24a7869b1b222cc2eae561421b7f0c83048ca4c157d44718102a3e674a412e99

Analysis

max time kernel
556s
max time network
561s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
24-01-2023 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows 7 IconPack By 2013Windows8.1.exe
Size

15.2MB
MD5

d54c644994f501358b6074a0ce2f331b
SHA1

863d56e70d675eab6e83909fb587ad9e802bcce2
SHA256

24a7869b1b222cc2eae561421b7f0c83048ca4c157d44718102a3e674a412e99
SHA512

404910ea4caad2d05d9a2292b62d46355d98fb9c9577c4fc5838c6507deb84aabde02ec6557fa36d25ce4829322ef8da315f2573268117da07490bee49f51d7a
SSDEEP

393216:sCBY2ekC/ialj+VaCVeNnCrPYFjvnfIlclildwvki/rsJwN1N:p7+iat+4CkNCEF7fIlldwPrsaTN

Score

8^/10

discovery exploit persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

iPack_Installer.exe7z.exePatcher.exePatcher.exe

pid process

1356 iPack_Installer.exe
3964 7z.exe
4804 Patcher.exe
4352 Patcher.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Possible privilege escalation attempt 15 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1304	icacls.exe
4052	icacls.exe
4840	icacls.exe
3524	icacls.exe
3764	icacls.exe
3872	takeown.exe
2884	icacls.exe
4964	takeown.exe
2740	takeown.exe
4948	takeown.exe
4712	icacls.exe
4416	icacls.exe
4244	icacls.exe
1416	icacls.exe
3960	icacls.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2376-132-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2376-138-0x0000000000400000-0x0000000000447000-memory.dmp	upx
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe	upx
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe	upx
behavioral1/memory/3964-148-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/3964-149-0x0000000000400000-0x000000000045A000-memory.dmp	upx
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe	upx
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe	upx
behavioral1/memory/4804-162-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4804-165-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4804-166-0x0000000000400000-0x0000000000521000-memory.dmp	upx
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe	upx
behavioral1/memory/4352-183-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4352-184-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4352-185-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/2376-238-0x0000000000400000-0x0000000000447000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows 7 IconPack By 2013Windows8.1.exeiPack_Installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Windows 7 IconPack By 2013Windows8.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	iPack_Installer.exe

Modifies file permissions 1 TTPs 15 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
3524	icacls.exe
4244	icacls.exe
3872	takeown.exe
2884	icacls.exe
4840	icacls.exe
4712	icacls.exe
3764	icacls.exe
4052	icacls.exe
4964	takeown.exe
1304	icacls.exe
3960	icacls.exe
4948	takeown.exe
1416	icacls.exe
4416	icacls.exe
2740	takeown.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 40 IoCs

Processes:

Windows 7 IconPack By 2013Windows8.1.exeiPack_Installer.exePatcher.exePatcher.exeattrib.exe7z.exeicacls.exeicacls.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\License.txt	Windows 7 IconPack By 2013Windows8.1.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe.config	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.iPack	Windows 7 IconPack By 2013Windows8.1.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.iPack	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Uninstall iPack.exe	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\logo.png	Windows 7 IconPack By 2013Windows8.1.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe	Windows 7 IconPack By 2013Windows8.1.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Windows 7 IconPack By 2013Windows8.1.log	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\Backup\System32\imageres.dll	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.ini	Patcher.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.log	Patcher.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Uninstall iPack.exe.config	attrib.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\header.png	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe.config	Windows 7 IconPack By 2013Windows8.1.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\imageres.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\Backup\System32\imageres.dll	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\Patch\SysWOW64\imageres.dll	Patcher.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Uninstall iPack.exe.config	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\Configuration.config	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.7z	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.ini	Patcher.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\Configuration.config	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\Patch\System32\imageres.dll	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\Patch\System32\imageres.dll	Patcher.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.ini	Patcher.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\logo.png	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\ACL\SysWOW64\imageres.dll.AclFile	icacls.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\reload.bat	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\License.txt	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\imageres.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files	7z.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\ACL\System32\imageres.dll.AclFile	icacls.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.log	Patcher.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\Backup\SysWOW64\imageres.dll	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\header.png	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\Patch\SysWOW64\imageres.dll	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe	Windows 7 IconPack By 2013Windows8.1.exe

Drops file in Windows directory 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\INF\vhdmp.PNF explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\INF\vhdmp.PNF	explorer.exe

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3840 taskkill.exe

pid	process
3840	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeexplorer.exeStartMenuExperienceHost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "775"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "56738"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9857"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3712"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "47204"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "65768"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "20177"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2214"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "16590"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "211"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "15130"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "16634"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "16590"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2699"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9857"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8600"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1568"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2290"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "56738"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2132"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2146"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "20177"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "10866"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "38568"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

explorer.exe

pid process

3608 explorer.exe
3608 explorer.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

pid process

2536 chrome.exe
2536 chrome.exe
1876 chrome.exe
1876 chrome.exe
2788 chrome.exe
2788 chrome.exe
1364 chrome.exe
1364 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

iPack_Installer.exeexplorer.exe

pid process

1356 iPack_Installer.exe
3608 explorer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

1876 chrome.exe
1876 chrome.exe
1876 chrome.exe
1876 chrome.exe
1876 chrome.exe
1876 chrome.exe
1876 chrome.exe
1876 chrome.exe

pid	process
2536	chrome.exe
2536	chrome.exe
1876	chrome.exe
1876	chrome.exe
2788	chrome.exe
2788	chrome.exe
1364	chrome.exe
1364	chrome.exe

pid	process
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3840	taskkill.exe
Token: SeTakeOwnershipPrivilege	4948	takeown.exe
Token: SeRestorePrivilege	3524	icacls.exe
Token: SeSecurityPrivilege	4244	icacls.exe
Token: SeTakeOwnershipPrivilege	4964	takeown.exe
Token: SeRestorePrivilege	3764	icacls.exe
Token: SeSecurityPrivilege	4052	icacls.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Windows 7 IconPack By 2013Windows8.1.exeexplorer.exe

pid	process
2376	Windows 7 IconPack By 2013Windows8.1.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exe

pid	process
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

iPack_Installer.exeStartMenuExperienceHost.exeexplorer.exeSearchApp.exe

pid	process
1356	iPack_Installer.exe
1356	iPack_Installer.exe
1972	StartMenuExperienceHost.exe
3608	explorer.exe
1732	SearchApp.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
1732	SearchApp.exe
1732	SearchApp.exe
1732	SearchApp.exe
1732	SearchApp.exe
1732	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Windows 7 IconPack By 2013Windows8.1.exeiPack_Installer.execmd.execmd.execmd.execmd.execmd.execmd.exeexplorer.exe

description	pid	process	target process
PID 2376 wrote to memory of 1356	2376	Windows 7 IconPack By 2013Windows8.1.exe	iPack_Installer.exe
PID 2376 wrote to memory of 1356	2376	Windows 7 IconPack By 2013Windows8.1.exe	iPack_Installer.exe
PID 1356 wrote to memory of 3964	1356	iPack_Installer.exe	7z.exe
PID 1356 wrote to memory of 3964	1356	iPack_Installer.exe	7z.exe
PID 1356 wrote to memory of 3964	1356	iPack_Installer.exe	7z.exe
PID 1356 wrote to memory of 3840	1356	iPack_Installer.exe	taskkill.exe
PID 1356 wrote to memory of 3840	1356	iPack_Installer.exe	taskkill.exe
PID 1356 wrote to memory of 4840	1356	iPack_Installer.exe	icacls.exe
PID 1356 wrote to memory of 4840	1356	iPack_Installer.exe	icacls.exe
PID 1356 wrote to memory of 4752	1356	iPack_Installer.exe	cmd.exe
PID 1356 wrote to memory of 4752	1356	iPack_Installer.exe	cmd.exe
PID 4752 wrote to memory of 4948	4752	cmd.exe	takeown.exe
PID 4752 wrote to memory of 4948	4752	cmd.exe	takeown.exe
PID 4752 wrote to memory of 4712	4752	cmd.exe	icacls.exe
PID 4752 wrote to memory of 4712	4752	cmd.exe	icacls.exe
PID 4752 wrote to memory of 4416	4752	cmd.exe	icacls.exe
PID 4752 wrote to memory of 4416	4752	cmd.exe	icacls.exe
PID 1356 wrote to memory of 4804	1356	iPack_Installer.exe	Patcher.exe
PID 1356 wrote to memory of 4804	1356	iPack_Installer.exe	Patcher.exe
PID 1356 wrote to memory of 4804	1356	iPack_Installer.exe	Patcher.exe
PID 1356 wrote to memory of 4320	1356	iPack_Installer.exe	cmd.exe
PID 1356 wrote to memory of 4320	1356	iPack_Installer.exe	cmd.exe
PID 4320 wrote to memory of 3524	4320	cmd.exe	icacls.exe
PID 4320 wrote to memory of 3524	4320	cmd.exe	icacls.exe
PID 4320 wrote to memory of 4244	4320	cmd.exe	icacls.exe
PID 4320 wrote to memory of 4244	4320	cmd.exe	icacls.exe
PID 1356 wrote to memory of 4976	1356	iPack_Installer.exe	cmd.exe
PID 1356 wrote to memory of 4976	1356	iPack_Installer.exe	cmd.exe
PID 1356 wrote to memory of 1416	1356	iPack_Installer.exe	icacls.exe
PID 1356 wrote to memory of 1416	1356	iPack_Installer.exe	icacls.exe
PID 1356 wrote to memory of 2116	1356	iPack_Installer.exe	cmd.exe
PID 1356 wrote to memory of 2116	1356	iPack_Installer.exe	cmd.exe
PID 2116 wrote to memory of 4964	2116	cmd.exe	takeown.exe
PID 2116 wrote to memory of 4964	2116	cmd.exe	takeown.exe
PID 2116 wrote to memory of 1304	2116	cmd.exe	icacls.exe
PID 2116 wrote to memory of 1304	2116	cmd.exe	icacls.exe
PID 2116 wrote to memory of 3960	2116	cmd.exe	icacls.exe
PID 2116 wrote to memory of 3960	2116	cmd.exe	icacls.exe
PID 1356 wrote to memory of 4352	1356	iPack_Installer.exe	Patcher.exe
PID 1356 wrote to memory of 4352	1356	iPack_Installer.exe	Patcher.exe
PID 1356 wrote to memory of 4352	1356	iPack_Installer.exe	Patcher.exe
PID 1356 wrote to memory of 3248	1356	iPack_Installer.exe	cmd.exe
PID 1356 wrote to memory of 3248	1356	iPack_Installer.exe	cmd.exe
PID 3248 wrote to memory of 3764	3248	cmd.exe	icacls.exe
PID 3248 wrote to memory of 3764	3248	cmd.exe	icacls.exe
PID 3248 wrote to memory of 4052	3248	cmd.exe	icacls.exe
PID 3248 wrote to memory of 4052	3248	cmd.exe	icacls.exe
PID 1356 wrote to memory of 3904	1356	iPack_Installer.exe	cmd.exe
PID 1356 wrote to memory of 3904	1356	iPack_Installer.exe	cmd.exe
PID 1356 wrote to memory of 3428	1356	iPack_Installer.exe	cmd.exe
PID 1356 wrote to memory of 3428	1356	iPack_Installer.exe	cmd.exe
PID 3428 wrote to memory of 3872	3428	cmd.exe	takeown.exe
PID 3428 wrote to memory of 3872	3428	cmd.exe	takeown.exe
PID 3428 wrote to memory of 2884	3428	cmd.exe	icacls.exe
PID 3428 wrote to memory of 2884	3428	cmd.exe	icacls.exe
PID 3428 wrote to memory of 2740	3428	cmd.exe	takeown.exe
PID 3428 wrote to memory of 2740	3428	cmd.exe	takeown.exe
PID 3428 wrote to memory of 3608	3428	cmd.exe	explorer.exe
PID 3428 wrote to memory of 3608	3428	cmd.exe	explorer.exe
PID 1356 wrote to memory of 1512	1356	iPack_Installer.exe	cmd.exe
PID 1356 wrote to memory of 1512	1356	iPack_Installer.exe	cmd.exe
PID 1512 wrote to memory of 3776	1512	cmd.exe	attrib.exe
PID 1512 wrote to memory of 3776	1512	cmd.exe	attrib.exe
PID 3608 wrote to memory of 1876	3608	explorer.exe	chrome.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3776 attrib.exe

pid	process
3776	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Windows 7 IconPack By 2013Windows8.1.exe
"C:\Users\Admin\AppData\Local\Temp\Windows 7 IconPack By 2013Windows8.1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2376

C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe
"C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356

C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe
"C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe" x -y -bd "C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.7z"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3964

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\imageres.dll" /save "Resource Files\ACL\System32\imageres.dll.AclFile"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in Program Files directory
PID:4840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /a /F "C:\Windows\System32\imageres.dll" && icacls "C:\Windows\System32\imageres.dll" /grant:r "%username%":F && icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F && exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\system32\takeown.exe
takeown /a /F "C:\Windows\System32\imageres.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\imageres.dll" /grant:r "Admin":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4712

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4416

C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe
"C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe" -addoverwrite "Resource Files\Patch\System32\imageres.dll", "Resource Files\Patch\System32\imageres.dll", "Resource Files\imageres.dll.res" ,,,
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c icacls "C:\Windows\System32\imageres.dll" /setowner "NT Service\TrustedInstaller" /T /C && icacls "C:\Windows\System32" /restore "Resource Files\ACL\System32\imageres.dll.AclFile" && exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\imageres.dll" /setowner "NT Service\TrustedInstaller" /T /C
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /restore "Resource Files\ACL\System32\imageres.dll.AclFile"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\imageres.dll.iPtemp" && exit
3⤵
PID:4976

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\imageres.dll" /save "Resource Files\ACL\SysWOW64\imageres.dll.AclFile"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in Program Files directory
PID:1416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /a /F "C:\Windows\SysWOW64\imageres.dll" && icacls "C:\Windows\SysWOW64\imageres.dll" /grant:r "%username%":F && icacls "C:\Windows\SysWOW64\imageres.dll" /grant:r "administrators":F && exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\system32\takeown.exe
takeown /a /F "C:\Windows\SysWOW64\imageres.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\imageres.dll" /grant:r "Admin":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1304

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\imageres.dll" /grant:r "administrators":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3960

C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe
"C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe" -addoverwrite "Resource Files\Patch\SysWOW64\imageres.dll", "Resource Files\Patch\SysWOW64\imageres.dll", "Resource Files\imageres.dll.res" ,,,
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c icacls "C:\Windows\SysWOW64\imageres.dll" /setowner "NT Service\TrustedInstaller" /T /C && icacls "C:\Windows\SysWOW64" /restore "Resource Files\ACL\SysWOW64\imageres.dll.AclFile" && exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\imageres.dll" /setowner "NT Service\TrustedInstaller" /T /C
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64" /restore "Resource Files\ACL\SysWOW64\imageres.dll.AclFile"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\imageres.dll.iPtemp" && exit
3⤵
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\reload.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\system32\takeown.exe
TAKEOWN /f "C:\Users\Admin\AppData\Local\IconCache.db"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3872

C:\Windows\system32\icacls.exe
ICACLS "C:\Users\Admin\AppData\Local\IconCache.db" /grant:r "Admin":F /T
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2884

C:\Windows\system32\takeown.exe
TAKEOWN /f "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer" /r /d y
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2740

C:\Windows\explorer.exe
C:\Windows\explorer.exe
4⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa752f4f50,0x7ffa752f4f60,0x7ffa752f4f70
6⤵
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1752 /prefetch:2
6⤵
PID:1372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2036 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
6⤵
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
6⤵
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
6⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
6⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:8
6⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:8
6⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:8
6⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5192 /prefetch:8
6⤵
PID:940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4604 /prefetch:8
6⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4636 /prefetch:8
6⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
6⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
6⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
6⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
6⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
6⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
6⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3348 /prefetch:8
6⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1744,6180173742359458186,10901259630137439262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:8
6⤵
PID:4836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ATTRIB +H "C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Uninstall iPack.exe.config" /S /D && exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\attrib.exe
ATTRIB +H "C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Uninstall iPack.exe.config" /S /D
4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2688

C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe
"C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" -Embedding
1⤵
PID:4072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe
Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe
Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe
Filesize
465KB

MD5
e92786023781296f23db1d42be4148dc

SHA1
f905ee76e91114db5278943a9b0db5493748dea5

SHA256
908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8

SHA512
2c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe
Filesize
465KB

MD5
e92786023781296f23db1d42be4148dc

SHA1
f905ee76e91114db5278943a9b0db5493748dea5

SHA256
908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8

SHA512
2c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe
Filesize
465KB

MD5
e92786023781296f23db1d42be4148dc

SHA1
f905ee76e91114db5278943a9b0db5493748dea5

SHA256
908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8

SHA512
2c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.ini
Filesize
311B

MD5
796935772ac839e1d1efe29ae87a87f8

SHA1
24fe87b39d5f0065584d9167bb2a0a534d200dce

SHA256
c856b849708f175d087a09cd0b1fdf2b64e8a6de77f9dfdb9ae85640e642c62a

SHA512
1f0d62370694c6216e0325d61446cd63247d1a64b0270d91f1e20eda6df6c577555c6611aa63a048f4ba2019e045af34c855340f9d07d164216c2ac56791fc76

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.ini
Filesize
353B

MD5
db8ae8cba03575d3c41b6a45035eaab6

SHA1
087500bafbd3440f8b27395d3b912a0576c9f1b1

SHA256
db1886fb043041d9ea25ec44381cd6fce28f14bd311b3facf22848dbfa86653a

SHA512
34cf8c1a01be542b093fbcfb6eadaf5ac4723dfbf03d1a4cc71cddb6181cf74ec7fe4c1be2ce7ddbee6cbee575eb1779281498ec56eab92077ac495fcf13b063

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.log
Filesize
245B

MD5
d4e6a8afe40d7a70242c4937762532fe

SHA1
0e44781fcda9ad86a640b55871f6aabf3521227d

SHA256
a8a4865c7f8a4b73d972e07bc0040628d0e86fd2f43e3393bcebf4c545b48c6d

SHA512
7a773a37f370370d9d5671291b9b63d242fa439f907d23f91ae1ac5f584ebe6b3c0a42f347404a7a6392296249fba34cf6659da077dd5add357d1f3aca563a0d

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.log
Filesize
6KB

MD5
2070400ba79f382e4e0f84f9b0a193b3

SHA1
65e0ce49117ea649d958bd3d2720cea5f9c8fbfa

SHA256
8707ae3cc3b128c34e224139c730b66e297fd2f478c6b090f638befb087ec8ab

SHA512
207308d5d69915289c7cce8fa1df2be644eae2b2082042ae84a97fd5c703b0b2b8f75c6088da00a948681c1d57eef0ec849643b80f92e0883b5c23d1eff3c823

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\ACL\SysWOW64\imageres.dll.AclFile
Filesize
390B

MD5
0dbcf628914e6d007f553668995aa555

SHA1
c1bc5955e9f2340e8256ff431967753285b40c1f

SHA256
8621c8681046aaace6e389d3894789d874a077bbda9d71151a877a1cb1a8325b

SHA512
fdc394e077a745d79af05778b9649d5202c6c9017eba3936691270ba067b28d36935b74922afaef1fac6c2fcdec9df58da75570ddae56511b20b4a8727bab15c

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\ACL\System32\imageres.dll.AclFile
Filesize
390B

MD5
0dbcf628914e6d007f553668995aa555

SHA1
c1bc5955e9f2340e8256ff431967753285b40c1f

SHA256
8621c8681046aaace6e389d3894789d874a077bbda9d71151a877a1cb1a8325b

SHA512
fdc394e077a745d79af05778b9649d5202c6c9017eba3936691270ba067b28d36935b74922afaef1fac6c2fcdec9df58da75570ddae56511b20b4a8727bab15c

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\Patch\SysWOW64\imageres.dll
Filesize
2KB

MD5
5e2199b806a530e069afbe9228b8c8a5

SHA1
561736141049d76f76d2c433d27cf1fed451472f

SHA256
b86520c4ef54b8d21e67cdecc085892a482901d36258173d526751edcec17229

SHA512
658c28c14cbadd28c58008ff0b68241c7b14c423aaa2694e72e9ac677065a50118a02e8a8da49d41c0804f4fbfb798cd3df75880845ca0544f55189bb80c3b68

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\Patch\SysWOW64\imageres.dll
Filesize
15.9MB

MD5
67974d74af0b0115264951ee90e93a91

SHA1
9202275c6efca37d6610bb92ee8d7335f010af7e

SHA256
31744c3990c44620e00bc9225b23b993eee99591702889644be2812a299356c9

SHA512
d905a1a2ecb30a37a0c086e9cb6219a72a0a6cfa506ca5451300408965c118644e7f5bed82e279d6271a24965f1fa1e599da54f65aee784a060f5ca7a14d3a2c

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\Patch\System32\imageres.dll
Filesize
2KB

MD5
620c454d6138083f146cd718cf3003e2

SHA1
155c86d26602058d21ce2cb0ba097292f4374d4a

SHA256
67c93e5c99187db024be2ddbf26020911d1f6e8836ddb2da2e51a87228c3182b

SHA512
c5cc55a32d29ed228982b16c1599e3293cd4540c67307837aab3dd5b7f46d5f858c60a7dc205fd2ef62e2464ffc1da22a0949dd6cd861cccd477e1cc2596b258

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\Patch\System32\imageres.dll
Filesize
15.9MB

MD5
b74249d36da6b2411d79419a0a8f7030

SHA1
9695e2251d94f2bc892fb3519927ad1295d0d8ae

SHA256
4a6d13f854e44f40886116f44ab54bc24c64eb2d674fd4d663142363e7036fff

SHA512
d80fbbe288d752f5a127b803a524488ea59657b805eb8e8ceb48a88bb454011f7837f8da02eebecd37f2cd16815a702dd9af27f249f6403139a92fc137c282fe

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\imageres.dll.res
Filesize
15.9MB

MD5
979419b95904af2c75d8cc1b1b858902

SHA1
ce2c2591de19a17c362482413404d3eed3a5ccba

SHA256
202e44a6f11640133cc92910d0d09239d39c6ee8c5c7b88273756269900e4240

SHA512
5e835cc6c5973a0f9a9d8be370f8173e9241fd24e4b1a53634199d207cd829c902e9fe5bc4e7af109d548a7fe135eb7176e8e6cfc819e3119c26ce46b246c77f

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\reload.bat
Filesize
627B

MD5
50a07ee683b320659268a73f82447c84

SHA1
c3211db99b4542f838b862fb8729b09cbb92d023

SHA256
a01128b17fa92074723e1289a5af6efe203194d606ec60d729312b28e36d0746

SHA512
b0b26e4c8f293635dc693b624bb5b772ffbd7bfd54956236fd9ec85b8b50264a25ca92a6ba1728d9abec6e709217b89ee794bda10eac4c14a015de496385fa04

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.7z
Filesize
9.7MB

MD5
4ec5c7ca5206ae238d7a2f7b55aeed2e

SHA1
7c9445c8106682b1ce456243ce3c18b5abfe7c44

SHA256
31ca0230eda657fe8e6f209c9deb1571fc95512b893bfe0116bdc6d0f35802f1

SHA512
386d55a500df61d6dfb2830ce5ef6676411237ccfb3cdaeb24db4e409397c0d2965a72e0fe8c25917baf19fd15e92bb0a64e6bbf7c1e691bfede7e3021fe3a46

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.iPack
Filesize
9.7MB

MD5
dc6c5d162fae32d6229e4da762666798

SHA1
2f669cc75232fbeea5a1c4cc09f6397a150f507b

SHA256
d880ddb3ccb5c69157110261c07cc82fbfe20f27b3f0d90aa4188d896d7b8975

SHA512
b71f7f0588cc82e4f96b9e76bd6e385b7f6a222b597f71c48611639240e2b3e9fd6278a425524d6f7b7281ddce790918cfba41dcc47b037c30264b8b360873d2

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\Configuration.config
Filesize
286B

MD5
c9e1b70c730db807d4e9924bbdea2573

SHA1
cff0d57521342679a25663c116da38e09535560a

SHA256
68027f8091caeab585f116a7bc4a65f189a606307c7d5d4e74ccb57ed168728b

SHA512
005a4a30c2d5953def563002d6ada28bdc098e83fb2a4c3a16ed8d4aa12f966a804344d83ac3f84ed9f26040b9edf3877545f510faad9121ae3363dc5ef09a21

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\License.txt
Filesize
389B

MD5
0057dea0b6d12eef90b4186178543111

SHA1
0f645e97722d115730d51b77dae2b419dea88df5

SHA256
863d1d7a3f6f817466123ae55c786e55605939df4e88fdebf07431201557c7df

SHA512
8b141452a0332ff60d64d72aa8af3a99ef8671a6bd38b3b6eb260b6d9a98154ec7aae2f78e6e8c03acaf17ac6a0b1ff4b68c3000c4f032f88178685c25c0c696

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\header.png
Filesize
23.9MB

MD5
93273432646e79bcd2ea81b52e4e0bcd

SHA1
d1cbd4aba73a007f36073552b929632bc0610caf

SHA256
0042f299bc571706dd92af6e5592cd4244e796fc3c595754becf668755023888

SHA512
70947aff18cb8168f5219c80d4d7bd4f8a79c67968799206d05e5a3c6cab544a0cb27aeaa1f035ec7e47dd14b1e8adee26b0c3bc9269a3d0c9bcae34466ef5bd

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\logo.png
Filesize
23.9MB

MD5
417da0345c8842aa733dadb90e385c46

SHA1
0ef8152a4e976f2588ce1e43f73e2fa23b72afa1

SHA256
2a146d4c1c2bfd115f76a094efaaaa871b47e2175b02f55ecbfb2e7c84684851

SHA512
9fb72b5cfa65e29c0b3ad8f51b2313782358fd326def7519d25991135495f94dad13dfc48e0db7a8a64d287caaa6ab7377d6ed682e8b0353683b59ac7eca6142

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Uninstall iPack.exe.config
Filesize
177B

MD5
b27d6f3bc5c260039dfbbc04e44df551

SHA1
e8f26a7311a5d36a78aa1b8fbfa56628a5f7e9aa

SHA256
26e734571c8e9785dd123a0fbee1a1591635492b087f0626cd37f7bd02ddb577

SHA512
73a1a2e05b23106988dce5e136840eeb05bd56ac67133c247f0f123ff98e4fec62f416a09e1456c5f256a80b901e6c25690e83dfe4ba2ce8e7ef0a593d1b5d9c

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe
Filesize
966KB

MD5
06582ed92cb413e0e26229b34d471a51

SHA1
9fbfc90fe44c5a80a0b41e4f7848aa7e7e5dc36e

SHA256
d8c6ce39d337a997133d7c3175e554b5615039ce12fde1014c284acf3bdb8893

SHA512
e122f88dbc9d0d2dbb9168fbc5fd1ab18b349acb8e327ac28a20f72d7ae74c846c6d00b32bed95570db6b00a220d4d17ad858487b15a82bae18fa5aa8d606363

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe
Filesize
966KB

MD5
06582ed92cb413e0e26229b34d471a51

SHA1
9fbfc90fe44c5a80a0b41e4f7848aa7e7e5dc36e

SHA256
d8c6ce39d337a997133d7c3175e554b5615039ce12fde1014c284acf3bdb8893

SHA512
e122f88dbc9d0d2dbb9168fbc5fd1ab18b349acb8e327ac28a20f72d7ae74c846c6d00b32bed95570db6b00a220d4d17ad858487b15a82bae18fa5aa8d606363

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe.config
Filesize
171B

MD5
cb143eef30f7ad481e715926b63928f4

SHA1
4bb8ae8914d07d475c4c5bbf97abfa8c60544e00

SHA256
6105a59eaa1401813a363239fb193a79179d3abc93abc4f65f180e60770b6e17

SHA512
e3067b72b255772a73d8ea4564e4874008fb52de9e18cfcdfda547408288826629f1f2ce7c0efb07b9528d34e0efd0635b91560df50f12edd4b5c19cef5af19d

Download Submit
\??\pipe\crashpad_1876_PPOHMKIGDOOPGIAV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1304-176-0x0000000000000000-mapping.dmp

Download
memory/1356-236-0x0000000000ECA000-0x0000000000ECF000-memory.dmp

Filesize
20KB

Download
memory/1356-237-0x0000000023130000-0x0000000023133000-memory.dmp

Filesize
12KB

Download
memory/1356-137-0x00007FFA734F0000-0x00007FFA73F26000-memory.dmp

Filesize
10.2MB

Download
memory/1356-161-0x0000000023130000-0x0000000023133000-memory.dmp

Filesize
12KB

Download
memory/1356-139-0x0000000000ECA000-0x0000000000ECF000-memory.dmp

Filesize
20KB

Download
memory/1356-133-0x0000000000000000-mapping.dmp

Download
memory/1356-151-0x0000000000ECA000-0x0000000000ECF000-memory.dmp

Filesize
20KB

Download
memory/1416-173-0x0000000000000000-mapping.dmp

Download
memory/1512-200-0x0000000000000000-mapping.dmp

Download
memory/1732-290-0x00000229F7CC0000-0x00000229F7DC0000-memory.dmp

Filesize
1024KB

Download
memory/1732-219-0x00000229DD52C000-0x00000229DD530000-memory.dmp

Filesize
16KB

Download
memory/1732-272-0x00000229DD540000-0x00000229DD543000-memory.dmp

Filesize
12KB

Download
memory/1732-295-0x00000229DD58C000-0x00000229DD58F000-memory.dmp

Filesize
12KB

Download
memory/1732-234-0x00000229DA6D8000-0x00000229DA6E0000-memory.dmp

Filesize
32KB

Download
memory/1732-273-0x00000229DD540000-0x00000229DD543000-memory.dmp

Filesize
12KB

Download
memory/1732-277-0x00000229DD597000-0x00000229DD59A000-memory.dmp

Filesize
12KB

Download
memory/1732-271-0x00000229DD540000-0x00000229DD543000-memory.dmp

Filesize
12KB

Download
memory/1732-256-0x00000229DD535000-0x00000229DD538000-memory.dmp

Filesize
12KB

Download
memory/1732-278-0x00000229DD597000-0x00000229DD59A000-memory.dmp

Filesize
12KB

Download
memory/1732-281-0x00000229DD5A0000-0x00000229DD5A3000-memory.dmp

Filesize
12KB

Download
memory/1732-282-0x00000229DD5A0000-0x00000229DD5A3000-memory.dmp

Filesize
12KB

Download
memory/1732-285-0x00000229F7CC0000-0x00000229F7DC0000-memory.dmp

Filesize
1024KB

Download
memory/1732-257-0x00000229DD535000-0x00000229DD538000-memory.dmp

Filesize
12KB

Download
memory/1732-258-0x00000229DD535000-0x00000229DD538000-memory.dmp

Filesize
12KB

Download
memory/1732-233-0x00000229DA720000-0x00000229DA820000-memory.dmp

Filesize
1024KB

Download
memory/1732-283-0x00000229DD5A0000-0x00000229DD5A3000-memory.dmp

Filesize
12KB

Download
memory/1732-232-0x00000229F05B0000-0x00000229F06B0000-memory.dmp

Filesize
1024KB

Download
memory/1732-246-0x00000229DD52E000-0x00000229DD531000-memory.dmp

Filesize
12KB

Download
memory/1732-248-0x00000229DD52E000-0x00000229DD531000-memory.dmp

Filesize
12KB

Download
memory/1732-286-0x00000229F7CC0000-0x00000229F7DC0000-memory.dmp

Filesize
1024KB

Download
memory/1732-247-0x00000229DD52E000-0x00000229DD531000-memory.dmp

Filesize
12KB

Download
memory/1732-230-0x00000229DD541000-0x00000229DD544000-memory.dmp

Filesize
12KB

Download
memory/1732-288-0x00000229DD5AA000-0x00000229DD5AD000-memory.dmp

Filesize
12KB

Download
memory/1732-243-0x00000229DD52A000-0x00000229DD52E000-memory.dmp

Filesize
16KB

Download
memory/1732-229-0x00000229DD541000-0x00000229DD544000-memory.dmp

Filesize
12KB

Download
memory/1732-228-0x00000229DD541000-0x00000229DD544000-memory.dmp

Filesize
12KB

Download
memory/1732-242-0x00000229DD52A000-0x00000229DD52E000-memory.dmp

Filesize
16KB

Download
memory/1732-240-0x00000229DD52A000-0x00000229DD52E000-memory.dmp

Filesize
16KB

Download
memory/1732-291-0x00000229DD5AA000-0x00000229DD5AD000-memory.dmp

Filesize
12KB

Download
memory/1732-289-0x00000229DD5AA000-0x00000229DD5AD000-memory.dmp

Filesize
12KB

Download
memory/1732-241-0x00000229DD52A000-0x00000229DD52E000-memory.dmp

Filesize
16KB

Download
memory/1732-294-0x00000229DD58C000-0x00000229DD58F000-memory.dmp

Filesize
12KB

Download
memory/1732-215-0x00000229DD52C000-0x00000229DD530000-memory.dmp

Filesize
16KB

Download
memory/1732-217-0x00000229DD52C000-0x00000229DD530000-memory.dmp

Filesize
16KB

Download
memory/1732-218-0x00000229DD52C000-0x00000229DD530000-memory.dmp

Filesize
16KB

Download
memory/1732-216-0x00000229DD52C000-0x00000229DD530000-memory.dmp

Filesize
16KB

Download
memory/1732-276-0x00000229DD597000-0x00000229DD59A000-memory.dmp

Filesize
12KB

Download
memory/1732-222-0x00000229DD532000-0x00000229DD536000-memory.dmp

Filesize
16KB

Download
memory/1732-223-0x00000229DD532000-0x00000229DD536000-memory.dmp

Filesize
16KB

Download
memory/1732-225-0x00000229DD532000-0x00000229DD536000-memory.dmp

Filesize
16KB

Download
memory/1732-224-0x00000229DD532000-0x00000229DD536000-memory.dmp

Filesize
16KB

Download
memory/1732-227-0x00000229DD541000-0x00000229DD544000-memory.dmp

Filesize
12KB

Download
memory/2116-174-0x0000000000000000-mapping.dmp

Download
memory/2376-132-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2376-138-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2376-238-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2740-196-0x0000000000000000-mapping.dmp

Download
memory/2884-195-0x0000000000000000-mapping.dmp

Download
memory/3248-187-0x0000000000000000-mapping.dmp

Download
memory/3428-192-0x0000000000000000-mapping.dmp

Download
memory/3524-169-0x0000000000000000-mapping.dmp

Download
memory/3608-252-0x000000000A330000-0x000000000A340000-memory.dmp

Filesize
64KB

Download
memory/3608-266-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/3608-197-0x0000000000000000-mapping.dmp

Download
memory/3608-269-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/3608-268-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/3608-267-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/3608-265-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/3608-250-0x000000000A330000-0x000000000A340000-memory.dmp

Filesize
64KB

Download
memory/3608-251-0x000000000A340000-0x000000000A350000-memory.dmp

Filesize
64KB

Download
memory/3608-264-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/3608-253-0x000000000A350000-0x000000000A360000-memory.dmp

Filesize
64KB

Download
memory/3608-254-0x000000000A350000-0x000000000A360000-memory.dmp

Filesize
64KB

Download
memory/3608-263-0x000000000A330000-0x000000000A340000-memory.dmp

Filesize
64KB

Download
memory/3608-262-0x000000000A350000-0x000000000A360000-memory.dmp

Filesize
64KB

Download
memory/3608-261-0x000000000A350000-0x000000000A360000-memory.dmp

Filesize
64KB

Download
memory/3608-260-0x000000000A340000-0x000000000A350000-memory.dmp

Filesize
64KB

Download
memory/3764-188-0x0000000000000000-mapping.dmp

Download
memory/3776-201-0x0000000000000000-mapping.dmp

Download
memory/3840-152-0x0000000000000000-mapping.dmp

Download
memory/3872-194-0x0000000000000000-mapping.dmp

Download
memory/3904-191-0x0000000000000000-mapping.dmp

Download
memory/3960-177-0x0000000000000000-mapping.dmp

Download
memory/3964-142-0x0000000000000000-mapping.dmp

Download
memory/3964-148-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3964-149-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4052-189-0x0000000000000000-mapping.dmp

Download
memory/4244-170-0x0000000000000000-mapping.dmp

Download
memory/4320-168-0x0000000000000000-mapping.dmp

Download
memory/4352-178-0x0000000000000000-mapping.dmp

Download
memory/4352-183-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4352-184-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4352-185-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4416-157-0x0000000000000000-mapping.dmp

Download
memory/4712-156-0x0000000000000000-mapping.dmp

Download
memory/4752-154-0x0000000000000000-mapping.dmp

Download
memory/4804-165-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4804-158-0x0000000000000000-mapping.dmp

Download
memory/4804-162-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4804-166-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4840-153-0x0000000000000000-mapping.dmp

Download
memory/4948-155-0x0000000000000000-mapping.dmp

Download
memory/4964-175-0x0000000000000000-mapping.dmp

Download
memory/4976-172-0x0000000000000000-mapping.dmp

Download

pid	process
1356	iPack_Installer.exe
3964	7z.exe
4804	Patcher.exe
4352	Patcher.exe