fe387f7a7d06f3a8649767ee53417ae188d5b9a1fb3db6e94df3849fa35e3cc5

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
11-06-2022 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Agent_Uninstall.exe
Size

303KB
MD5

430c0f64dcd945d415192101dc8b11cb
SHA1

c1eae7c0efa2626bbf8f778007c3105abe68f0e1
SHA256

07e989f5a298a037293487bd0d89ed4c37aa50b2b5985e6e63983f337f3aa688
SHA512

4af7a307f0d1ddff2676eeca93f456729402cc9cfe21a38a98482896c8a86b37a58716ade6e1c2568d589aa4dce70d7d279900a28b813059b9b3b17a4dd774ee

Score

10^/10

discovery evasion trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

Uninstall.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = "0" Uninstall.exe
Executes dropped EXE 2 IoCs

Processes:

Uninstall.exeUninstall.exe

pid process

3884 Uninstall.exe
4832 Uninstall.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = "0"	Uninstall.exe

pid	process
3884	Uninstall.exe
4832	Uninstall.exe

Modifies Windows Firewall 1 TTPs 21 IoCs

evasion

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
4980	netsh.exe
4944	netsh.exe
3228	netsh.exe
4244	netsh.exe
864	netsh.exe
3536	netsh.exe
736	netsh.exe
4156	netsh.exe
1872	netsh.exe
2344	netsh.exe
400	netsh.exe
3720	netsh.exe
2512	netsh.exe
5032	netsh.exe
1660	netsh.exe
640	netsh.exe
3752	netsh.exe
2240	netsh.exe
4804	netsh.exe
4268	netsh.exe
4296	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Agent_Uninstall.exeUninstall.exeUninstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Agent_Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Uninstall.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

Uninstall.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = "0" Uninstall.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = "0"	Uninstall.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

Uninstall.exe

pid	process
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe
4832	Uninstall.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Uninstall.exeUninstall.exe

description pid process

Token: SeDebugPrivilege 3884 Uninstall.exe
Token: SeDebugPrivilege 4832 Uninstall.exe

description	pid	process
Token: SeDebugPrivilege	3884	Uninstall.exe
Token: SeDebugPrivilege	4832	Uninstall.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Agent_Uninstall.exeUninstall.exeUninstall.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3328 wrote to memory of 3884	3328	Agent_Uninstall.exe	Uninstall.exe
PID 3328 wrote to memory of 3884	3328	Agent_Uninstall.exe	Uninstall.exe
PID 3884 wrote to memory of 4832	3884	Uninstall.exe	Uninstall.exe
PID 3884 wrote to memory of 4832	3884	Uninstall.exe	Uninstall.exe
PID 4832 wrote to memory of 4700	4832	Uninstall.exe	installutil.exe
PID 4832 wrote to memory of 4700	4832	Uninstall.exe	installutil.exe
PID 4832 wrote to memory of 4268	4832	Uninstall.exe	installutil.exe
PID 4832 wrote to memory of 4268	4832	Uninstall.exe	installutil.exe
PID 4832 wrote to memory of 1260	4832	Uninstall.exe	installutil.exe
PID 4832 wrote to memory of 1260	4832	Uninstall.exe	installutil.exe
PID 4832 wrote to memory of 3036	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 3036	4832	Uninstall.exe	cmd.exe
PID 3036 wrote to memory of 640	3036	cmd.exe	netsh.exe
PID 3036 wrote to memory of 640	3036	cmd.exe	netsh.exe
PID 4832 wrote to memory of 2304	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 2304	4832	Uninstall.exe	cmd.exe
PID 2304 wrote to memory of 4944	2304	cmd.exe	netsh.exe
PID 2304 wrote to memory of 4944	2304	cmd.exe	netsh.exe
PID 4832 wrote to memory of 4428	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 4428	4832	Uninstall.exe	cmd.exe
PID 4428 wrote to memory of 3752	4428	cmd.exe	netsh.exe
PID 4428 wrote to memory of 3752	4428	cmd.exe	netsh.exe
PID 4832 wrote to memory of 2160	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 2160	4832	Uninstall.exe	cmd.exe
PID 2160 wrote to memory of 2344	2160	cmd.exe	netsh.exe
PID 2160 wrote to memory of 2344	2160	cmd.exe	netsh.exe
PID 4832 wrote to memory of 3840	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 3840	4832	Uninstall.exe	cmd.exe
PID 3840 wrote to memory of 3228	3840	cmd.exe	netsh.exe
PID 3840 wrote to memory of 3228	3840	cmd.exe	netsh.exe
PID 4832 wrote to memory of 2152	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 2152	4832	Uninstall.exe	cmd.exe
PID 2152 wrote to memory of 400	2152	cmd.exe	netsh.exe
PID 2152 wrote to memory of 400	2152	cmd.exe	netsh.exe
PID 4832 wrote to memory of 656	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 656	4832	Uninstall.exe	cmd.exe
PID 656 wrote to memory of 1872	656	cmd.exe	netsh.exe
PID 656 wrote to memory of 1872	656	cmd.exe	netsh.exe
PID 4832 wrote to memory of 3780	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 3780	4832	Uninstall.exe	cmd.exe
PID 3780 wrote to memory of 4244	3780	cmd.exe	netsh.exe
PID 3780 wrote to memory of 4244	3780	cmd.exe	netsh.exe
PID 4832 wrote to memory of 732	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 732	4832	Uninstall.exe	cmd.exe
PID 732 wrote to memory of 864	732	cmd.exe	netsh.exe
PID 732 wrote to memory of 864	732	cmd.exe	netsh.exe
PID 4832 wrote to memory of 1064	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 1064	4832	Uninstall.exe	cmd.exe
PID 1064 wrote to memory of 3720	1064	cmd.exe	netsh.exe
PID 1064 wrote to memory of 3720	1064	cmd.exe	netsh.exe
PID 4832 wrote to memory of 948	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 948	4832	Uninstall.exe	cmd.exe
PID 948 wrote to memory of 2240	948	cmd.exe	netsh.exe
PID 948 wrote to memory of 2240	948	cmd.exe	netsh.exe
PID 4832 wrote to memory of 2136	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 2136	4832	Uninstall.exe	cmd.exe
PID 2136 wrote to memory of 3536	2136	cmd.exe	netsh.exe
PID 2136 wrote to memory of 3536	2136	cmd.exe	netsh.exe
PID 4832 wrote to memory of 4716	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 4716	4832	Uninstall.exe	cmd.exe
PID 4716 wrote to memory of 2512	4716	cmd.exe	netsh.exe
PID 4716 wrote to memory of 2512	4716	cmd.exe	netsh.exe
PID 4832 wrote to memory of 1368	4832	Uninstall.exe	cmd.exe
PID 4832 wrote to memory of 1368	4832	Uninstall.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Agent_Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Agent_Uninstall.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
  "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" 2
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Checks computer location settings
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe" /name=LTService /u C:\Windows\LTSvc\LTSVC.exe
      4⤵
      PID:4700
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe" /ServiceName=LTServiceMon /u C:\Windows\LTSvc\LTSVCMon.exe
      4⤵
      PID:4268
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe" /ServiceName=LTSvcMon /u C:\Windows\LTSvc\LTSVCMon.exe
      4⤵
      PID:1260
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall Delete rule name="Allow NetFasTalk"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="Allow NetFasTalk"
        5⤵
        Modifies Windows Firewall
        
        PID:640
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall Delete rule name="Allow Local VNC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="Allow Local VNC"
        5⤵
        Modifies Windows Firewall
        
        PID:4944
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall Delete rule name="Allow Local Redir"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="Allow Local Redir"
        5⤵
        Modifies Windows Firewall
        
        PID:3752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall Delete rule name="Allow Tunnel StunRelay"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="Allow Tunnel StunRelay"
        5⤵
        Modifies Windows Firewall
        
        PID:2344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall Delete rule name="Allow Tunnel"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="Allow Tunnel"
        5⤵
        Modifies Windows Firewall
        
        PID:3228
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall Delete rule name="AgentService"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="AgentService"
        5⤵
        Modifies Windows Firewall
        
        PID:400
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall Delete rule name="AgentMonitor"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:656
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="AgentMonitor"
        5⤵
        Modifies Windows Firewall
        
        PID:1872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall Delete rule name="AgentTray"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3780
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall Delete rule name="AgentTray"
        5⤵
        Modifies Windows Firewall
        
        PID:4244
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete portopening udp 42000
      4⤵
      Suspicious use of WriteProcessMemory
      PID:732
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete portopening udp 42000
        5⤵
        Modifies Windows Firewall
        
        PID:864
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete portopening udp 42001
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete portopening udp 42001
        5⤵
        Modifies Windows Firewall
        
        PID:3720
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete portopening udp 42002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete portopening udp 42002
        5⤵
        Modifies Windows Firewall
        
        PID:2240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete portopening udp 42003
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete portopening udp 42003
        5⤵
        Modifies Windows Firewall
        
        PID:3536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete portopening udp 42004
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4716
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete portopening udp 42004
        5⤵
        Modifies Windows Firewall
        
        PID:2512
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete portopening udp 162
      4⤵
      PID:1368
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete portopening udp 162
        5⤵
        Modifies Windows Firewall
        
        PID:736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete portopening tcp 4999
      4⤵
      PID:2808
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete portopening tcp 4999
        5⤵
        Modifies Windows Firewall
        
        PID:4156
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete portopening tcp 4998
      4⤵
      PID:4592
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete portopening tcp 4998
        5⤵
        Modifies Windows Firewall
        
        PID:4804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete portopening tcp 4997
      4⤵
      PID:1704
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete portopening tcp 4997
        5⤵
        Modifies Windows Firewall
        
        PID:5032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete portopening tcp 4996
      4⤵
      PID:4784
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete portopening tcp 4996
        5⤵
        Modifies Windows Firewall
        
        PID:1660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete allowedprogram C:\Windows\LTSvc\LTSVC.exe
      4⤵
      PID:552
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete allowedprogram C:\Windows\LTSvc\LTSVC.exe
        5⤵
        Modifies Windows Firewall
        
        PID:4268
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete allowedprogram C:\Windows\LTSvc\LTSVCmon.exe
      4⤵
      PID:2568
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete allowedprogram C:\Windows\LTSvc\LTSVCmon.exe
        5⤵
        Modifies Windows Firewall
        
        PID:4296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh firewall delete allowedprogram C:\Windows\LTSvc\LTTray.exe
      4⤵
      PID:4384
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall delete allowedprogram C:\Windows\LTSvc\LTTray.exe
        5⤵
        Modifies Windows Firewall
        
        PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\installutil.exe.log

Filesize
231B

MD5
a1288bcad712fdef8bae381110eb2e23

SHA1
3b1de76d54abb2174cef7cebe8ca10ddbd79b0af

SHA256
b964a2970d2e8b2a44615d57a1c7a9cb3ef1331728b573d9ddb5a71f6ef9b62c

SHA512
4ddc4d3ae73e22b4b6fa6a2925d5bd9448d48ad067a004de35785cca7940d792f2f0998157fee9a41af63a579158e68922832286904f5c62948f9dff646e0eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Uninstall.exe.log

Filesize
882B

MD5
e6cf3b69f09d7d7ef88fbb8015c87a9b

SHA1
80939f7f68cf4d5b67a44d2a496189750013b276

SHA256
48dd342c7db47fbc787613a7c5c0ee375d9a8a961d1646b5beae68482e32748e

SHA512
a51e7b6d32d4395bdd6f181f80abffa59f2902eac28af044bdb6dc7703786e45c1522ba84faaee14a0572f0e01128e69fff6481fb32d557b06c3a991a06ff0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

Filesize
145KB

MD5
18f30ab813994a3558d51f35c05f60e4

SHA1
3dcb70637aaa2d86ae0c8aa2599a84c1ca41b516

SHA256
bdf683ef579e1cd687fb913e9b21a01347bf023adc9a12f7778dd31323883f41

SHA512
6a5872f22f14ea653b0bd82673487f63de170aa0726a877f9773cfee768a861c58f3a4b64e650d46e93631ba050fa49ec45f6e3d8140bc82e98645f46efa34da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

Filesize
145KB

MD5
18f30ab813994a3558d51f35c05f60e4

SHA1
3dcb70637aaa2d86ae0c8aa2599a84c1ca41b516

SHA256
bdf683ef579e1cd687fb913e9b21a01347bf023adc9a12f7778dd31323883f41

SHA512
6a5872f22f14ea653b0bd82673487f63de170aa0726a877f9773cfee768a861c58f3a4b64e650d46e93631ba050fa49ec45f6e3d8140bc82e98645f46efa34da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

Filesize
145KB

MD5
18f30ab813994a3558d51f35c05f60e4

SHA1
3dcb70637aaa2d86ae0c8aa2599a84c1ca41b516

SHA256
bdf683ef579e1cd687fb913e9b21a01347bf023adc9a12f7778dd31323883f41

SHA512
6a5872f22f14ea653b0bd82673487f63de170aa0726a877f9773cfee768a861c58f3a4b64e650d46e93631ba050fa49ec45f6e3d8140bc82e98645f46efa34da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe.config

Filesize
225B

MD5
33fe764842364eaf5c475d826f4e63a2

SHA1
64fff09368e1449849f9238dda178ae9b88c7810

SHA256
eac45d4b2f9c25333736a9a56a398497a62f5a7d49d8ce8bc87db376f3135f56

SHA512
1ae44101add340826fb3be1c59de72bb72f19095cdd7769acddec88c5a98819bd542bd70fbab8db377367abd625c1a9cabf2eaade2c35e68a6853815ae8781aa

Download Submit
memory/400-160-0x0000000000000000-mapping.dmp

Download
memory/552-185-0x0000000000000000-mapping.dmp

Download
memory/640-150-0x0000000000000000-mapping.dmp

Download
memory/656-161-0x0000000000000000-mapping.dmp

Download
memory/732-165-0x0000000000000000-mapping.dmp

Download
memory/736-176-0x0000000000000000-mapping.dmp

Download
memory/864-166-0x0000000000000000-mapping.dmp

Download
memory/948-169-0x0000000000000000-mapping.dmp

Download
memory/1064-167-0x0000000000000000-mapping.dmp

Download
memory/1260-147-0x0000000000000000-mapping.dmp

Download
memory/1260-148-0x00007FFB88A80000-0x00007FFB894B6000-memory.dmp

Filesize
10.2MB

Download
memory/1368-175-0x0000000000000000-mapping.dmp

Download
memory/1660-184-0x0000000000000000-mapping.dmp

Download
memory/1704-181-0x0000000000000000-mapping.dmp

Download
memory/1872-162-0x0000000000000000-mapping.dmp

Download
memory/2136-171-0x0000000000000000-mapping.dmp

Download
memory/2152-159-0x0000000000000000-mapping.dmp

Download
memory/2160-155-0x0000000000000000-mapping.dmp

Download
memory/2240-170-0x0000000000000000-mapping.dmp

Download
memory/2304-151-0x0000000000000000-mapping.dmp

Download
memory/2344-156-0x0000000000000000-mapping.dmp

Download
memory/2512-174-0x0000000000000000-mapping.dmp

Download
memory/2568-187-0x0000000000000000-mapping.dmp

Download
memory/2808-177-0x0000000000000000-mapping.dmp

Download
memory/3036-149-0x0000000000000000-mapping.dmp

Download
memory/3228-158-0x0000000000000000-mapping.dmp

Download
memory/3536-172-0x0000000000000000-mapping.dmp

Download
memory/3720-168-0x0000000000000000-mapping.dmp

Download
memory/3752-154-0x0000000000000000-mapping.dmp

Download
memory/3780-163-0x0000000000000000-mapping.dmp

Download
memory/3840-157-0x0000000000000000-mapping.dmp

Download
memory/3884-140-0x00007FFB908B0000-0x00007FFB91371000-memory.dmp

Filesize
10.8MB

Download
memory/3884-134-0x0000000000E30000-0x0000000000E56000-memory.dmp

Filesize
152KB

Download
memory/3884-130-0x0000000000000000-mapping.dmp

Download
memory/3884-138-0x00007FFB908B0000-0x00007FFB91371000-memory.dmp

Filesize
10.8MB

Download
memory/4156-178-0x0000000000000000-mapping.dmp

Download
memory/4244-164-0x0000000000000000-mapping.dmp

Download
memory/4268-186-0x0000000000000000-mapping.dmp

Download
memory/4268-146-0x00007FFB88A80000-0x00007FFB894B6000-memory.dmp

Filesize
10.2MB

Download
memory/4268-144-0x0000000000000000-mapping.dmp

Download
memory/4296-188-0x0000000000000000-mapping.dmp

Download
memory/4384-189-0x0000000000000000-mapping.dmp

Download
memory/4428-153-0x0000000000000000-mapping.dmp

Download
memory/4592-179-0x0000000000000000-mapping.dmp

Download
memory/4700-141-0x0000000000000000-mapping.dmp

Download
memory/4700-143-0x00007FFB88A80000-0x00007FFB894B6000-memory.dmp

Filesize
10.2MB

Download
memory/4716-173-0x0000000000000000-mapping.dmp

Download
memory/4784-183-0x0000000000000000-mapping.dmp

Download
memory/4804-180-0x0000000000000000-mapping.dmp

Download
memory/4832-135-0x0000000000000000-mapping.dmp

Download
memory/4832-139-0x00007FFB908B0000-0x00007FFB91371000-memory.dmp

Filesize
10.8MB

Download
memory/4832-142-0x00007FFB908B0000-0x00007FFB91371000-memory.dmp

Filesize
10.8MB

Download
memory/4832-191-0x00007FFB908B0000-0x00007FFB91371000-memory.dmp

Filesize
10.8MB

Download
memory/4944-152-0x0000000000000000-mapping.dmp

Download
memory/4980-190-0x0000000000000000-mapping.dmp

Download
memory/5032-182-0x0000000000000000-mapping.dmp

Download