
Monitored processes
38
Malicious processes
8
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 580 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1240 --field-trial-handle=1248,i,8517191030004466643,17975141785101464998,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 664 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1620 --field-trial-handle=1352,i,15332757413744069284,15566109975014068521,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 752 | "C:\Users\admin\Desktop\revosetup.exe" /SPAWNWND=$1013A /NOTIFYWND=$3012C | C:\Users\admin\Desktop\revosetup.exe | revosetup.tmp | ||||||||||||
User: admin Company: VS Revo Group Integrity Level: HIGH Description: Revo Uninstaller Exit code: 0 Version: 2.4.5.0 Modules
| |||||||||||||||
| 1132 | "C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\Microsoft\Skype for Desktop\unins000.exe" /FIRSTPHASEWND=$10280 | C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp | unins000.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 1136 | "C:\Users\admin\AppData\Local\Temp\is-0RBLG.tmp\revosetup.tmp" /SL5="$2013C,6355320,266240,C:\Users\admin\Desktop\revosetup.exe" /SPAWNWND=$1013A /NOTIFYWND=$3012C | C:\Users\admin\AppData\Local\Temp\is-0RBLG.tmp\revosetup.tmp | revosetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 1368 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6e05f598,0x6e05f5a8,0x6e05f5b4 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1432 | "C:\Program Files\Microsoft\Skype for Desktop\unins000.exe" | C:\Program Files\Microsoft\Skype for Desktop\unins000.exe | RevoUnin.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 1480 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1436 --field-trial-handle=1352,i,15332757413744069284,15566109975014068521,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1548 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1248,i,8517191030004466643,17975141785101464998,131072 /prefetch:3 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1552 | "C:\Windows\System32\taskkill.exe" /f /im Skype.exe | C:\Windows\System32\taskkill.exe | — | _iu14D2N.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
30 601
Read events
30 074
Write events
482
Delete events
45
Modification events
| (PID) Process: | (1136) revosetup.tmp | Key: | HKEY_CURRENT_USER\Software\VS Revo Group\Revo Uninstaller\General |
| Operation: | write | Name: | WebLang |
Value: ENG | |||
| (PID) Process: | (1136) revosetup.tmp | Key: | HKEY_CURRENT_USER\Software\VS Revo Group\Revo Uninstaller\General |
| Operation: | write | Name: | Language file |
Value: english.ini | |||
| (PID) Process: | (1136) revosetup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 5.6.1 (u) | |||
| (PID) Process: | (1136) revosetup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Program Files\VS Revo Group\Revo Uninstaller | |||
| (PID) Process: | (1136) revosetup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Program Files\VS Revo Group\Revo Uninstaller\ | |||
| (PID) Process: | (1136) revosetup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: Revo Uninstaller | |||
| (PID) Process: | (1136) revosetup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
| (PID) Process: | (1136) revosetup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1 |
| Operation: | write | Name: | Inno Setup: Selected Tasks |
Value: desktopicon | |||
| (PID) Process: | (1136) revosetup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1 |
| Operation: | write | Name: | Inno Setup: Deselected Tasks |
Value: | |||
| (PID) Process: | (1136) revosetup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1 |
| Operation: | write | Name: | Inno Setup: Language |
Value: ENG | |||
Executable files
9
Suspicious files
109
Text files
141
Unknown types
69
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3968 | revosetup.exe | C:\Users\admin\AppData\Local\Temp\is-520E2.tmp\revosetup.tmp | executable | |
MD5:7B77E7C3EBD213D95C4D909716F10030 | SHA256:A1BAB1631135A982DFEC6024B1EF8EB1EA2BCE519CD832D9151E95E8DEF916D2 | |||
| 1136 | revosetup.tmp | C:\Program Files\VS Revo Group\Revo Uninstaller\lang\armenian.ini | text | |
MD5:C2E52ABF76949AC22C6A1065B6B31C26 | SHA256:1DA3E26753481F5B8C46D4FAE24DE4C64272B94E5F8EFBA57D023D95D45AF71C | |||
| 1136 | revosetup.tmp | C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.exe | executable | |
MD5:7B77E7C3EBD213D95C4D909716F10030 | SHA256:A1BAB1631135A982DFEC6024B1EF8EB1EA2BCE519CD832D9151E95E8DEF916D2 | |||
| 1136 | revosetup.tmp | C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-KK7J4.tmp | text | |
MD5:2952EBFB627A4E0ECA6AE36179FB77E8 | SHA256:104F10070994CA92176913A71726590DF2487BA756512CE6B3ABAA50CED8679B | |||
| 1136 | revosetup.tmp | C:\Program Files\VS Revo Group\Revo Uninstaller\lang\bulgarian.ini | text | |
MD5:29C6FA77CAFF22CEBEF89FE7CBB7E564 | SHA256:8AD919E2DF77256C9DE97E5AB3BCB62669517360051E1F8C3444D2BDCDC9E824 | |||
| 1136 | revosetup.tmp | C:\Program Files\VS Revo Group\Revo Uninstaller\lang\arabic.ini | text | |
MD5:C75676D808ED8D88ADD598CC51F79769 | SHA256:D8D0C60EAD40825B14D3218AD5A17870F51D602653A397F2162F31B0150E6915 | |||
| 1136 | revosetup.tmp | C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-8DAPJ.tmp | text | |
MD5:C2E52ABF76949AC22C6A1065B6B31C26 | SHA256:1DA3E26753481F5B8C46D4FAE24DE4C64272B94E5F8EFBA57D023D95D45AF71C | |||
| 1136 | revosetup.tmp | C:\Program Files\VS Revo Group\Revo Uninstaller\is-3PQAA.tmp | executable | |
MD5:7B77E7C3EBD213D95C4D909716F10030 | SHA256:A1BAB1631135A982DFEC6024B1EF8EB1EA2BCE519CD832D9151E95E8DEF916D2 | |||
| 1136 | revosetup.tmp | C:\Program Files\VS Revo Group\Revo Uninstaller\lang\albanian.ini | text | |
MD5:CD86D5DF4564A5D91934B3383A2B342E | SHA256:09FE4F2A0D1D54C5D374DB235F07F06642404A630F8B981461B0F7998B7C753B | |||
| 1136 | revosetup.tmp | C:\Program Files\VS Revo Group\Revo Uninstaller\lang\azerbaijani.ini | text | |
MD5:2952EBFB627A4E0ECA6AE36179FB77E8 | SHA256:104F10070994CA92176913A71726590DF2487BA756512CE6B3ABAA50CED8679B | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
75
DNS requests
98
Threats
4
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2620 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2364 | msedge.exe | 239.255.255.250:1900 | — | — | — | unknown |
2620 | msedge.exe | 146.20.152.114:443 | www.revouninstaller.com | RACKSPACE | US | unknown |
2620 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2620 | msedge.exe | 172.217.16.195:443 | fonts.gstatic.com | GOOGLE | US | whitelisted |
2620 | msedge.exe | 104.18.10.207:443 | stackpath.bootstrapcdn.com | CLOUDFLARENET | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.edge.skype.com |
| whitelisted |
www.revouninstaller.com |
| unknown |
edge.microsoft.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
stackpath.bootstrapcdn.com |
| whitelisted |
ajax.googleapis.com |
| whitelisted |
cdn.jsdelivr.net |
| whitelisted |
static.zdassets.com |
| whitelisted |
widget.trustpilot.com |
| shared |
f057a20f961f56a72089-b74530d2d26278124f446233f95622ef.ssl.cf1.rackcdn.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2620 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] A free CDN for open source projects (jsdelivr .net) |
2620 | msedge.exe | Misc activity | ET INFO MailJet URL Shortening Service Domain in DNS Lookup (mjt .lu) |
2620 | msedge.exe | Misc activity | ET INFO MailJet URL Shortening Service Domain in DNS Lookup (mjt .lu) |
2620 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL) |
Process | Message |
|---|---|
msedge.exe | [0502/001958.745:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8)
|