Malware Analysis Report

2024-11-30 19:35

Sample ID 240920-padp2avgkf
Target iRemove Tools.exe
SHA256 45976558a9981e8585ddd71467845db26f225c4f518be36e11dd6be09a7da437
Tags
agilenet defense_evasion discovery evasion privilege_escalation themida trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

45976558a9981e8585ddd71467845db26f225c4f518be36e11dd6be09a7da437

Threat Level: Likely malicious

The file iRemove Tools.exe was found to be: Likely malicious.

Malicious Activity Summary

agilenet defense_evasion discovery evasion privilege_escalation themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Manipulates Digital Signatures

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Themida packer

Loads dropped DLL

Enumerates connected drives

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Access Token Manipulation: Create Process with Token

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Views/modifies file attributes

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-20 12:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-20 12:07

Reported

2024-09-20 12:09

Platform

win10v2004-20240802-en

Max time kernel

41s

Max time network

40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A

Manipulates Digital Signatures

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Windows\Installer\MSIED47.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Installer\MSIED47.tmp | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\SET1CAD.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\usbaaplrc.dll | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaapl64.sys | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaapl64.inf | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef} | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\SET1CAB.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\usbaapl64.inf | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\SET1CAD.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\SET1CAB.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\usbaapl64.sys | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\SET1CAE.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\SET1CAE.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\USBAAPL64.CAT | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\SET1CAC.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\SET1CAC.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaaplrc.dll | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\USBAAPL64.CAT | C:\Windows\system32\DrvInst.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libusb-1.0.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\CFNetwork.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\idevicenotificationproxy.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\plist.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\zlib1.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\boot\lzma | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\drivers\libusbk\amd64\libusb0_x86.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\libicuin.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\jose-jwt.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libssl-1_1-x64.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\idevicedebug.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\idevicename.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\ideviceprovision.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\irecovery.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\libcharset.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\idevicerestore.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\imobiledevice.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\libiconv.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\drivers\libusbk\x86\winusbcoinstaller2.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\drivers\usbaapl\x64\usbaapl64.inf | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\drivers\usbaapl\x64\usbaapl64.sys | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\idevicediagnostics.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\libusb-1.0.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\boot\boot-old.raw | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\drivers\libusbk\x86\WdfCoInstaller01011.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\Foundation.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\ideviceactivation.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\ideviceimagemounter.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\libeay32.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\drivers\libusbk\Apple_Mobile_Device_DFU_Mode.inf | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\ideviceenterrecovery.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\plist_test.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\YSCrashDump.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\boot\boot.raw | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\bz2.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\icudt62.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\usbmuxd.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\drivers\libusbk\amd64\libusb0.sys | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\CoreVideo.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\lzma.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\BouncyCastle.Crypto.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\ucrtbased.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\ideviceinstaller.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\MobileDevice.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\pthreadVC2.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\drivers\usbaapl\x64\USBAAPL64.CAT | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\idevicecrashreport.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\libexslt.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\readline.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\Newtonsoft.Json.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\drivers\libusbk\amd64\libusbK.sys | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\drivers\usbaapl\x86\usbaapl.sys | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\APSDaemon_main.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\idevicebackup.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\ios_webkit_debug_proxy.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\libusb-usbdk-1.0.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\usbmuxd.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\ideviceactivation.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\ideviceinfo.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\libusb0.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\Renci.SshNet.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\drivers\usbaapl\x64\usbaaplrc.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\iRemoveTools\iRemove Tools\libs\CoreADI64.dll | C:\Windows\system32\msiexec.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Installer\MSIE4D2.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIE85E.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\e57e418.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIFC7E.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIE88E.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIE8FD.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIF0E3.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\{71621315-61C9-45BF-88FB-C215193E1BC9}\iRemoveTools.exe | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\{71621315-61C9-45BF-88FB-C215193E1BC9}\iRemoveTools.exe | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIF876.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIEBAE.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\Installer\MSIECF8.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\Installer\e57e416.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIED47.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\Installer\MSIE8DD.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\SourceHash{71621315-61C9-45BF-88FB-C215193E1BC9} | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\e57e416.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIE82E.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIEC5B.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIEEEE.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Installer\MSIED47.tmp | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSIED47.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7DF25EFCECC07C94D876066DDDB8C306\513126179C16FB5488BF2C5191E3B19C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\SourceList\Media\1 = "Disk1;Disk1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\ProductName = "iRemove Tools" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\iRemoveTools\\iRemove Tools 8.2.1\\install\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\513126179C16FB5488BF2C5191E3B19C\C4FE6FD5B7C4D07B3A313E754A9A6A8 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\iRemoveTools\\iRemove Tools 8.2.1\\install\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\SourceList\PackageName = "iRemove Tools.msi" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\Version = "134348801" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\513126179C16FB5488BF2C5191E3B19C\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\513126179C16FB5488BF2C5191E3B19C\A918597FE054CCCB65ABDBA0AD8F63C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\ProductIcon = "C:\\Windows\\Installer\\{71621315-61C9-45BF-88FB-C215193E1BC9}\\iRemoveTools.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\AuthorizedLUAApp = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\513126179C16FB5488BF2C5191E3B19C C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\PackageCode = "32171618B9EC19D4C874219639EFC4A5" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7DF25EFCECC07C94D876066DDDB8C306 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\513126179C16FB5488BF2C5191E3B19C\Assignment = "1" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4052 wrote to memory of 772 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4052 wrote to memory of 772 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4052 wrote to memory of 772 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4392 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe
PID 4392 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe
PID 4392 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe
PID 4052 wrote to memory of 4532 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4052 wrote to memory of 4532 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4052 wrote to memory of 5112 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4052 wrote to memory of 5112 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4052 wrote to memory of 5112 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4052 wrote to memory of 1200 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIED47.tmp
PID 4052 wrote to memory of 1200 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIED47.tmp
PID 4052 wrote to memory of 1200 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIED47.tmp
PID 1200 wrote to memory of 2848 N/A C:\Windows\Installer\MSIED47.tmp C:\Windows\SysWOW64\certutil.exe
PID 1200 wrote to memory of 2848 N/A C:\Windows\Installer\MSIED47.tmp C:\Windows\SysWOW64\certutil.exe
PID 1200 wrote to memory of 2848 N/A C:\Windows\Installer\MSIED47.tmp C:\Windows\SysWOW64\certutil.exe
PID 4052 wrote to memory of 3156 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4052 wrote to memory of 3156 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4052 wrote to memory of 3156 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 772 wrote to memory of 2364 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe
PID 772 wrote to memory of 2364 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe
PID 4392 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2228 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2228 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 380 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 380 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 380 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 380 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 380 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 380 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 380 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2228 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2228 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2228 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2028 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2676 wrote to memory of 2028 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe

"C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 9AF7790C98580D51A7365DC447310C52 C

C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe

"C:\Users\Admin\AppData\Local\Temp\iRemove Tools.exe" /i "C:\Users\Admin\AppData\Roaming\iRemoveTools\iRemove Tools 8.2.1\install\iRemove Tools.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\iRemoveTools\iRemove Tools" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iRemove Tools" SECONDSEQUENCE="1" CLIENTPROCESSID="4392" AI_MORE_CMD_LINE=1

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2ABA9EC80747C0B99EE12C491ACA5258

C:\Windows\Installer\MSIED47.tmp

"C:\Windows\Installer\MSIED47.tmp" /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\certutil.exe" -addstore "Root" C:\Users\Admin\AppData\Local\Temp\8.0\simple.cer

C:\Windows\SysWOW64\certutil.exe

"C:\Windows\SysWOW64\certutil.exe" -addstore "Root" C:\Users\Admin\AppData\Local\Temp\8.0\simple.cer

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DE947846F4992763F8BD6C1EF4D4661C E Global\MSI0000

C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe

"C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE17DC.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE184A.bat" "

C:\Windows\SysWOW64\attrib.exe

C:\Windows\System32\attrib.exe -r "\\?\C:\Users\Admin\AppData\Roaming\IREMOV~1\IREMOV~1.1\install\IREMOV~1.MSI"

C:\Windows\SysWOW64\attrib.exe

C:\Windows\System32\attrib.exe -r "\\?\C:\Users\Admin\AppData\Roaming\IREMOV~1\IREMOV~1.1\install\IREMOV~1.MSI"

C:\Windows\SysWOW64\attrib.exe

C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE184A.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE184A.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" cls"

C:\Windows\SysWOW64\attrib.exe

C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE17DC.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE17DC.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" cls"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7d211ed4-6489-d845-b1fe-d6b4e4a612eb}\usbaapl64.inf" "9" "4dfd2ba0f" "0000000000000154" "WinSta0\Default" "00000000000000B8" "208" "C:\Program Files (x86)\iRemoveTools\iRemove Tools\drivers\usbaapl\x64"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 167.57.26.184.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 p01md.com udp
US 67.205.145.220:443 p01md.com tcp
US 8.8.8.8:53 220.145.205.67.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
N/A 127.0.0.1:49627 tcp
N/A 127.0.0.1:49629 tcp
N/A 127.0.0.1:27015 tcp

Files

C:\Users\Admin\AppData\Roaming\iRemoveTools\iRemove Tools 8.2.1\install\iRemove Tools.msi

C:\Users\Admin\AppData\Local\Temp\MSIA26B.tmp

C:\Users\Admin\AppData\Local\Temp\MSIA2E9.tmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4392\banner

C:\Users\Admin\AppData\Local\Temp\MSIA550.tmp

C:\Users\Admin\AppData\Local\Temp\MSIA5FE.tmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4392\dialog

C:\Users\Admin\AppData\Local\Temp\shiB12F.tmp

C:\Users\Admin\AppData\Local\Temp\shiE8BA.tmp

C:\Windows\Installer\MSIECF8.tmp

C:\Windows\Installer\MSIED47.tmp

C:\Users\Admin\AppData\Local\Temp\8.0\simple.cer

C:\Program Files (x86)\iRemoveTools\iRemove Tools\iRemove Tools.exe

C:\Users\Public\Desktop\iRemove Tools.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iRemove Tools\iRemove Tools.lnk

C:\Config.Msi\e57e417.rbs

C:\Users\Admin\AppData\Local\Temp\8039480a-66d8-4166-a0b7-739a5de54ccb\AgileDotNetRT64.dll

C:\Users\Admin\AppData\Local\Temp\{7d211ed4-6489-d845-b1fe-d6b4e4a612eb}\usbaaplrc.dll

C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\SET1CAD.tmp

C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\SET1CAC.tmp

C:\Windows\System32\DriverStore\Temp\{695ea267-fbff-0d43-bf66-37d2b79d00ef}\SET1CAB.tmp
