Analysis Overview
SHA256
3bee17c7d5dd6c2bb4a8e691679d6a5aac5f5b4400c4f68d9c1a37d35a39670a
Threat Level: Known bad
The file 512ac6847421bbfc027322074ca009a1.bin was found to be: Known bad.
Malicious Activity Summary
NetSupport
Enumerates connected drives
Maps connected drives based on registry
Blocklisted process makes network request
Modifies Windows Firewall
Adds Run key to start application
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
Program crash
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-03 01:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-03 01:21
Reported
2024-02-03 01:24
Platform
win7-20231215-en
Max time kernel
135s
Max time network
131s
Command Line
Signatures
NetSupport
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IObit Workshop Ultimate = "C:\\Users\\Admin\\AppData\\Local\\Programs\\WinIcon Maker Free\\CPPlayer.exe" | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\f76b168.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f76b165.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICA93.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76b165.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76b166.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76b166.ipi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A |
Loads dropped DLL
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000059C" "00000000000003B0"
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="CPPlayer In Service" dir=in action=allow program="C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="CPPlayer Out Service" dir=out action=allow program="C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"
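Most signatures in this report (drive enumeration, AdjustPrivilegeToken, the HKEY_USERS certificate-store keys, the VSS COM API) are attributed to msiexec.exe, DrvInst.exe and vssvc.exe, i.e. to the Windows Installer run itself, and are not malicious on their own. The actionable chain is what the dropped CPPlayer.exe does after install: two netsh allow rules for itself, a Defender exclusion for its own path via Add-MpPreference, and a Run key whose value name ("IObit Workshop Ultimate") does not match the binary it launches. The following detection logic is an added example and not part of the sandbox report; it correlates those three behaviours on a single binary path. The event records are constructed from the command lines and the Run-key indicator above, and their field names (kind, image, cmdline, key, value_name, data) are an assumed schema rather than any real sensor's format.

```python
"""Correlate firewall allow rules, Defender exclusions and Run-key persistence
on the same executable path (added example; assumed event schema)."""
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"
EXCLUSION = re.compile(
    r'-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(?:Once)?$', re.IGNORECASE)
USER_WRITABLE = re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\', re.IGNORECASE)


def _norm(path: str) -> str:
    """Strip quotes and lower-case so the same binary maps to one key."""
    return path.strip().strip('"').lower()


def firewall_allow(ev):
    """netsh advfirewall firewall add rule ... action=allow program="<exe>"."""
    cl = ev.get("cmdline", "")
    low = cl.lower()
    if "advfirewall" not in low or "add rule" not in low:
        return None
    args = {k.lower(): (q or u) for k, q, u in KV.findall(cl)}
    if args.get("action", "").lower() == "allow" and args.get("program"):
        return ("firewall_allow_" + args.get("dir", "?").lower(), _norm(args["program"]))
    return None


def defender_exclusion(ev):
    """Add-MpPreference -ExclusionPath/-ExclusionProcess/-ExclusionExtension."""
    cl = ev.get("cmdline", "")
    m = EXCLUSION.search(cl)
    if m and "add-mppreference" in cl.lower():
        return ("defender_exclusion", _norm(m.group(1) or m.group(2)))
    return None


def run_key_persistence(ev):
    """Run/RunOnce value; flag when the value name does not name the binary."""
    if ev.get("kind") != "reg_set" or not RUN_KEY.search(ev.get("key", "")):
        return None
    exe = _norm(ev.get("data", ""))
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    tag = "run_key"
    if stem and stem not in ev.get("value_name", "").lower():
        tag += "_mismatched_name"
    return (tag, exe)


RULES = (firewall_allow, defender_exclusion, run_key_persistence)


def correlate(events):
    """Map each normalised binary path to the set of behaviours seen for it."""
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            r = rule(ev)
            if r:
                hits[r[1]].add(r[0])
    return dict(hits)


def verdict(events):
    """High when one binary both weakens defences and persists; +1 if it lives
    under a user-writable AppData path, as CPPlayer.exe does here."""
    out = {}
    for path, tags in correlate(events).items():
        evasion = any(t.startswith(("firewall_allow", "defender_exclusion")) for t in tags)
        persist = any(t.startswith("run_key") for t in tags)
        score = len(tags) + (1 if USER_WRITABLE.match(path) else 0)
        level = "high" if evasion and persist else "medium" if evasion else "low"
        out[path] = {"level": level, "score": score, "tags": sorted(tags)}
    return out


# Constructed sample events, taken from the Processes and Signatures sections.
EXE = r'C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe'
SAMPLE_EVENTS = [
    {"kind": "proc", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh advfirewall firewall add rule name="CPPlayer In Service" dir=in action=allow program="{EXE}" enable=yes'},
    {"kind": "proc", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh advfirewall firewall add rule name="CPPlayer Out Service" dir=out action=allow program="{EXE}" enable=yes'},
    {"kind": "proc", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "{EXE}"'},
    {"kind": "reg_set", "image": EXE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "IObit Workshop Ultimate", "data": EXE},
    {"kind": "proc", "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi"},
]

if __name__ == "__main__":
    for path, v in verdict(SAMPLE_EVENTS).items():
        print(v["level"], v["score"], path, ", ".join(v["tags"]))
```

The msiexec.exe event produces no hit, which is the point: the installer noise drops out and only CPPlayer.exe is scored, at "high", because it both opens the firewall/Defender for itself and persists under a name that hides what it starts. The netsh parser reads key=value arguments rather than matching a fixed order, so rules with reordered arguments or extra options still match.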
Network
| Country | Destination | Domain | Proto |
| US | 128.138.140.44:37 | | tcp |
| N/A | 127.0.0.1:49361 | | tcp |
| MD | 5.181.156.118:443 | | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| US | 104.26.1.231:80 | geo.netsupportsoftware.com | tcp |
| US | 128.138.140.44:37 | | tcp |
| N/A | 127.0.0.1:49493 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab52E3.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar53A1.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e1489765ea18799d1b19baff78b1c7b1 |
| SHA1 | b0ca9b106c7eda8c0e4b92ce85da2a8d2a60ae16 |
| SHA256 | 858b68fb5ad2fc266ba53bdc80f09ce4588d02d534b2a51d0c32afd6ee5a57c7 |
| SHA512 | c7278697b973b7b14dca9c0f758cef32a758d5e0331cee30ae4c52a75e77050c3d7e8e6bc2801b89312a238220460912fc102f6d9df2a507832d719f0dfa5db8 |
C:\Config.Msi\f76b167.rbs
| MD5 | e06163886428da7f09f0eed802d5e513 |
| SHA1 | a52ba9f4da5f0be579eee352ced9b4e48b917ec1 |
| SHA256 | 954e0dd3f5386aa39fb3a828e72e83450f510fdeebcc7770c52cb245c48b9c60 |
| SHA512 | 2155302735080a74540b96911110a07b355dd98db4ecf40c2a5f923583e8d77e45f6ca1d2f8bafc25d08ac985d038f005ebe9e0a5e60b402924ff47b0adc90bc |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
| MD5 | 2c90a5f4e9f6c1d904f0954911b0e9f3 |
| SHA1 | bab4656dc9c6df392b0df9328d43a9151bae05ec |
| SHA256 | b2c094182699e50eacb69288c3e25146a209e42548baeeb6ca9ff97b5732bf1a |
| SHA512 | 01c360dc8638b6b227b55101e78a61f193d6b33dd9ae76036cb0c8447ce47d336abb5b317f4be6d9881964a87cbfc8eee450426939012d315626af119d74f85e |
C:\Windows\Installer\f76b165.msi
| MD5 | cfa8953e5635ed863a8b555effa4d65a |
| SHA1 | 5b93104612633a23e0ce09bf8ac9136a80b5c22d |
| SHA256 | 2ba819611c3bb280588c0cd15a10557f6ca708389e33434f888c42f1b687809c |
| SHA512 | 4ea5fd65264606d998b8cca0024dc58d8bb22537bb8126f0a71a2017d20da5e3a17a97f6606657ad94d6be276c894e3b9505b8692352ad01f322a3e2a210e67c |
memory/1240-112-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll
| MD5 | 00098438ab2cc364ce45d98902fb2b2a |
| SHA1 | 2a88a24a659f9a7962a4b6602b96d12249d2c790 |
| SHA256 | bffea8bdb7811b3d52473c07ef2c539dcac00df6bce60c7cafebf8c7beefa52b |
| SHA512 | ca430ad171f53bbf3e7d670a9ba2961e3a0777abb640fa64cb722a1eb434f4c86bb71e2b3f6be9f1e3081e13a21fb38fb491a53134e9ac84f71c5fec237abf5b |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadGC2.dll
| MD5 | 6f346d712c867cf942d6b599adb61081 |
| SHA1 | 24d942dfc2d0c7256c50b80204bb30f0d98b887a |
| SHA256 | 72e6c8dd77fa7e10a7b05ef6c3e21d3f7e4147301b0bf6e416b2d33d4e19a9c3 |
| SHA512 | 1f95a211d5dd3e58d4e2682f6bf2c5380b230e9907e2882097b77b99520cd2c788f43ad2abcce617dd8ded0043e4ef1c8b6e083c44688b23109868e6cdd2364c |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll
| MD5 | 838c607a755449a885f6be7069c8efed |
| SHA1 | 62957b0d6fc212b7cc9b67a4d0ce354e1fc36561 |
| SHA256 | 9ba2e6519c665f4c5f28630be9fce63fb513424cf72640dba4b4f18f45a4faac |
| SHA512 | ee0a48c5a58ff08e8402120bf2428951af9db754494a01137e76292d91f86c87f445b9274c1a99c5272bea8d73d4628e52aaf54d7e5382662fc785c1377889a2 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll
| MD5 | 839fd32343a2134bbf9edc1d5ccebdde |
| SHA1 | ffbb761c55ee5f4b3b82864e686099aa51da6a8b |
| SHA256 | c91e4f0b46e80b286df63df3ecb789baa4acb7abe4f6ed9f3ca59083ee115cc2 |
| SHA512 | 20aa82e9bf4ed4d3c5cac4290b9c0b54c39e35ca8b7a6daac65438fa6ca6331f11de25e9925cc1a4e98dc21cd6204eab72856b68cef7fb83f4ec9f59ea410163 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll
| MD5 | a57f086032de4aab2a2c69993218f644 |
| SHA1 | 93a85057c822bb3cc19ead5c80bf738fdc2080cb |
| SHA256 | eacee14294a5917de033f0a5112a87e9b1345e81f727fa8ba72538b7274f83bc |
| SHA512 | 54aa2a129241818fd1eb369b99ba255f0e41742dbc6730755a184e831e36d7eaeeea6c492967336833b87c40099e7325ef93369de1bfbcb3868d82e936edf7ab |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll
| MD5 | bfcb8be288b3b1535c878fac14033351 |
| SHA1 | 9a2af6064e694f7d58f078a9e52e24e0a9448de9 |
| SHA256 | 0c1310f92e0bd207d6c2b1e7d45d527038612849d94a1f97ce0290fb4916a711 |
| SHA512 | e9c0a86f25118af21f3227c17f8d803f4623221481cf9ab5b8c7c9929681044ae0955df1b4d8c0cc004f71a3c74c56c2fea888e25ae5f9ce0fa0124eead5ffc5 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll
| MD5 | 25d3ba579cf9097b5d0095b53670a972 |
| SHA1 | 7d10a21e8e2587dcf0d231eb8e146da41c1e7ea7 |
| SHA256 | a54c662fa25d83459d617d9a82afd41b4a9a435e9920b0158c2431ad0e43a82f |
| SHA512 | ed74723d678b4735dca5706384e5944c0935bf2471b0bf7656abe36c569d0b000d32dd22a0d6b0dd6d0f47f1f3f6eda544d2e3a33fcfd55d774e42b3424c4b52 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll
| MD5 | 6b007bedabaa20fb6d445bc62f1091d3 |
| SHA1 | d3905661051c4415ac92bd5492100a5f2df6f659 |
| SHA256 | bfc20232c4ecf4aece403d005624c82a64a2d54d5d84720341dc6d45b3522ba5 |
| SHA512 | 7b0cb0959434437f31ab3e6df721be412de003979f19a66d3855ee4c87fe8a79d5cc4b42e6cf453be9289575854d2176d2bfff88a9308f5ab9f0895c0a899cfa |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadVC2.dll
| MD5 | 54aeddc619eed2faeee9533d58f778b9 |
| SHA1 | ca9d723b87e0c688450b34f2a606c957391fbbf4 |
| SHA256 | ee15e6e3f82c48461eb638c1ea11019ae9e3e303e067e879115c6272139026e7 |
| SHA512 | 7cec39f32804109b3d502027d1ec42a594c1e4a2d93512195c60bd41aad7e32a8b0eb21a0ee859fecb403ee939eebc4608d9d27a4002b8c282de32f696136506 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corem.dll
| MD5 | 71f601f8151e34ef31307ab4e46e902d |
| SHA1 | 1f3d312e2f4755b7f2decca1dedb91bc795288ea |
| SHA256 | deac6221d0abe480012e836e5e9dd915828ae55401f0c46fb7ce8049c380c698 |
| SHA512 | 377e6c9540616cad77cf151a31f6461338910d441a12b26175d8bcc2020eba83f621b0df1756123b58fb4358786fcb6a3e187af11123f100a91255218a616aa9 |
memory/1240-141-0x0000000005D60000-0x0000000005D79000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corez.dll
| MD5 | 355f1b97cad97743a8e70dd2803e2f9d |
| SHA1 | c7c12bc74483874cbdd39343d149509be355c2d9 |
| SHA256 | 00d4986dfff92cfdd45576da9100d49f374a8dba1a476cfc8dc7cf50f5a6735f |
| SHA512 | eb7f8d7b68ab01a95de5aad0023fc4c51c3828138610b488c92ca3ab5c320305f295467972b542c7fe436d08e21ba7926a997702e4383ce5f4cbc674f62479b7 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll
| MD5 | 3e837b82501aa2f90cc774890656d02b |
| SHA1 | a62e967c006f6bf77fbe489b01ea30993e55fe5d |
| SHA256 | c85ca44b1ff1ad0af0ca3daf5f2302498846f3fdc2f48c6c7262f08280c6f5fc |
| SHA512 | a4a55fc0ef6ae87c5c73489993e2dc6e0e36f783de79dd7894966df3ebe13ae8341a5fe15dd0e26c72865b4a936247f34b08342769edd0a94ba2b90164b0d27d |
memory/1240-138-0x0000000005D50000-0x0000000005D60000-memory.dmp
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll
| MD5 | 2985c39796fb4a5f4357a1a7a134ad45 |
| SHA1 | 305dc537a03e0137a529dc30bfd2fc6c185402a3 |
| SHA256 | 4f17b1ceea162390f64f54a3d13de4bb9e553da1e51ae7061545b7843ddad9ca |
| SHA512 | 4764dbf01defe417d587adbee16901bf374e0548d4a00f4f977f058dbe00c54712fd25162e1bf1986b55521cc2f005e7ed8e78db15e6cabfddc6b6924ec423b8 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\postproc-52.dll
| MD5 | f75d1b175e1687ee0a9b9e4a7abd123b |
| SHA1 | 026f4db79aa8db651964acf17233302d1809de1e |
| SHA256 | 72180a408b13b7d98c0bc2395b886a5c3aa0b2dea39ef081e193f60ef373365f |
| SHA512 | 200aec20c95b1ec2e7d1bb33ed89d846a128847b82c9d09aa2788b258967e750718414f05bdec0cf2e4f9c7af697404e19caccac354a1a62db52e76c6a45886b |
memory/1240-135-0x0000000005D40000-0x0000000005D4B000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll
| MD5 | a1068bd2b2d26508e745b513d10a48bd |
| SHA1 | 2c97f15ab052272065994bfb74880815861ace98 |
| SHA256 | b635fa99267c741b3478c82acd3d3f5acc9bb2d244237323b4f46cc758094275 |
| SHA512 | 6239821d7baa93a58a95e12e66a444ab0b9d1eb9f82041d93ca92bb4a52383ba5e82181d9b28291f4d746c37a20e3d07b31351cc703743e0356958ba7f1cb805 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swresample-0.dll
| MD5 | 77bceb240f65c91d26299a334a0cf8e1 |
| SHA1 | de9d588a25252d9660fe0247508eadfa6f8a7834 |
| SHA256 | d179c01c646d821cf745ae5e66ffc7ed394a61a595ecc2bccf27dc144ba91a2c |
| SHA512 | b380b592c39fd22302fc4a36aa6f773a79253230f0dd73ad129500654dbdf24c5a0b0ae3b2a4ffd762da4f9705a0c8e48ad4372d85cdb6271c5d3f315c82a281 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avutil-52.dll
| MD5 | f832d24b70a2f4583c57a5fa9b6f0d68 |
| SHA1 | 092ce5cb6bfe6eadde62c4cfb911eab2474196f8 |
| SHA256 | 67a0f7d47ceff1407b9c4851032346a9b81a75fee6569274f15d092610f04cdc |
| SHA512 | 41048c023871b485718ae219f0d79bbe01a0704f8d2107d68ead2262e3f66737718afbb636b02109d1a2b427aab04dd394ef82d8014298fa3fdee0c61bfab185 |
memory/1240-146-0x0000000005EE0000-0x0000000005EFA000-memory.dmp
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Player.dll
| MD5 | 08c68e4121ceeac71745015bf17126cc |
| SHA1 | 103792ab800377092aabefbf4b94d0a882afdc3c |
| SHA256 | e18254dd1e074eb57971d91ab62502611dee96aba1203f2b21810d8d0e761b3a |
| SHA512 | d66c9db8a876260f4b86604dd71a52b72dd91d79b7d1da711c45577b0dddbda8e46802f6184c2cd63a202f58cdb04d51da865968b7b203b8c5c2a76a8cfb5bce |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll
| MD5 | 71e603e402afd0fdba84a781c9934446 |
| SHA1 | b3a529f7e470e478a77404846d17c1ad2ff017cb |
| SHA256 | 5ff3186465a347ce8a13991fdb659f77ee21ae5dc9813b9fb2aadafda8a86491 |
| SHA512 | 45aba98b564e4c18bc8fccb71ad4cf1f03770a916c074c1cbf8546f1385dba6e041c67fd870f792a5eec233b8d19bbbe4c4d047015266ac5c060caf037af9c28 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SharpWnd.dll
| MD5 | a555f73041756d249093a1d6a6f28448 |
| SHA1 | bc75a0047342fb157047c19193c02a8149187656 |
| SHA256 | 2ad9292c875cb8b71a437b0da803d07867d2ed8deae4568f2be1f623755d5b60 |
| SHA512 | cb2166fcf3a73e60fef9b90102f6aba3a913cc0e84ca0a5c4cd43c52d21ad1696040215b302d2a46d61599024679cb2477fdaffedcc88396ae9c7ff1c649c84d |
memory/1240-153-0x00000000730C0000-0x0000000073F68000-memory.dmp
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ImageZoom.dll
| MD5 | b01a100820095dc05fdaa0d1c3b5ca14 |
| SHA1 | 70af3c7337248cd4dc8c65d5ba1d18d3fba926b0 |
| SHA256 | ee7205fa96539f9d9e62f5a403a06004c6c7235b7caee368dcb0db3a765c21ad |
| SHA512 | 883891959202294edceb3a6360f450182d59e097bb4b0f9fe18b5316c6591aee04d0cd5bf01c1b23d1727b59eeee7c148e56eea2a7436902170993318386933a |
memory/1240-154-0x0000000074A50000-0x0000000074D5E000-memory.dmp
memory/1240-155-0x0000000074260000-0x00000000743EE000-memory.dmp
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll
| MD5 | 3f7663206ef2069d0cc16cc1e813d7aa |
| SHA1 | 2ef1cc5457cb36b4e50de36a9a86b8c7ddf02092 |
| SHA256 | 7896a7429e431a74eb43be3a235dfd1d6625e8634f6ad247c2eb13e8d3d298ff |
| SHA512 | 2e9f33bb0f776168e600d90a1fea188bc30d587e140b0cb2479384b347aa034152f242ff61e26f8e3fccaf473a2e940641e3db16570dfb1c15b5bc80f8593e34 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\templates\bank.wav
| MD5 | a60d3072a719260abb73a4011ff30642 |
| SHA1 | cfbf6fac5fdedd793c902b31359c7c94d8e85b52 |
| SHA256 | 523e7e3cc6be48a5f8ac28517a68557ce7d051d047c84d868a00e21ca600c1c8 |
| SHA512 | 425d425e78829b98476fe72b82204423aa52b64b7a0aca92550b371291e557118b3445c28d5494980539e894e1126380dd837eebcaaedfffddd36aaddaf717b9 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\awebform.resources.dll
| MD5 | 0e77bfad6b92733c3296a04719375901 |
| SHA1 | 982674869e2e76ee10937e946aad828ebea818ff |
| SHA256 | 87810c5d06310b6e61398314300646a0582fad7a99dba8368a06c886a59a38af |
| SHA512 | 391f6558d5b3241b1e1490763c80633b288e0b8a770815116530b352fb81ab7d18784d9103669c903e6b5b501cb8a062517dc599609bb269b86bf16cb8e8e7bf |
memory/1240-161-0x0000000072930000-0x0000000072AEE000-memory.dmp
memory/1240-162-0x0000000006BC0000-0x0000000006D19000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\License.txt
| MD5 | cc5d000307075f7c16eb5cf2c8606c8d |
| SHA1 | 0169dbed302b8a3d142522e6bcb6040609d07232 |
| SHA256 | 66014baaf612e3aa3084b0c9d7fd95041606f6157236ea10e80865e7cee4cab4 |
| SHA512 | d8cc2a3ae2bda1ad7d07f5ca4645c60d67bbb719ea8c42696e749604205b43fbb8630060924a486fee7f8f38984e53ab9c9016eabf8a548f9eec177d5d8b268e |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Fitness.raw
| MD5 | 9563f57718f1ea259bd62b4de0ec1682 |
| SHA1 | c270f75095a4251d42f7d9947d3369af92c5ed7e |
| SHA256 | 9e57baeaaf4ea29c340558730646db9e45a9e1fc70426906bbffba32dd455025 |
| SHA512 | 45adc4f64d3053107da03aa8e564f34b3b72a8272952124d12b17b0441b64e8b4790923107cc0f18155d5ffebb0a1bef07f11579921f9778d3d7195cd17278bb |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Readme.txt
| MD5 | 969c656269ca1f8437d76200e7620bcd |
| SHA1 | 80c6b239567b19e358250c8cbda9f100e6b0c28a |
| SHA256 | dad36f230fb9f65767b07006df1f73d04ad55863f17c1d0343771ce6c5e2ccfc |
| SHA512 | 030ba239643d0d2e68283ec428dbf916021b7e3939d2ad7df4ef7101cf581341e50b7900dd6aed32582df8c66539d0d5032106b9e41a95cf2886a25941f15941 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest
| MD5 | ce3ab3bd3ff80fce88dcb0ea3d48a0c9 |
| SHA1 | c6ba2c252c6d102911015d0211f6cab48095931c |
| SHA256 | f7205c5c0a629d0cc60e30e288e339f08616be67b55757d4a403a2b54e23922b |
| SHA512 | 211e247ea82458fd68bcc91a6731e9e3630a9d5901f4be4af6099ad15a90caf2826e14846951fdd7d3b199994fd3ac97ca9e325cf0dfeb9474aea9b0d6339dd3 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest
| MD5 | 6bb5d2aad0ae1b4a82e7ddf7cf58802a |
| SHA1 | 70f7482f5f5c89ce09e26d745c532a9415cd5313 |
| SHA256 | 9e0220511d4ebdb014cc17ecb8319d57e3b0fea09681a80d8084aa8647196582 |
| SHA512 | 3ea373dacfd3816405f6268ac05886a7dc8709752c6d955ef881b482176f0671bcdc900906fc1ebdc22e9d349f6d5a8423d19e9e7c0e6f9f16b334c68137df2b |
memory/1240-173-0x0000000006BC0000-0x0000000006D19000-memory.dmp
memory/1240-174-0x0000000006BC0000-0x0000000006D19000-memory.dmp
memory/1240-175-0x0000000006BC0000-0x0000000006D19000-memory.dmp
memory/1240-178-0x0000000000400000-0x0000000001554000-memory.dmp
memory/1240-182-0x0000000074420000-0x000000007448A000-memory.dmp
memory/1240-183-0x00000000743F0000-0x0000000074413000-memory.dmp
memory/1240-185-0x0000000074220000-0x0000000074257000-memory.dmp
memory/1240-186-0x0000000073F90000-0x000000007401B000-memory.dmp
memory/1240-197-0x0000000006BC0000-0x0000000006D19000-memory.dmp
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcichek.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicl32.dll
| MD5 | c634eb1e856f3b5f14e09891a0301038 |
| SHA1 | 36067c048d0b17b198b99c88d09c68b40947d122 |
| SHA256 | a0150cdf67140bfa6e4e4e768f16c983a1e07f9eb4a0455e572698c4cd1cd571 |
| SHA512 | 2871dce6d24b10d443a53df919a662da2f0ec15c4c1e16b17ef4f58584489c838b3b579028a6aee4c896b2981b7e08346556bdb490cbbb42874d506bf6172301 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicapi.dll
| MD5 | a58b534a65e9727fd5ca618316a8eca1 |
| SHA1 | 4b1b4837753727723cdac308a043358484298ed5 |
| SHA256 | 733999c43a9b46ebdb1e22291ca7407c9122638c2b395cd5e86db2c7f96e280d |
| SHA512 | 0c23dae4e62627d6b8c34dfc9ae699760e4c273a62614902ec51c5a124c28ea84f9f3c3a51f6694d70c05588fa323f75ff73db0c10768ac0a4d51476712c3268 |
memory/1240-209-0x0000000006BC0000-0x0000000006D19000-memory.dmp
memory/1240-212-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\nsm.lic
| MD5 | 7067af414215ee4c50bfcd3ea43c84f0 |
| SHA1 | c331d410672477844a4ca87f43a14e643c863af9 |
| SHA256 | 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12 |
| SHA512 | 17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\htctl32.dll
| MD5 | 2d3b207c8a48148296156e5725426c7f |
| SHA1 | ad464eb7cf5c19c8a443ab5b590440b32dbc618f |
| SHA256 | edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 |
| SHA512 | 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c |
memory/1240-223-0x00000000064A0000-0x00000000064BB000-memory.dmp
memory/1240-238-0x0000000006BC0000-0x0000000006D19000-memory.dmp
memory/1240-240-0x0000000006BC0000-0x0000000006D19000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
| MD5 | 87486e2a69c91123a6aeec69b3481b90 |
| SHA1 | 53982fc795c00a5bff19c6a223a3a8cf47831406 |
| SHA256 | c5f4b4cf3eab65416b9b56818db951d2957a34a0bb5882e83ac94d8d3e40995c |
| SHA512 | 866553350d5abf58f06123bc3ff3347769b7a683a405bb64a04aa9cc5d8e395fd51b65a78efb08fb263f67226a028159e4e972c0f89c463652aee4f5ca041284 |
memory/1240-242-0x0000000006BC0000-0x0000000006D19000-memory.dmp
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll
| MD5 | bda2f535c4a6003138ffeb1b52ab601c |
| SHA1 | 4ea2c6f27e376975abaef0af58b43da0591248b2 |
| SHA256 | 2f63e3897860eb57b04cc63ff7a0c89d2896db9e28cb8d01f76497c5974734e4 |
| SHA512 | 97690400203e43db999ddd006a707d75454f9fd5e98958a5c10404bd3d301aa545d0c4223c7dcdfb47bf4b0ee58eece1dfefe9a67d4a830dd2e9fa778281c239 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll
| MD5 | 76db03c6f7d3a73df1b21b53aa23eba3 |
| SHA1 | 0718150962eb3792adfd0e59792c165625452057 |
| SHA256 | eca3444c6d0727139fb3ef44f07a94d460e7252905c88b58bab62cd1b2aa0873 |
| SHA512 | f7232862ac12b5312a24902e314bc58e028d42e923117bb17a2789213a01b00d98a0cc3cc12b4029288e84375a4e44ea4dc2722ac2660d0af73a29f8d4310568 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll
| MD5 | d46028df00ce4a9e48eab511fedfb665 |
| SHA1 | 0602fb4a4df79db1965de37a9d647f5047737f02 |
| SHA256 | 52f0886e8cb2ddf6e8950264e6bc0a8978db1e817e6f60bccd59c136901fd709 |
| SHA512 | a8af5d0ce8ca0d3a891fdcf6a15d8e991371f4a1801c5dda5dbf252520fff5ce4f533c3335725b453ed3ad9f20fe69367bb9aa449b6014e4df2c11e4b2cb5e2e |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll
| MD5 | 5e173ed2bec3442f68b897e836c4ce8e |
| SHA1 | 90af9b5d5a223c60a7695d9b3c4b9075174cd33c |
| SHA256 | f5d89b8b28f17817152c1a5777c2f98c48e6ff5db2260f695677c7a4516dd40f |
| SHA512 | e0dbe99daa0be6a88e12667a30491dedb5a7e7b73e2cf12a303e9fffaddd4c7594d523f84764f9fddc3f2bcc704c4bf2072bac551fbe329ed18bcc340e177e80 |
memory/872-278-0x0000000005FF0000-0x000000000600A000-memory.dmp
memory/872-281-0x0000000000400000-0x0000000001554000-memory.dmp
memory/872-282-0x0000000074A50000-0x0000000074D5E000-memory.dmp
memory/872-284-0x00000000730C0000-0x0000000073F68000-memory.dmp
memory/872-285-0x0000000074420000-0x000000007448A000-memory.dmp
memory/872-286-0x00000000743F0000-0x0000000074413000-memory.dmp
memory/872-289-0x0000000073F90000-0x000000007401B000-memory.dmp
memory/872-288-0x0000000074220000-0x0000000074257000-memory.dmp
memory/872-287-0x0000000074260000-0x00000000743EE000-memory.dmp
memory/872-299-0x0000000000230000-0x0000000000231000-memory.dmp
memory/872-300-0x0000000072930000-0x0000000072AEE000-memory.dmp
memory/872-317-0x00000000074D0000-0x000000000755B000-memory.dmp
memory/872-319-0x0000000006DC0000-0x0000000006DC1000-memory.dmp
memory/872-328-0x0000000072930000-0x0000000072AEE000-memory.dmp
memory/2088-445-0x00000000717A0000-0x0000000071D4B000-memory.dmp
memory/2088-446-0x0000000002530000-0x0000000002570000-memory.dmp
memory/2088-447-0x00000000717A0000-0x0000000071D4B000-memory.dmp
memory/2088-448-0x0000000002530000-0x0000000002570000-memory.dmp
memory/2088-449-0x00000000717A0000-0x0000000071D4B000-memory.dmp
memory/1240-472-0x0000000072930000-0x0000000072AEE000-memory.dmp
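The Files lists in this report are long enough that the interesting facts get lost: pcichek.dll in the win7 run carries the MD5 d41d8cd98f00b204e9800998ecf8427e and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, which are the digests of a zero-byte file, and several paths (CPKernel.dll, avcodec-55.dll, ax.mem.dll) appear more than once with different hashes, meaning the file was rewritten during the run or differs between runs. The Python below is an added example, not part of the sandbox report, that parses the page's path-plus-digest-rows layout and surfaces those three checks. The input is a constructed excerpt copied from the Files lists of both runs on this page (MD5 and SHA256 rows only; the parser accepts all four digest rows). The NetSupport Manager component-name set is an assumption taken from public reporting on NetSupport, not from this page.

```python
import re
from collections import defaultdict

# Constructed input: an excerpt of the Files lists from both runs on this page.
# Paths from the win7 run lack the drive letter; the win10 run includes it.
FILES_EXCERPT = r"""
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcichek.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicl32.dll
| MD5 | c634eb1e856f3b5f14e09891a0301038 |
| SHA256 | a0150cdf67140bfa6e4e4e768f16c983a1e07f9eb4a0455e572698c4cd1cd571 |
memory/1240-212-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\nsm.lic
| MD5 | 7067af414215ee4c50bfcd3ea43c84f0 |
| SHA256 | 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12 |
\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll
| MD5 | bda2f535c4a6003138ffeb1b52ab601c |
| SHA256 | 2f63e3897860eb57b04cc63ff7a0c89d2896db9e28cb8d01f76497c5974734e4 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll
| MD5 | 1aa1d5994dfdae139b3ab0c4b29ed8dc |
| SHA256 | 645578e698b79acfecb46b12d6ba282822e464a8001981ee5bed86a45ad72a92 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll
| MD5 | b1380f55206de7ab621ec09702352940 |
| SHA256 | d3d9a45dc56f450ec70820e1180df0a1a9b08d83d6305ab754ca0bbf2449f385 |
"""

HASH_ROW = re.compile(r'^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$', re.I)

# Digests of a zero-byte file: a "dropped DLL" with these is an empty placeholder.
EMPTY = {
    'MD5': 'd41d8cd98f00b204e9800998ecf8427e',
    'SHA256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
}

# Assumption: NetSupport Manager client file names as seen in public reporting.
NETSUPPORT_COMPONENTS = {
    'client32.exe', 'client32.ini', 'pcicapi.dll', 'pcichek.dll', 'pcicl32.dll',
    'htctl32.dll', 'tcctl32.dll', 'nsm.lic', 'remcmdstub.exe',
}


def parse_files(text):
    """Turn 'path line followed by digest rows' into [{'path', 'hashes'}]; skips memory/ lines."""
    entries, cur = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        m = HASH_ROW.match(line)
        if m:
            if cur is not None:
                cur['hashes'][m.group(1).upper()] = m.group(2).lower()
        elif line and not line.startswith('memory/'):
            cur = {'path': line, 'hashes': {}}
            entries.append(cur)
    return entries


def norm_path(path):
    """Drop the drive letter and case so win7 and win10 paths compare equal."""
    return re.sub(r'^[a-z]:', '', path, flags=re.I).lower()


def triage(text):
    """Report empty files, NetSupport components, and paths seen with more than one SHA256."""
    entries = parse_files(text)
    by_path = defaultdict(list)
    for e in entries:
        by_path[norm_path(e['path'])].append(e)

    result = {'count': len(entries), 'empty': [], 'multi_hash': {}, 'netsupport': []}
    for path, group in by_path.items():
        name = path.rsplit('\\', 1)[-1]
        if name in NETSUPPORT_COMPONENTS:
            result['netsupport'].append(name)
        if any(e['hashes'].get(k) == v for e in group for k, v in EMPTY.items()):
            result['empty'].append(name)
        digests = sorted({e['hashes']['SHA256'] for e in group if 'SHA256' in e['hashes']})
        if len(digests) > 1:
            result['multi_hash'][name] = digests   # rewritten in-run or differs across runs
    result['netsupport'].sort()
    return result


if __name__ == '__main__':
    for key, value in triage(FILES_EXCERPT).items():
        print(f'{key}: {value}')
```

Feed the whole Files list of a report into `triage()` rather than the excerpt; every SHA256 listed under `multi_hash` is a separate artefact to retrieve from the sandbox, since only one of them is what ends up on disk at the end of the run.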
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-03 01:21
Reported
2024-02-03 01:24
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
153s
Command Line
Signatures
NetSupport
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IObit Workshop Ultimate = "C:\\Users\\Admin\\AppData\\Local\\Programs\\WinIcon Maker Free\\CPPlayer.exe" | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\e57e0ea.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57e0ea.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{DCE33C24-54AC-4134-8C0C-AA3D26865F9C} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE3E8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57e0ec.msi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A |
Loads dropped DLL
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008bec060def88e6600000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008bec060d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008bec060d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8bec060d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008bec060d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390 0x2f4
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4392 -ip 4392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1784
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"
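The process tree above contains the two facts a responder most wants to correlate: the Run key that launches CPPlayer.exe from a user-writable directory under a value name ("IObit Workshop Ultimate") that has nothing to do with the binary, and the cmd.exe /c powershell chain that registers that same binary as a Windows Defender path exclusion. The Python below is an added example, not part of the sandbox report, that encodes those checks over command lines and the registry Set-value indicator copied from this page. The rule names, the user-writable-directory list and the dict layout of the findings are my own assumptions.

```python
import re

# Constructed input: command lines from the report's "Processes" list and the
# Run-key indicator from "Adds Run key to start application" (win10 run).
PROCESSES = [
    r'msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinIconMakerFreeSetup.msi',
    r'C:\Windows\system32\msiexec.exe /V',
    r'"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1784',
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none '
    r'-NonInteractive -Command Add-MpPreference -ExclusionPath '
    r'"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"',
    r'powershell -inputformat none -outputformat none -NonInteractive -Command '
    r'Add-MpPreference -ExclusionPath '
    r'"C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe"',
]
RUN_KEYS = [
    # (key path, value name, value data) as the sandbox reports them
    (r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
     'IObit Workshop Ultimate',
     r'C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe'),
]

# Assumption: directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(
    r'^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\', re.I)
RUN_KEY = re.compile(r'\\microsoft\\windows\\currentversion\\run(once)?$', re.I)
# First .exe in the value data, quoted or not (paths with spaces are often unquoted).
EXE_PATH = re.compile(r'^"?([^"]+?\.exe)"?', re.I)
MP_EXCLUSION = re.compile(
    r'add-mppreference\b.*?-exclusion(path|process|extension)\s+"?([^"]+?)"?\s*$', re.I)
CMD_WRAPPER = re.compile(r'^("?[^"]*\\)?cmd\.exe"?\s+/c\b', re.I)


def _norm(path):
    return path.strip().strip('"').lower()


def analyze(processes, run_keys):
    """Link Run-key persistence in user-writable paths to Defender exclusions for the same file."""
    findings, persisted = [], set()

    for key, name, data in run_keys:
        if not RUN_KEY.search(key):
            continue
        m = EXE_PATH.match(data.strip())
        exe = m.group(1) if m else data.strip()
        if USER_WRITABLE.match(exe):
            persisted.add(_norm(exe))
            stem = exe.rsplit('\\', 1)[-1].rsplit('.', 1)[0].lower()
            findings.append({
                'rule': 'run_key_user_writable',
                'value_name': name,
                'target': exe,
                'name_mismatch': stem not in name.lower(),  # value name hides the binary
            })

    for cmd in processes:
        m = MP_EXCLUSION.search(cmd)
        if not m:
            continue
        kind, target = m.group(1).lower(), m.group(2)
        findings.append({
            'rule': 'defender_exclusion',
            'kind': kind,
            'target': target,
            'via_cmd_wrapper': bool(CMD_WRAPPER.match(cmd)),
            'excludes_persisted_binary': _norm(target) in persisted,  # the strong signal
        })
    return findings


if __name__ == '__main__':
    for f in analyze(PROCESSES, RUN_KEYS):
        print(f)
```

On a live host the same two inputs come from `HKLM\...\CurrentVersion\Run` (and the HKCU and Wow6432Node variants) and from process-creation telemetry or Defender's own Operational log; the test to keep is the last field, an exclusion whose path equals a Run-key target, because neither event on its own is rare in enterprise software installs.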
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 128.138.140.44:37 | | tcp |
| US | 8.8.8.8:53 | 44.140.138.128.in-addr.arpa | udp |
| MD | 5.181.156.118:443 | | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 231.0.26.104.in-addr.arpa | udp |
| US | 128.138.140.44:37 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | telldruggcommitetter.shop | udp |
| US | 104.21.5.9:443 | telldruggcommitetter.shop | tcp |
| US | 8.8.8.8:53 | gemcreedarticulateod.shop | udp |
| US | 172.67.152.52:443 | gemcreedarticulateod.shop | tcp |
| US | 8.8.8.8:53 | 9.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.152.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | secretionsuitcasenioise.shop | udp |
| US | 172.67.213.168:443 | secretionsuitcasenioise.shop | tcp |
| US | 8.8.8.8:53 | claimconcessionrebe.shop | udp |
| US | 104.21.58.31:443 | claimconcessionrebe.shop | tcp |
| US | 8.8.8.8:53 | liabilityarrangemenyit.shop | udp |
| US | 172.67.182.52:443 | liabilityarrangemenyit.shop | tcp |
| US | 8.8.8.8:53 | 168.213.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.58.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.182.67.172.in-addr.arpa | udp |
| MD | 5.181.156.118:443 | | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
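Most rows in the Network table are reverse (in-addr.arpa) lookups that the sandbox host generates for every peer it sees, and two rows are bare IP:port connections with no preceding name (5.181.156.118:443 in MD, and 128.138.140.44:37, where 37/tcp is the legacy TIME protocol of RFC 868). The Python below is an added example, not part of the sandbox report, that reduces such a table to the indicators an analyst would actually act on: a name-to-endpoint map, the bare endpoints for manual review, a count of PTR noise, and the vendor domain geo.netsupportsoftware.com kept as a NetSupport fingerprint rather than a blocklist entry. The input is constructed from rows copied from this page; one row is deliberately kept in the mis-aligned form the page uses (protocol in the Domain column) to show the parser copes. Treating netsupportsoftware.com as vendor telemetry rather than attacker infrastructure is my assumption, based on the report's NetSupport tag.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the report's Network table (win10 run).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 128.138.140.44:37 | tcp | |
| MD | 5.181.156.118:443 | | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 231.0.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | telldruggcommitetter.shop | udp |
| US | 104.21.5.9:443 | telldruggcommitetter.shop | tcp |
| US | 8.8.8.8:53 | gemcreedarticulateod.shop | udp |
| US | 172.67.152.52:443 | gemcreedarticulateod.shop | tcp |
| MD | 5.181.156.118:443 | | tcp |
"""

PTR_SUFFIX = re.compile(r'\.(in-addr|ip6)\.arpa$', re.I)
# Assumption: the NetSupport vendor's own geolocation check; a fingerprint, not C2.
VENDOR_SUFFIXES = ('netsupportsoftware.com',)


def parse_rows(text):
    """Yield (country, dest, domain, proto). Repairs rows where an empty Domain
    cell let the protocol slide left into it."""
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip('|').split('|')]
        if len(cells) != 4 or cells[0] == 'Country':
            continue
        country, dest, domain, proto = cells
        if domain in ('tcp', 'udp') and not proto:
            domain, proto = '', domain
        yield country, dest, domain, proto


def extract_iocs(text):
    """Collapse the flow list into names, the endpoints they resolved to, and bare endpoints."""
    domains, bare, ptr = defaultdict(set), {}, 0
    for country, dest, domain, proto in parse_rows(text):
        if PTR_SUFFIX.search(domain):
            ptr += 1                               # reverse lookups: sandbox/OS noise
        elif dest.endswith(':53') and proto == 'udp':
            if domain:
                domains.setdefault(domain, set())  # queried; a connection may follow
        elif domain:
            domains[domain].add(dest)              # name -> ip:port actually contacted
        else:
            bare[dest] = country                   # no name: hard-coded address, review by hand
    return {
        'domains': dict(domains),
        'bare_endpoints': bare,
        'ptr_lookups': ptr,
        'netsupport_fingerprint': sorted(d for d in domains if d.endswith(VENDOR_SUFFIXES)),
    }


def blocklist(iocs):
    """Names and IPs from named flows, minus vendor telemetry; bare endpoints are left for review."""
    out = set()
    for domain, endpoints in iocs['domains'].items():
        if domain.endswith(VENDOR_SUFFIXES):
            continue
        out.add(domain)
        out.update(ep.rsplit(':', 1)[0] for ep in endpoints)
    return sorted(out)


if __name__ == '__main__':
    iocs = extract_iocs(NETWORK_TABLE)
    print(iocs)
    print(blocklist(iocs))
```

The resolved IPs for the .shop names all sit in Cloudflare ranges, so the names are the durable indicators and the IPs will churn; that is why `blocklist()` keeps both but a deployed rule would weight the domains.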
Files
C:\Config.Msi\e57e0eb.rbs
| MD5 | 56d0129d168cb73a82f313db14e7e010 |
| SHA1 | 3d90a5f82f89277692798556809db7eefe41571b |
| SHA256 | eb1c9215cb5563ee3007a91f38a26dfb5ce47f58d432713421f5498083f016cc |
| SHA512 | ba63e73a9072500e1e16e4e0c199f1a32fca86eef9bd963cf68a6cde664804cf5107c1d991f984006d38881953c640588a78f2fd74fb5011d35248564a3b04c1 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
| MD5 | 1c2dbf2a31e5bbd9679cb04d03528d25 |
| SHA1 | d94492ae082aff52be225e533bd225b02b3fe615 |
| SHA256 | a8897d852578c6e0eb286aa6a0ad80751083fdf1c80e78b37dd1f9f1d6775ccc |
| SHA512 | 1ac29897ee3686d88316bf300133e292ed921ccb4ae5615d75f0744709a0b9660efe9da913ebf6d8c878e56fe345d7ac34de41639f747129ace206363642c791 |
C:\Windows\Installer\e57e0ea.msi
| MD5 | 5662547f9179a112729d966af8550d15 |
| SHA1 | e627b6818a09beb32b90ac9ba3b5cc5f3c68cd9f |
| SHA256 | df9caad309dc7144e7bb99770b9aaf0796174d53ed4b1819d0ed3f1d532be16a |
| SHA512 | 2acf6c6cc3d3caa1a1a70acd3e560e20f5a781a1d9a83ac18264f481c255681a4498f018db8ce885a35d026d6dfa48e4df42f8bc91662d953c56e91dcaeef4e6 |
memory/3168-60-0x00000000035A0000-0x00000000035A1000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll
| MD5 | 1aa1d5994dfdae139b3ab0c4b29ed8dc |
| SHA1 | 49f95902cbe0aabbcdde35e661e4509a96ee67a1 |
| SHA256 | 645578e698b79acfecb46b12d6ba282822e464a8001981ee5bed86a45ad72a92 |
| SHA512 | cb5582e616f09e62a3cb5d5d5e9541ba9ec7b5e64ee1e78d93a7556a41db47572d35caf4488b8128e964a94b4470eca0663a877966ea76070e223adb46a36e92 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll
| MD5 | b1380f55206de7ab621ec09702352940 |
| SHA1 | e7318fbf5c3ac1a3c7c091ff5a8dc9dcccbc283f |
| SHA256 | d3d9a45dc56f450ec70820e1180df0a1a9b08d83d6305ab754ca0bbf2449f385 |
| SHA512 | 0efd226ddef6dc130261ea6267baacb77ed093bc8f0324cb26fec6d919fe79df3044fbff2bb09653c0741436ec5a0990e19c0a6a6a2b6c34f85a2c5cb409f2d3 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll
| MD5 | 3d198a55bd49590065dbab1644034bf5 |
| SHA1 | 576b4dda592905f308bb7a6ad2b4452a59771ea1 |
| SHA256 | f818e0752e1cf06dd802b5007221f05baf3e921cce4e53e084423abb958d6b07 |
| SHA512 | af9a218792fd02646069c31ef85f06cf8bd692f063e31b5bcdb02ceeebb193f89ff0b4f80fa4b86c035bb3b4a2abeade5ebf6a0fac91d11b53f817c38b21ed90 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadVC2.dll
| MD5 | 8a347b6fdc8c5f4faa3dfe48dc9be78d |
| SHA1 | ee861809aceae7e80a3693b3e0ea643f0db8a21f |
| SHA256 | de011bf4922ebf051870c1de9b4e66768620b8a383abc67adab911e41929a6c5 |
| SHA512 | 38abbc88f720d8d675360a87ff1c827ca45049c4b5d934eddf6d0c2ec2a2a35eebee4334ed4396159eb68a939b4cf9f2c06cdbfad5b7aa094a7e270ea2bc30c2 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll
| MD5 | 403faa8f2d71a7d600d87a95a675cf92 |
| SHA1 | 615d2caf5397efb8f6aff9749b9cf473f647fd97 |
| SHA256 | aee333d438489d373d69642e4b603eae744b4595be129ee40850984324062350 |
| SHA512 | 28f849aa599de6a5b93856c8bd855209d8580d6ad41afc9c46d7271ec1fde269002511e54103c5bc697c7242858c5bfa99339f882386b23208c518ac0b4459c6 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\postproc-52.dll
| MD5 | 0c40fc474a25632396d92a7f7bf56221 |
| SHA1 | a58cd872c92c2b571ab64c3b8ac5ed915c556543 |
| SHA256 | 379e89ebbcb1d1235e572c0fa2217b91616e6f8ebc669b9dc22bcc86c32c4c8c |
| SHA512 | 11594e3f611295ff6dee37ee7f504a4b45a015bb70d66ee3900e3f1dfdfbaa7b26041b716b475d5a4db1bd5f015d5d0b18276de067448ae87d3e1df98d63d4ef |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\GImageView.dll
| MD5 | b3043b2a65fbb07884511e63ba370536 |
| SHA1 | 91607db44776dc02c40cc6545bb8f14858715484 |
| SHA256 | f7a62a5baa72a3344ba056ffc98af45fa968a9b775831cffbf3d478576b0bf5c |
| SHA512 | 5f995be9719e23c10030196a160addf4d4531b71ed52b9cec50150bf83f7bce35855fca6df596353ce8d266a90a1979dcada491f6d11629ae72c6e33dd05c861 |
memory/3168-92-0x0000000006DF0000-0x0000000006DFB000-memory.dmp
memory/3168-94-0x0000000006E00000-0x0000000006E10000-memory.dmp
memory/3168-96-0x0000000006E10000-0x0000000006E29000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corez.dll
| MD5 | 355f1b97cad97743a8e70dd2803e2f9d |
| SHA1 | c7c12bc74483874cbdd39343d149509be355c2d9 |
| SHA256 | 00d4986dfff92cfdd45576da9100d49f374a8dba1a476cfc8dc7cf50f5a6735f |
| SHA512 | eb7f8d7b68ab01a95de5aad0023fc4c51c3828138610b488c92ca3ab5c320305f295467972b542c7fe436d08e21ba7926a997702e4383ce5f4cbc674f62479b7 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\corem.dll
| MD5 | 71f601f8151e34ef31307ab4e46e902d |
| SHA1 | 1f3d312e2f4755b7f2decca1dedb91bc795288ea |
| SHA256 | deac6221d0abe480012e836e5e9dd915828ae55401f0c46fb7ce8049c380c698 |
| SHA512 | 377e6c9540616cad77cf151a31f6461338910d441a12b26175d8bcc2020eba83f621b0df1756123b58fb4358786fcb6a3e187af11123f100a91255218a616aa9 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadVC2.dll
| MD5 | 54aeddc619eed2faeee9533d58f778b9 |
| SHA1 | ca9d723b87e0c688450b34f2a606c957391fbbf4 |
| SHA256 | ee15e6e3f82c48461eb638c1ea11019ae9e3e303e067e879115c6272139026e7 |
| SHA512 | 7cec39f32804109b3d502027d1ec42a594c1e4a2d93512195c60bd41aad7e32a8b0eb21a0ee859fecb403ee939eebc4608d9d27a4002b8c282de32f696136506 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll
| MD5 | e7ccfed8b28b03d16941836ea2745987 |
| SHA1 | f68bfe41c15f78dea340c7409bbdfc2d123dfd0c |
| SHA256 | bda41170087ad6f79405f59de66e25423978e6741e234bbc25c08eac2dbd7cdb |
| SHA512 | 19010b07d683d00c96c5dbf06364440dee2a0135a2588b2d8cd486155519280d2cc5ed40b2cb8927fe5eac7f26023931fd809e3fce30e85f57125e9b084f639c |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll
| MD5 | e658070a70283f8331e60d531af28704 |
| SHA1 | e5628e133526748eb137491c34cf681b5fb93134 |
| SHA256 | bf6d478e9c61adb428b471d99354f91135d7a26c6c0f1802cc7d4eb0f014d0ca |
| SHA512 | d001c486c7315f383d6318f2f07114eaee45f554aad660082575e72b0bfece3ebb0b2e167ecde71b5d4998c484446cb6a3e660c334417994a5ff51538783f626 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ax.mem.dll
| MD5 | efd5014cc7a9a03934eb5377a55f2b43 |
| SHA1 | 397397bd4918e6c588f7c63a48178d27472522ef |
| SHA256 | d1e341d89c92e36c621ad942ec209bce4e74ce0844e28380b62a3e999944ce07 |
| SHA512 | 30eba65e05ed4fe9e67bf114c1088a060bc09607ddc05d8f3c06361ad1b0889181e14a23f35487f7b3c64602b79bdb5cf2af44a7e8b6524982e099c0743672dd |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll
| MD5 | dc0a14c294f63185571c9007ca356ca4 |
| SHA1 | cdd254808296734283e1aa98b7861f80eb02419a |
| SHA256 | 8c63b19936fb14a50c07f64cb1ae0bb070d43667ae1261905d14fb128cabac3e |
| SHA512 | 0ad003a9da7b67a9c4fa2dd1387deb15c44512b06bf7ab113ff6b04c1f8d929c3a7d729d776c03f0ab5572f5cb866e6e081508b136414013e2b15810f10cf5aa |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avcodec-55.dll
| MD5 | dda25cc8771a7ef6efe9797c079bc442 |
| SHA1 | 79d58fcc091ce865a05ed9281e9ad8c95f48e00b |
| SHA256 | a5b39358edd5a5e84b38603d3cb6959b517759fd8591de0f3a79fcf34cde274e |
| SHA512 | 0405b792cc36db9824e89854d2e210d7325ad77cec855680bc650fee3d9fb11d9a58c55a7e29f678b33d1dc2b407454dad10762b7b50a914e96ecefe999c5b77 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\postproc-52.dll
| MD5 | f75d1b175e1687ee0a9b9e4a7abd123b |
| SHA1 | 026f4db79aa8db651964acf17233302d1809de1e |
| SHA256 | 72180a408b13b7d98c0bc2395b886a5c3aa0b2dea39ef081e193f60ef373365f |
| SHA512 | 200aec20c95b1ec2e7d1bb33ed89d846a128847b82c9d09aa2788b258967e750718414f05bdec0cf2e4f9c7af697404e19caccac354a1a62db52e76c6a45886b |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pthreadGC2.dll
| MD5 | 6f346d712c867cf942d6b599adb61081 |
| SHA1 | 24d942dfc2d0c7256c50b80204bb30f0d98b887a |
| SHA256 | 72e6c8dd77fa7e10a7b05ef6c3e21d3f7e4147301b0bf6e416b2d33d4e19a9c3 |
| SHA512 | 1f95a211d5dd3e58d4e2682f6bf2c5380b230e9907e2882097b77b99520cd2c788f43ad2abcce617dd8ded0043e4ef1c8b6e083c44688b23109868e6cdd2364c |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll
| MD5 | ab6df580d07c63aef3cea19ccd1a9747 |
| SHA1 | 6aa0a286a96051880906e8b0430cef1c36041b89 |
| SHA256 | aae6745363b1a7937aaf752ff98d11994d0448774fbfc5586bc2381b95a6aa56 |
| SHA512 | 940f0e4190839303a8eb3f32659ea0bb45d4856495469676f1c63d538104ba00aea5821a855b8d81c25185e8d3e0095993f6e0290b80d758f3269f0f812fc2b0 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Player.dll
| MD5 | 08c68e4121ceeac71745015bf17126cc |
| SHA1 | 103792ab800377092aabefbf4b94d0a882afdc3c |
| SHA256 | e18254dd1e074eb57971d91ab62502611dee96aba1203f2b21810d8d0e761b3a |
| SHA512 | d66c9db8a876260f4b86604dd71a52b72dd91d79b7d1da711c45577b0dddbda8e46802f6184c2cd63a202f58cdb04d51da865968b7b203b8c5c2a76a8cfb5bce |
memory/3168-100-0x0000000007200000-0x000000000721A000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SharpWnd.dll
| MD5 | a555f73041756d249093a1d6a6f28448 |
| SHA1 | bc75a0047342fb157047c19193c02a8149187656 |
| SHA256 | 2ad9292c875cb8b71a437b0da803d07867d2ed8deae4568f2be1f623755d5b60 |
| SHA512 | cb2166fcf3a73e60fef9b90102f6aba3a913cc0e84ca0a5c4cd43c52d21ad1696040215b302d2a46d61599024679cb2477fdaffedcc88396ae9c7ff1c649c84d |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SharpWnd.dll
| MD5 | 37dd4e0b35a15780ef305d5b1b959e68 |
| SHA1 | 988ae2d176e8723f2714b18dcde46f266cd10f8f |
| SHA256 | 9e1002adc03b32d233be2d1d0f1fda0e5f689c121c749e130cd34998f86bbad0 |
| SHA512 | d2328a22ed5e8096584ab74d2bbd6270977ccc85d1d84fcc9acb607ea74d36213f1f54a85e5b8b4abcc5570b292aa31df4653749d8458c949087cccc3aaac034 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\ImageZoom.dll
| MD5 | b01a100820095dc05fdaa0d1c3b5ca14 |
| SHA1 | 70af3c7337248cd4dc8c65d5ba1d18d3fba926b0 |
| SHA256 | ee7205fa96539f9d9e62f5a403a06004c6c7235b7caee368dcb0db3a765c21ad |
| SHA512 | 883891959202294edceb3a6360f450182d59e097bb4b0f9fe18b5316c6591aee04d0cd5bf01c1b23d1727b59eeee7c148e56eea2a7436902170993318386933a |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll
| MD5 | b495e2743615df92c1488a7927dbf807 |
| SHA1 | 3348e2c7aec07a3c0e55a10078c5856d06bac229 |
| SHA256 | 1ceaa683236e388f043ace59a6b80eb7a7593b3bdec34a0c5784db459b67013b |
| SHA512 | d352429864888ebb831b63ea7f0119fe989567bbb1c061eb751e4a8a49af2304ff958f0500c419515720d1448993edd53c76c33014befbb9bcb7140a57ac1fcd |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\SDL2.dll
| MD5 | 079955aedc3192cc88e1c5fbddd67c1b |
| SHA1 | c942d698ca6fd6401183f2981dc2f2938fbe6e2f |
| SHA256 | 41419d64235b2e9ea8a8f7a19ded5a593d7de0d80ad7e9a92c7bde27b579d91d |
| SHA512 | 42354fecf18fde1333df9076595a103e73e2324bcb8e81641876af000c04b2054668c68e9ebbe5433a6ba9d6c3ab070c9c3677c28fbccd0036a56549e4669ea1 |
memory/3168-107-0x0000000073680000-0x0000000074528000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swresample-0.dll
| MD5 | 77bceb240f65c91d26299a334a0cf8e1 |
| SHA1 | de9d588a25252d9660fe0247508eadfa6f8a7834 |
| SHA256 | d179c01c646d821cf745ae5e66ffc7ed394a61a595ecc2bccf27dc144ba91a2c |
| SHA512 | b380b592c39fd22302fc4a36aa6f773a79253230f0dd73ad129500654dbdf24c5a0b0ae3b2a4ffd762da4f9705a0c8e48ad4372d85cdb6271c5d3f315c82a281 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\swscale-2.dll
| MD5 | 2985c39796fb4a5f4357a1a7a134ad45 |
| SHA1 | 305dc537a03e0137a529dc30bfd2fc6c185402a3 |
| SHA256 | 4f17b1ceea162390f64f54a3d13de4bb9e553da1e51ae7061545b7843ddad9ca |
| SHA512 | 4764dbf01defe417d587adbee16901bf374e0548d4a00f4f977f058dbe00c54712fd25162e1bf1986b55521cc2f005e7ed8e78db15e6cabfddc6b6924ec423b8 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll
| MD5 | edae9002fefb06b952d7f9a49c1618e1 |
| SHA1 | d410d4a42540c1ece21ef5f317e9ee50ec464b6c |
| SHA256 | 256d4acfeafec73024cd076c86bafbbe2e4b55556b895368f8b19316ea5aa303 |
| SHA512 | 4597d54a5aec085547d55e11e147eff3177070639cdbd87c86517db35faf8491f496a4b94f4a8edfea2d4249f3e210ce2da29eceaf168101b5b03fec37b5c4e5 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\awebform.resources.dll
| MD5 | 6635b96ff17ac97c38763e15079f63e0 |
| SHA1 | a3de56051e762436bd1f3d18383ef626eebf5b8c |
| SHA256 | ca60fe2ab14c271b7242c18f67b30c6631848713e86cf73a476bf405964b171b |
| SHA512 | c09cff451cc8628a6dc8f7ade8949e77da002d2d3475cbfb44e503cceddf6fcce008384c1ab41fc8d31622eb719e22cb9c8e77af98936cb1edcbb9738123cab7 |
memory/3168-114-0x00000000746C0000-0x000000007484E000-memory.dmp
memory/3168-113-0x00000000748C0000-0x0000000074BCE000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll
| MD5 | 1d911e7be5b1e99d40d0ff393faefb6a |
| SHA1 | 20c7850ce996aed4a0575a4e973f5edd56f0d600 |
| SHA256 | 165a6bb0311c0a172dec0f5a3a67b0d9e4c27e158edda72ab1f964f2e0f310c7 |
| SHA512 | ecf71fb902d594a5e8e3f7a05dd37f0d81927a81d7158162945d4143383376464f6ba6c6d04bd2a01cfdeb4dc6deb13c9b027174af85fc6b0be3279c07efd18f |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\templates\bank.wav
| MD5 | 7f8f43b88ace2aa68da97b37361ae90c |
| SHA1 | 61db9d81694af8ca02839c7bef9421133bfdaa14 |
| SHA256 | bb6a26507581f6074a63689a770670a20ab7c0567b3a6cc76f85c4e35110ce83 |
| SHA512 | c6baaf4be1aa9d39e1ea1711f1f3b9d09560066b33e97f89e67cb1bec7d46f1be6d2b97782d02d8ab67dd07f54cd6af7d7e5699f532f69c2852f681537b06970 |
memory/3168-115-0x0000000072470000-0x000000007262E000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pnras12i.dll
| MD5 | 814809dc3e61b2a8847e0dc9ea7ec67c |
| SHA1 | 6fa4c9b770ea56eb1b10447c70bc9fa5d37cdb3b |
| SHA256 | 362356d815db5202ced7d1ee67ea7c3a453534f8ba25d6abcede8f1ff23fa247 |
| SHA512 | 6fe5683b5bb14bda89290e403e514c05f1075402733c646b91dc4ca312cf76fa0f54ec13d6c9abf6d917343a22ddb49e08421740c71ccadf7dd815d37446f673 |
memory/3168-116-0x0000000006820000-0x0000000006979000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\awebform.resources.dll
| MD5 | 0e77bfad6b92733c3296a04719375901 |
| SHA1 | 982674869e2e76ee10937e946aad828ebea818ff |
| SHA256 | 87810c5d06310b6e61398314300646a0582fad7a99dba8368a06c886a59a38af |
| SHA512 | 391f6558d5b3241b1e1490763c80633b288e0b8a770815116530b352fb81ab7d18784d9103669c903e6b5b501cb8a062517dc599609bb269b86bf16cb8e8e7bf |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avfilter-4.dll
| MD5 | 6451a46bdc225d7f094c4f9ec0629439 |
| SHA1 | 6eba348004e02b93a54cb11186c14d05756ee75c |
| SHA256 | 61f64b06f3087ebd8576c93d49dcce346897939ba7bc5702b994274f52bd5847 |
| SHA512 | 790ce1d6bcbf5f6e0027fe06eebdfcb7941f8f534327db14375b5c3a0fd01f1e975b25653fcf3e23565b20417ac9b7b1de4a936afcb3a485fd488970f7cce76e |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avutil-52.dll
| MD5 | f832d24b70a2f4583c57a5fa9b6f0d68 |
| SHA1 | 092ce5cb6bfe6eadde62c4cfb911eab2474196f8 |
| SHA256 | 67a0f7d47ceff1407b9c4851032346a9b81a75fee6569274f15d092610f04cdc |
| SHA512 | 41048c023871b485718ae219f0d79bbe01a0704f8d2107d68ead2262e3f66737718afbb636b02109d1a2b427aab04dd394ef82d8014298fa3fdee0c61bfab185 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll
| MD5 | 4b68321dff7aeea53b342a2b788a221d |
| SHA1 | 2e48e687530f421e35b7c2aab1775efdb1614517 |
| SHA256 | 812a379fd31ca32bde952118eccf764972310c5ab7a9453569960fe3c6612284 |
| SHA512 | bc39a78b4bbfa90df0f80dec14e7a240411813de9644484661ab634c547833c05e865d61cdea8040af726490ccfdad7b455c4035bc15c45cdc11a897dd80acd3 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Fitness.raw
| MD5 | 752faece444d0009542dcd0ed4574fc9 |
| SHA1 | b997f08ee368b69ce44af13413a7bca06a5958d1 |
| SHA256 | 44eb0d89849ad5a9499aa798e2a1693ce7fdd330b61e81d3c1a8b439b31ab71f |
| SHA512 | dfb2b38edd12c342a858e57f0057dbb84a168f579afb166452599e356a58e9a672e75baece9a46f47d1241859c54abd563a26e6be406c25edd8f48cf308cc24a |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\License.txt
| MD5 | cc5d000307075f7c16eb5cf2c8606c8d |
| SHA1 | 0169dbed302b8a3d142522e6bcb6040609d07232 |
| SHA256 | 66014baaf612e3aa3084b0c9d7fd95041606f6157236ea10e80865e7cee4cab4 |
| SHA512 | d8cc2a3ae2bda1ad7d07f5ca4645c60d67bbb719ea8c42696e749604205b43fbb8630060924a486fee7f8f38984e53ab9c9016eabf8a548f9eec177d5d8b268e |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Readme.txt
| MD5 | 969c656269ca1f8437d76200e7620bcd |
| SHA1 | 80c6b239567b19e358250c8cbda9f100e6b0c28a |
| SHA256 | dad36f230fb9f65767b07006df1f73d04ad55863f17c1d0343771ce6c5e2ccfc |
| SHA512 | 030ba239643d0d2e68283ec428dbf916021b7e3939d2ad7df4ef7101cf581341e50b7900dd6aed32582df8c66539d0d5032106b9e41a95cf2886a25941f15941 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest
| MD5 | ce3ab3bd3ff80fce88dcb0ea3d48a0c9 |
| SHA1 | c6ba2c252c6d102911015d0211f6cab48095931c |
| SHA256 | f7205c5c0a629d0cc60e30e288e339f08616be67b55757d4a403a2b54e23922b |
| SHA512 | 211e247ea82458fd68bcc91a6731e9e3630a9d5901f4be4af6099ad15a90caf2826e14846951fdd7d3b199994fd3ac97ca9e325cf0dfeb9474aea9b0d6339dd3 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest
| MD5 | 6bb5d2aad0ae1b4a82e7ddf7cf58802a |
| SHA1 | 70f7482f5f5c89ce09e26d745c532a9415cd5313 |
| SHA256 | 9e0220511d4ebdb014cc17ecb8319d57e3b0fea09681a80d8084aa8647196582 |
| SHA512 | 3ea373dacfd3816405f6268ac05886a7dc8709752c6d955ef881b482176f0671bcdc900906fc1ebdc22e9d349f6d5a8423d19e9e7c0e6f9f16b334c68137df2b |
memory/3168-128-0x0000000006820000-0x0000000006979000-memory.dmp
memory/3168-129-0x0000000006820000-0x0000000006979000-memory.dmp
memory/3168-127-0x0000000006820000-0x0000000006979000-memory.dmp
\??\Volume{0d06ec8b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{616d4e31-fb7e-4615-a7cf-fbbc1b3a3bc5}_OnDiskSnapshotProp
| MD5 | a7fb043c8da8cc52d38b9b0704a7a62f |
| SHA1 | be5aab1f6ebf7f20f2db0e549157da684caf54e9 |
| SHA256 | 93657c34a91ae384a387b861e8f71093016860077a1d50dd5d12cc9a6f810829 |
| SHA512 | 87b26fe7ce84734ff07b86768a241cee382a5958a1ceb7505f084dd0b9b98eefdf4f9327865f144c34c123694ab818e70a9bed37c5d7022c61d14f7024cf401a |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | a18b354937b09098617208a81acdd3b5 |
| SHA1 | e6f02effbcc7655b9827d9362470948722f979ae |
| SHA256 | 724ecbe7eb40163625c6103b2e7019999f81eb2e16c79815f9d118fd9ec976e8 |
| SHA512 | 8f8afd022ae9ab0003aebfb68941993f04a7a3d0a49ceed232dbda0c7d344fab0e7d5dd6b390a6241a8d5298c9bb02b79773baa375bb9d52ccc757fc2005067a |
memory/3168-133-0x0000000000400000-0x0000000001554000-memory.dmp
memory/3168-137-0x0000000074600000-0x0000000074623000-memory.dmp
memory/3168-140-0x0000000074530000-0x0000000074567000-memory.dmp
memory/3168-136-0x0000000074630000-0x00000000746BB000-memory.dmp
memory/3168-134-0x0000000074850000-0x00000000748BA000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\msvcr100.dll
| MD5 | a7edb3c517001bf2764ceeb898790b51 |
| SHA1 | 2c035fca92779a0c9fa66fb477f6a1d68da5c1c5 |
| SHA256 | 192d8054740220f1eab138233a737a530d9f9cc16c8e82f6623b4160104edef7 |
| SHA512 | b885a437c81e707c2d84638643a470caa0a3a7013532600c42acbb257b1b3cb86d3ea7ed03926d710edf6784cbecbc6df6ebaed8cd740673a05f421310370537 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\msvcr100.dll
| MD5 | 5c07c7a992cdd266346ca4fdd8f7fc8e |
| SHA1 | a9f415e1c0b2b542dfddcf7e26026ef8831244b0 |
| SHA256 | 1484587de04f035d8b16cf783e78c78f4d475530673f577933d2454aa6703222 |
| SHA512 | 23c448b4b6c99d398ef1a35a7da444eea404ccba5dd4ea0afca8a5491090d3fa15abdebc1cef473117ef7235f6085fab6413175f11f3ba75d0d33e7080783854 |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicapi.dll
| MD5 | dcde2248d19c778a41aa165866dd52d0 |
| SHA1 | 7ec84be84fe23f0b0093b647538737e1f19ebb03 |
| SHA256 | 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 |
| SHA512 | c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166 |
memory/3168-166-0x0000000006820000-0x0000000006979000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\nsm.lic
| MD5 | 7067af414215ee4c50bfcd3ea43c84f0 |
| SHA1 | c331d410672477844a4ca87f43a14e643c863af9 |
| SHA256 | 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12 |
| SHA512 | 17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\htctl32.dll
| MD5 | 2d3b207c8a48148296156e5725426c7f |
| SHA1 | ad464eb7cf5c19c8a443ab5b590440b32dbc618f |
| SHA256 | edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 |
| SHA512 | 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c |
memory/3168-168-0x0000000007A70000-0x0000000007A8B000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcichek.dll
| MD5 | a0b9388c5f18e27266a31f8c5765b263 |
| SHA1 | 906f7e94f841d464d4da144f7c858fa2160e36db |
| SHA256 | 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a |
| SHA512 | 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd |
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\pcicl32.dll
| MD5 | 009ee989752f09bf61f943a4a549e877 |
| SHA1 | 9796abc909ac47ca0dee4790c2bc422f86b80675 |
| SHA256 | fd7c6620cafb623aa47b1393ecf0d9805a1f366ab61da027045994ad649c5423 |
| SHA512 | bd2448b400660947be143db8cdbc7bb628f64994d5b097ca8080f65c39c3e89928ca654f00486f152d39d0ca78865790357a01ebda6be545934da4b0bacbdaac |
memory/3168-152-0x0000000006820000-0x0000000006979000-memory.dmp
memory/3168-192-0x00000000035A0000-0x00000000035A1000-memory.dmp
memory/3168-198-0x0000000006820000-0x0000000006979000-memory.dmp
memory/3168-195-0x0000000006820000-0x0000000006979000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPPlayer.exe
| MD5 | 0fd9ff2ae20e9ba60c9632ce1a379e11 |
| SHA1 | d5e3aefdf62fccf557ef9b7c58dafa770e069cdd |
| SHA256 | 9cc081dcdb932ef5f8dfb007039a33444633f71e6b9c18a8599bfa2d4559f27e |
| SHA512 | 5a41eecd7ecaf030ebdbc47e34dc613462cb90a54d43095a9a11cf01d7f5738628df5684084ca464b0c19ddc87c0368a12e31ca785cb4e40c59f1b68e41e3a38 |
memory/3168-202-0x0000000006820000-0x0000000006979000-memory.dmp
memory/3168-209-0x0000000006820000-0x0000000006979000-memory.dmp
memory/4392-216-0x0000000006E70000-0x0000000006E7B000-memory.dmp
memory/4392-218-0x0000000006C80000-0x0000000006C99000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\avformat-55.dll
| MD5 | 08b1007bb0dd53e3250932704ad02ac4 |
| SHA1 | 9ebd00e4feda31179244ed216ab743e7884613d5 |
| SHA256 | 294c0113e10f9411ef07cc79a69c75ac5f6c339c18c1aba5d67beca9c194a925 |
| SHA512 | 8cea6ffa17a481e0751d630a85d74bb139509b262fbdc3b7ffac0b3e662e23abac2d71ea0c38533bb1f8cb4ddfaafbf2ce4cec8d9e056b4dc981f7e5cb3de393 |
memory/4392-221-0x00000000070C0000-0x00000000070DA000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinIcon Maker Free\CPKernel.dll
| MD5 | a7a96e6dedf66a592ab7d43511e91000 |
| SHA1 | 3c0ec5442c846c14bb0bb9aaae8314be3e9c23e8 |
| SHA256 | 5faa5611bf8dc707fdfbe250152d92905b95e03703796b1b327cedb0d5b63bf5 |
| SHA512 | 0443fc35136b0952941c5ec9afce46e68079742c8b84b1239f87b5ac9805438c10473d5d6480f49daa9bb1fff60a7d4947444a21479ec10630308870d3616da5 |
memory/4392-217-0x0000000006C20000-0x0000000006C30000-memory.dmp
memory/4392-225-0x0000000000400000-0x0000000001554000-memory.dmp
memory/4392-226-0x00000000748C0000-0x0000000074BCE000-memory.dmp
memory/4392-227-0x0000000073680000-0x0000000074528000-memory.dmp
memory/4392-229-0x00000000746C0000-0x000000007484E000-memory.dmp
memory/4392-228-0x0000000074850000-0x00000000748BA000-memory.dmp
memory/4392-230-0x0000000074630000-0x00000000746BB000-memory.dmp
memory/4392-231-0x0000000007B10000-0x0000000007C69000-memory.dmp
memory/4392-232-0x0000000074600000-0x0000000074623000-memory.dmp
memory/4392-294-0x0000000003110000-0x0000000003111000-memory.dmp
memory/4392-304-0x0000000072470000-0x000000007262E000-memory.dmp
memory/4392-310-0x0000000008130000-0x00000000081BB000-memory.dmp
memory/4392-311-0x0000000007130000-0x0000000007131000-memory.dmp
memory/4392-313-0x0000000007130000-0x0000000007131000-memory.dmp
memory/4392-314-0x0000000007130000-0x0000000007131000-memory.dmp
memory/4392-316-0x0000000007130000-0x0000000007131000-memory.dmp
memory/4392-329-0x0000000072470000-0x000000007262E000-memory.dmp
memory/4392-330-0x0000000008130000-0x00000000081BB000-memory.dmp
memory/1864-333-0x0000000070A50000-0x0000000071200000-memory.dmp
memory/1864-332-0x0000000002B40000-0x0000000002B76000-memory.dmp
memory/1864-334-0x0000000001220000-0x0000000001230000-memory.dmp
memory/1864-335-0x0000000001220000-0x0000000001230000-memory.dmp
memory/1864-336-0x0000000005520000-0x0000000005B48000-memory.dmp
memory/1864-337-0x0000000005430000-0x0000000005452000-memory.dmp
memory/1864-339-0x0000000005DE0000-0x0000000005E46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bha4a3as.eke.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1864-338-0x0000000005D70000-0x0000000005DD6000-memory.dmp
memory/1864-349-0x0000000006060000-0x00000000063B4000-memory.dmp
memory/1864-350-0x0000000006460000-0x000000000647E000-memory.dmp
memory/1864-351-0x00000000064A0000-0x00000000064EC000-memory.dmp
memory/1864-352-0x0000000001220000-0x0000000001230000-memory.dmp
memory/1864-353-0x000000007F380000-0x000000007F390000-memory.dmp
memory/1864-355-0x000000006D370000-0x000000006D3BC000-memory.dmp
memory/1864-354-0x0000000006A40000-0x0000000006A72000-memory.dmp
memory/1864-365-0x00000000069F0000-0x0000000006A0E000-memory.dmp
memory/1864-366-0x0000000007440000-0x00000000074E3000-memory.dmp
memory/1864-368-0x0000000007770000-0x000000000778A000-memory.dmp
memory/1864-367-0x0000000007DB0000-0x000000000842A000-memory.dmp
memory/1864-369-0x00000000077F0000-0x00000000077FA000-memory.dmp
memory/1864-370-0x00000000079E0000-0x0000000007A76000-memory.dmp
memory/1864-371-0x0000000007970000-0x0000000007981000-memory.dmp
memory/1864-372-0x00000000079A0000-0x00000000079AE000-memory.dmp
memory/1864-373-0x00000000079B0000-0x00000000079C4000-memory.dmp
memory/1864-374-0x0000000007AA0000-0x0000000007ABA000-memory.dmp
memory/1864-375-0x0000000007A90000-0x0000000007A98000-memory.dmp
memory/1864-378-0x0000000070A50000-0x0000000071200000-memory.dmp