Analysis
-
max time kernel
322s -
max time network
328s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-es -
resource tags
-
submitted
03-06-2024 20:52
General
-
Target
uninstalltool_setup.exe
-
Size
5.7MB
-
MD5
7d4f589a7b7dc55150cde8e18e3df933
-
SHA1
b95891832dda69bc73e2e1808750390747cc8b0d
-
SHA256
8c893f0e38cfb93272f59f03a4beed05182bcb48ab3454531bfc24dde2110294
-
SHA512
2069f3d827f93f85bdfe36adb04592ba72792874101d89c7a46b159fea082a86183392cef5d8796cb879036c03a8f80be0bc02a8101540ce559ac5f6c6cc12e3
-
SSDEEP
98304:WkL6bnCk9uJ5ODZXADAO0RVZ/jse+OLZVCY5gt7eligWCkT+TBwclvu:h29lDZXRjjse++ZVCY5gtKla0u
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 1 IoCs
-
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 52 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 1 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 37 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 53 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe"C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-9LUUR.tmp\uninstalltool_setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-9LUUR.tmp\uninstalltool_setup.tmp" /SL5="$501EA,4976488,845824,C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe"3⤵
- Checks computer location settings
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Uninstall Tool\PinToTaskbar.exe"C:\Program Files\Uninstall Tool\PinToTaskbar.exe" /pin UninstallTool.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Uninstall Tool\UninstallTool.exe"C:\Program Files\Uninstall Tool\UninstallTool.exe" /init4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Uninstall Tool\UninstallTool.exe"C:\Program Files\Uninstall Tool\UninstallTool.exe" /add_control_panel_icon4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Uninstall Tool\UninstallTool.exe"C:\Program Files\Uninstall Tool\UninstallTool.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Uninstall Tool\UninstallToolHelper.exe"C:\Program Files\Uninstall Tool\UninstallToolHelper.exe" /pid:13565⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --uninstall --msedge --system-level --verbose-logging5⤵
- Installs/modifies Browser Helper Object
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7bd365460,0x7ff7bd365470,0x7ff7bd3654806⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --suspend-background-mode6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98e0b46f8,0x7ff98e0b4708,0x7ff98e0b47187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,8970432729727591220,11803862547666209627,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:37⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --uninstall6⤵
- Drops desktop.ini file(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98e0b46f8,0x7ff98e0b4708,0x7ff98e0b47187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,8487003305290307644,8230460717487753647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:27⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,8487003305290307644,8230460717487753647,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2556 /prefetch:37⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4348" "1784" "1916" "1776" "0" "0" "0" "0" "0" "0" "0" "0"6⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://go.microsoft.com/fwlink/?linkid=2108824&hl=en&version=92.0.902.67&osVer=10.0.19041&ch=stable&deviceId=s:BDF5855B-F9B9-46CD-9F55-846E220B55F31⤵
- Process spawned unexpected child process
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\winver.exe"C:\Windows\System32\winver.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Browser Extensions
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Uninstall Tool\PinToTaskbar.exeFilesize
386KB
MD54de7220115fe537eaf6c5776e83f0064
SHA1e81a7feab77203266a8afb379ff93025c923f28b
SHA256e87288744cc29c5ab81d9c3fa78653cacd87bc74bf5a3abc4f38afcd6a1a5c16
SHA512b33113314636a491c35dea215c3cd75f74797223d5b6b7ca88b790b9ddc9969c8759b61e354e753db2476dd65953664cf321940be811c6c9fc01391f0490c02f
-
C:\Program Files\Uninstall Tool\PinToTaskbarHelper.dllFilesize
366KB
MD54c415adb0750fe1e1d2f52c3902274c0
SHA1001fc6dc3706f1596295e4e7a4eabb5a407dab52
SHA2567d0a990c0b976ff4d99abfa935eadebcece34e7d4e711ed86066ab7845d6a417
SHA512aaecb72a0ec6e28336bcf5cf83d8ff0e220302c76df2715186b7fd25891662588f27215b7043613472ed747908eec9169b51c035b1e069b2c2a95c999cbf8dab
-
C:\Program Files\Uninstall Tool\UninstallTool.exeFilesize
5.6MB
MD53314588abbe3e7e976ca664886e691b8
SHA191ab07ccf95e087c3878c3e2d93941e561ed979a
SHA2566095e41aed91326a12acd02ae988711befd3e3ad2d280ca5d0c2647cb0f781f1
SHA51277fbc216f0c6633f39ba6e0490358276e977e7dc981e7f164328a92f5a014d90b1aaf41819519bd3313b8ddfded4b98c069eaae15f2057e5f42d8177facc700f
-
C:\Program Files\Uninstall Tool\UninstallToolHelper.exeFilesize
463KB
MD5d82e0a3786dba17f88929d11d6b00b96
SHA1098f9b676677dc3a30530ad5254b7fb41e1391d9
SHA256ba8d7b5662f85aa901fd6bcf86fc5989013577b18c81a91bffc1211fec31d6c8
SHA5124df64c5f421103fabf156342d41ff2cece82ce6b7015c454ac78680611d4ab64788c7ed50b0505edcd4cc704fdbe3c118370464c476f8047bd0e022ddbc3424d
-
C:\Program Files\Uninstall Tool\languages\Spanish.xmlFilesize
43KB
MD5bfdcc2642f4f94e88f01440ee8e14fdf
SHA1722ffabab693a4fc036d3d8e1778cd3e7b443a58
SHA2563b4a6bfe05cd703ab3c57a7ee3f656779dc35d691f023d5f19aea96eac563cba
SHA512f7870a6935de59d9c9a8f7db6e854302e2823e77e561dc225689fb518296eb0443142fe907804d72da9db1ada9747a6821fbc7aed11fa25e1f9a25640fe8fa36
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uninstall Tool\Uninstall Tool en la Web.lnkFilesize
651B
MD5342c1625bb428a11c97ae14501f5ee7b
SHA15a3642de1164bdc141c66ba9d56ac594d267f62f
SHA256becb9a8d5a5d5150550cb2461bb0429838406576e710b21dc94388c9239e7161
SHA5127cd9f7069afe26b3ad864ac48c52a9547ecacf301d51961f6b2a63177dafb849c097f1600f7942499f150e91ede9c2715a77c76d4408e63587cd2eca4f770820
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uninstall Tool\Uninstall Tool.lnkFilesize
945B
MD5d668d187f97cd6c11a575f9046ed9e2b
SHA168467c9c684fdf8969ab4e4e532f10e1779e5c5c
SHA2562f6b3a74d98e3f109b3ab89e476cbe31bf46335e5c5acc6f67fc05719eac7ce6
SHA51286bb08dfd4a3701dd7ff6adeadde90a14fb06f6831380bf88c73b9317f47cd8318e32093710d93f42d9f04380878f90e6de42eccf67ca4f3475f1acefef63abf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD52d0934c52eab20bc6784a7e39d0ca3e4
SHA14dc6bf36163aea8e77e40742d6f83fe0734069eb
SHA25699a91201c4f3eec07e3bde7f4cfcd57efc15a4f6fa366f2ef0653755cff4aaa0
SHA512b9023772cef77f06a6d4da29704486066465cc9ac8a1ae8f83e47dd222ceeb79b62b6557e9ac8ee3b59bb87b5eda680b7045a12f5a23cbbdf54cb9467793e703
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0Filesize
44KB
MD5fe517b33d606ef477b5041ba650fe300
SHA10584a71c5536186538d74c5d89cfc39705977ed2
SHA256b41443dfa6efcc0fb0a01af1b64606fc11d2e5194b98cc4839316fc02f8ce397
SHA51268e89d71f1f2ab2cb13ede6792dab36bfaf19b31fa0cd5ddc33e7792177d43378aee38a21adbd9ffbd293ba775e325fecbdfa9f5033a75ef12ae491ae6ae4816
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD5fcca68aeae4b7cfef4c4bc8d125d1def
SHA1b9178e20c13bdf1fa784a65bce96e8d28944e122
SHA256a4784a224e376cbfb2cd192cd4b2ac5f8b5691164cf9350a33102ba73581370d
SHA51293e04a1a450aeb217608a8355e18e11db419db674a9bffa4a6f26f310ff305d2b64bb76e3dade9ead42f281bb60000e5d696970325d6e309adb00d310b180c51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3Filesize
4.0MB
MD5fb8a025f831cda6c6b4d4f6055addeee
SHA17594f72e56bb98c8f9d76d0ec81983589223a2b9
SHA25697489aeefb4699c5894279aa480284457656d367e88f79f80661adc9d8856d5c
SHA5124d8ad8c102979a93f47b577485985556c9aa0d4ad60108aeb0006f46bb54a5708ceaa78ab6a91dc3cef395a57f326ed7cc91781f65f766c4d4e25d1429263b89
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD543c26221cf932d9c6c5d44f31a790dfb
SHA19f3c05202b891fabb6559afceacd9784e975eb67
SHA25677d745789ea26749ba57ff3c2a3e3de5ac2728f50157ab8bb9d1069cc1721779
SHA5129adffef927dec3495ea888af473a7980fdf7f8a05a96d7f366745f6b0c68fcc8b7afdba60228a09de57d140e134c2a27bd0e7ba93bb1fc642131e3c4997cbafa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD522e10dc1ae10bd4a96e750d631b458b2
SHA1cc9b7d9c4fb0dc2fe914dc0aae4fca3cc4f662d1
SHA256ccef1ccb473fe56b1327c2d58a5f46e9468f31803f4078021ea1bd2027928881
SHA5120a7823eca5750a87bcb92feb2ce95cdf32e3fdc703c8a21d6ebc2c74a40ee55dc507c66acde5200e32397c302818a425318da60461658d3c7a22364cdece7d8f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\vfj1rcp\imagestore.datFilesize
7KB
MD5dacd642b87d0bf9415d03b09610e8313
SHA129635b77ba1004ff9c675bc62923aac8cd65a4eb
SHA2567c7fd5a2dcbbde8c0dc437f4ad8d32bdcc73fd96344d8c28c2c6805e2f5861c7
SHA512a28d4354db3c3dcd12e9420463abbad15141be398ba7494f6d30440c54ed6fe01d294e50f0eda64c54fbaddde87ed417bed51a78f61c162498d21b71fe5adab5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\favicon[1].pngFilesize
7KB
MD59e3fe8db4c9f34d785a3064c7123a480
SHA10f77f9aa982c19665c642fa9b56b9b20c44983b6
SHA2564d755ac02a070a1b4bb1b6f1c88ab493440109a8ac1e314aaced92f94cdc98e9
SHA51220d8b416bd34f3d80a77305c6fcd597e9c2d92ab1db3f46ec5ac84f5cc6fb55dfcdccd03ffdc5d5de146d0add6d19064662ac3c83a852f3be8b8f650998828d1
-
C:\Users\Admin\AppData\Local\Temp\is-9LUUR.tmp\uninstalltool_setup.tmpFilesize
3.1MB
MD58e4b564a1579bec2d4f03f94d981f924
SHA12b792ecb1fce6782fb0ec0bd62a965ba4e1283cd
SHA2565e0ef33c16483b7190ea6c2b404d113d17882364a8cda97ff6bbc74b7f36ddcc
SHA5121885188de54488cdb2dc48afd738c6a86a69817ee408ce04b8c4680c491501b6ea92d1d6810ae434116ef0cf1faeeb9ee9a798fda049e7390cabd5e23e78f6e1
-
C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\CachedData.datFilesize
2KB
MD5d2b803ba1f20c0a301176352e8b5c15c
SHA16c6549bc6feb31d98c465a9252ec7812a7bbba02
SHA256e7ce3ef3ca7c06ebe2edc95e52d7bf534f66489e02b7ceff08cfcfe6277cf1bb
SHA512c4fbe40fdfe099695279e7f3b19a52b5c84e0d5d7228bf6c208690fd6bcbdf659287ecbc94e029e69be5702d87cb2ac067fb5e96f599a5bb627f56f465747a0f
-
C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\preferences.xmlFilesize
1KB
MD5db45b805c2f16a090f219e13af6c4d98
SHA126cb55a5da0983e126c5a741d9e51825e79f5e3f
SHA25668fe6b2b09d4eed353a5e3a9dab28f902a0639dd1a2f8493f96c897de6968e07
SHA512f0a22c192085ed50322e977284996798e0cd44446f97a692030617b627592bc7a1555d6848525016b23b064b1d86d77acfe0a442986d680ab4660e49eaf4f305
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Tombstones\Microsoft Edge.lnkFilesize
2KB
MD51f056047c6ce684570b26e2ebd66f0de
SHA116362ee6fedb87809cbd5820b8ee65c3f2f7dcae
SHA256e5befc90a29245efb8a3cfce8b24821d814481c8e3877b53e252004c82490d5d
SHA512416e0ba6e3b70d098753dce3b41ae4ebf7b503d185215074e753045c578e3eb27da9557c160b327157e947bc0dea9ecb227072f668f1958bb65033179ddc2eaa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Uninstall Tool.lnkFilesize
1KB
MD5981108abd3203127142858895e0033ec
SHA12059b55da5e7dbd804edb28a417563918a84579c
SHA25650d3fd94b6e5a18139e2161cbccb3e4035b6f53a4db016a57e49ccd141538251
SHA5121573f16981d22217daf65397e96203bc54780002fca9b264c7a9d78277eef6f1ccde3f061cabc09d2f940cb02e2710ff053a53f26e0c6ec72bbd656b0ff27439
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\269c0465f0b4b6ee.customDestinations-msFilesize
5KB
MD58d8138a363e58520e56cd8b70dcc9304
SHA1501d5d84d388768041f880706aa1100d45a032ff
SHA2563da09ec5086efa44438c7d0ae549f779b8472b9e63539076f97c98f831b3dccd
SHA512f69b591457013719cb517e5c04f4e5d3766ef40e5e8ed69872e61a38eb69e640c051c139011399128dc565408feb7e92423cd1f5cb75d693f364d896a05d868f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\269c0465f0b4b6ee.customDestinations-msFilesize
5KB
MD5e1bab0aef8ed9c7be1a9dfd80e9e6085
SHA185d33cfab304966dd9625195e38a42936eda5b55
SHA256ac11e8845df918f67d1790252b6e817ba9c09afbf87655789be33aa130e971d4
SHA512b3b188946fbeff9293e72aa3f64abee336770475ae77f682c4a3edd5723e966a03873e4b60a66c399edcbf02d43c295d29be90714132e44be357e7bbb5c4b149
-
C:\Users\Admin\Desktop\Uninstall Tool.lnkFilesize
927B
MD5cb6901ecd16fc190e55c80287420c654
SHA12cde5af700afa0156cfded845c0a25d759968428
SHA2560ff8aedd091564e6cf8e0dbc67acd5fd125de56785430a678806594a9609fd69
SHA51299a63495242fc539b959e135750faba506af750974c648d4fa7beafdca4f8612698a2cbc30a3ac1be181f7cfa05bfb9c33b58b6fbab5857bd159923544ef8116
-
\??\pipe\LOCAL\crashpad_1052_NHROHPKYWLGFLJMPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2228-193-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/2228-8-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/2228-0-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/2228-2-0x0000000000401000-0x00000000004B7000-memory.dmpFilesize
728KB
-
memory/4044-6-0x0000000000400000-0x0000000000717000-memory.dmpFilesize
3.1MB
-
memory/4044-9-0x0000000000400000-0x0000000000717000-memory.dmpFilesize
3.1MB
-
memory/4044-37-0x0000000000400000-0x0000000000717000-memory.dmpFilesize
3.1MB
-
memory/4044-192-0x0000000000400000-0x0000000000717000-memory.dmpFilesize
3.1MB
-
memory/4804-197-0x0000000000400000-0x0000000000474000-memory.dmpFilesize
464KB
