Malware Analysis Report

2024-10-23 16:16

Sample ID 240203-bdwhcsffeq
Target 1414b254f44bba8e17b01983dc22adde.bin
SHA256 e180a6af920dd1910d277e1d969d0d3367d221ee7dd84331b2f98b98be3b853b
Tags
netsupport evasion persistence rat
score
10/10


Analysis Overview

score
10/10

SHA256

e180a6af920dd1910d277e1d969d0d3367d221ee7dd84331b2f98b98be3b853b

Threat Level: Known bad

The file 1414b254f44bba8e17b01983dc22adde.bin was found to be: Known bad.

Malicious Activity Summary

netsupport evasion persistence rat

NetSupport

Maps connected drives based on registry

Modifies Windows Firewall

Enumerates connected drives

Blocklisted process makes network request

Adds Run key to start application

Executes dropped EXE

Drops file in Windows directory

Loads dropped DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-03 01:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 01:02

Reported

2024-02-03 01:05

Platform

win7-20231215-en

Max time kernel

137s

Max time network

154s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\474fbd180a26139e8013595adedc0ce2bb434677ae667093f86d4a59b11c7045.msi

Signatures

NetSupport

rat netsupport

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IObit Workshop Ultimate = "C:\\Users\\Admin\\AppData\\Local\\Programs\\WinIcon Maker Free\\CPPlayer.exe" C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA2C9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f769cfc.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f769cfb.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f769cfb.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f769cfc.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f769cfe.msi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 3016 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2752 wrote to memory of 3016 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2752 wrote to memory of 3016 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2752 wrote to memory of 3016 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 3016 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 3016 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 3016 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 3016 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 3016 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 3016 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 3016 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 3016 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 3016 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 3016 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 3016 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 3016 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 3016 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\474fbd180a26139e8013595adedc0ce2bb434677ae667093f86d4a59b11c7045.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C8" "00000000000003C4"

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="CPPlayer In Service" dir=in action=allow program="C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="CPPlayer Out Service" dir=out action=allow program="C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

Network

Country Destination Domain Proto
US 128.138.140.44:37 tcp
N/A 127.0.0.1:49364 tcp
MD 5.181.156.118:443 tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 172.67.68.212:80 geo.netsupportsoftware.com tcp
US 128.138.140.44:37 tcp
N/A 127.0.0.1:49480 tcp
MD 5.181.156.118:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab4AB8.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar4B86.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42cdddb939ecd4b92fe7c9c28cdda96c
SHA1 fd0ac6af4008a2fb4e52bded0022bce9fd2c5c05
SHA256 2216f73d73c7e412836c89cbe8a19d0564d571e6ca39dd532fab6dcb03163dab
SHA512 baf1f7d89524775dc9ff88c10c1bc6efb6474a63c5d4a3f5f67a03050fab257277db2a9a12360c592b207f58125523a8f1e3ae33c21715fc08c63f2d1e701d84

C:\Config.Msi\f769cfd.rbs

MD5 4479ba9a62af112db37c0eb20c40161f
SHA1 aa419cdbfc309c15ec603bc62dc28bc36ec8a9c0
SHA256 e820a8a39f65bcba1528fa5b3cffb69a624aa367b4d9791fd899c57469d96d38
SHA512 e68486f55ef3d4e6c84e39d6d064574c37b0146c388c2565b9cf9a5d25b29c2cb21c6ba14a1fc71f9f1dc408c0ef1ffa9772095ce6d08fb805c85f04d20b423e

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

MD5 bf4f582955a63e6f5bd77cf29be0f175
SHA1 6ad9ac5a6df06123cdd9069618b3018204d70d68
SHA256 9551fad7beaa93e763dcba13c15a754c505d1700654d39dcc8d0418f65ef6d23
SHA512 9b04a9c02b248b8e401fbac9df7ee5463768ce2491f863fac987358fa6bffc8519554f6ac08711fc4afc90461b4512030d037c1bb7d75eb6e817ad825ba776c4

C:\Windows\Installer\f769cfb.msi

MD5 b974b02a6874bf2fee34f15cd7b7253e
SHA1 7994892d3104d9645ae8119c3becad03d8a1e5a9
SHA256 374f9f28c448424774dd3b3d24c11fc437e372f45c48855c18f3a84f5f585dcb
SHA512 baa13d89c129ad87d4ebd5672763af206be61879126383508b65aaddc98c1a5506de8852a429e744362bc803126ce844300bd58b8f253681b32968662467b48d

memory/3016-111-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

MD5 a9c41f8d5882f9652cf6df7fe9faf4c3
SHA1 f8fa29fbc9aefe16c11c03811d17f32bbdd38f8e
SHA256 a447946b0d66d261834f864c93a6f716107c4542b9a1699547d6aa9ad8afd223
SHA512 00f966d9cac5b84bec52105455834ec94be3916c805ad1b8202599c4595d4551f67ff5c3d10d1523d7f30fa6b8d14a303a9ef5532b5e0fed7b25b476fae62e0e

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

MD5 e2193bba2b20854758ad129c97a37037
SHA1 ab6e5bf4dd6fe138d00e4168b2b3086cb27899cb
SHA256 b38c1d50f4560bf2748a15f20e21d04062fdae7c697326abe7a78d24a813cdbf
SHA512 3e387a39792ea9f896b6e60772352419ab92a084a5b57a67caf30aefa546854027967e6d53af50fa3e500a60ac117f7f81b030b3d639d3e7ae9ff2d49ac31f46

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

MD5 3dd935dee99f1c6e39b33cf5078cb0a6
SHA1 9a8bfe1a3d9fed51329fdd892839885294d2e926
SHA256 50359d692db0a3e7fbf37f112964e48d18997761ebaf3db355b00e5bb8257497
SHA512 51706ee2c78f6519debea13967200e300f473edd27772f1c4b1a57bfe4dc2b89ec30d43bba61094fc7fda99776b4aa306ab519e1f846c23e0ef7ea3c1295dd2d

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadGC2.dll

MD5 6f346d712c867cf942d6b599adb61081
SHA1 24d942dfc2d0c7256c50b80204bb30f0d98b887a
SHA256 72e6c8dd77fa7e10a7b05ef6c3e21d3f7e4147301b0bf6e416b2d33d4e19a9c3
SHA512 1f95a211d5dd3e58d4e2682f6bf2c5380b230e9907e2882097b77b99520cd2c788f43ad2abcce617dd8ded0043e4ef1c8b6e083c44688b23109868e6cdd2364c

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

MD5 7cc1bb46f4150478eb2c204f9a4ee21b
SHA1 ab5f46761c911870e32431de92d0071f06b92ab0
SHA256 14fd3db89c06363e8aae25b2ab304cf93b13938f857c9ab5c2754e4be0a4cdf0
SHA512 16c68509d6f89ba48b08fe208625c32be013c51e1b87355120e29d78cbeb58cba94f1dc5987b87942c19e5b3e116d06485bb215129fd6ec6970f9cf144558a55

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

MD5 c8a868ef16c4b8af1f11d2ece91a933a
SHA1 cbf5ad08482c51dcfa249e110e3de8459d274e92
SHA256 f6a94ae34f369b9dda2cfaa469d34f418c6aa22ef14b163892240c2755716ec9
SHA512 4368fcc16fba9c80f67ba5b3ad32f772dfdd2fb4aebe1007bbe86ff7f216e4476c8f2ca831f4efe970d4d51e6f669bf1a54f8cc9830f2daab138b6a37fd0b759

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

MD5 fcb2fdfac9c0371f27914af2e8bf7db5
SHA1 06f405668a7f08c81df660c2a61cdd4d2e492798
SHA256 d6ad6a32bcec409d56e4391ac27d5a1c70c083e319824b95cdd48454cf286238
SHA512 666728a0e4cf8430df347918606467d41b7ca360e73b96dcbdbf7675d26d66779928d5d02506213a33036fa3ed967e4a56874a26b4693f5a914c7c368814fa34

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

MD5 63c4a9ec3ea194bddeff7e3c49745d33
SHA1 25b3fd09a969a90f0b7fa5bd2cf011ffbe26d3f0
SHA256 8c2aac49c0c789f3fe97e4123651b2aff27973529367bbcd9d1a41db052342f5
SHA512 f813799752052d527d9114118f7cda9b90e076a901288d5b8f285e1c30edc2f5c8b5a103347629a0e034841101be316b24be9b2584a47535eb387fe1c11f67fb

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avutil-52.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corem.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corez.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corem.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ImageZoom.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ImageZoom.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SharpWnd.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SharpWnd.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Player.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\postproc-52.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swresample-0.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadVC2.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avutil-52.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\awebform.resources.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\templates\bank.wav

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\License.txt

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Fitness.raw

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Readme.txt

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicl32.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcichek.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\msvcr100.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicapi.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\nsm.lic

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\htctl32.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 01:02

Reported

2024-02-03 01:05

Platform

win10v2004-20231215-en

Max time kernel

155s

Max time network

164s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\474fbd180a26139e8013595adedc0ce2bb434677ae667093f86d4a59b11c7045.msi

Signatures

NetSupport

rat netsupport

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{DCE33C24-54AC-4134-8C0C-AA3D26865F9C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1F7A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e581be2.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e581be0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e581be0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006c2b12180e4adb550000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006c2b12180000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809006c2b1218000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d6c2b1218000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006c2b121800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2156 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2648 wrote to memory of 2156 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2648 wrote to memory of 4872 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2648 wrote to memory of 4872 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 2648 wrote to memory of 4872 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 4872 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 4872 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 4872 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 4872 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Caveat: in this run the VSS activity is accounted for by Windows Installer creating a system restore point (srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 and vssvc.exe in the process list, plus the writes under System Volume Information\SPP in the Files section); no shadow-copy deletion is recorded. The ransomware tag is a heuristic match on the COM API alone and should be weighed against the NetSupport RAT verdict rather than read as a second payload.

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\474fbd180a26139e8013595adedc0ce2bb434677ae667093f86d4a59b11c7045.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2c8 0x4c8

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"
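
The WriteProcessMemory table and the Processes list above together give the process lineage and the command lines of this run. The Python below is added here as an editor's example and is not part of the sandbox's output or its signature logic: it parses those rows exactly as printed (sample rows copied from the tables above), rebuilds the process tree, and raises the three findings a responder would act on: the installer (msiexec.exe) starting an executable from a user-writable directory, a user-profile binary spawning a command interpreter, and any Add-MpPreference -Exclusion* call (the Windows Defender cmdlet seen in the cmd.exe and powershell.exe command lines) whose target is itself user-writable. The user-writable roots and the interpreter list are assumptions of the example, not definitions from the report.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above
# (the sandbox prints one row per write, so repeated rows are expected).
WPM_ROWS = r"""
PID 2648 wrote to memory of 2156 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2648 wrote to memory of 2156 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2648 wrote to memory of 4872 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 4872 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 4872 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"""

# Command lines copied from the Processes section, keyed by image path.
CMDLINES = {
    r"C:\Windows\system32\msiexec.exe":
        r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\474fbd180a26139e8013595adedc0ce2bb434677ae667093f86d4a59b11c7045.msi",
    r"C:\Windows\system32\srtasks.exe":
        r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2",
    r"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe":
        r'"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"',
    r"C:\Windows\SysWOW64\cmd.exe":
        r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"',
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe":
        r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"',
}

# Parent path is non-greedy; the child path starts at the next " X:\".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.*)$")
# Defender exclusion cmdlet; the value may be quoted (paths with spaces) or bare.
EXCL_RE = re.compile(r'Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
# Assumptions of this example: roots a standard user can write to, and the
# interpreters whose spawn from such a root is worth a finding.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def defender_exclusion(cmdline):
    # Return (kind, value) when the command line adds a Defender exclusion.
    m = EXCL_RE.search(cmdline)
    return (m[1].lower(), m[2] or m[3]) if m else None


def parse_wpm_rows(text):
    # Return {child_pid: parent_pid} and {pid: image path}, duplicates collapsed.
    parent_of, image = {}, {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ppid, cpid = int(m[1]), int(m[2])
        parent_of[cpid] = ppid
        image[ppid], image[cpid] = m[3], m[4]
    return parent_of, image


def triage(parent_of, image, cmdlines):
    findings = []
    for cpid, ppid in sorted(parent_of.items()):
        parent, child = image[ppid], image[cpid]
        if basename(parent).lower() == "msiexec.exe" and is_user_writable(child):
            findings.append(f"msiexec.exe (pid {ppid}) launched {child} (pid {cpid}) from a user-writable path")
        if is_user_writable(parent) and basename(child).lower() in LOLBINS:
            findings.append(f"{basename(parent)} (pid {ppid}) spawned {basename(child).lower()} (pid {cpid})")
    for pid, path in sorted(image.items()):
        excl = defender_exclusion(cmdlines.get(path, ""))
        if excl:
            kind, value = excl
            flag = " [user-writable]" if kind == "path" and is_user_writable(value) else ""
            findings.append(f"{basename(path)} (pid {pid}) adds Defender Exclusion{kind.capitalize()} {value}{flag}")
    return findings


def render_tree(parent_of, image):
    children = defaultdict(list)
    for cpid, ppid in parent_of.items():
        children[ppid].append(cpid)
    roots = [p for p in set(parent_of.values()) if p not in parent_of]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(image[pid])}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for r in sorted(roots):
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    parent_of, image = parse_wpm_rows(WPM_ROWS)
    print(render_tree(parent_of, image))
    for finding in triage(parent_of, image, CMDLINES):
        print("FINDING:", finding)
```

The same row format is what the sandbox prints for every WriteProcessMemory signature, so the parser carries over to other reports unchanged; only the CMDLINES map has to be filled from each report's Processes section.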

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 128.138.140.44:37 N/A tcp
US 8.8.8.8:53 44.140.138.128.in-addr.arpa udp
MD 5.181.156.118:443 N/A tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 172.67.68.212:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 212.68.67.172.in-addr.arpa udp
US 128.138.140.44:37 N/A tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 telldruggcommitetter.shop udp
US 104.21.5.9:443 telldruggcommitetter.shop tcp
US 8.8.8.8:53 gemcreedarticulateod.shop udp
US 104.21.80.171:443 gemcreedarticulateod.shop tcp
US 8.8.8.8:53 secretionsuitcasenioise.shop udp
US 104.21.16.152:443 secretionsuitcasenioise.shop tcp
US 8.8.8.8:53 9.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 171.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 claimconcessionrebe.shop udp
US 104.21.58.31:443 claimconcessionrebe.shop tcp
US 8.8.8.8:53 liabilityarrangemenyit.shop udp
US 104.21.83.220:443 liabilityarrangemenyit.shop tcp
US 8.8.8.8:53 152.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 31.58.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp
MD 5.181.156.118:443 N/A tcp
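
Most rows in the Network table are reverse (in-addr.arpa) lookups that only echo addresses already contacted, and the rows that matter for blocking are the forward-resolved names and the connections made to bare addresses. The Python below is an added editor's example, not sandbox code: it parses rows copied from the table (a constructed subset), decodes the PTR names back to addresses so they are not mistaken for indicators, maps each contacted name to the address it resolved to, and flags every flow for which no name was observed at all, with the port annotated (port 37 is the legacy TIME protocol, RFC 868). Accepting both an empty and an "N/A" Domain column is an assumption of the example.

```python
import re
from collections import defaultdict

# Rows copied from the Network table above (constructed subset). The Domain
# column reads "N/A", or is simply absent, when the sandbox saw no name for
# the flow; both forms are accepted below.
NET_ROWS = """\
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 128.138.140.44:37 N/A tcp
US 8.8.8.8:53 44.140.138.128.in-addr.arpa udp
MD 5.181.156.118:443 tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 172.67.68.212:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 212.68.67.172.in-addr.arpa udp
US 128.138.140.44:37 N/A tcp
US 8.8.8.8:53 telldruggcommitetter.shop udp
US 104.21.5.9:443 telldruggcommitetter.shop tcp
US 8.8.8.8:53 gemcreedarticulateod.shop udp
US 104.21.80.171:443 gemcreedarticulateod.shop tcp
US 8.8.8.8:53 9.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 claimconcessionrebe.shop udp
US 104.21.58.31:443 claimconcessionrebe.shop tcp
MD 5.181.156.118:443 N/A tcp
"""

PORT_NOTES = {37: "TIME (RFC 868)", 53: "DNS", 80: "HTTP", 443: "HTTPS"}
PTR_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa")


def ptr_to_ip(name):
    # Decode a reverse-lookup name: 178.223.142.52.in-addr.arpa -> 52.142.223.178
    m = PTR_RE.fullmatch(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_net_rows(text):
    # Yield (country, ip, port, domain or None, proto) for each row.
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = "N/A"
        else:
            raise ValueError(f"unparsed row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), (None if domain == "N/A" else domain), proto


def triage_network(text):
    # Separate DNS noise from the endpoints actually contacted.
    queried, ptr_targets = set(), set()
    resolved = defaultdict(set)   # domain -> IPs connected to under that name
    direct = set()                # (ip, port, country) contacted with no name seen
    for country, ip, port, domain, proto in parse_net_rows(text):
        if port == 53 and proto == "udp":
            ptr = ptr_to_ip(domain or "")
            if ptr:
                ptr_targets.add(ptr)      # reverse lookup: decode, do not treat as IOC
            elif domain:
                queried.add(domain)       # forward lookup of a real name
            continue
        if domain:
            resolved[domain].add(ip)
        else:
            direct.add((ip, port, country))
    return {"queried": queried, "ptr_targets": ptr_targets,
            "resolved": dict(resolved), "direct": direct}


def format_report(summary):
    lines = []
    for domain, ips in sorted(summary["resolved"].items()):
        lines.append(f"resolved+contacted  {domain} -> {', '.join(sorted(ips))}")
    for domain in sorted(summary["queried"] - set(summary["resolved"])):
        lines.append(f"queried only        {domain}")
    for ip, port, cc in sorted(summary["direct"]):
        note = PORT_NOTES.get(port, f"port {port}")
        lines.append(f"no name observed    {ip}:{port} ({cc}, {note})")
    lines.append(f"reverse lookups     {len(summary['ptr_targets'])} addresses decoded from in-addr.arpa")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage_network(NET_ROWS)))
```

The "no name observed" lines are the ones to take to the firewall first: the 443/tcp connection to 5.181.156.118 (MD) is reached twice without any DNS resolution in the capture, whereas every .shop name resolves to a Cloudflare-fronted address and must be blocked by name rather than by IP.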

Files

C:\Config.Msi\e581be1.rbs

MD5 3759dcf9ef56e35ffcbef6fa89b34f2e
SHA1 c353ac3a969d1a27e20b0d5ba948e6c35d8e8d65
SHA256 a4239c62d3027abf60cf4db181b617d71ce69769680aec3fbc1d9c2136919703
SHA512 3cdc83d33ecbf4c14dda121d1c5c22369d464c494bd5ab4b163f90a0149db3e0d3ec93ef675fbcaac0b23df7ef67a1d1e9d4d39f095bca43d66e283bdd07d3c4

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

MD5 cbcd3c3dc29a8e47388aa17dd1281258
SHA1 4581c75abb73a76fb8c65346a6f0f651ad672df8
SHA256 2243647e813bcf3de1277e5b3c6a20c47106d252a3214bb57279cd9d81c30a96
SHA512 d3590d76d6868390363d758c9a5b612e8c1753e1219dc8783a58914124c7dc8f82e84699ddc0a73d8b4fc8b16ab87c571f47cc83f8a1fbabfaf6f7ca59c8932e

C:\Windows\Installer\e581be0.msi

MD5 d6f2e938a0685fb5f149031dc39ab725
SHA1 5c6a895a1b70e9a94f82f59231e0379c983fed19
SHA256 e0241eb5e24ece8398939d05a2b0ed8dc0118f67c55f2f4e65aa2b06c0c2c8d5
SHA512 182f01e719fd41fc807c06fbac827d3450c7e2f5864e09400084248a6d7cd3bd958f1b4571c23307ea081278a656aa5dd04ab9a7b3bba1309c613d7dd5aecc72

memory/4872-62-0x00000000016A0000-0x00000000016A1000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

MD5 7c8e9f0afd0f3ce1d6ed59a9c3cde901
SHA1 68315edec882d05de09f1e1942d4ca84a497dcba
SHA256 6a2b43665d879eec9b20781fec9d7775e9d92aa151de0b4c2f83f01f7ed7ef2f
SHA512 d24c5c0c5b1d187668e4e425f08948a75059f1deb115a225d5a1eef18847724d82db9000239b5c187edcf19c1f4a34872ace2d1e23fea0b9e1f8759d1b703d23

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

MD5 dbdb5903c27f3bca64720171078b7429
SHA1 c9232c75af45d6dbf04d7b58969d7c2a4cdd9398
SHA256 49617860f595f7d29716a4957f21a4c780d75b9429caca8c7aca697c98aa4232
SHA512 3915608722c9222b2f93069a8f07d9d31d1884e6eabfafd8aa0cc298df03d0a011bf03556127df38aef4965721ae3e644bba1e05725dac98fcf97cff626e9924

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

MD5 5e44863c4103e1d7c29a9043c208d78c
SHA1 df664bc5d56c11fe27a04addd1630352080b0b09
SHA256 74d0c361d7375d1773afc4a909092a30a3f58cb207f1e5b991cad2c059937b69
SHA512 8877941a83e78d86c250a3d343b91eb188e35c65d8fba1c5d0dadadd6b0bd181182c5908bce1645dd7a9c90a5e37c38a8ea00fcc0d540cae5ac3665e49926a8c

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

MD5 3a44ff16930e21d0c0ee90f7d7b08dd3
SHA1 aba1324eb8b42ec4860cce0f907540e790afe9bf
SHA256 4057b1ab2fff01852b2c829720929e9194ff59602f95da0c4173483edea86361
SHA512 96ddbb5687f328d6c8191b9d07a393306e0eb9ae04ba94a73f77fac75f7dde44343b6d792228d9eb871be7c11d17da58cf770521b79b58ded2d64420df3463e4

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadGC2.dll

MD5 6f346d712c867cf942d6b599adb61081
SHA1 24d942dfc2d0c7256c50b80204bb30f0d98b887a
SHA256 72e6c8dd77fa7e10a7b05ef6c3e21d3f7e4147301b0bf6e416b2d33d4e19a9c3
SHA512 1f95a211d5dd3e58d4e2682f6bf2c5380b230e9907e2882097b77b99520cd2c788f43ad2abcce617dd8ded0043e4ef1c8b6e083c44688b23109868e6cdd2364c

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll

MD5 3e837b82501aa2f90cc774890656d02b
SHA1 a62e967c006f6bf77fbe489b01ea30993e55fe5d
SHA256 c85ca44b1ff1ad0af0ca3daf5f2302498846f3fdc2f48c6c7262f08280c6f5fc
SHA512 a4a55fc0ef6ae87c5c73489993e2dc6e0e36f783de79dd7894966df3ebe13ae8341a5fe15dd0e26c72865b4a936247f34b08342769edd0a94ba2b90164b0d27d

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corez.dll

MD5 355f1b97cad97743a8e70dd2803e2f9d
SHA1 c7c12bc74483874cbdd39343d149509be355c2d9
SHA256 00d4986dfff92cfdd45576da9100d49f374a8dba1a476cfc8dc7cf50f5a6735f
SHA512 eb7f8d7b68ab01a95de5aad0023fc4c51c3828138610b488c92ca3ab5c320305f295467972b542c7fe436d08e21ba7926a997702e4383ce5f4cbc674f62479b7

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\postproc-52.dll

MD5 f75d1b175e1687ee0a9b9e4a7abd123b
SHA1 026f4db79aa8db651964acf17233302d1809de1e
SHA256 72180a408b13b7d98c0bc2395b886a5c3aa0b2dea39ef081e193f60ef373365f
SHA512 200aec20c95b1ec2e7d1bb33ed89d846a128847b82c9d09aa2788b258967e750718414f05bdec0cf2e4f9c7af697404e19caccac354a1a62db52e76c6a45886b

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corem.dll

MD5 71f601f8151e34ef31307ab4e46e902d
SHA1 1f3d312e2f4755b7f2decca1dedb91bc795288ea
SHA256 deac6221d0abe480012e836e5e9dd915828ae55401f0c46fb7ce8049c380c698
SHA512 377e6c9540616cad77cf151a31f6461338910d441a12b26175d8bcc2020eba83f621b0df1756123b58fb4358786fcb6a3e187af11123f100a91255218a616aa9

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadVC2.dll

MD5 54aeddc619eed2faeee9533d58f778b9
SHA1 ca9d723b87e0c688450b34f2a606c957391fbbf4
SHA256 ee15e6e3f82c48461eb638c1ea11019ae9e3e303e067e879115c6272139026e7
SHA512 7cec39f32804109b3d502027d1ec42a594c1e4a2d93512195c60bd41aad7e32a8b0eb21a0ee859fecb403ee939eebc4608d9d27a4002b8c282de32f696136506

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll

MD5 4c846a970700b8b6bb6ede515bc379a9
SHA1 3c30739f46094b34357ac27411e2cc1d14e2c26e
SHA256 33b5b93206d36105c84e30fb080d643cbfcdd4b2a084952578a21c1afb514929
SHA512 7a4d0d492be56007dda825f80b8a7083e76eb2c3d64885f57a227cdd347f7835fa885ca5d21ff032becd3585eaaca5f06675cf52ad236d997734ae4ed4be5c52

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swresample-0.dll

MD5 77bceb240f65c91d26299a334a0cf8e1
SHA1 de9d588a25252d9660fe0247508eadfa6f8a7834
SHA256 d179c01c646d821cf745ae5e66ffc7ed394a61a595ecc2bccf27dc144ba91a2c
SHA512 b380b592c39fd22302fc4a36aa6f773a79253230f0dd73ad129500654dbdf24c5a0b0ae3b2a4ffd762da4f9705a0c8e48ad4372d85cdb6271c5d3f315c82a281

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll

MD5 2985c39796fb4a5f4357a1a7a134ad45
SHA1 305dc537a03e0137a529dc30bfd2fc6c185402a3
SHA256 4f17b1ceea162390f64f54a3d13de4bb9e553da1e51ae7061545b7843ddad9ca
SHA512 4764dbf01defe417d587adbee16901bf374e0548d4a00f4f977f058dbe00c54712fd25162e1bf1986b55521cc2f005e7ed8e78db15e6cabfddc6b6924ec423b8

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll

MD5 b5a893d0d363e013dbf144b56042d6d4
SHA1 b1b837518f73668fcb0375bbf25f80e7accd2a50
SHA256 d85b26096b79557d975de3b463088d289a5f0aa5564c5d4416727bc119c93d97
SHA512 fc6473da03ea415615be8ac9cb3914719c376d04b8e326c4ee86c52eca1b1f7d12e2f5f13022a356859672423289519cf7338ac14635cbe6d690b5793a366581

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avutil-52.dll

MD5 f832d24b70a2f4583c57a5fa9b6f0d68
SHA1 092ce5cb6bfe6eadde62c4cfb911eab2474196f8
SHA256 67a0f7d47ceff1407b9c4851032346a9b81a75fee6569274f15d092610f04cdc
SHA512 41048c023871b485718ae219f0d79bbe01a0704f8d2107d68ead2262e3f66737718afbb636b02109d1a2b427aab04dd394ef82d8014298fa3fdee0c61bfab185

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

MD5 1cc51620d532c15b3a4ba84a113328bf
SHA1 0d1a22b301ad9cb18a82fc1046a64d98c64304ec
SHA256 f15bf963da43dc20265bd43a694e1eced126c92df39dbbe396ed7b96f27e0eb5
SHA512 8e162573386551fff33f2a13e9d6ebdc50a17feaab38ee3ae3f8cc74f2142b216492a5f9e5e3124eb4f1cc4889a56394d8e3d1ffcc0997d8055e35545e07f3cb

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

MD5 446a4ed2307c91075817d21d48de5841
SHA1 dc923247fad4b4ca397277247256f3ac2df142b1
SHA256 a850be808a098be21f139585e0809a03f96a13431c9501bf004cadb1d0336af4
SHA512 3c333c247184c9b07c1981bbb78937b5c5efe6ba825b7c8040277814da948fa1cbd28de6df05af9191346bcc680846dcf29f6a9541ad6f3863b7236c0e11adf5

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

MD5 96a14349ab803fa52c4a0517340634cf
SHA1 75fa2782aa24fee96658dce259923d440834f24f
SHA256 3e9112234b1f990cb16c4229d08b9ef2f04cc00511d0bc8e31a413e357dfed0f
SHA512 1310b54078f5d7d6c4628fa3ed54caabde7408142fab3c312f4168a86b0111ef7a4f4c73e52f8f5ce3fc0771daa8b722a978a21e1b969fbf1e8bad6b0aa83988

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

MD5 c52a212ef61694015bc08d54bc9f7097
SHA1 9e3da2dce930fea5076663ba11a4ece0322381fa
SHA256 b040ba055b899b6d7fa8faf4bcb0333023558fd8fc4d79fcee2a6c2340b07578
SHA512 8bca48addb9e20f96793679fc53bcded3c285924d85789d2f67016903b20ec0a2bd07f4ba40d7df7674717a4fa7c54af92a7f7b20dca4bce275cd18ef696988f

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

MD5 1a0071702d427a9b124696aa0873c4c1
SHA1 3132517036ce36dc3bbdd51121d0ee24973ba928
SHA256 cb70db06942f250f56f42918021740efa91e43b3eda500eda3a8051fde66d6a1
SHA512 282521701da0735413302ff2f8b4a7dc1767a3425e33a512fa58cffd9cc4afea4ccb0cd856f474ed6d41f7726c522e109774f5dc1d38741a552757d3234a53e9

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

MD5 002b6bb0bb83fe702f99deb0daa6420d
SHA1 6ac0c913f9961b27444d574147cd64a760f21f55
SHA256 f0cdfa81f41cbb5dc619299ad7548f567ffb35c73586c12208c88e39b7036928
SHA512 f04af10f45715fca2bae099c238ddf7301adbf749fc41aef65879b5a85e5793fe1939123a5495bdd35eba81d747533ad81cc0418c5197c81ce2b14df6249bce1

memory/4872-94-0x0000000006DE0000-0x0000000006DEB000-memory.dmp

memory/4872-97-0x0000000006F70000-0x0000000006F89000-memory.dmp

memory/4872-98-0x0000000006F60000-0x0000000006F70000-memory.dmp

memory/4872-102-0x00000000071F0000-0x000000000720A000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll

MD5 90a9c2e3f316705e6fa783d9b83212a3
SHA1 93e379d410c6cc74b1ffdfa111459449106651c4
SHA256 c141d3f7c5aa1db290c824f32e1d552e3192b2b9970cbc98c40f4e9af97e6f35
SHA512 ac1ceef13bd78b6c93be426d5b35209d1a0289abaf3e30ce364fd47ea9f11f94e736302ded4a45d0f2102b7dbcca7949ded794788778a32d8f2932dba4117843

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SharpWnd.dll

MD5 a555f73041756d249093a1d6a6f28448
SHA1 bc75a0047342fb157047c19193c02a8149187656
SHA256 2ad9292c875cb8b71a437b0da803d07867d2ed8deae4568f2be1f623755d5b60
SHA512 cb2166fcf3a73e60fef9b90102f6aba3a913cc0e84ca0a5c4cd43c52d21ad1696040215b302d2a46d61599024679cb2477fdaffedcc88396ae9c7ff1c649c84d

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ImageZoom.dll

MD5 b01a100820095dc05fdaa0d1c3b5ca14
SHA1 70af3c7337248cd4dc8c65d5ba1d18d3fba926b0
SHA256 ee7205fa96539f9d9e62f5a403a06004c6c7235b7caee368dcb0db3a765c21ad
SHA512 883891959202294edceb3a6360f450182d59e097bb4b0f9fe18b5316c6591aee04d0cd5bf01c1b23d1727b59eeee7c148e56eea2a7436902170993318386933a

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll

MD5 8c7af48b328d48a3d77bdfb752d53f75
SHA1 e7b14bfa5043c90fcca9ddf13f045612c72edc38
SHA256 1530a033a8ff67f1a35570157ff54e75c844e05d9b2d0d13cb3f10d8cd214b45
SHA512 a48ba28419c2ee17e49dcb9837cd71a898b6e56634c19c6e133d46afdfde0f0618e406a03c47a696654b891af9efc802961b0e2624a1b41ebb198232f14ec655

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Player.dll

MD5 08c68e4121ceeac71745015bf17126cc
SHA1 103792ab800377092aabefbf4b94d0a882afdc3c
SHA256 e18254dd1e074eb57971d91ab62502611dee96aba1203f2b21810d8d0e761b3a
SHA512 d66c9db8a876260f4b86604dd71a52b72dd91d79b7d1da711c45577b0dddbda8e46802f6184c2cd63a202f58cdb04d51da865968b7b203b8c5c2a76a8cfb5bce

memory/4872-109-0x0000000073950000-0x00000000747F8000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\awebform.resources.dll

MD5 45cdf6f89a44a6657fa3f4bc8765c272
SHA1 4ea708ce5d5f849768b8c5495b0696c9e060425d
SHA256 63106c7e177d6a758772aa4086b1d172b8e030f390d5444377616246720c488e
SHA512 d542971b289169ed368fd2d69e64777b4876f178848343b2ca1a499b5c856bfbdd16c18c39b8f788f8b2ba6cc3f4855630ac450919c06b56e5a5c291779eacf5

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll

MD5 a08a7ab131b6a1175ce99729084200cd
SHA1 d9a496556c9454735598f518b82f224cbd4cd308
SHA256 61870f26cfe8bae984ea1b74bcd4ae76210eaf439f5b8d2932724f369a78f646
SHA512 b38e44a9658ad7a2532baccd11273144deffb505c160ed5d505aa12a57c443225c5551c5d937e9e67d8b8ddbc08cb5880c799f5441c46aa405ba8b95e5235c96

memory/4872-115-0x0000000074B90000-0x0000000074E9E000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll

MD5 eac7bf8fb5a54164e0c629acfdd3dcd4
SHA1 a258b0bea374c6c1e38777b27bf69d13e58609c2
SHA256 413bfdf7c856fdbde4a267047ef8fe88af73d1a3066bc5ce53a6e31240035ec6
SHA512 bdcedc54812aa93468eb40cffc2ff61dc6ec8c80729c424ab4b79b4bbdb74eb408bffea1f961ebb43573db561c689a415710a73488ca97d0e93af428c970148b

memory/4872-116-0x0000000074990000-0x0000000074B1E000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\templates\bank.wav

MD5 ec65ec9068a0d26945b00e23f25f620b
SHA1 2747d715e23ddb2bd028e18cddfa08245d016742
SHA256 c0feaa7f5f57669433b80d76ddb75eca1073f37d000505c3d9f54bab5a7b8020
SHA512 9ee6b13bdd5f9664d3c3b9fe129021a5936120364a4c5fcd80dcff6a6865cb44e128f3cd7c5e887c9cf795f347fa393246518e8f5057946f4bd598fcf063d8f5

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\awebform.resources.dll

MD5 7d024eaf9d9e7a38900f665aecc531b9
SHA1 fb0453e4b81d1e4b5d9bf5ab56dde12ddea43c00
SHA256 4cb55b45b6cc5beb7886aa828d1efffe1355d8081c31a20834caff9172ba280d
SHA512 f8fa47d9e304a10dcbbe22c034cdd91a3382a49f5f67396f79ff546f509f622fc276047b628930278fef8248d9938a96b114c731fe09076c7c933ed96faff308

memory/4872-117-0x0000000006820000-0x0000000006979000-memory.dmp

memory/4872-118-0x0000000072740000-0x00000000728FE000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\License.txt

MD5 cc5d000307075f7c16eb5cf2c8606c8d
SHA1 0169dbed302b8a3d142522e6bcb6040609d07232
SHA256 66014baaf612e3aa3084b0c9d7fd95041606f6157236ea10e80865e7cee4cab4
SHA512 d8cc2a3ae2bda1ad7d07f5ca4645c60d67bbb719ea8c42696e749604205b43fbb8630060924a486fee7f8f38984e53ab9c9016eabf8a548f9eec177d5d8b268e

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Readme.txt

MD5 969c656269ca1f8437d76200e7620bcd
SHA1 80c6b239567b19e358250c8cbda9f100e6b0c28a
SHA256 dad36f230fb9f65767b07006df1f73d04ad55863f17c1d0343771ce6c5e2ccfc
SHA512 030ba239643d0d2e68283ec428dbf916021b7e3939d2ad7df4ef7101cf581341e50b7900dd6aed32582df8c66539d0d5032106b9e41a95cf2886a25941f15941

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Fitness.raw

MD5 aba81aad8d97d6195b34c4469b884852
SHA1 39da62ceb8129b28bd737ed37a76ee4565920589
SHA256 b5b4b2227a381b5ad6bc8f71f050845259dc5cd4065da34273fc1978a6849db9
SHA512 029bb736106e25d073d71d806643056402b285474d866686e963ac8c91c5c0625dcdaa1d6ead3be99a3c9e55200ece446dd7e04e2d6f2b4a45fc18dda83973fe

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest

MD5 ce3ab3bd3ff80fce88dcb0ea3d48a0c9
SHA1 c6ba2c252c6d102911015d0211f6cab48095931c
SHA256 f7205c5c0a629d0cc60e30e288e339f08616be67b55757d4a403a2b54e23922b
SHA512 211e247ea82458fd68bcc91a6731e9e3630a9d5901f4be4af6099ad15a90caf2826e14846951fdd7d3b199994fd3ac97ca9e325cf0dfeb9474aea9b0d6339dd3

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest

MD5 6bb5d2aad0ae1b4a82e7ddf7cf58802a
SHA1 70f7482f5f5c89ce09e26d745c532a9415cd5313
SHA256 9e0220511d4ebdb014cc17ecb8319d57e3b0fea09681a80d8084aa8647196582
SHA512 3ea373dacfd3816405f6268ac05886a7dc8709752c6d955ef881b482176f0671bcdc900906fc1ebdc22e9d349f6d5a8423d19e9e7c0e6f9f16b334c68137df2b

memory/4872-129-0x0000000006820000-0x0000000006979000-memory.dmp

memory/4872-131-0x0000000006820000-0x0000000006979000-memory.dmp

memory/4872-130-0x0000000006820000-0x0000000006979000-memory.dmp

\??\Volume{18122b6c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f0ff6695-d9e1-4cfd-b5e1-2f793b9adcb0}_OnDiskSnapshotProp

MD5 8f0b0c09228270e5e8fe77bd69142a53
SHA1 3fbad79cef7d4c0ccabd42755f04bd8c51bdffdd
SHA256 a34ec109a5a2fc2ea12eb788512fb4dcf2c5975ef7b6939bb941ac4512de4dfa
SHA512 22036ad28728d14f1240052a425d08cbb37411558501d0c01e07de56cf1198acf7fbc9842475df1c2f1731075bdfe3df0d34df21162a72ddb70109faeb218823

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 b5a17aec450bd5f1933333edcf2e574c
SHA1 7c69d946283907b4afc84f017a88e555f555291c
SHA256 34f2d93e245fab5c764799d6faf1ba2fad61330decbe2374f7135bd4aa32f3f2
SHA512 cfc34c178158e91d56ea817d163061b80bfba1b67e0ef7d71f9af136dc174a196f406018195a32bca564ddc866f9c223e06c95d13a3cac85f712ba5f40dc6fdd

memory/4872-138-0x0000000074900000-0x000000007498B000-memory.dmp

memory/4872-142-0x0000000074800000-0x0000000074837000-memory.dmp

memory/4872-139-0x00000000748D0000-0x00000000748F3000-memory.dmp

memory/4872-137-0x0000000074B20000-0x0000000074B8A000-memory.dmp

memory/4872-135-0x0000000000400000-0x0000000001554000-memory.dmp

memory/4872-154-0x0000000006820000-0x0000000006979000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicl32.dll

MD5 8f8bf31cc21f2bea82af9ea0cb881c01
SHA1 5c6c431faa85c2742ff2efd306dc55b738392dfe
SHA256 86b915b86b076488404605da1e6bf43bc7b730e3000dfeca52ff1316de928ae9
SHA512 38e83963cea77aaa1e7fc2fc321e5ec487eca2de933076f3d540b8bd394b801dce63891b94e6c2fa0f3bbcfdef42d46341fdd9f5272466e6e3a50a490ed60d98

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\msvcr100.dll

MD5 f55986f4cd4c675d2bddc5e5c6e1d9d6
SHA1 ac2808d5f7f54b96ea9430213384d086bec92ada
SHA256 f6fd5a6f4944b6a49eccef6aac1738701fe70c7bdb66d2cc2a4b3f10fe2ccf49
SHA512 697995e42ea263041daa7c2c323c32739b1126713df9b8f4c77c055cef36cf51b4c0f55d7e5db9508b3b49430ade76039de18f90d49303a600fb03b67bf3f44d

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\msvcr100.dll

MD5 ec684c179ba89160c180cbbc795bedb6
SHA1 c52350e9807d5a2f0f32fd9ab9325897f07308c4
SHA256 799ce2beaf81cbaf677e5f9755162a5d30461dbacedc343255e2f8363b71e021
SHA512 9f19a1f9584105a6d2030ea4ec5499f3129024a98be4e2140c5d8308e1edb117d11a7f8d50e2ddafca269531c158998ae85b20f1d3c8d5063c474c647e9f64e4

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

memory/4872-167-0x0000000006820000-0x0000000006979000-memory.dmp

memory/4872-170-0x0000000007950000-0x000000000796B000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\nsm.lic

MD5 7067af414215ee4c50bfcd3ea43c84f0
SHA1 c331d410672477844a4ca87f43a14e643c863af9
SHA256 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12
SHA512 17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\htctl32.dll

MD5 bdae04bb43583744839d656fdb6b0c46
SHA1 d03188974b97a1c42f66d6d8601dc69fbf059fae
SHA256 cf196050f83a7af23e8f5da72ad10d9539936d6b5eb684c9cd8b93fbce68395e
SHA512 629b65147f39ae22ea286585bfa27939acd115c1b6d2e849f1e8ec5e04090725cb8f440fd804f4a00f0964e1a0de812dcc9d581d260d91da9bc395c4258883d4

memory/4872-194-0x00000000016A0000-0x00000000016A1000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

MD5 87486e2a69c91123a6aeec69b3481b90
SHA1 53982fc795c00a5bff19c6a223a3a8cf47831406
SHA256 c5f4b4cf3eab65416b9b56818db951d2957a34a0bb5882e83ac94d8d3e40995c
SHA512 866553350d5abf58f06123bc3ff3347769b7a683a405bb64a04aa9cc5d8e395fd51b65a78efb08fb263f67226a028159e4e972c0f89c463652aee4f5ca041284

memory/4872-200-0x0000000006820000-0x0000000006979000-memory.dmp

memory/4872-197-0x0000000006820000-0x0000000006979000-memory.dmp

memory/4872-203-0x0000000006820000-0x0000000006979000-memory.dmp

memory/4872-204-0x0000000006820000-0x0000000006979000-memory.dmp

memory/4872-209-0x0000000006820000-0x0000000006979000-memory.dmp

memory/3332-225-0x0000000006F80000-0x0000000006F99000-memory.dmp

memory/3332-224-0x0000000006C70000-0x0000000006C80000-memory.dmp

memory/3332-223-0x0000000006E70000-0x0000000006E7B000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

MD5 ca2d01c0367373f63419e752bc35b160
SHA1 af788baed58d45716d2aadc6007e276bf41e4208
SHA256 19ff14ef2e7d59722556b4dc483d1fb386340678234acb78178d2c33e5ef4bcf
SHA512 96f05fff8c1e88a30127a7b67a20c1eb1d6e1d651de46b685dcf5e85a61cd9dc927358164c63002c6af1348494102f27d2d828f014beb8fc2c0f5b7153ee8130

memory/3332-227-0x0000000007200000-0x000000000721A000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

MD5 0c6e5ca2f36b29406f68e19634fc66df
SHA1 cbfdb21b25516c3a708352bab4ebe2bb9ebc5c14
SHA256 ca3caf771b85e4283f85afa3efc047d5e88b68bdd624051073b3359e3554c327
SHA512 6489d05d3df967c539b228617da696fdddd92f6b89367d91e24ec4e31eefdc8351fcf4cc59608d770d4c4f3aae23b0909276872cdbe30b0b9155cacdb54d69c3

memory/3332-226-0x0000000000400000-0x0000000001554000-memory.dmp

memory/3332-228-0x0000000074B90000-0x0000000074E9E000-memory.dmp

memory/3332-229-0x0000000073950000-0x00000000747F8000-memory.dmp

memory/3332-230-0x0000000074B20000-0x0000000074B8A000-memory.dmp

memory/3332-231-0x0000000074990000-0x0000000074B1E000-memory.dmp

memory/3332-232-0x0000000074900000-0x000000007498B000-memory.dmp

memory/3332-233-0x00000000748D0000-0x00000000748F3000-memory.dmp

memory/3332-235-0x0000000074800000-0x0000000074837000-memory.dmp

memory/4016-297-0x0000000003200000-0x0000000003236000-memory.dmp

memory/4016-303-0x0000000005A70000-0x0000000006098000-memory.dmp

memory/4016-308-0x0000000005730000-0x0000000005752000-memory.dmp

memory/4016-311-0x0000000006140000-0x00000000061A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ubox20ac.ed0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4016-318-0x00000000061B0000-0x0000000006216000-memory.dmp

memory/4016-326-0x0000000006320000-0x0000000006674000-memory.dmp

memory/3332-337-0x0000000001810000-0x0000000001811000-memory.dmp

memory/4016-338-0x0000000006800000-0x000000000681E000-memory.dmp

memory/4016-339-0x0000000006840000-0x000000000688C000-memory.dmp

memory/4016-340-0x0000000070D20000-0x00000000714D0000-memory.dmp

memory/4016-341-0x0000000005430000-0x0000000005440000-memory.dmp

memory/3332-342-0x0000000009250000-0x00000000092DB000-memory.dmp

memory/3332-343-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

memory/4016-344-0x0000000005430000-0x0000000005440000-memory.dmp

memory/3332-345-0x0000000072740000-0x00000000728FE000-memory.dmp

memory/3332-360-0x0000000009250000-0x00000000092DB000-memory.dmp

memory/4016-368-0x0000000005430000-0x0000000005440000-memory.dmp

memory/4016-370-0x000000007F5B0000-0x000000007F5C0000-memory.dmp

memory/4016-371-0x000000006D500000-0x000000006D54C000-memory.dmp

memory/4016-369-0x00000000079D0000-0x0000000007A02000-memory.dmp

memory/4016-381-0x0000000006DB0000-0x0000000006DCE000-memory.dmp

memory/4016-382-0x0000000007AA0000-0x0000000007B43000-memory.dmp

memory/4016-383-0x00000000081D0000-0x000000000884A000-memory.dmp

memory/4016-384-0x0000000007A50000-0x0000000007A6A000-memory.dmp

memory/4016-385-0x0000000007B90000-0x0000000007B9A000-memory.dmp

memory/4016-386-0x0000000007D80000-0x0000000007E16000-memory.dmp

memory/4016-387-0x0000000007D10000-0x0000000007D21000-memory.dmp

memory/4016-388-0x0000000007D40000-0x0000000007D4E000-memory.dmp

memory/4016-389-0x0000000007D50000-0x0000000007D64000-memory.dmp

memory/4016-390-0x0000000007E40000-0x0000000007E5A000-memory.dmp

memory/4016-391-0x0000000007E30000-0x0000000007E38000-memory.dmp

memory/4016-394-0x0000000070D20000-0x00000000714D0000-memory.dmp
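
The Files section records every write with its hash, including several writes to the same path with different content (CPPlayer.exe and CPKernel.dll among them), so the first hash seen for a path is not necessarily the file that ends up on disk. The Python below is an added editor's example, not sandbox code: it takes (path, sha256) pairs copied from the Files section (a constructed subset), matches file names against the standard NetSupport Manager client component names (that list is taken from the product's normal client package and is an assumption of the example, not something the report states), works out the directory the RAT was staged in, and lists the rewritten paths so that the final hash is the one used for blocking.

```python
import re
from collections import defaultdict

# (path, sha256) pairs copied from the Files section above (constructed subset).
DROPPED = [
    (r"C:\Windows\Installer\e581be0.msi", "e0241eb5e24ece8398939d05a2b0ed8dc0118f67c55f2f4e65aa2b06c0c2c8d5"),
    (r"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe", "2243647e813bcf3de1277e5b3c6a20c47106d252a3214bb57279cd9d81c30a96"),
    (r"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll", "6a2b43665d879eec9b20781fec9d7775e9d92aa151de0b4c2f83f01f7ed7ef2f"),
    (r"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll", "49617860f595f7d29716a4957f21a4c780d75b9429caca8c7aca697c98aa4232"),
    (r"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicl32.dll", "86b915b86b076488404605da1e6bf43bc7b730e3000dfeca52ff1316de928ae9"),
    (r"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\msvcr100.dll", "f6fd5a6f4944b6a49eccef6aac1738701fe70c7bdb66d2cc2a4b3f10fe2ccf49"),
    (r"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicapi.dll", "9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917"),
    (r"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcichek.dll", "313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a"),
    (r"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\nsm.lic", "2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12"),
    (r"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\htctl32.dll", "cf196050f83a7af23e8f5da72ad10d9539936d6b5eb684c9cd8b93fbce68395e"),
    (r"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe", "c5f4b4cf3eab65416b9b56818db951d2957a34a0bb5882e83ac94d8d3e40995c"),
    (r"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Readme.txt", "dad36f230fb9f65767b07006df1f73d04ad55863f17c1d0343771ce6c5e2ccfc"),
]

# Standard file names of the NetSupport Manager client package (assumption of
# this example). NetSupport is a legitimate remote-control product; it is a RAT
# when it is planted without the user's knowledge, as inside this fake icon editor.
NETSUPPORT_CORE = {"client32.exe", "client32.ini", "pcicl32.dll", "pcicapi.dll",
                   "pcichek.dll", "htctl32.dll", "tcctl32.dll", "nsm.lic", "nsm.ini",
                   "nskbfltr.inf", "remcmdstub.exe"}
NETSUPPORT_SUPPORT = {"msvcr100.dll"}   # VC++ runtime: corroborating only, not unique
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def split_path(path):
    # 'C:\dir\name.ext' -> ('C:\dir', 'name.ext')
    directory, _, name = path.rpartition("\\")
    return directory, name


def classify(path):
    name = split_path(path)[1].lower()
    if name in NETSUPPORT_CORE:
        return "netsupport"
    if name in NETSUPPORT_SUPPORT:
        return "netsupport-support"
    return None


def ioc_report(entries):
    by_path = defaultdict(list)          # path -> distinct hashes in write order
    for path, sha in entries:
        sha = sha.lower()
        if not SHA256_RE.fullmatch(sha):
            raise ValueError(f"bad sha256 for {path}: {sha!r}")
        if sha not in by_path[path]:
            by_path[path].append(sha)
    core = [p for p in by_path if classify(p) == "netsupport"]
    dirs = {split_path(p)[0] for p in core}
    return {
        "netsupport": [(split_path(p)[1], s) for p in core for s in by_path[p]],
        "install_dir": dirs.pop() if len(dirs) == 1 else None,
        "rewritten": {p: shas for p, shas in by_path.items() if len(shas) > 1},
        "final_hashes": {p: shas[-1] for p, shas in by_path.items()},
    }


def format_report(rep):
    lines = [f"NetSupport staging directory: {rep['install_dir']}"]
    lines += [f"  {name}  {sha}" for name, sha in rep["netsupport"]]
    for path, shas in rep["rewritten"].items():
        lines.append(f"rewritten {len(shas)}x: {path} (block on final {shas[-1]})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(ioc_report(DROPPED)))
```

Running it over the full Files section rather than the subset gives the same staging directory; the point of keeping write order is that blocklists built from the first CPPlayer.exe hash (2243647e...) would miss the file actually left on disk (c5f4b4cf...).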