File name: RevoUninstaller_Portable.zip

Full analysis: https://app.any.run/tasks/8323cbd3-3dc9-492b-a4ca-9336c3aadd9e
Verdict: Malicious activity
Analysis date: January 24, 2025, 22:41:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: arch-exec, arch-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 40FAC0F5E146262081EF07DE6D4E147E
SHA1: 27CE2B17481B97465454A602BF12D29ABB4D77D0
SHA256: D78B285E2CE510DA99FB773C70193ED0AC0D4403D8C7A1AE961021B32155E94D
SSDEEP: 196608:dnmhdOAfFOGFpLBZz0EBhO+UP2spGV7eigf//We:RmhdOAfFOGFpNZHScspseoe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 3608)
    • Executing a file with an untrusted certificate

      • RevoUPort.exe (PID: 188)
      • RevoUPort.exe (PID: 5308)
      • RevoUn.exe (PID: 1804)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3608)
      • RevoUn.exe (PID: 1804)
    • Searches for installed software

      • RevoUn.exe (PID: 1804)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3608)
    • Checks supported languages

      • RevoUn.exe (PID: 1804)
      • RevoUPort.exe (PID: 188)
    • Create files in a temporary directory

      • RevoUn.exe (PID: 1804)
    • Reads the computer name

      • RevoUn.exe (PID: 1804)
    • Local mutex for internet shortcut management

      • RevoUn.exe (PID: 1804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:10:04 12:02:12
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: RevoUninstaller_Portable/
No data.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 1

Behavior graph (interactive, see the full report): winrar.exe, revouport.exe, revouport.exe, revoun.exe

Process information

PID: 188
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\RevoUPort.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\RevoUPort.exe
Parent process: WinRAR.exe
User: admin
Company: VS Revo Group
Integrity Level: HIGH
Exit code: 0
Version: 2, 0, 0, 0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3608.34944\revouninstaller_portable\revouport.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 1804
CMD: C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\x64\RevoUn.exe
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\x64\RevoUn.exe
Parent process: RevoUPort.exe
User: admin
Company: VS Revo Group
Integrity Level: HIGH
Description: Revo Uninstaller
Version: 2.5.7.0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3608.34944\revouninstaller_portable\x64\revoun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID: 3608
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\RevoUninstaller_Portable.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 5308
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\RevoUPort.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\RevoUPort.exe
Parent process: WinRAR.exe
User: admin
Company: VS Revo Group
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 2, 0, 0, 0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3608.34944\revouninstaller_portable\revouport.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 3 439
Read events: 3 431
Write events: 8
Delete events: 0

Modification events

(PID) Process: (3608) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process: (3608) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (3608) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (3608) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\RevoUninstaller_Portable.zip
(PID) Process: (3608) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (3608) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (3608) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (3608) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 3
Suspicious files: 2
Text files: 48
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\lang\czech.ini | text
MD5: EDF65AA9E3901E57E6290C53D9B18F19
SHA256: AA6B1D30A2ADC755A44122ACA13C7CA56C740C6E69F9B799EA6FD5CA7109DC4E
3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\lang\danish.ini | text
MD5: B460A1121BDB6806E308212EB9F63F8F
SHA256: 7A2F9651F01898D76E4B0AD81272D12602162AAB0AF87EB7E0294ED345C1A6B2
3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\lang\bengali.ini | text
MD5: 3D0C6A7E12CF9D492E37B231439E3F23
SHA256: 605DFB69449453C5D483F0AC7B7C69483CE012C702809E0DBA858B8B645F1261
3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\lang\albanian.ini | text
MD5: CD86D5DF4564A5D91934B3383A2B342E
SHA256: 09FE4F2A0D1D54C5D374DB235F07F06642404A630F8B981461B0F7998B7C753B
3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\lang\armenian.ini | text
MD5: C2E52ABF76949AC22C6A1065B6B31C26
SHA256: 1DA3E26753481F5B8C46D4FAE24DE4C64272B94E5F8EFBA57D023D95D45AF71C
3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\lang\azerbaijani.ini | text
MD5: 18E801F08761E514A93C053D8C32EDE6
SHA256: 124F3510C54120F22ABD6118A35F9260558973005F9F05053C4300D3235ECFCE
3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\lang\bulgarian.ini | text
MD5: 9878D084C0A72935DCDD9E4988BE4887
SHA256: 60A69BC350B5C0ABF21AB39E6671B40BDF75C3D1B06D28421EE0DA91AAE73302
3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\lang\dutch.ini | text
MD5: 4C575E945BC2A52D62E7AC07821DD647
SHA256: C8E7B65B0AF19FA198F0796A8C4F4487B163DE9909682D26EF2FF782E1E0A503
3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\lang\english.ini | text
MD5: 1651A9BF604BCF190C8340F3FAF26CED
SHA256: 4EDF9B5FBD5FBFD613E75D7D57CE6F328F7B58F65C95CCDDA6744D84B926C9AA
3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.34944\RevoUninstaller_Portable\lang\arabic.ini | text
MD5: C75676D808ED8D88ADD598CC51F79769
SHA256: D8D0C60EAD40825B14D3218AD5A17870F51D602653A397F2162F31B0150E6915
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 32
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6060 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5200 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2728 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6060 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
5200 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
6060 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4704 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6060 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6060 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6060 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.153:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
5064 | SearchApp.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.184.238 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208, 51.124.78.146 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 184.30.21.171, 95.101.149.131 | whitelisted
www.bing.com | 104.126.37.153, 104.126.37.136, 104.126.37.137, 104.126.37.139, 104.126.37.160, 104.126.37.155, 104.126.37.154, 104.126.37.146, 104.126.37.145 | whitelisted
ocsp.digicert.com | 2.17.190.73, 2.23.77.188 | whitelisted
login.live.com | 20.190.160.20, 40.126.32.140, 20.190.160.14, 20.190.160.17, 40.126.32.133, 40.126.32.138, 40.126.32.74, 40.126.32.136 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted

Threats: No threats detected

No debug info