Analysis Overview
SHA256
66b696e76af8e72272883e22e7f5e42e168195c2e42fddf6d9e4e59c8a003ee4
Threat Level: Likely malicious
The file uninstalltool_setup.exe was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Modifies system executable filetype association
Registers COM server for autorun
Checks installed software on the system
Drops file in Program Files directory
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 01:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 01:22
Reported
2024-06-13 01:23
Platform
win11-20240611-en
Max time kernel
90s
Max time network
94s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32\drivers\CisUtMonitor.sys | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\CisUtMonitor.sys | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Uninstall Tool\languages\is-TBV6O.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-U4ATB.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-KHMKF.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-23UAB.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-GB070.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\is-AR8CJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-IJVM3.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-FG0QQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-3CNIQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\is-HGQAT.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-BOEKK.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-TH7CT.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-BLTBM.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-992K5.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-8MOMD.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-6E9TQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-9MECH.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\is-PTRIE.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-E8SED.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\is-LLSK0.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File opened for modification | C:\Program Files\Uninstall Tool\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-DM58Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-BFS55.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\is-J4I8F.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File opened for modification | C:\Program Files\Uninstall Tool\UninstallTool.url | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-9N12V.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-ABMRV.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-JFF8C.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-0PETA.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-2LHS9.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-CF2DH.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\is-MFJ0C.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-020GI.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-69F9J.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\is-1HE5D.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-CU4FE.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-1B0FF.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-NA63E.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-V2QH3.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\is-LUDPG.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-KV0NI.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-4C5PH.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-8ERLU.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-E5DQ0.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-KHMBF.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-528D6.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\is-AORUU.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-922A1.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-TGVA8.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\unins000.msg | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-5L7OM.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-4FVIK.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-2PJ9V.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\languages\is-FSBMT.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| File created | C:\Program Files\Uninstall Tool\is-28NIB.tmp | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| N/A | N/A | C:\Program Files\Uninstall Tool\PinToTaskbar.exe | N/A |
| N/A | N/A | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| N/A | N/A | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| N/A | N/A | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| N/A | N/A | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| N/A | N/A | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| N/A | N/A | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| N/A | N/A | C:\Program Files\Uninstall Tool\UninstallToolHelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ = "C:\\Program Files\\Uninstall Tool\\UTShellExt.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\System.ControlPanel.Category = "5,8" | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell\Open\Command | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ = "C:\\Program Files\\Uninstall Tool\\UTShellExt.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\DefaultIcon | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell\Open\Command\ = "C:\\Program Files\\Uninstall Tool\\UninstallTool.exe" | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell\Open | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\ = "Uninstall Tool" | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\DefaultIcon\ = "C:\\Program Files\\Uninstall Tool\\UninstallTool.exe" | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657} | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\InfoTip = "Uninstall Programs Completely. Install and Trace Software. Manage Startup Programs" | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\InfoTip = "Uninstall Programs Completely. Install and Trace Software. Manage Startup Programs" | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ = "C:\\Program Files\\Uninstall Tool\\UTShellExt_x86.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Uninstall Tool\PinToTaskbar.exe | N/A |
| N/A | N/A | C:\Program Files\Uninstall Tool\PinToTaskbar.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Program Files\Uninstall Tool\UninstallTool.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Program Files\Uninstall Tool\PinToTaskbar.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe | "C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp | "C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp" /SL5="$4021A,4977297,845824,C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Uninstall Tool\UTShellExt.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Uninstall Tool\UTShellExt_x86.dll" |
| C:\Windows\SysWOW64\regsvr32.exe | /s "C:\Program Files\Uninstall Tool\UTShellExt_x86.dll" |
| C:\Program Files\Uninstall Tool\PinToTaskbar.exe | "C:\Program Files\Uninstall Tool\PinToTaskbar.exe" /pin UninstallTool.exe |
| C:\Program Files\Uninstall Tool\UninstallTool.exe | "C:\Program Files\Uninstall Tool\UninstallTool.exe" /install_service_silent |
| C:\Program Files\Uninstall Tool\UninstallTool.exe | "C:\Program Files\Uninstall Tool\UninstallTool.exe" /init |
| C:\Program Files\Uninstall Tool\UninstallTool.exe | "C:\Program Files\Uninstall Tool\UninstallTool.exe" /add_control_panel_icon |
| C:\Program Files\Uninstall Tool\UninstallTool.exe | "C:\Program Files\Uninstall Tool\UninstallTool.exe" /skip_uac |
| C:\Program Files\Uninstall Tool\UninstallTool.exe | "C:\Program Files\Uninstall Tool\UninstallTool.exe" /msix_register |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -WindowStyle hidden -c "Add-AppxPackage 'C:\Program Files\Uninstall Tool\UTShellExt2.msix' -ExternalLocation 'C:\Program Files\Uninstall Tool\'" |
| C:\Program Files\Uninstall Tool\UninstallTool.exe | "C:\Program Files\Uninstall Tool\UninstallTool.exe" |
| C:\Program Files\Uninstall Tool\UninstallToolHelper.exe | "C:\Program Files\Uninstall Tool\UninstallToolHelper.exe" /pid:724 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 173.230.144.164:443 | crystalidea.com | tcp |
| GB | 2.18.66.75:443 | | tcp |
| US | 20.44.10.123:443 | browser.pipe.aria.microsoft.com | tcp |
| BE | 88.221.83.187:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 150.171.27.254:443 | ax-ring.msedge.net | tcp |
| QA | 20.21.56.51:443 | dc78c36cdfb67bb325589bd289010cb7.azr.footprintdns.com | tcp |
Files
memory/4896-0-0x0000000000400000-0x00000000004DC000-memory.dmp
memory/4896-2-0x0000000000401000-0x00000000004B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp
| MD5 | 8c1451188764f81954e6d4672100433a |
| SHA1 | c01d90c825b3ed029eeb45017fa37d40bd1fd32b |
| SHA256 | 5fe7888a8a41638e457a1d52369701f33b2084aeeb32a3c4fc996b1487a8fadd |
| SHA512 | a2a4d1b8801893cb1a6820233c8b78f272869224471f72aee82b18aa1001cd3b68955121c6f38b9318c6093f0089bf6afac89979668381eaa587241af8824164 |
memory/3636-6-0x0000000000400000-0x0000000000717000-memory.dmp
memory/4896-8-0x0000000000400000-0x00000000004DC000-memory.dmp
memory/3636-9-0x0000000000400000-0x0000000000717000-memory.dmp
C:\Program Files\Uninstall Tool\UninstallTool.exe
| MD5 | 3314588abbe3e7e976ca664886e691b8 |
| SHA1 | 91ab07ccf95e087c3878c3e2d93941e561ed979a |
| SHA256 | 6095e41aed91326a12acd02ae988711befd3e3ad2d280ca5d0c2647cb0f781f1 |
| SHA512 | 77fbc216f0c6633f39ba6e0490358276e977e7dc981e7f164328a92f5a014d90b1aaf41819519bd3313b8ddfded4b98c069eaae15f2057e5f42d8177facc700f |
C:\Program Files\Uninstall Tool\UTShellExt.dll
| MD5 | c836d4008d50fdbb49101eea1d49a57f |
| SHA1 | ebfc097ecde12532d0ac8d76dd67df79c8007e77 |
| SHA256 | 157b1afebd03b3325bb13bb229caebe2e3c73360250fe689af1635a670487e17 |
| SHA512 | eab2b799a2ac670dcce82429139ec7482c1ac9d9c2ed028f926add1c462d8347bd293f284fba3fb91a61d0c48b9a63829c895ba300d3f6ff07cfa1977ba138f3 |
C:\Program Files\Uninstall Tool\UTShellExt_x86.dll
| MD5 | 7460a0e0c7cd0d14649eec1688322505 |
| SHA1 | e7b1fc34362123f8bd95eac5996d7788e618c0da |
| SHA256 | 6a9e6a25e9fe6c5503dfcc606e0392f6dcbe71a1e9dec010cde7ff82b7cd52f7 |
| SHA512 | 44e1bcac6f4cac6ca39aea60da403bd09e8eaf82e40984bb1c676828373e5af160b99aea186b71e9be69f4ecf2090de9fa5d79cf50c3c348545f25454d361e40 |
C:\Program Files\Uninstall Tool\PinToTaskbar.exe
| MD5 | 4de7220115fe537eaf6c5776e83f0064 |
| SHA1 | e81a7feab77203266a8afb379ff93025c923f28b |
| SHA256 | e87288744cc29c5ab81d9c3fa78653cacd87bc74bf5a3abc4f38afcd6a1a5c16 |
| SHA512 | b33113314636a491c35dea215c3cd75f74797223d5b6b7ca88b790b9ddc9969c8759b61e354e753db2476dd65953664cf321940be811c6c9fc01391f0490c02f |
C:\Program Files\Uninstall Tool\PinToTaskbarHelper.dll
| MD5 | 4c415adb0750fe1e1d2f52c3902274c0 |
| SHA1 | 001fc6dc3706f1596295e4e7a4eabb5a407dab52 |
| SHA256 | 7d0a990c0b976ff4d99abfa935eadebcece34e7d4e711ed86066ab7845d6a417 |
| SHA512 | aaecb72a0ec6e28336bcf5cf83d8ff0e220302c76df2715186b7fd25891662588f27215b7043613472ed747908eec9169b51c035b1e069b2c2a95c999cbf8dab |
C:\Program Files\Uninstall Tool\languages\English.xml
| MD5 | 955f262f1ab8f37793ad91945a01d01d |
| SHA1 | 859828af13645c29878b67f300820b4d31fac352 |
| SHA256 | bbd3c410b5519170b3c002e9c8c4eb3a5599439f00f5e1d3c3037a484c35c907 |
| SHA512 | c8e120533e41f7e02ac0368c0a06b6bfc4da2192bb2282daaba1d27a81780ae6001834fbe1333fca89da1db137941fcf6be80924359031b0ba6289b3c8cfceb1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Uninstall Tool.lnk
| MD5 | 20143876b0f0048e8c104ea396980f92 |
| SHA1 | 0cd8811215a4d6d3b860bf47b69924d0582a8b0f |
| SHA256 | 06c9e1fd83aa15a5df6bd0dea28d406e288038cedcd56a1444360850d144a068 |
| SHA512 | 714b719fa5d820fb472133dc0cfb85f6b0c5fbeb0d380b38ef287b5e78dda0dbd76398aed416a48e571447245f4cb617a0f8c1c0493f84c3cf353d606f8613ac |
C:\Users\Admin\Desktop\Uninstall Tool.lnk
| MD5 | 7e162008b9fe2d5de997c2571ffbcd21 |
| SHA1 | 8bb5126a2377c3d713ca566337f65ca6eed9a08a |
| SHA256 | 48130b48ad2391d563e40ff31008a5a07c7ae5c7d0547655b0101608c1ca9216 |
| SHA512 | 7f7016856171692a2b0d99fc69a8ab6329f31f7cbc19cb6506c93c7bc0ec37c2dbbb2008485aecd3651214b24908e255062b10ab5df7a86e76cbb2cbb6247522 |
C:\Users\Admin\AppData\Local\Temp\CisUtMonitor.sys
| MD5 | 1b16fa25136adb7b3c41a3f1d474c901 |
| SHA1 | d6d0fc8367c3939fedc45474c37ed16b83b53f15 |
| SHA256 | 917572f2a45f7b8312ed09d783418534e95888c10f3e0b6cf40c5df58a7c390d |
| SHA512 | e67e214b87b7b5ff9a678d4ccf4c65f8f828e46969498e8163b565658baccb3d72c60c43e8b5a459ec0215e079949182c92c750484f1b3dfd0e5af21634cf236 |
C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\preferences.xml
| MD5 | 23618daa6d7d186c500d713997df0031 |
| SHA1 | aec490f22c95101f8dc2f6c7d6c6d04bb32b966f |
| SHA256 | 0237bf82b7610c21bf77e99037ba18d73c9fccec531b49f08e9b821825cbfa00 |
| SHA512 | fc2045ae65cb289ea1a89a908f0598ba6c78279ae092e41e4966504a5aef6927ad4825d142f4a88c1c54da6f531e6ace0a9588930f037416fe154256dffedf73 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmysxaaq.tyj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uninstall Tool\Uninstall Tool on the Web.lnk
| MD5 | 342c1625bb428a11c97ae14501f5ee7b |
| SHA1 | 5a3642de1164bdc141c66ba9d56ac594d267f62f |
| SHA256 | becb9a8d5a5d5150550cb2461bb0429838406576e710b21dc94388c9239e7161 |
| SHA512 | 7cd9f7069afe26b3ad864ac48c52a9547ecacf301d51961f6b2a63177dafb849c097f1600f7942499f150e91ede9c2715a77c76d4408e63587cd2eca4f770820 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uninstall Tool\Uninstall Tool.lnk
| MD5 | 398056af197de168302f8041ac148761 |
| SHA1 | 8ca2d0e2c0c0e6cc1cae3de1802f354343647a2d |
| SHA256 | 89321a2f1068cfc3dc7f9e3d8ce3fc552ecd02cd976f04026c1801672b5ce882 |
| SHA512 | 4256ef61b317916fcc5351e9a6612d935fe3835f35bf6c218298f0764def20daeee7b0b07277d7f33feb33f6542ecb7ca05bb1e6469787d51da7d24d971224a4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\269c0465f0b4b6ee.customDestinations-ms
| MD5 | bb844b7e95e9c2abe561213b0da05a1e |
| SHA1 | 854b56bbbe10387a6183430084e80934f6b2a73c |
| SHA256 | 8d753b234b883adeb7678d8bb637f886ba0a7c2b393b06988efd520391423e0c |
| SHA512 | cb6c6b6cf71268bd4df2ab490c9177e34238d98b474fd9c90c58c2ff528558c0a0fd2eb869073af53aff2c18cb9eccd725d07d8ca72da03ca4635347c4a5cebe |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\269c0465f0b4b6ee.customDestinations-ms
| MD5 | e09d7e340448e0ff92e857dbbde2e2c4 |
| SHA1 | 3920f5e6f8bbe7d0f4927aaccaf26b35e077f989 |
| SHA256 | 890cda88968e3d9f7740c4dd7054930718e16b31d21922ed450f9bb8fe034af5 |
| SHA512 | df8b2ce55cbc7b046bc5e916fcb4a43f54b53ae6a74f0a4d7fea10674a7fbde991356de6b96a52e44dc9b5ca924e4af4749c69490377b5d000ffdb3b9d4f8d1b |
C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\CachedData.dat
| MD5 | aadc51577335d88ce808a6eda9698834 |
| SHA1 | 07ecb289a6a3fdb267ff98647e4868ca8ab62900 |
| SHA256 | bcfd650a8ec7c6da4492be7993c815675c407ec9f59a1991609713c45de88524 |
| SHA512 | 0b54fbc26c44113e4229b1d84a3b37915c91123ad5c879b566edea3f6eee43330e901889febcd0552bccc0003a64917a03b6d6bf6c6f2bf5aa860786de6608e0 |
C:\Program Files\Uninstall Tool\UninstallToolHelper.exe
| MD5 | d82e0a3786dba17f88929d11d6b00b96 |
| SHA1 | 098f9b676677dc3a30530ad5254b7fb41e1391d9 |
| SHA256 | ba8d7b5662f85aa901fd6bcf86fc5989013577b18c81a91bffc1211fec31d6c8 |
| SHA512 | 4df64c5f421103fabf156342d41ff2cece82ce6b7015c454ac78680611d4ab64788c7ed50b0505edcd4cc704fdbe3c118370464c476f8047bd0e022ddbc3424d |
C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\preferences.xml
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\preferences.xml
| MD5 | f3154c236c6d83b608538be27acf0063 |
| SHA1 | 0330d902d0c2c484e8ea12389727cf8f88e8428b |
| SHA256 | 33d1a491ecde710b768fc366670df967f35eeab79aded68b3313e6837e49eddd |
| SHA512 | 5c0605e81e73006122f4001c54d72b31c3c025ef31c1d153965e78d7f874abdd669b51f1cb8f77bbf2fb565fbd9a8210293c462dd37ac2b5bf832a106e21f91a |