Malware Analysis Report

2024-10-23 16:16

Sample ID: 240201-r5amzafgg4
Target: WinIconMakerFreeSetup.msi
SHA256: 474fbd180a26139e8013595adedc0ce2bb434677ae667093f86d4a59b11c7045
Tags: netsupport evasion persistence rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 474fbd180a26139e8013595adedc0ce2bb434677ae667093f86d4a59b11c7045

Threat Level: Known bad

The file WinIconMakerFreeSetup.msi was found to be: Known bad.

Malicious Activity Summary

netsupport evasion persistence rat

NetSupport

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

Blocklisted process makes network request

Enumerates connected drives

Adds Run key to start application

Maps connected drives based on registry

Drops file in Windows directory

Program crash

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-01 14:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 14:46

Reported

2024-02-01 14:49

Platform

win7-20231215-en

Max time kernel

163s

Max time network

174s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi

Signatures

NetSupport

rat netsupport

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IObit Workshop Ultimate = "C:\\Users\\Admin\\AppData\\Local\\Programs\\WinIcon Maker Free\\CPPlayer.exe" C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f777022.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f777024.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI97E0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f777022.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f777021.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f777021.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 1528 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 1528 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 1528 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 1528 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 1528 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B4" "00000000000004AC"

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="CPPlayer In Service" dir=in action=allow program="C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="CPPlayer Out Service" dir=out action=allow program="C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

Network

Country Destination Domain Proto
US 128.138.140.44:37 N/A tcp
MD 5.181.156.118:443 N/A tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 104.26.1.231:80 geo.netsupportsoftware.com tcp
US 128.138.140.44:37 N/A tcp
N/A 127.0.0.1:49364 N/A tcp
N/A 127.0.0.1:49499 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabE458.tmp

C:\Users\Admin\AppData\Local\Temp\TarE4F7.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Config.Msi\f777023.rbs

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

C:\Windows\Installer\f777021.msi

memory/1528-112-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadGC2.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corem.dll

memory/1528-141-0x0000000005AE0000-0x0000000005AF9000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corez.dll

MD5 258c140a5e8f5189110ba52232ce7583
SHA1 9645136f8d75d0cc93629e7589880b29a56d1707
SHA256 2d1d2c2741dc8cc5cc0d92e5f4025b7f28ed834f15386c320e56b009bc94f3c2
SHA512 837616edf9238c2b969d6f60ecc97a32ed5e176df40a5b177e65c2d8c859891538bedb120b8da32efe6feb3b6f5bd547ac53c9ece6a3c049bc7f4ed035aa8274

memory/1528-138-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corez.dll

MD5 355f1b97cad97743a8e70dd2803e2f9d
SHA1 c7c12bc74483874cbdd39343d149509be355c2d9
SHA256 00d4986dfff92cfdd45576da9100d49f374a8dba1a476cfc8dc7cf50f5a6735f
SHA512 eb7f8d7b68ab01a95de5aad0023fc4c51c3828138610b488c92ca3ab5c320305f295467972b542c7fe436d08e21ba7926a997702e4383ce5f4cbc674f62479b7

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Player.dll

MD5 9e137cbd50da2b9a4788f6cc1dcda62c
SHA1 4f38ef19170675bfb5b363196e712142bf90e7f8
SHA256 af49cc02f3063d95eac2ad2dcbec1c7361ed47a119a41e964ec7919d12258634
SHA512 4b9ab5a07d37cea841bffb178a682efb6dca728cc205ad081504bc1ead391bd1ca5f5a608e6cb673aadbc62247b0bfb99c7d15029c0091b6a2cb7e91bf2b1b2b

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corem.dll

MD5 71f601f8151e34ef31307ab4e46e902d
SHA1 1f3d312e2f4755b7f2decca1dedb91bc795288ea
SHA256 deac6221d0abe480012e836e5e9dd915828ae55401f0c46fb7ce8049c380c698
SHA512 377e6c9540616cad77cf151a31f6461338910d441a12b26175d8bcc2020eba83f621b0df1756123b58fb4358786fcb6a3e187af11123f100a91255218a616aa9

memory/1528-146-0x0000000005B20000-0x0000000005B3A000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll

MD5 ed5746c87fc7c3925933de2df866e7bc
SHA1 0a567c7b7d3cfabdc4de7ba0cafa1311652034d4
SHA256 c2f48eb3727040de5b8ea76875292dc86915a04836ca41ad1b30a2cb86e3eeef
SHA512 ea32f04b1bac637686ce605d1fe7ceb7bdbc032e9d893197473016e62985f77245c9fffb691c6f24ee8483b12d89e976d12e027eb179ace18246bddca2737fc7

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SharpWnd.dll

MD5 7370490e1da3b929ebd4287875ad5914
SHA1 a598d8c11905464414e8b741fe080be08507351c
SHA256 6602c4a3115a1b3a8a56cfbc7402936f8dad7627dcd6a9fa224dbe9b7ebb2434
SHA512 6f1cd820907e58b47ea0c4b36a7b7cb1fb45ff7393833daa424d51a52741957eb437dc33d1a61a77880069b4522fa777e0f84eb89e067da7e176db20f93bf887

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SharpWnd.dll

MD5 a0bf8f3ce050efcdc441a40fa146d12c
SHA1 c12814cf6cfbd329ec2c0281ee598f704e5e3335
SHA256 6203260bbf3cc6a85c868d2a0c617296bdd966422d5b1d132f487aff305544d0
SHA512 8e8bb4131f3bb3868d65be1ab4bf9b0cf8d5db04f4a5f598b43d0ecb3d0813238e2a9ade0911029fd65506048153a801758892d86a871989a9f8ef3a23bac26a

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ImageZoom.dll

MD5 7707f9a473a8b76e2e45ecf9eca9373f
SHA1 8ab746e832a624a19accbc258826f3e9efa5b58d
SHA256 77ca67cf295ad97132717ddd0193c2fe2dfc78742ead75214bcf10362289fe3b
SHA512 ea134eeee5d07c96528f612089a42a902b5a02c9791de124edc702b4dd3f08088046c04b1d601a15d0c0fadda46c8edaf69031109f283336ebfd9d08fe78ba76

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ImageZoom.dll

MD5 40d7fc3b2d0654937e3f90ca1132a2c1
SHA1 8766221aff314a4fb78fd32961206cd95ec494b9
SHA256 3d9b491cb3b98616a50885002daffdd4a0993276cb7b22d1d49f20a4ed64bcaa
SHA512 2edde540692a4a77622aa3d713e26a036c84af06c36c3f1ee7913e29318beb874367e0b49a9bccc03e71b62337e79bca60180d53b3c70e7bbb6f2ab3202f0293

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll

MD5 a1be2e85f5e83eef973635da4a09d35c
SHA1 21b729ba1e660109ea894b8265e38228e45c3922
SHA256 3738697facd962bd399f72f39205bb68984976077f06aca5cc7468c3d85eec60
SHA512 06d47e2edd4b79200c6e12a1db9364d9509d1d85d44b8e92ec9f4e8493df322acad21dcd3376c13377494903e6670e14d4fbe5ba16785c5c4d13c1d953ed92da

memory/1528-153-0x00000000733C0000-0x0000000074268000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Player.dll

MD5 cc1ae9416404f956d504e3097175418b
SHA1 fa6a0c4cc028dafdce90b75a1f5e4e7c57fe7e12
SHA256 23152750c57f33ee7647b182a33a28a9ec791800b4ff49b0210cfdba434c08f5
SHA512 8cd5bf544416ca6488478ade204ebcf12336a737e1579494a25bc47aaee7fd2eba6de74050065ceb4a7fe7f7f83958122eeaaf4d0436e84700885d4535e9f85e

memory/1528-154-0x0000000074D50000-0x000000007505E000-memory.dmp

memory/1528-135-0x0000000005AC0000-0x0000000005ACB000-memory.dmp

memory/1528-160-0x0000000074560000-0x00000000746EE000-memory.dmp

memory/1528-161-0x0000000072C50000-0x0000000072E0E000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll

MD5 b2ee747e65d4f177c77b6a722e4a31a9
SHA1 04777f404901a07b7052d47e9633bc3c2c794770
SHA256 69a407d078e9210e0d812853482ff61284af988cf4252e147b96467b0d1350dd
SHA512 c6a40b145f537114ccf0d0677cf860aa3aa27ef02a1ca575b0ed963ed97bec400eb82704417f13517a1cfca748e2a75afe50979700b641b40151591aa9b0237d

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll

MD5 4929d4ac3a205dfd99442b3c8703a3bc
SHA1 4c103c3629a55998e3d3de5f8a40195221234d38
SHA256 1a4855fca2f0cb64cd9a78b3daf4dc2e17899192a0e42f9170255627ad5b1966
SHA512 9374d2aa9aa8331f7dea8e3dfdbb1e39b5deecdacb38345b31d78e7b215996168a650114bb72e8565ab4ba10fa6c49fa17c75de9875297c288a23cc4dc008b1f

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\templates\bank.wav

MD5 3df344eee0bc793e97eb81cf78e15257
SHA1 461d658ecf9a2a881126b51aafb05651244db60c
SHA256 f4858a2db9a3df91ec668cfa87a1e1339582c1fc8fb3da7d7f67562c9673fc86
SHA512 b8104dce314ca59e2522f7319663d1cfa2986dd3571d45bc0272def6eda09c1d5fe8e7fd38d95635067bbfc10e94f2ff380d0791881d7f9432bcc51a15701dcd

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\awebform.resources.dll

MD5 1df3587eb803ff1e6554cbaa1b1feec4
SHA1 f95eb66ac50bd3a03f714172624892c33b5148fc
SHA256 52bb164ea074ed61a5842ee596203100f4b553697bcb7035afe6871d67a96671
SHA512 a43b0b00dfc4e9cd5b3b91c5b716fd1dcf07b32e7219dc9d2f253c8c5da051725d9edc60d891468cf0b9507ff576b1300e755a72030c1aa7e45acac65d1bc9d5

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\awebform.resources.dll

MD5 61e797e9c5e06798ecdbfc2e7e6ddf20
SHA1 c758d54447a870921021cc07fa8c611a73dabd8c
SHA256 fad4d2e938d97e3f999f2d9cd78d39e4587f3205d5abaa873db31bd53405de85
SHA512 300315bd625a458d8f91f44df4a7739824faa69c3110405d2a7582a1541e79f22af6cd00f0177263cca76507e42e2bbf888fed9082dd67353f0a39b0a9cf01a2

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadVC2.dll

MD5 54aeddc619eed2faeee9533d58f778b9
SHA1 ca9d723b87e0c688450b34f2a606c957391fbbf4
SHA256 ee15e6e3f82c48461eb638c1ea11019ae9e3e303e067e879115c6272139026e7
SHA512 7cec39f32804109b3d502027d1ec42a594c1e4a2d93512195c60bd41aad7e32a8b0eb21a0ee859fecb403ee939eebc4608d9d27a4002b8c282de32f696136506

memory/1528-162-0x0000000007120000-0x0000000007279000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\postproc-52.dll

MD5 f75d1b175e1687ee0a9b9e4a7abd123b
SHA1 026f4db79aa8db651964acf17233302d1809de1e
SHA256 72180a408b13b7d98c0bc2395b886a5c3aa0b2dea39ef081e193f60ef373365f
SHA512 200aec20c95b1ec2e7d1bb33ed89d846a128847b82c9d09aa2788b258967e750718414f05bdec0cf2e4f9c7af697404e19caccac354a1a62db52e76c6a45886b

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll

MD5 fad029ba38baf5ae1093f03a5e101fff
SHA1 99505a53e9f96405e799724502faefe0658743ff
SHA256 e11a3baec584ff516fd07e6d013ac03f4477b871cc67d6803dbd3eaffc10a0e7
SHA512 2905c2fd0cbf695f465338760f5ee79887cdef1706d7897e704217d3a695fc88be0b6854bada87f9582d87677cad210edefad4a474efefe5d1dab818d17698df

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll

MD5 aff1bc827c7d48cb647ddac23f5e09f3
SHA1 3d58299964ba60132d3627cb70bba8438d2831e1
SHA256 a223336cf22220752088b7a87bbb8d10f208737877500f82a72ab0547f9cbe66
SHA512 8e3d041cf5d1b3187243fec1b13f2d00b412d29feeb03dabb525d0cceb96e755c586fe613bdecb6d6e1e39a6aaf9bd645d516875a4131f66abfd3faabde537c7

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll

MD5 3c68bc2d1250f670213e4480a470e6fd
SHA1 295e6c4e54847b822364f49918186fa6f6656787
SHA256 2c3d8100cb48e764d5caa16a20295d23990a40b2bc0e2c39c882b61d16f709af
SHA512 0bc48e7e66f224f03db6bdc6f4a75228483128d207c7c27c7ead8de1aaa788578898066980ebf1e3947dba5f638800a037678876bbcc9790157c4cdbae865f1c

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swresample-0.dll

MD5 77bceb240f65c91d26299a334a0cf8e1
SHA1 de9d588a25252d9660fe0247508eadfa6f8a7834
SHA256 d179c01c646d821cf745ae5e66ffc7ed394a61a595ecc2bccf27dc144ba91a2c
SHA512 b380b592c39fd22302fc4a36aa6f773a79253230f0dd73ad129500654dbdf24c5a0b0ae3b2a4ffd762da4f9705a0c8e48ad4372d85cdb6271c5d3f315c82a281

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avutil-52.dll

MD5 5fb3a0307fe16f27c4ca1f6e38560fb5
SHA1 70781f6ac942bcce18b06f871ac4d19b48f6cc45
SHA256 2b1c3aa93401e90678e3274fe5163da96d461b54fcce11fe62dc7f41b5eb2261
SHA512 49619ffa35bef4e46407aa091c8d12040a02b1bf3da6df16d0f1f86261b953c586b88f051b1ce8fc3051aaf78289b6fddfc3f75ad398bdf61ca784f699e840c2

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avutil-52.dll

MD5 bae531c937ad52ae47854e27524b13cd
SHA1 7d19daea3db4c02e7cf69ade8eb8bcd1c1f4685e
SHA256 82cc263696dd1012f42ef0f95d68e99fbf9adfd2efead650d3ce7984032f7e68
SHA512 9754a497cdbb8bebc7a18a2fd6095d9f7ee4b28d72f83f567a9b951c5615433c04083e31389d9f173798c3cefe45239fd605631c3f419b2b07040846de350514

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

MD5 338e5391aed284646a4ec00e3d2b20a4
SHA1 dba92fe5ed4231e9e16294f8aa37d8a4b71a71aa
SHA256 13de7a2a1aba1fc808d61b6fffd67146472a1791a9332cd7b8c0598f4c3d820f
SHA512 5f9e4ef1d0180a173bac590b2cd209abf5267bfd6432ef8dbc7227f811a1d78c2ce4035a0079a6bfdee59fcc4813ee2bbb2257d3e0ee613c0d96653451c44f84

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

MD5 3e98c3e0de47ccf36c1af7eebe5969ef
SHA1 ec781765ae9b074f8d0993a0d890b071f3c4439d
SHA256 dcbad205fecd66dd4e0b249f6cb938c6aa4db288f5e225061cb029b1be85c574
SHA512 66d4edccf5fa1b50d595656adf4099d12d9f09b107c1bd84a8aae95e1f89134dafd59e9c74ff79591dc9ab2549fcf4e52758741b84ff5a342d999b522a257216

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

MD5 d708b3958ea4960cab57e998702c2710
SHA1 1920bd82c4dea8e07fb910b50c99974370b11648
SHA256 d00310bd7be306bc5d8c1515dfb0ee2ff9a6d4d5a4c0dd2f519c0614f353e752
SHA512 28e13ce7a0b0d1d3a88d42ec7ab07c89334a1ca361746efd04755da71503cc03a8b8dff897d08dab395c1118090e633b5164a1a9b1ae88dcaa3378629a9cfbba

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

MD5 b8b1f7b230ff3d7d4151e561734a8b89
SHA1 9baf58b394e3330f2dfa823068cd5ddc07f0a39b
SHA256 ca9fda28cad39b1c66e6c28541d6e73c3a6c8a98ebfb8380ff99af2f07ac8470
SHA512 fcf9d13a27adcf0a74685f152385b62efaf7823857683a837f8fdc98cdadd05f716e5806ff49fd95729ef998b3f705620556a98d4bf8bbd6409a9af9a28895e2

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\License.txt

MD5 cc5d000307075f7c16eb5cf2c8606c8d
SHA1 0169dbed302b8a3d142522e6bcb6040609d07232
SHA256 66014baaf612e3aa3084b0c9d7fd95041606f6157236ea10e80865e7cee4cab4
SHA512 d8cc2a3ae2bda1ad7d07f5ca4645c60d67bbb719ea8c42696e749604205b43fbb8630060924a486fee7f8f38984e53ab9c9016eabf8a548f9eec177d5d8b268e

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Fitness.raw

MD5 7e49fd08fecf1d32777431ce57fae981
SHA1 c215805ae915be0e9908e3d0ef25006aeb710756
SHA256 40a8c6b7c684072bd4fe2511571c9846c26b5c2b10a0e185347243dda02052b3
SHA512 3f554275c6d9dceea8766063027a04bbba30efef8965dbfc579b78fbbf617f843111db34a50f4f213e13b28dbd01333e301f5938f891ef99a925af158b942894

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Readme.txt

MD5 969c656269ca1f8437d76200e7620bcd
SHA1 80c6b239567b19e358250c8cbda9f100e6b0c28a
SHA256 dad36f230fb9f65767b07006df1f73d04ad55863f17c1d0343771ce6c5e2ccfc
SHA512 030ba239643d0d2e68283ec428dbf916021b7e3939d2ad7df4ef7101cf581341e50b7900dd6aed32582df8c66539d0d5032106b9e41a95cf2886a25941f15941

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest

MD5 ce3ab3bd3ff80fce88dcb0ea3d48a0c9
SHA1 c6ba2c252c6d102911015d0211f6cab48095931c
SHA256 f7205c5c0a629d0cc60e30e288e339f08616be67b55757d4a403a2b54e23922b
SHA512 211e247ea82458fd68bcc91a6731e9e3630a9d5901f4be4af6099ad15a90caf2826e14846951fdd7d3b199994fd3ac97ca9e325cf0dfeb9474aea9b0d6339dd3

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest

MD5 6bb5d2aad0ae1b4a82e7ddf7cf58802a
SHA1 70f7482f5f5c89ce09e26d745c532a9415cd5313
SHA256 9e0220511d4ebdb014cc17ecb8319d57e3b0fea09681a80d8084aa8647196582
SHA512 3ea373dacfd3816405f6268ac05886a7dc8709752c6d955ef881b482176f0671bcdc900906fc1ebdc22e9d349f6d5a8423d19e9e7c0e6f9f16b334c68137df2b

memory/1528-173-0x0000000007120000-0x0000000007279000-memory.dmp

memory/1528-175-0x0000000007120000-0x0000000007279000-memory.dmp

memory/1528-178-0x0000000000400000-0x0000000001554000-memory.dmp

memory/1528-183-0x00000000746F0000-0x0000000074713000-memory.dmp

memory/1528-182-0x0000000074720000-0x000000007478A000-memory.dmp

memory/1528-186-0x00000000742A0000-0x000000007432B000-memory.dmp

memory/1528-185-0x0000000074520000-0x0000000074557000-memory.dmp

memory/1528-193-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1528-208-0x0000000007120000-0x0000000007279000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

memory/1528-222-0x0000000007120000-0x0000000007279000-memory.dmp

memory/1528-224-0x0000000007120000-0x0000000007279000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\msvcr100.dll

MD5 94f12483485c17df15de92e2fbc45d83
SHA1 61b8350e8ae9ecf08687217d06dc5a54863e2a80
SHA256 275d6cc02a70460afabc273bee90818e5cf1631a1292295511899f5e36adf2d4
SHA512 697f8e5021eae8d54b52d51fb3e0d2aa86b076ccc2f39d5c33169c18e2b04b02cd54e1a4a4b959237643612773382cb2c0dc5acb9db9437a6e880a1f4936cce6

memory/1528-234-0x00000000064C0000-0x00000000064DB000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\htctl32.dll

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\nsm.lic

MD5 7067af414215ee4c50bfcd3ea43c84f0
SHA1 c331d410672477844a4ca87f43a14e643c863af9
SHA256 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12
SHA512 17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicl32.dll

MD5 3f674d98c51dddc948b460c49e291223
SHA1 17915cf6668cf9712c3c9e3f631b20d0c79b95cf
SHA256 5602f0d72d519041434bea902a4fe7b5970bc844ad8cfb5378e2dda8036b9fb2
SHA512 dd98c1dba35e4f74772d75996fc11f5162809fbbdd506ed6d26600748c345376ad3e296bc2bfbc2eb96bc0a10b12cf2073b6b2463b9c4858f8a97f8e3f531476

memory/1528-244-0x0000000007120000-0x0000000007279000-memory.dmp

memory/1528-245-0x0000000007120000-0x0000000007279000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

MD5 e8798daef7e0c7895563ea617cc413ea
SHA1 8f6cf6ead9a99b8dac26ad6c60bd5bf6cdb611e3
SHA256 949a86ab77380051ee57d48591a4d41440551a9aebcbb6bed2ab38b6e0b80c6a
SHA512 bf9be5164e5e4a082aa4f1cd1a98f07c99c938f7b4456f97f98d3f421e6635c7a413e4feb14b8ebc3feb8421c62987b5fbc1943267498d440549c712de25a1e0

memory/1528-250-0x0000000007120000-0x0000000007279000-memory.dmp

memory/1528-254-0x0000000007120000-0x0000000007279000-memory.dmp

memory/1964-267-0x0000000000400000-0x0000000001554000-memory.dmp

memory/1964-278-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1964-289-0x0000000005D40000-0x0000000005D4B000-memory.dmp

memory/1964-292-0x0000000005FE0000-0x0000000005FFA000-memory.dmp

memory/1964-291-0x0000000005D60000-0x0000000005D79000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll

MD5 2985c39796fb4a5f4357a1a7a134ad45
SHA1 305dc537a03e0137a529dc30bfd2fc6c185402a3
SHA256 4f17b1ceea162390f64f54a3d13de4bb9e553da1e51ae7061545b7843ddad9ca
SHA512 4764dbf01defe417d587adbee16901bf374e0548d4a00f4f977f058dbe00c54712fd25162e1bf1986b55521cc2f005e7ed8e78db15e6cabfddc6b6924ec423b8

memory/1964-290-0x0000000005D50000-0x0000000005D60000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll

MD5 dc2794d7a15488990bde6768c0e0c49f
SHA1 a07d0e61500ef10d15ee74a55ad2a78a238a24c6
SHA256 dc4434162b4f1e94b205c67efdfdd0bf1db9f876fd224b6d83974c7aca409496
SHA512 ef4eb12c47da38c1d42712be2c3a0406e7d28c4d8c644ee0a9049862e51cbf59b117179f7d0027289a7476516af6a69b4437d7e58fa3587362bb1d6cf7c75524

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avutil-52.dll

MD5 f832d24b70a2f4583c57a5fa9b6f0d68
SHA1 092ce5cb6bfe6eadde62c4cfb911eab2474196f8
SHA256 67a0f7d47ceff1407b9c4851032346a9b81a75fee6569274f15d092610f04cdc
SHA512 41048c023871b485718ae219f0d79bbe01a0704f8d2107d68ead2262e3f66737718afbb636b02109d1a2b427aab04dd394ef82d8014298fa3fdee0c61bfab185

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

MD5 105f1422d855dfa6e4569383d17e50e3
SHA1 7c0b7246a3313430e330bb27cf0550324f199d56
SHA256 843cd53a13e51259997cdcd0a0f5bc9b86d6da8cf9eda22e3bb46855956b1161
SHA512 d33c0bc5e73fa1fc015908cbff2b91cf6ae16fb3fd0d93e2a2396b60a7fc0037a895b98ea1e295a5866ff1c577c7fd199dd91184c7381ed1edd63d71ca91699c

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

MD5 5e269d64045e0df6668063e6df02014d
SHA1 f572aef6a0fa5eb3ac58e29b3f2f8063101a28f9
SHA256 861c6e12dc1dac24a41851ac728c1e1fb9cdab5286c4fcb9474b5c04878db3b8
SHA512 fa3c295cbc0737e09771caa1ad99a2cc8d43b87941a3ca8935a3efeeae31a5cac213679ea105b2e9ae1351f19a85d2f7537ab13a0ae90bc9f51c034b21614131

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

MD5 30b7fdf2c773349ba048f9ff5e576c49
SHA1 24eeaf7534b1f83bd4502aecf5fbe7116ed8c7d0
SHA256 a1207efb566aa4b0993b8f2bf55fa2ac0e46db3a6c2671e3e8e180aae3ac2297
SHA512 5cabef903a71600fdb0bd0f922d6cecf013b41a3f2aa29a245114eb5d84c865db319dec40a48a0c32886bb06862e55df7f41c6a70c024abb00c6ff1dd4e4687d

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

MD5 5f6154154abdad46889e47b993f87647
SHA1 d18f4fef21f531b0392bb9fe0a2063aa7c4dd47b
SHA256 aee692ac10e2a2f87da38c9b97714fea21a55c06915a298c0a5d242659338a41
SHA512 9f7783ee2de60a559473ad8235ad64d801d27f5b2e428408f29d10773c4ac95eabe2c8a9e6e145db1ce1ee694fd696e0396797415ebecc91946f335e0a93a909

memory/1964-293-0x00000000733C0000-0x0000000074268000-memory.dmp

memory/1964-311-0x0000000072C50000-0x0000000072E0E000-memory.dmp

memory/1964-310-0x0000000074560000-0x00000000746EE000-memory.dmp

memory/1964-309-0x0000000074D50000-0x000000007505E000-memory.dmp

memory/1964-322-0x0000000006600000-0x0000000006601000-memory.dmp

memory/1964-321-0x0000000007ED0000-0x0000000007F5B000-memory.dmp

memory/1964-332-0x0000000072C50000-0x0000000072E0E000-memory.dmp

memory/2596-363-0x0000000071AD0000-0x000000007207B000-memory.dmp

memory/2596-364-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/2596-365-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/2596-366-0x0000000071AD0000-0x000000007207B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 14:46

Reported

2024-02-01 14:49

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

154s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi

Signatures

NetSupport

rat netsupport

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI95D2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e589027.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e589025.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e589025.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{DCE33C24-54AC-4134-8C0C-AA3D26865F9C} C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3240 wrote to memory of 4236 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3240 wrote to memory of 4236 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3240 wrote to memory of 2920 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 3240 wrote to memory of 2920 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 3240 wrote to memory of 2920 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2920 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2920 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2920 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2920 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 4588 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4fc 0x50c

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4336 -ip 4336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1608

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 128.138.140.44:37 tcp
US 8.8.8.8:53 44.140.138.128.in-addr.arpa udp
MD 5.181.156.118:443 tcp
US 8.8.8.8:53 118.156.181.5.in-addr.arpa udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 104.26.1.231:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 231.1.26.104.in-addr.arpa udp
US 128.138.140.44:37 tcp
US 8.8.8.8:53 telldruggcommitetter.shop udp
US 172.67.132.181:443 telldruggcommitetter.shop tcp
US 8.8.8.8:53 181.132.67.172.in-addr.arpa udp
US 8.8.8.8:53 gemcreedarticulateod.shop udp
US 188.114.97.2:443 gemcreedarticulateod.shop tcp
US 8.8.8.8:53 secretionsuitcasenioise.shop udp
US 188.114.97.2:443 secretionsuitcasenioise.shop tcp
US 8.8.8.8:53 claimconcessionrebe.shop udp
US 104.21.58.31:443 claimconcessionrebe.shop tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 liabilityarrangemenyit.shop udp
US 172.67.182.52:443 liabilityarrangemenyit.shop tcp
US 8.8.8.8:53 31.58.21.104.in-addr.arpa udp
US 8.8.8.8:53 52.182.67.172.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Config.Msi\e589026.rbs

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

C:\Windows\Installer\e589025.msi

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avutil-52.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\postproc-52.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadGC2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corez.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corem.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadVC2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swresample-0.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll

\??\Volume{57af6234-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{230d841a-a5b3-41d5-b8b8-8fc8bd059e50}_OnDiskSnapshotProp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Player.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SharpWnd.dll

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ImageZoom.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\awebform.resources.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\templates\bank.wav

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\License.txt

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Readme.txt

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Fitness.raw

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicl32.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\msvcr100.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcichek.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicapi.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\nsm.lic

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\htctl32.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll
