Malware Analysis Report

2024-11-15 05:27

Sample ID 240613-brastayfnd
Target uninstalltool_setup.exe
SHA256 66b696e76af8e72272883e22e7f5e42e168195c2e42fddf6d9e4e59c8a003ee4
Tags discovery execution persistence spyware stealer
Score 8/10

Analysis Overview

Score 8/10

SHA256 66b696e76af8e72272883e22e7f5e42e168195c2e42fddf6d9e4e59c8a003ee4

Threat Level: Likely malicious

The file uninstalltool_setup.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery execution persistence spyware stealer

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Modifies system executable filetype association

Registers COM server for autorun

Checks installed software on the system

Drops file in Program Files directory

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SendNotifyMessage

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:22

Reported

2024-06-13 01:23

Platform

win11-20240611-en

Max time kernel

90s

Max time network

94s

Command Line

C:\Windows\Explorer.EXE

Signatures

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\CisUtMonitor.sys C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
File opened for modification C:\Windows\system32\drivers\CisUtMonitor.sys C:\Program Files\Uninstall Tool\UninstallTool.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Uninstall Tool\languages\is-TBV6O.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-U4ATB.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-KHMKF.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-23UAB.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-GB070.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\is-AR8CJ.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-IJVM3.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-FG0QQ.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-3CNIQ.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\is-HGQAT.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-BOEKK.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-TH7CT.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-BLTBM.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-992K5.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-8MOMD.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-6E9TQ.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-9MECH.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\is-PTRIE.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-E8SED.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\is-LLSK0.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File opened for modification C:\Program Files\Uninstall Tool\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-DM58Q.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-BFS55.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\is-J4I8F.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File opened for modification C:\Program Files\Uninstall Tool\UninstallTool.url C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-9N12V.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-ABMRV.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-JFF8C.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-0PETA.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-2LHS9.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-CF2DH.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\is-MFJ0C.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-020GI.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-69F9J.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\is-1HE5D.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-CU4FE.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-1B0FF.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-NA63E.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-V2QH3.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\is-LUDPG.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-KV0NI.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-4C5PH.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-8ERLU.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-E5DQ0.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-KHMBF.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-528D6.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\is-AORUU.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-922A1.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-TGVA8.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\unins000.msg C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-5L7OM.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-4FVIK.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-2PJ9V.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\languages\is-FSBMT.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A
File created C:\Program Files\Uninstall Tool\is-28NIB.tmp C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Modifies system executable filetype association

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A

Registers COM server for autorun

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ = "C:\\Program Files\\Uninstall Tool\\UTShellExt.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\System.ControlPanel.Category = "5,8" C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell\Open\Command C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ = "C:\\Program Files\\Uninstall Tool\\UTShellExt.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\DefaultIcon C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell\Open\Command\ = "C:\\Program Files\\Uninstall Tool\\UninstallTool.exe" C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell\Open C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\ = "Uninstall Tool" C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\DefaultIcon\ = "C:\\Program Files\\Uninstall Tool\\UninstallTool.exe" C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657} C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\InfoTip = "Uninstall Programs Completely. Install and Trace Software. Manage Startup Programs" C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\InfoTip = "Uninstall Programs Completely. Install and Trace Software. Manage Startup Programs" C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ = "C:\\Program Files\\Uninstall Tool\\UTShellExt_x86.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell C:\Program Files\Uninstall Tool\UninstallTool.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\Uninstall Tool\UninstallTool.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Tool\PinToTaskbar.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4896 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp
PID 4896 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp
PID 4896 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp
PID 3636 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Windows\system32\regsvr32.exe
PID 3636 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Windows\system32\regsvr32.exe
PID 3636 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Windows\system32\regsvr32.exe
PID 3636 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Windows\system32\regsvr32.exe
PID 3728 wrote to memory of 4936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3728 wrote to memory of 4936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3728 wrote to memory of 4936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3636 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\PinToTaskbar.exe
PID 3636 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\PinToTaskbar.exe
PID 1088 wrote to memory of 3332 N/A C:\Program Files\Uninstall Tool\PinToTaskbar.exe C:\Windows\Explorer.EXE
PID 3636 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\UninstallTool.exe
PID 3636 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\UninstallTool.exe
PID 3636 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\UninstallTool.exe
PID 3636 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\UninstallTool.exe
PID 3636 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\UninstallTool.exe
PID 3636 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\UninstallTool.exe
PID 3636 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\UninstallTool.exe
PID 3636 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\UninstallTool.exe
PID 3636 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\UninstallTool.exe
PID 3636 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\UninstallTool.exe
PID 752 wrote to memory of 1568 N/A C:\Program Files\Uninstall Tool\UninstallTool.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 1568 N/A C:\Program Files\Uninstall Tool\UninstallTool.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\UninstallTool.exe
PID 3636 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp C:\Program Files\Uninstall Tool\UninstallTool.exe
PID 724 wrote to memory of 4608 N/A C:\Program Files\Uninstall Tool\UninstallTool.exe C:\Program Files\Uninstall Tool\UninstallToolHelper.exe
PID 724 wrote to memory of 4608 N/A C:\Program Files\Uninstall Tool\UninstallTool.exe C:\Program Files\Uninstall Tool\UninstallToolHelper.exe
PID 724 wrote to memory of 4608 N/A C:\Program Files\Uninstall Tool\UninstallTool.exe C:\Program Files\Uninstall Tool\UninstallToolHelper.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe

"C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp" /SL5="$4021A,4977297,845824,C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Uninstall Tool\UTShellExt.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Uninstall Tool\UTShellExt_x86.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\Uninstall Tool\UTShellExt_x86.dll"

C:\Program Files\Uninstall Tool\PinToTaskbar.exe

"C:\Program Files\Uninstall Tool\PinToTaskbar.exe" /pin UninstallTool.exe

C:\Program Files\Uninstall Tool\UninstallTool.exe

"C:\Program Files\Uninstall Tool\UninstallTool.exe" /install_service_silent

C:\Program Files\Uninstall Tool\UninstallTool.exe

"C:\Program Files\Uninstall Tool\UninstallTool.exe" /init

C:\Program Files\Uninstall Tool\UninstallTool.exe

"C:\Program Files\Uninstall Tool\UninstallTool.exe" /add_control_panel_icon

C:\Program Files\Uninstall Tool\UninstallTool.exe

"C:\Program Files\Uninstall Tool\UninstallTool.exe" /skip_uac

C:\Program Files\Uninstall Tool\UninstallTool.exe

"C:\Program Files\Uninstall Tool\UninstallTool.exe" /msix_register

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -c "Add-AppxPackage 'C:\Program Files\Uninstall Tool\UTShellExt2.msix' -ExternalLocation 'C:\Program Files\Uninstall Tool\'"

C:\Program Files\Uninstall Tool\UninstallTool.exe

"C:\Program Files\Uninstall Tool\UninstallTool.exe"

C:\Program Files\Uninstall Tool\UninstallToolHelper.exe

"C:\Program Files\Uninstall Tool\UninstallToolHelper.exe" /pid:724

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 173.230.144.164:443 crystalidea.com tcp
GB 2.18.66.75:443 tcp
US 20.44.10.123:443 browser.pipe.aria.microsoft.com tcp
BE 88.221.83.187:443 r.bing.com tcp
BE 88.221.83.187:443 r.bing.com tcp
BE 88.221.83.187:443 r.bing.com tcp
BE 88.221.83.187:443 r.bing.com tcp
BE 88.221.83.187:443 r.bing.com tcp
BE 88.221.83.187:443 r.bing.com tcp
BE 88.221.83.187:443 r.bing.com tcp
BE 88.221.83.187:443 r.bing.com tcp
BE 88.221.83.187:443 r.bing.com tcp
BE 88.221.83.187:443 r.bing.com tcp
BE 88.221.83.187:443 r.bing.com tcp
BE 88.221.83.187:443 r.bing.com tcp
BE 88.221.83.187:443 r.bing.com tcp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 150.171.27.254:443 ax-ring.msedge.net tcp
QA 20.21.56.51:443 dc78c36cdfb67bb325589bd289010cb7.azr.footprintdns.com tcp

Files

memory/4896-0-0x0000000000400000-0x00000000004DC000-memory.dmp

memory/4896-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp

MD5 8c1451188764f81954e6d4672100433a
SHA1 c01d90c825b3ed029eeb45017fa37d40bd1fd32b
SHA256 5fe7888a8a41638e457a1d52369701f33b2084aeeb32a3c4fc996b1487a8fadd
SHA512 a2a4d1b8801893cb1a6820233c8b78f272869224471f72aee82b18aa1001cd3b68955121c6f38b9318c6093f0089bf6afac89979668381eaa587241af8824164

memory/3636-6-0x0000000000400000-0x0000000000717000-memory.dmp

memory/4896-8-0x0000000000400000-0x00000000004DC000-memory.dmp

memory/3636-9-0x0000000000400000-0x0000000000717000-memory.dmp

C:\Program Files\Uninstall Tool\UninstallTool.exe

MD5 3314588abbe3e7e976ca664886e691b8
SHA1 91ab07ccf95e087c3878c3e2d93941e561ed979a
SHA256 6095e41aed91326a12acd02ae988711befd3e3ad2d280ca5d0c2647cb0f781f1
SHA512 77fbc216f0c6633f39ba6e0490358276e977e7dc981e7f164328a92f5a014d90b1aaf41819519bd3313b8ddfded4b98c069eaae15f2057e5f42d8177facc700f

C:\Program Files\Uninstall Tool\UTShellExt.dll

MD5 c836d4008d50fdbb49101eea1d49a57f
SHA1 ebfc097ecde12532d0ac8d76dd67df79c8007e77
SHA256 157b1afebd03b3325bb13bb229caebe2e3c73360250fe689af1635a670487e17
SHA512 eab2b799a2ac670dcce82429139ec7482c1ac9d9c2ed028f926add1c462d8347bd293f284fba3fb91a61d0c48b9a63829c895ba300d3f6ff07cfa1977ba138f3

C:\Program Files\Uninstall Tool\UTShellExt_x86.dll

MD5 7460a0e0c7cd0d14649eec1688322505
SHA1 e7b1fc34362123f8bd95eac5996d7788e618c0da
SHA256 6a9e6a25e9fe6c5503dfcc606e0392f6dcbe71a1e9dec010cde7ff82b7cd52f7
SHA512 44e1bcac6f4cac6ca39aea60da403bd09e8eaf82e40984bb1c676828373e5af160b99aea186b71e9be69f4ecf2090de9fa5d79cf50c3c348545f25454d361e40

C:\Program Files\Uninstall Tool\PinToTaskbar.exe

MD5 4de7220115fe537eaf6c5776e83f0064
SHA1 e81a7feab77203266a8afb379ff93025c923f28b
SHA256 e87288744cc29c5ab81d9c3fa78653cacd87bc74bf5a3abc4f38afcd6a1a5c16
SHA512 b33113314636a491c35dea215c3cd75f74797223d5b6b7ca88b790b9ddc9969c8759b61e354e753db2476dd65953664cf321940be811c6c9fc01391f0490c02f

C:\Program Files\Uninstall Tool\PinToTaskbarHelper.dll

MD5 4c415adb0750fe1e1d2f52c3902274c0
SHA1 001fc6dc3706f1596295e4e7a4eabb5a407dab52
SHA256 7d0a990c0b976ff4d99abfa935eadebcece34e7d4e711ed86066ab7845d6a417
SHA512 aaecb72a0ec6e28336bcf5cf83d8ff0e220302c76df2715186b7fd25891662588f27215b7043613472ed747908eec9169b51c035b1e069b2c2a95c999cbf8dab

C:\Program Files\Uninstall Tool\languages\English.xml

MD5 955f262f1ab8f37793ad91945a01d01d
SHA1 859828af13645c29878b67f300820b4d31fac352
SHA256 bbd3c410b5519170b3c002e9c8c4eb3a5599439f00f5e1d3c3037a484c35c907
SHA512 c8e120533e41f7e02ac0368c0a06b6bfc4da2192bb2282daaba1d27a81780ae6001834fbe1333fca89da1db137941fcf6be80924359031b0ba6289b3c8cfceb1

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Uninstall Tool.lnk


C:\Users\Admin\Desktop\Uninstall Tool.lnk


C:\Users\Admin\AppData\Local\Temp\CisUtMonitor.sys


C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\preferences.xml


C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmysxaaq.tyj.ps1


C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uninstall Tool\Uninstall Tool on the Web.lnk


C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uninstall Tool\Uninstall Tool.lnk


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\269c0465f0b4b6ee.customDestinations-ms


C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\CachedData.dat


C:\Program Files\Uninstall Tool\UninstallToolHelper.exe

