Malware Analysis Report

2024-10-23 16:16

Sample ID 240201-tn4wlabeek
Target WinIconMakerFreeSetup.zip
SHA256 34695d42d3d51e9099a78c92e578b38ad46e2eefc6953ab45727c66ba75559cc
Tags
netsupport evasion persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

34695d42d3d51e9099a78c92e578b38ad46e2eefc6953ab45727c66ba75559cc

Threat Level: Known bad

The file WinIconMakerFreeSetup.zip was found to be: Known bad.

Malicious Activity Summary

netsupport evasion persistence rat

NetSupport

Modifies Windows Firewall

Blocklisted process makes network request

Enumerates connected drives

Maps connected drives based on registry

Adds Run key to start application

Executes dropped EXE

Drops file in Windows directory

Loads dropped DLL

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-01 16:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 16:13

Reported

2024-02-01 16:16

Platform

win7-20231215-en

Max time kernel

146s

Max time network

150s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi

Signatures

NetSupport

rat netsupport

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IObit Workshop Ultimate = "C:\\Users\\Admin\\AppData\\Local\\Programs\\WinIcon Maker Free\\CPPlayer.exe" | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI3373.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f763160.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76315d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f76315d.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76315e.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76315e.ipi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2916 wrote to memory of 2720 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2916 wrote to memory of 2720 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2916 wrote to memory of 2720 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2916 wrote to memory of 2720 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2720 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2720 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2720 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2720 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2720 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Windows\SysWOW64\netsh.exe
PID 2720 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Windows\SysWOW64\netsh.exe
PID 2720 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Windows\SysWOW64\netsh.exe
PID 2720 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Windows\SysWOW64\netsh.exe
PID 2720 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Windows\SysWOW64\netsh.exe
PID 2720 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Windows\SysWOW64\netsh.exe
PID 2720 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Windows\SysWOW64\netsh.exe
PID 2720 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Windows\SysWOW64\netsh.exe
PID 2720 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | C:\Windows\SysWOW64\cmd.exe
PID 296 wrote to memory of 2064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 296 wrote to memory of 2064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 296 wrote to memory of 2064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 296 wrote to memory of 2064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000594" "00000000000005BC"

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="CPPlayer In Service" dir=in action=allow program="C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="CPPlayer Out Service" dir=out action=allow program="C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

Network

Country | Destination | Domain | Proto
US | 128.138.140.44:37 | | tcp
US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp
MD | 5.181.156.118:443 | | tcp
US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp
N/A | 127.0.0.1:49364 | | tcp
US | 128.138.140.44:37 | | tcp
N/A | 127.0.0.1:49504 | | tcp
US | 8.8.8.8:53 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab1576.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar1615.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2adfa3502611f2ebbd1a13995748b14
SHA1 e5ecd6a8168f6b5b7b32284f67830e0a0092b459
SHA256 772b43c387f5f7f05006f6662153d6280c2b19d5822ca06cd8fbbbfbecf3ed02
SHA512 677039ddc846b97b16f4406290526082650beef36b596b1d0827f63a1e1f162df52dfd55ad54b51ce1b61099820ec3940baafd3bc7e163cf9676ab688196d4fa

C:\Config.Msi\f76315f.rbs

MD5 0336026df7b45575bf724e0e8ff49a54
SHA1 1528dee73b8bac473386910c22282aca228561db
SHA256 a4afe8d5dbefd2f7d90c7d95fc25a8d2b17daed1b617147144659559c72ef42f
SHA512 e3699722b93c7a6c785f696bd3978d8f1333b71bef86b203c59d4b6546d2ee28a1d71dc12c60f294ae89bc7dfe1fc743478118928747203e0c47d2e31055ae9f

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

MD5 fface80400a0b1af30180f97b18f8197
SHA1 e254f2aeb4798e279c6ffcfe4f8a483cd4c4765d
SHA256 d624d373db4b0f0ac9b794c09c63b8b0b341601a68f87e758f70576b91d0d9b0
SHA512 dff1160ab3b7cb6bd80e1e468aa5dd21e7a251ed2f3b36d331c55fcb52151e4f0ca01cf862d55e737b461c9311d7b24844116c4e500c5b974d97945e34b2f75e

C:\Windows\Installer\f76315d.msi

MD5 aaac45f0543dfd7175ce3c22a39d5591
SHA1 81342b7bf24ab0aec2a5328b7d2bf9fabc6890d5
SHA256 64983b383b0cd01bf567f6d54120f34e87aba30b3d7049c4fc3299d1f6488eb5
SHA512 7bbfa35892f13eb3da22c05f4e6f74f8ce629f5b6defd6b35a45ee7933d53114fb979602fbc025e462ccd37fe577557d085b31c1627cd015ef76eba193023232

memory/2720-111-0x00000000001C0000-0x00000000001C1000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

MD5 f366a4e73d6b075f9e1d640be7aca0f3
SHA1 5846dfc6a8997b90d76ce43f3aa7357a2c996826
SHA256 4c871531c4dc0a618fb48ab1349af655f5fbfee0db7513588b7e179c551270bd
SHA512 e4c36ce028de2f4816c213c07f47ef5ddb8bc7a2364df2276c0f89056d62ed6d8e293b14004968d5c5f61f1f1a94f8afa994c6f967520e1554671d8437df022e

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

MD5 03bd793859607f418b9efe5082a2f9bc
SHA1 38e87c8991e9baffa83bb981482d72d5aed1bf55
SHA256 bdf8d1e587a998c23f4b37f017236fae621d389c27302e5ecf59034e3905f84f
SHA512 1b503d06951ce73c22a57b30416983cd02fdce2d76c23b95e98b79887f5a6fea439b81355447c585ef1a657af7f58a9a947c0c6061ac488354a900cff247c52b

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

MD5 ec6c5648fcc7e7f094040ba42216a072
SHA1 64e0add1580329093a0a8139878c3cd97d20427d
SHA256 aba3b629a3a95d9a539b889d4f4af82dbea2feb09a35b32bda1c91fe708d0108
SHA512 c45ab4a92a31b7226eb20a95527a17672d3be7f10610963f4f068e62ad947b97b7cf5cbb5237f419f2869f15ee89187b2afb6dac2883ec4a34ff7513169cd3cd

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

MD5 adc017f3283426b53e28737f959d3b83
SHA1 974338560f93222a097dbe23255c0d8161b7a14d
SHA256 a4a40232c80430a911b4be4ebf35694dbd1b530fc3c8428d1ca92039ca34528b
SHA512 cd52bc260b41a969a2f6395395797b7e59663feefad4f59c64410bce7caae31c01b04b37e2449b73c51db720c95e2a2619dbddf8ebafd871d236ed14a563c31a

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadGC2.dll

MD5 6f346d712c867cf942d6b599adb61081
SHA1 24d942dfc2d0c7256c50b80204bb30f0d98b887a
SHA256 72e6c8dd77fa7e10a7b05ef6c3e21d3f7e4147301b0bf6e416b2d33d4e19a9c3
SHA512 1f95a211d5dd3e58d4e2682f6bf2c5380b230e9907e2882097b77b99520cd2c788f43ad2abcce617dd8ded0043e4ef1c8b6e083c44688b23109868e6cdd2364c

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

MD5 afc69a24aa7759960dcd4a171ae0cc52
SHA1 65214018ecee6d847c00ea6027c4052d209f0322
SHA256 54a3d8828992dd8e23ac51f660f32522f80f4489b173ff241668b736913d3180
SHA512 62b02afbbd0d4a7e712997749d44a2abcf195f4e34f7d4dae143214125f70c6d77207c6f112a07960185dfc464895399fb7ccc070524d807cfdc5a8f37906b76

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

MD5 bbd1bcf9c93d99eb2c0dde607e6d9bca
SHA1 efa956d6e7db6a4209ce22e6968a8cfa2f5df831
SHA256 812494bdd197b3291c0712d39821cc61630be861ce31ad3f6a0d2ac5408cfde5
SHA512 16b8910102929d918456a4481a86ac18037f03a974977934d409b3c5b8d0b9fc82bc0da6106e82774b7e522df15d3c49755eef42f2d866efe246398f59d84323

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll

MD5 a7881a0afdc32297a3e5dda3f7740a81
SHA1 7fb34510d0cdf3e1e4b9c6ac082928314094987f
SHA256 a9308d1daa967c2ca4b635e735f2d61d3c141afb22ac0740751aad8299758a81
SHA512 137085a4a387ce0adbed737c9cef4daa7db8868ec633c87ca3c05189d275a2d77db2cf1086d800b87c31f1a351803af4bdbc940c492c80fc6b9f5eef2b3413bf

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swresample-0.dll

MD5 77bceb240f65c91d26299a334a0cf8e1
SHA1 de9d588a25252d9660fe0247508eadfa6f8a7834
SHA256 d179c01c646d821cf745ae5e66ffc7ed394a61a595ecc2bccf27dc144ba91a2c
SHA512 b380b592c39fd22302fc4a36aa6f773a79253230f0dd73ad129500654dbdf24c5a0b0ae3b2a4ffd762da4f9705a0c8e48ad4372d85cdb6271c5d3f315c82a281

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avutil-52.dll

MD5 f832d24b70a2f4583c57a5fa9b6f0d68
SHA1 092ce5cb6bfe6eadde62c4cfb911eab2474196f8
SHA256 67a0f7d47ceff1407b9c4851032346a9b81a75fee6569274f15d092610f04cdc
SHA512 41048c023871b485718ae219f0d79bbe01a0704f8d2107d68ead2262e3f66737718afbb636b02109d1a2b427aab04dd394ef82d8014298fa3fdee0c61bfab185

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\postproc-52.dll

MD5 f75d1b175e1687ee0a9b9e4a7abd123b
SHA1 026f4db79aa8db651964acf17233302d1809de1e
SHA256 72180a408b13b7d98c0bc2395b886a5c3aa0b2dea39ef081e193f60ef373365f
SHA512 200aec20c95b1ec2e7d1bb33ed89d846a128847b82c9d09aa2788b258967e750718414f05bdec0cf2e4f9c7af697404e19caccac354a1a62db52e76c6a45886b

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll

MD5 2985c39796fb4a5f4357a1a7a134ad45
SHA1 305dc537a03e0137a529dc30bfd2fc6c185402a3
SHA256 4f17b1ceea162390f64f54a3d13de4bb9e553da1e51ae7061545b7843ddad9ca
SHA512 4764dbf01defe417d587adbee16901bf374e0548d4a00f4f977f058dbe00c54712fd25162e1bf1986b55521cc2f005e7ed8e78db15e6cabfddc6b6924ec423b8

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadVC2.dll

MD5 54aeddc619eed2faeee9533d58f778b9
SHA1 ca9d723b87e0c688450b34f2a606c957391fbbf4
SHA256 ee15e6e3f82c48461eb638c1ea11019ae9e3e303e067e879115c6272139026e7
SHA512 7cec39f32804109b3d502027d1ec42a594c1e4a2d93512195c60bd41aad7e32a8b0eb21a0ee859fecb403ee939eebc4608d9d27a4002b8c282de32f696136506

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll

MD5 3e837b82501aa2f90cc774890656d02b
SHA1 a62e967c006f6bf77fbe489b01ea30993e55fe5d
SHA256 c85ca44b1ff1ad0af0ca3daf5f2302498846f3fdc2f48c6c7262f08280c6f5fc
SHA512 a4a55fc0ef6ae87c5c73489993e2dc6e0e36f783de79dd7894966df3ebe13ae8341a5fe15dd0e26c72865b4a936247f34b08342769edd0a94ba2b90164b0d27d

memory/2720-140-0x0000000005EC0000-0x0000000005ED9000-memory.dmp

memory/2720-145-0x0000000005EF0000-0x0000000005F0A000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Player.dll

MD5 08c68e4121ceeac71745015bf17126cc
SHA1 103792ab800377092aabefbf4b94d0a882afdc3c
SHA256 e18254dd1e074eb57971d91ab62502611dee96aba1203f2b21810d8d0e761b3a
SHA512 d66c9db8a876260f4b86604dd71a52b72dd91d79b7d1da711c45577b0dddbda8e46802f6184c2cd63a202f58cdb04d51da865968b7b203b8c5c2a76a8cfb5bce

memory/2720-147-0x0000000073130000-0x0000000073FD8000-memory.dmp

memory/2720-153-0x00000000742B0000-0x000000007443E000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ImageZoom.dll

MD5 b01a100820095dc05fdaa0d1c3b5ca14
SHA1 70af3c7337248cd4dc8c65d5ba1d18d3fba926b0
SHA256 ee7205fa96539f9d9e62f5a403a06004c6c7235b7caee368dcb0db3a765c21ad
SHA512 883891959202294edceb3a6360f450182d59e097bb4b0f9fe18b5316c6591aee04d0cd5bf01c1b23d1727b59eeee7c148e56eea2a7436902170993318386933a

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll

MD5 f1e5a1b32f7df572c98effef4aad4f0b
SHA1 a91853c28345fc6be278323d778c26b069f785fb
SHA256 31a02f62727bd52d10cbdcb944efdb110e6b6442771e37a6f0935dcf3cad36ae
SHA512 17bfbf269d05a27b9baf9e8388ca4d579c68adea19859151192110445b69bc0ba2eac62d05e4f0648489127260cbc93def2d84adc04d6a3116b2c4473ae8dd49

memory/2720-148-0x0000000074A90000-0x0000000074D9E000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll

MD5 511e6705a69e977eaa2eaaf88ec708e4
SHA1 e33e678e27cc7fe58d14f5df92e74e24df5a927f
SHA256 562224031baaadcc6ecd552bbbc1b025247d34b118478b51f3750bb7c57ad1e7
SHA512 c1c60d28b326165d215d9baff18512e9081e07b523c512ebcb55cd963c42430ab198190d8c15566d230e74e87be1ba8d1d82bc15eb64da7aa5544e0f37a9247e

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SharpWnd.dll

MD5 a555f73041756d249093a1d6a6f28448
SHA1 bc75a0047342fb157047c19193c02a8149187656
SHA256 2ad9292c875cb8b71a437b0da803d07867d2ed8deae4568f2be1f623755d5b60
SHA512 cb2166fcf3a73e60fef9b90102f6aba3a913cc0e84ca0a5c4cd43c52d21ad1696040215b302d2a46d61599024679cb2477fdaffedcc88396ae9c7ff1c649c84d

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corez.dll

MD5 355f1b97cad97743a8e70dd2803e2f9d
SHA1 c7c12bc74483874cbdd39343d149509be355c2d9
SHA256 00d4986dfff92cfdd45576da9100d49f374a8dba1a476cfc8dc7cf50f5a6735f
SHA512 eb7f8d7b68ab01a95de5aad0023fc4c51c3828138610b488c92ca3ab5c320305f295467972b542c7fe436d08e21ba7926a997702e4383ce5f4cbc674f62479b7

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\awebform.resources.dll

MD5 0e77bfad6b92733c3296a04719375901
SHA1 982674869e2e76ee10937e946aad828ebea818ff
SHA256 87810c5d06310b6e61398314300646a0582fad7a99dba8368a06c886a59a38af
SHA512 391f6558d5b3241b1e1490763c80633b288e0b8a770815116530b352fb81ab7d18784d9103669c903e6b5b501cb8a062517dc599609bb269b86bf16cb8e8e7bf

memory/2720-160-0x00000000729A0000-0x0000000072B5E000-memory.dmp

memory/2720-161-0x00000000074E0000-0x0000000007639000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll

MD5 1c4379d0104843f1709e785657537a26
SHA1 656b26ec415dab00c39d9b83aa06cc75c22e8941
SHA256 2409ff01fc945ea56513dfc21ad299bd9688b660a059328d2dc7dae0f23cd28f
SHA512 528c62f61c25fb5c481c573450a58bb9cdd106b704776645a76eee5d5b9e8d4b8a1cd65ba19920d38c1fcb9b7975d0d5ffa5cf08e71e3938e2f552ac4ec4b23a

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll

MD5 afa8bcf04df7d8d0a657e5cedae188db
SHA1 367bc65de869368986fee7004efec2342b436d03
SHA256 c406691900e4ee726534dfe20b4cd2d38683f10c6bf464b146d6553411d0285d
SHA512 07e95915355f058de0d62e7ca3f1d04e419359a375fda0fb5dd17d150a16fdc0415d1db29d0d4d599a9fa74429a52ea5ece9799b301bbac9f7d7890a646f144f

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\templates\bank.wav

MD5 f19d1d83df0e4e5fca0afbb6a3ef73af
SHA1 6fd02bc6a9ca72295303b5361fb08b8f25d7934f
SHA256 c7c3af517e59e883f8fb3fc921c00f5a682860a3905331dc14db183a5d60e647
SHA512 e1de664fbeda95f9b69c6dc0d1fd7c167377ce2820777de14dfaa13b6ae475c375b6b9b2c5311a0136d3efed73519f1ac3131b92e977b03537794c9e1cc26cd5

memory/2720-137-0x0000000005EB0000-0x0000000005EC0000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corem.dll

MD5 71f601f8151e34ef31307ab4e46e902d
SHA1 1f3d312e2f4755b7f2decca1dedb91bc795288ea
SHA256 deac6221d0abe480012e836e5e9dd915828ae55401f0c46fb7ce8049c380c698
SHA512 377e6c9540616cad77cf151a31f6461338910d441a12b26175d8bcc2020eba83f621b0df1756123b58fb4358786fcb6a3e187af11123f100a91255218a616aa9

memory/2720-134-0x0000000005EA0000-0x0000000005EAB000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll

MD5 db139ba3660bb08ed6a485b47eb5ca59
SHA1 dc46fabb7ea3cca197cd8e42b640fc0ed2ceab25
SHA256 7fab224f47ec9069395dd62d401acbe138cd80a9cbbd0830ee0b909dddb7932e
SHA512 d4ccbf27461748801bffe3581adc8969b90cca0ddc36ccc21cd5a1005d0ec4b0980d10e7135473ca5a825dd1b9d9f6ca8a5796fe4fa6f4e367b235888d5910b6

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

MD5 3e35c4d41a7224e44218057f3f91243c
SHA1 932927c584271b7aea1cbb05d22ed5a1509420ee
SHA256 6a63a8b8f7e1bd8d3dfabb43e06c1ff970a7f57e59c6e886dcb57e68a9fd6acc
SHA512 b0020c8a85fc3b2839b759daac91b9842f64d215ed3366865f6dcd4f1f93b07fc9f18868302180e4baa1c43532ae815b80673eff0bf437fe2b78bdb470406479

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

MD5 6074595d4174e3241a223b7fdf61826f
SHA1 78d58c4ab8ab729706b06ed9258e978a3033764a
SHA256 ea5ec3d2132e80a2e8a9449bf7219bad43f26dddecb3e8a2001458827f56fd7f
SHA512 33df11572fd29199067a3f671a15db9a43591fd2f825396d0167f057cf9d58b756e3577efd3c31989ecdb56a73bfac8555454b0862bf371e8b6b32f26f84b81d

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Fitness.raw

MD5 9d75270acda1b926711e556321f575e3
SHA1 5b12e96cf09cb02e440a677b0820e7d423349b52
SHA256 29bd43908f4a26050dc1d8e27ffc36b5a8d90724cf0d9dc46408941f97645d7d
SHA512 361d28fcb7f7886f31b3471b9f3eae396ede1bbfe11190dfc78ca7bf054efc01f735ea9ad53bbbf6ce1438f496a04ab163aa3f555b6d2d8acabfe1eafb74de01

memory/2720-174-0x00000000074E0000-0x0000000007639000-memory.dmp

memory/2720-172-0x00000000074E0000-0x0000000007639000-memory.dmp

memory/2720-173-0x00000000074E0000-0x0000000007639000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\License.txt

MD5 cc5d000307075f7c16eb5cf2c8606c8d
SHA1 0169dbed302b8a3d142522e6bcb6040609d07232
SHA256 66014baaf612e3aa3084b0c9d7fd95041606f6157236ea10e80865e7cee4cab4
SHA512 d8cc2a3ae2bda1ad7d07f5ca4645c60d67bbb719ea8c42696e749604205b43fbb8630060924a486fee7f8f38984e53ab9c9016eabf8a548f9eec177d5d8b268e

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Readme.txt

MD5 969c656269ca1f8437d76200e7620bcd
SHA1 80c6b239567b19e358250c8cbda9f100e6b0c28a
SHA256 dad36f230fb9f65767b07006df1f73d04ad55863f17c1d0343771ce6c5e2ccfc
SHA512 030ba239643d0d2e68283ec428dbf916021b7e3939d2ad7df4ef7101cf581341e50b7900dd6aed32582df8c66539d0d5032106b9e41a95cf2886a25941f15941

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest

MD5 ce3ab3bd3ff80fce88dcb0ea3d48a0c9
SHA1 c6ba2c252c6d102911015d0211f6cab48095931c
SHA256 f7205c5c0a629d0cc60e30e288e339f08616be67b55757d4a403a2b54e23922b
SHA512 211e247ea82458fd68bcc91a6731e9e3630a9d5901f4be4af6099ad15a90caf2826e14846951fdd7d3b199994fd3ac97ca9e325cf0dfeb9474aea9b0d6339dd3

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest

MD5 6bb5d2aad0ae1b4a82e7ddf7cf58802a
SHA1 70f7482f5f5c89ce09e26d745c532a9415cd5313
SHA256 9e0220511d4ebdb014cc17ecb8319d57e3b0fea09681a80d8084aa8647196582
SHA512 3ea373dacfd3816405f6268ac05886a7dc8709752c6d955ef881b482176f0671bcdc900906fc1ebdc22e9d349f6d5a8423d19e9e7c0e6f9f16b334c68137df2b

memory/2720-177-0x0000000000400000-0x0000000001554000-memory.dmp

memory/2720-185-0x0000000074000000-0x000000007408B000-memory.dmp

memory/2720-184-0x0000000074270000-0x00000000742A7000-memory.dmp

memory/2720-182-0x0000000074440000-0x0000000074463000-memory.dmp

memory/2720-181-0x0000000074470000-0x00000000744DA000-memory.dmp

memory/2720-196-0x00000000074E0000-0x0000000007639000-memory.dmp

memory/2720-208-0x00000000074E0000-0x0000000007639000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

memory/2720-209-0x00000000074E0000-0x0000000007639000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\msvcr100.dll

MD5 ec54f862601c0dea19147bce824ef291
SHA1 e313241be2aa3c1967c6dd651d02a1670fa4b746
SHA256 d45ab7666da097dbcfae98f3c32aa14d464140a0b31ea5803f43ca6aa7a6064b
SHA512 b2d3b3e8fc6e07d0deed7824b0dc63ba74859975b581e0ecf4a13011f937c4f7d9be6a296af662b3ad5c565f283518f47d39246ddedbd52f1f597fd6720f957a

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\htctl32.dll

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

memory/2720-222-0x00000000068C0000-0x00000000068DB000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\nsm.lic

MD5 7067af414215ee4c50bfcd3ea43c84f0
SHA1 c331d410672477844a4ca87f43a14e643c863af9
SHA256 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12
SHA512 17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

memory/2720-211-0x00000000001C0000-0x00000000001C1000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicl32.dll

MD5 b3ba577902036fd56725620791bbb69a
SHA1 1299b8e7a2e0e2bf3e65f4fbf7f9a560eae59f0c
SHA256 979202bb80a7abd91dd99fe20fe9c9742b0d296e79d58296b129509710539a6f
SHA512 1b15c74c9d3337081d02cd0e8c6d0e24053d427515f9545be0018f103a397e46b7fe85877053f477f4f28c140416bf2a967eecc6d5540ba838bfefde6c80091c

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

MD5 c3f7f61aa17290b2970c27a5d25dfb7f
SHA1 dbf867a4ac9bc1d159c15373a1c04f56dc1132ed
SHA256 8155be5491d85354076e17891ad0c9b15f704896d2f711de6a8a631d835b37b1
SHA512 414378de8379bcedba6dbbed0f93ec7878389432fa515f3db5fa801c2047f2cc0766c866943d0b09b897dc9396a011d40767d641a68d0dbf6425ff27783986d3

memory/2720-237-0x00000000074E0000-0x0000000007639000-memory.dmp

memory/2720-239-0x00000000074E0000-0x0000000007639000-memory.dmp

memory/2720-244-0x00000000074E0000-0x0000000007639000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

MD5 21200862c6bc45d1b6487fb8d8d899e9
SHA1 8f3667c5491b9c615b4b257c2c08320c3053906c
SHA256 c929407e63868eeaf5ef7f6988459af0de385fcbf7d388de593f3e14d4053e10
SHA512 ab258fe0c76f79e254791992fee556a35ae8a9be4aa4ecb91d74b41b3f83344e8614b5d742d45b328a0d7b4b85ee15ad7a299706b2089fa8b921363ab0dd5092

memory/1676-264-0x0000000006120000-0x000000000612B000-memory.dmp

memory/1676-266-0x0000000006130000-0x0000000006140000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll

MD5 2e4cee5472a0d5a809bffb52f4e7fc67
SHA1 4d4bfdb33af59456d98eef3538b5f9372ac24232
SHA256 c9c8887821316a781a92f11ee49d92f08b296b178a8e6f67b768611f810398be
SHA512 39fe6cc1cbc234957f14d091c04a8f1d48463bdc8b9e92554e217666c707a1b0a7b06ce221601f4a363511089aec0f50be76e6747a3347c9d7fec87bcbca8667

memory/1676-268-0x0000000006140000-0x0000000006159000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\postproc-52.dll

MD5 129ccaec602d3502c310a9f839c3d6f5
SHA1 de1a51a6b2c6af0c23970e63d0cdc322b60b32cb
SHA256 b02df92df123d64a4ed28eb01aa5f716c7d2ae25b2731ef3dbe6eaea71d8fae3
SHA512 638f29def1bf356b598615100b7e5422f8d3164e695e56325107c975167ae372bb331e1ff7652d6bd68f89af71b500c95f2653d30d297952b8b24eb5f7f727d0

memory/1676-270-0x00000000063B0000-0x00000000063CA000-memory.dmp

memory/1676-273-0x0000000074A90000-0x0000000074D9E000-memory.dmp

memory/1676-272-0x0000000000400000-0x0000000001554000-memory.dmp

memory/1676-275-0x0000000073130000-0x0000000073FD8000-memory.dmp

memory/1676-280-0x0000000074000000-0x000000007408B000-memory.dmp

memory/1676-279-0x0000000074270000-0x00000000742A7000-memory.dmp

memory/1676-278-0x00000000742B0000-0x000000007443E000-memory.dmp

memory/1676-277-0x0000000074440000-0x0000000074463000-memory.dmp

memory/1676-276-0x0000000074470000-0x00000000744DA000-memory.dmp

memory/1676-290-0x00000000001C0000-0x00000000001C1000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll

MD5 6dba131006fa9fe0d23034dcdcf25242
SHA1 59cf30650fd5988cecdb0806d4b47f2cefe64380
SHA256 3c94e69a162563f8f9f760ce977707ff92e4c990cedf82959df5161f8f578198
SHA512 89721a320a746cf5d66eab6fcb915bbd7962ce0a9685d4b3adae4977d6917803f1ab760545598940040cb65c0bfe786fc3d4e83a0ecaab12585ba33ff8f556b0

memory/1676-291-0x00000000729A0000-0x0000000072B5E000-memory.dmp

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

MD5 0b724ae3e435463bb4d812bf464d4214
SHA1 476f941dfefe1c49ef1aa9cb702b0d2c6c2f92ef
SHA256 188dfa7e6e73cd97f9546538a6d76e7f089a6eb8ceb4cc7ce386fa13cdf284b1
SHA512 18a1b8e8c63245761da3b2077f521b65d84dc7d4afcc7a4d8f51bb2b998205de00113754ec762bb1adc26f17c16a6c4e9e4685e8b7f95b705ead6e7078e8a0ae

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

MD5 d1db179d63ea72694984b32ad8ba4d57
SHA1 2e533ef472b87bb2785da5ef8ee5def79f7d3d14
SHA256 8f3b1b04a0d980d4eac5bdd1cbab5e54a5ecf0c535b62a6f1796286155e9810c
SHA512 e63581df4809e9f60f93876773dd7215c5ea81d68067f15bd3718f41356db3032f9362aca0470baa20666fad07dd4e17b40f38af4005a33485c0f74775dfb798

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

MD5 d312d28d3796b277f88aa56aa6e066a7
SHA1 3292753f54b8f22a5a23366085aac2b37f584f02
SHA256 8ac9ba29d3381a11e61cbd4d2fe91f3d0924c672c95e0325363e09b72692f7bb
SHA512 ec7a3995f233b748945a2a3029906594d50057de0793ed21669f33a0324d335ec563d39857a10c7dabb04ef2dbd6dcf45e7adab17d88e5d6ac29806dffe76f7b

memory/1676-316-0x0000000008270000-0x00000000082FB000-memory.dmp

memory/1676-318-0x00000000067D0000-0x00000000067D1000-memory.dmp

memory/1676-327-0x00000000729A0000-0x0000000072B5E000-memory.dmp

memory/2064-367-0x0000000070A90000-0x000000007103B000-memory.dmp

memory/2064-369-0x0000000002FB0000-0x0000000002FF0000-memory.dmp

memory/2064-371-0x0000000002FB0000-0x0000000002FF0000-memory.dmp

memory/2064-370-0x0000000002FB0000-0x0000000002FF0000-memory.dmp

memory/2064-368-0x0000000070A90000-0x000000007103B000-memory.dmp

memory/2064-372-0x0000000070A90000-0x000000007103B000-memory.dmp

memory/2720-386-0x00000000729A0000-0x0000000072B5E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 16:13

Reported

2024-02-01 16:16

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

163s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e599745.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e599745.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{DCE33C24-54AC-4134-8C0C-AA3D26865F9C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9E59.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e599747.msi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted from report] C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f8 0x2c8

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 128.138.140.44:37 tcp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 44.140.138.128.in-addr.arpa udp

Files

C:\Config.Msi\e599746.rbs

MD5 09a4f87773874ee39d6bba5fd9fc5740
SHA1 ed9b5339faa78e3440acebeb232a6c0864c10a88
SHA256 04a63fc62029ad22e1fe267ae4cb4853b45608ec57152250e67abe327c4150ce
SHA512 0002c6d078f6570b6e9dcdf57b24f8fd8c13e69d3d48af4ebce898d023bb2be287a3024e4fd13050fbd2a048258988f6b2cfbcc878c6f992394feb1459ffd178

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

MD5 b39fb3cf854f8628c2f38298e0965687
SHA1 5931c9f88231e2cbb86010224a4d8604809e7fc7
SHA256 fa203e315d9cf5190da708dea03ff34c1df172c992df671aa3db2f5513a70d76
SHA512 133c98145e4bc2012198593bfe23c0b3b965a69e3bec7eab4718832daf9013cbe96f040acd64ea0b1d46631ef96c1f779b7f0d5b1b5ca32c14b20c5b8995c2b2

C:\Windows\Installer\e599745.msi

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\postproc-52.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadGC2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corez.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corem.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swresample-0.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadVC2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avutil-52.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

\??\Volume{57af6234-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{af1c25b7-61ba-4f68-810c-87667473f5b7}_OnDiskSnapshotProp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Player.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SharpWnd.dll

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ImageZoom.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\templates\bank.wav

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\awebform.resources.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\License.txt

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Readme.txt

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Fitness.raw
