File name: RevoUninPro.exe

Full analysis: https://app.any.run/tasks/9e9f18c9-ada3-4eb4-9340-37524f52fd2c
Verdict: Malicious activity
Analysis date: March 19, 2025, 08:26:14
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: 564ED65281196979CC0A3D00A7A9F1EB
SHA1: 090A70A19A156FBB6ADA5233C6583E4446DCB9CD
SHA256: B1A3272297AA673463AC33CCAB762F1A94C12E066A90EAE2E2AA22691324AB5C
SSDEEP: 98304:PGdDhwOLV9pBO3n1p/KVaGrhhX7sGNG9NP6qtX1wGCNjBRd/lbLKQv+qm3Yb2tgP:iO4t3OeRO+OKjkFh/kI0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • RevoUninPro.exe (PID: 2588)
      • RevoUninPro.exe (PID: 1212)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Creates files or folders in the user directory

      • RevoUninPro.exe (PID: 1212)
    • Checks supported languages

      • RevoUninPro.exe (PID: 1212)
    • Reads the computer name

      • RevoUninPro.exe (PID: 1212)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:13 06:24:43+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 8933888
InitializedDataSize: 16870912
UninitializedDataSize: -
EntryPoint: 0x509470
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.3.5.0
ProductVersionNumber: 5.3.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 5.3.5.0
ProductVersion: 5.3.5.0
CompanyName: VS Revo Group
LegalCopyright: (c) 2025 VS Revo Group Ltd. All rights reserved.
ProductName: Revo Uninstaller Pro
FileDescription: Revo Uninstaller Pro
InternalName: RevoUninPro.exe
OriginalFileName: RevoUninPro.exe
No data.
Total processes: 100
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 2

Behavior graph

start -> revouninpro.exe -> revouninpro.exe (no specs)

Process information

PID: 1212
CMD: "C:\Users\admin\Desktop\RevoUninPro.exe"
Path: C:\Users\admin\Desktop\RevoUninPro.exe
Parent process: explorer.exe
User: admin
Company: VS Revo Group
Integrity Level: HIGH
Description: Revo Uninstaller Pro
Exit code: 0
Version: 5.3.5.0
Modules
Images
c:\users\admin\desktop\revouninpro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\advapi32.dll
PID: 2588
CMD: "C:\Users\admin\Desktop\RevoUninPro.exe"
Path: C:\Users\admin\Desktop\RevoUninPro.exe
Parent process: explorer.exe
User: admin
Company: VS Revo Group
Integrity Level: MEDIUM
Description: Revo Uninstaller Pro
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 5.3.5.0
Modules
Images
c:\users\admin\desktop\revouninpro.exe
c:\windows\system32\ntdll.dll
Total events: 118
Read events: 101
Write events: 13
Delete events: 4

Modification events

Process: (1212) RevoUninPro.exe
Key: HKEY_CURRENT_USER\Software\VS Revo Group\Revo Uninstaller Pro\Uninstaller\RunCache
Operation: write
Name: Run Version
Value: 1

Process: (1212) RevoUninPro.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: BC040000CA634E9EA898DB01

Process: (1212) RevoUninPro.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: A683EBD331A14EC12F6D69FD024BF489D5064F4258286E449F08E36F3F9580D2

Process: (1212) RevoUninPro.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

Process: (1212) RevoUninPro.exe
Key: HKEY_CURRENT_USER\Software\VS Revo Group\Revo Uninstaller Pro\General
Operation: write
Name: Log Level
Value: 1

Process: (1212) RevoUninPro.exe
Key: HKEY_CURRENT_USER\Software\VS Revo Group\Revo Uninstaller Pro\General
Operation: write
Name: Language file
Value: english.ini

Process: (1212) RevoUninPro.exe
Key: HKEY_CURRENT_USER\Software\VS Revo Group\Revo Uninstaller Pro\General
Operation: write
Name: WebLang
Value: ENG

Process: (1212) RevoUninPro.exe
Key: HKEY_CURRENT_USER\Software\VS Revo Group\Revo Uninstaller Pro\View
Operation: write
Name: Show Startup Splash
Value: 1

Process: (1212) RevoUninPro.exe
Key: HKEY_CURRENT_USER\Software\VS Revo Group\Revo Uninstaller Pro\General
Operation: write
Name: VFR
Value: 0

Process: (1212) RevoUninPro.exe
Key: HKEY_CURRENT_USER\Software\VS Revo Group\Revo Uninstaller Pro\RUExt
Operation: write
Name: in
Value: Install the selected program with Revo Uninstaller Pro
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1212 | RevoUninPro.exe | C:\Users\admin\AppData\Local\VS Revo Group\Revo Uninstaller Pro\logFile.vslog | text
MD5: 8F21A9E61FBB93FDB11109D932D1A493
SHA256: 06BF198A24BDB1B26B49EE2DBA30CB22BF78529600C575E791657EBEF2D8A4CB
HTTP(S) requests: 15
TCP/UDP connections: 20
DNS requests: 9
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 88.221.110.216:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | - | - | whitelisted
4432 | MoUsoCoreWorker.exe | GET | 200 | 217.20.57.20:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?542f8fdeec82186f | unknown | - | - | whitelisted
- | - | HEAD | 200 | 23.199.214.10:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | - | - | -
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e938189df1ea2ab1 | unknown | - | - | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?01658cdb802755c3 | unknown | - | - | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a8c6c6b5c44ac3f8 | unknown | - | - | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?85bdfca370ee5867 | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.159.73:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 88.221.110.216:80 | - | Akamai International B.V. | DE | unknown
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4432 | MoUsoCoreWorker.exe | 217.20.57.20:80 | ctldl.windowsupdate.com | - | US | whitelisted
- | - | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3640 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2776 | svchost.exe | 20.42.65.85:443 | v10.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
868 | smartscreen.exe | 172.211.159.152:443 | checkappexec.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3424 | svchost.exe | 23.199.214.10:443 | fs.microsoft.com | AKAMAI-AS | DE | whitelisted
2768 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 217.20.57.20
  • 84.201.210.23
  • 217.20.57.19
  • 217.20.57.35
  • 84.201.210.39
  • 217.20.57.34
  • 217.20.57.36
  • 199.232.214.172
  • 199.232.210.172
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.138
  • 20.190.160.14
  • 20.190.160.131
  • 20.190.160.128
  • 40.126.32.133
  • 40.126.32.76
  • 40.126.32.74
whitelisted
v10.events.data.microsoft.com
  • 20.42.65.85
whitelisted
checkappexec.microsoft.com
  • 172.211.159.152
whitelisted
fs.microsoft.com
  • 23.199.214.10
whitelisted
self.events.data.microsoft.com
  • 13.78.111.198
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Microsoft Connection Test
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
No debug info