Malware Analysis Report

2024-10-19 01:39

Sample ID 240203-bqsl8sfhhm
Target 512ac6847421bbfc027322074ca009a1.bin
SHA256 3bee17c7d5dd6c2bb4a8e691679d6a5aac5f5b4400c4f68d9c1a37d35a39670a
Tags
netsupport evasion persistence rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

3bee17c7d5dd6c2bb4a8e691679d6a5aac5f5b4400c4f68d9c1a37d35a39670a

Threat Level: Known bad

The file 512ac6847421bbfc027322074ca009a1.bin was found to be: Known bad.

Malicious Activity Summary

netsupport evasion persistence rat

NetSupport

Enumerates connected drives

Maps connected drives based on registry

Blocklisted process makes network request

Modifies Windows Firewall

Adds Run key to start application

Drops file in Windows directory

Loads dropped DLL

Executes dropped EXE

Program crash

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-03 01:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 01:21

Reported

2024-02-03 01:24

Platform

win7-20231215-en

Max time kernel

135s

Max time network

131s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi

Signatures

NetSupport

rat netsupport

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IObit Workshop Ultimate = "C:\\Users\\Admin\\AppData\\Local\\Programs\\WinIcon Maker Free\\CPPlayer.exe" C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f76b168.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76b165.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICA93.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76b165.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76b166.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76b166.ipi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A (45 identical rows)

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 1240 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 3064 wrote to memory of 1240 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 3064 wrote to memory of 1240 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 3064 wrote to memory of 1240 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 1240 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 1240 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 1240 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 1240 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 1240 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 1240 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 1240 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 1240 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 1240 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 1240 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 1240 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 1240 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\netsh.exe
PID 1240 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000059C" "00000000000003B0"

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="CPPlayer In Service" dir=in action=allow program="C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="CPPlayer Out Service" dir=out action=allow program="C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

Network

Country Destination Domain Proto
US 128.138.140.44:37 N/A tcp
N/A 127.0.0.1:49361 N/A tcp
MD 5.181.156.118:443 N/A tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 104.26.1.231:80 geo.netsupportsoftware.com tcp
US 128.138.140.44:37 N/A tcp
N/A 127.0.0.1:49493 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab52E3.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar53A1.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1489765ea18799d1b19baff78b1c7b1
SHA1 b0ca9b106c7eda8c0e4b92ce85da2a8d2a60ae16
SHA256 858b68fb5ad2fc266ba53bdc80f09ce4588d02d534b2a51d0c32afd6ee5a57c7
SHA512 c7278697b973b7b14dca9c0f758cef32a758d5e0331cee30ae4c52a75e77050c3d7e8e6bc2801b89312a238220460912fc102f6d9df2a507832d719f0dfa5db8

C:\Config.Msi\f76b167.rbs

MD5 e06163886428da7f09f0eed802d5e513
SHA1 a52ba9f4da5f0be579eee352ced9b4e48b917ec1
SHA256 954e0dd3f5386aa39fb3a828e72e83450f510fdeebcc7770c52cb245c48b9c60
SHA512 2155302735080a74540b96911110a07b355dd98db4ecf40c2a5f923583e8d77e45f6ca1d2f8bafc25d08ac985d038f005ebe9e0a5e60b402924ff47b0adc90bc

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

MD5 2c90a5f4e9f6c1d904f0954911b0e9f3
SHA1 bab4656dc9c6df392b0df9328d43a9151bae05ec
SHA256 b2c094182699e50eacb69288c3e25146a209e42548baeeb6ca9ff97b5732bf1a
SHA512 01c360dc8638b6b227b55101e78a61f193d6b33dd9ae76036cb0c8447ce47d336abb5b317f4be6d9881964a87cbfc8eee450426939012d315626af119d74f85e

C:\Windows\Installer\f76b165.msi

MD5 cfa8953e5635ed863a8b555effa4d65a
SHA1 5b93104612633a23e0ce09bf8ac9136a80b5c22d
SHA256 2ba819611c3bb280588c0cd15a10557f6ca708389e33434f888c42f1b687809c
SHA512 4ea5fd65264606d998b8cca0024dc58d8bb22537bb8126f0a71a2017d20da5e3a17a97f6606657ad94d6be276c894e3b9505b8692352ad01f322a3e2a210e67c

memory/1240-112-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

MD5 00098438ab2cc364ce45d98902fb2b2a
SHA1 2a88a24a659f9a7962a4b6602b96d12249d2c790
SHA256 bffea8bdb7811b3d52473c07ef2c539dcac00df6bce60c7cafebf8c7beefa52b
SHA512 ca430ad171f53bbf3e7d670a9ba2961e3a0777abb640fa64cb722a1eb434f4c86bb71e2b3f6be9f1e3081e13a21fb38fb491a53134e9ac84f71c5fec237abf5b

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadGC2.dll

MD5 6f346d712c867cf942d6b599adb61081
SHA1 24d942dfc2d0c7256c50b80204bb30f0d98b887a
SHA256 72e6c8dd77fa7e10a7b05ef6c3e21d3f7e4147301b0bf6e416b2d33d4e19a9c3
SHA512 1f95a211d5dd3e58d4e2682f6bf2c5380b230e9907e2882097b77b99520cd2c788f43ad2abcce617dd8ded0043e4ef1c8b6e083c44688b23109868e6cdd2364c

\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

MD5 838c607a755449a885f6be7069c8efed
SHA1 62957b0d6fc212b7cc9b67a4d0ce354e1fc36561
SHA256 9ba2e6519c665f4c5f28630be9fce63fb513424cf72640dba4b4f18f45a4faac
SHA512 ee0a48c5a58ff08e8402120bf2428951af9db754494a01137e76292d91f86c87f445b9274c1a99c5272bea8d73d4628e52aaf54d7e5382662fc785c1377889a2


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 01:21

Reported

2024-02-03 01:24

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

153s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi

Signatures

NetSupport

rat netsupport

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IObit Workshop Ultimate = "C:\\Users\\Admin\\AppData\\Local\\Programs\\WinIcon Maker Free\\CPPlayer.exe" C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e57e0ea.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57e0ea.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{DCE33C24-54AC-4134-8C0C-AA3D26865F9C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE3E8.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57e0ec.msi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008bec060def88e6600000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008bec060d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008bec060d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8bec060d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008bec060d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 3912 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4692 wrote to memory of 3912 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4692 wrote to memory of 3168 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 4692 wrote to memory of 3168 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 4692 wrote to memory of 3168 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 3168 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
PID 3168 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x390 0x2f4

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1784

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"

Network

Files

C:\Config.Msi\e57e0eb.rbs

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe

C:\Windows\Installer\e57e0ea.msi

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadVC2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\postproc-52.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corez.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corem.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadGC2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Player.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SharpWnd.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ImageZoom.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swresample-0.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\awebform.resources.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\templates\bank.wav

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avutil-52.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Fitness.raw

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\License.txt

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Readme.txt

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest

\??\Volume{0d06ec8b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{616d4e31-fb7e-4615-a7cf-fbbc1b3a3bc5}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\msvcr100.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicapi.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\nsm.lic

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\htctl32.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcichek.dll

C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicl32.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bha4a3as.eke.ps1
