File name: RevoUninstaller_Portable (1).zip

Full analysis: https://app.any.run/tasks/8ee52dfd-1aa9-43dd-b6a1-fe2c4125302a
Verdict: Malicious activity
Analysis date: April 19, 2024, 11:15:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 5178AEBA4F6DF6D3286DB3279EA5EA42
SHA1: 2AE1E2B7715EE5558CAC80118A8BEF638348055D
SHA256: FD8B2FB37D0F146FEF98DD7B6079FE40A4E04879E247F4A37EF12443CCF6C2B3
SSDEEP: 196608:+CIWZpaF8TmKnviC6c8OVET4H8odWAPmBzaUZuTE4j6p+:BprnviCVLV24HBd+Bzyj6p+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3768)
      • uninstall.exe (PID: 980)
      • Un_A.exe (PID: 1340)
    • Actions look like stealing of personal data

      • RevoUn.exe (PID: 2880)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3768)
    • Searches for installed software

      • RevoUn.exe (PID: 2880)
      • dllhost.exe (PID: 3612)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3592)
    • Executable content was dropped or overwritten

      • uninstall.exe (PID: 980)
      • Un_A.exe (PID: 1340)
    • Starts itself from another location

      • uninstall.exe (PID: 980)
    • Creates file in the system drive root

      • AcroRd32.exe (PID: 3348)
    • The process creates files with name similar to system file names

      • Un_A.exe (PID: 1340)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Un_A.exe (PID: 1340)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3768)
    • Checks supported languages

      • RevoUPort.exe (PID: 3472)
      • RevoUn.exe (PID: 2880)
      • uninstall.exe (PID: 980)
      • Un_A.exe (PID: 1340)
    • Creates files in a temporary directory

      • RevoUn.exe (PID: 2880)
      • uninstall.exe (PID: 980)
      • Un_A.exe (PID: 1340)
    • Reads the computer name

      • RevoUn.exe (PID: 2880)
      • uninstall.exe (PID: 980)
      • Un_A.exe (PID: 1340)
    • Reads the machine GUID from the registry

      • RevoUn.exe (PID: 2880)
    • Application launched itself

      • AcroRd32.exe (PID: 3568)
      • RdrCEF.exe (PID: 3976)
    • Reads Microsoft Office registry keys

      • AcroRd32.exe (PID: 3348)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:06:05 08:37:20
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: RevoUninstaller_Portable/
No data.
All screenshots are available in the full report
Total processes: 55
Monitored processes: 17
Malicious processes: 6
Suspicious processes: 0

Behavior graph

start winrar.exe revouport.exe no specs revouport.exe revoun.exe vssvc.exe no specs SPPSurrogate no specs uninstall.exe un_a.exe acrord32.exe no specs acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs

Process information

PID | CMD | Path | Parent process
980 | "C:\Program Files\FileZilla FTP Client\uninstall.exe" | C:\Program Files\FileZilla FTP Client\uninstall.exe | RevoUn.exe
User: admin
Company: Tim Kosse
Integrity Level: HIGH
Description: FileZilla FTP Client
Exit code: 0
Version: 3.65.0
Modules
Images
c:\program files\filezilla ftp client\uninstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
1340 | "C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Program Files\FileZilla FTP Client\ | C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | uninstall.exe
User: admin
Company: Tim Kosse
Integrity Level: HIGH
Description: FileZilla FTP Client
Exit code: 0
Version: 3.65.0
Modules
Images
c:\users\admin\appdata\local\temp\~nsua.tmp\un_a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
1388 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1192,8616878794216911130,15951319002936007925,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3700187326105810158 --renderer-client-id=2 --mojo-platform-channel-handle=1200 --allow-no-sandbox-job /prefetch:1 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Version: 20.13.20064.405839
1696 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1192,8616878794216911130,15951319002936007925,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=10446997704203319307 --mojo-platform-channel-handle=1392 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 1
Version: 20.13.20064.405839
1880 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1192,8616878794216911130,15951319002936007925,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=2948035190915776681 --mojo-platform-channel-handle=1236 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 1
Version: 20.13.20064.405839
2440 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1192,8616878794216911130,15951319002936007925,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=14615971174450497506 --mojo-platform-channel-handle=1468 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 1
Version: 20.13.20064.405839
2624 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1192,8616878794216911130,15951319002936007925,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3443009867929001587 --renderer-client-id=7 --mojo-platform-channel-handle=1408 --allow-no-sandbox-job /prefetch:1 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Version: 20.13.20064.405839
2880 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\x86\RevoUn.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\x86\RevoUn.exe | RevoUPort.exe
User: admin
Company: VS Revo Group
Integrity Level: HIGH
Description: Revo Uninstaller
Version: 2.4.5.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3768.14971\revouninstaller_portable\x86\revoun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3348 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\Rar$DIa3768.19474\Revo Uninstaller Help.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe Acrobat Reader DC
Version: 20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3472 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\RevoUPort.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\RevoUPort.exe | WinRAR.exe
User: admin
Company: VS Revo Group
Integrity Level: HIGH
Exit code: 0
Version: 2, 0, 0, 0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3768.14971\revouninstaller_portable\revouport.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events: 27 311
Read events: 27 061
Write events: 224
Delete events: 26

Modification events

(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value:
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value:
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\RevoUninstaller_Portable (1).zip
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files: 8
Suspicious files: 2
Text files: 48
Unknown types: 6

Dropped files

PID | Process | Filename | Type
3768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\lang\albanian.ini | text
MD5: CD86D5DF4564A5D91934B3383A2B342E
SHA256: 09FE4F2A0D1D54C5D374DB235F07F06642404A630F8B981461B0F7998B7C753B
3768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\lang\georgian.ini | text
MD5: 198F4E61DFCEF0808B8EDE2ACBC2B5A0
SHA256: A37876448B2EA24F5FBF964130485BC7A5B7669D6FA5D1DFEFEBE98EA3A967F2
3768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\lang\hrvatski.ini | text
MD5: FEB1E88105E492FCBDD1D6DB74E0E1EA
SHA256: 7FD712396D175D5FC694D78FDBD5149C955944E7B343143B5215EC6305FA0B71
3768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\lang\hebrew.ini | text
MD5: 9D97E4DA88F7417381E9271B2A5FACC0
SHA256: 6AFA576FEADAF7AABE5FC735155523ED724ABC7871A899FBCA7A3F5AA1CFB8A8
3768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\lang\finnish.ini | text
MD5: A3D974340201C1D00AF3A87F4D3DA6DC
SHA256: FEDCC719AC22D45A77F117372E0E124AA0EDE73DFC0768E7CDF7420539140731
3768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\lang\hindi.ini | text
MD5: B60047B3D741996398758836EF7C27B5
SHA256: 79575B64A5B2A340D0BB5E9C0499FC47EE704748B182374EB1A916CC448704F3
3768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\lang\german.ini | text
MD5: 00155578B98E07FC6288870E2AECCA68
SHA256: 8CEF19D9D89BE0528643C45647085A85B136DF74987F7D25483732D431C70D12
3768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\lang\gujarati.ini | text
MD5: A6A6DB6E56550D0B4CF20C1786C7CB63
SHA256: CB52898DE275EFDECA666D5DC8B6CA70CE272D5903F54CFA675EC4A60A17E59F
3768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\lang\hellenic.ini | text
MD5: 2750A46C066CE37250BE338D2D4B2C28
SHA256: 1FBFEE3E9FB3D7E4BAC9AB89C49B25B1D93D65389A1DB3D9276C0B8C1A9C363B
3768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3768.14971\RevoUninstaller_Portable\lang\dutch.ini | text
MD5: 484AAB4E4A291B4C2F2D1718B3754D2B
SHA256: 7A47C9E44EF1E4CE0D5FC678DDF505D8213995E55599D7F4779E10462C002880
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info