Analysis Overview
SHA256: c24ab8395d07ca9e1aeb1f3a108764cbd1a2245bd30c57f4c26a2adbb00206d5
Threat Level: Likely malicious
The file 685e7a0b83cafc668a666d43588bc997_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Stops running service(s)
VMProtect packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Control Panel
Runs net.exe
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-22 19:32
Signatures
VMProtect packed file
Unsigned PE
Analysis: behavioral6
Detonation Overview
Submitted: 2024-05-22 19:31
Reported: 2024-05-22 19:34
Platform: win10v2004-20240226-en
Max time kernel: 141s
Max time network: 157s
Signatures
Stops running service(s)
VMProtect packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ENGLISH_1407a.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ENGLISH_1407a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ENGLISH_1407a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ENGLISH_1407a.exe | "C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ENGLISH_1407a.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete KProcessHacker2 |
| C:\Windows\system32\sc.exe | sc delete KProcessHacker2 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ipconfig /flushdns |
| C:\Windows\system32\ipconfig.exe | ipconfig /flushdns |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8 |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-22 19:31
Reported: 2024-05-22 19:34
Platform: win7-20240508-en
Max time kernel: 119s
Max time network: 120s
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\ITEMS_FILTER.exe | "C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\ITEMS_FILTER.exe" |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-22 19:31
Reported: 2024-05-22 19:34
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 150s
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\ITEMS_FILTER.exe | "C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\ITEMS_FILTER.exe" |
Analysis: behavioral3
Detonation Overview
Submitted: 2024-05-22 19:31
Reported: 2024-05-22 19:34
Platform: win7-20240220-en
Max time kernel: 120s
Max time network: 121s
Signatures
Stops running service(s)
VMProtect packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Appearance\Schemes | C:\Windows\system32\rundll32.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe | "C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete KProcessHacker2 |
| C:\Windows\system32\sc.exe | sc delete KProcessHacker2 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ipconfig /flushdns |
| C:\Windows\system32\ipconfig.exe | ipconfig /flushdns |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop UxSms |
| C:\Windows\system32\net.exe | net stop UxSms |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop UxSms |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc config UxSms start=disabled |
| C:\Windows\system32\sc.exe | sc config UxSms start=disabled |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc config UxSms start=auto |
| C:\Windows\system32\sc.exe | sc config UxSms start=auto |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net start UxSms |
| C:\Windows\system32\net.exe | net start UxSms |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 start UxSms |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\Resources\Themes\aero.theme |
| C:\Windows\system32\rundll32.exe | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme" |
| C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B} |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 159bd6a587f370f16522b2a6f690bcc3 |
| SHA1 | c07d14fc439997e2f65b982c0702a985b36b9cf8 |
| SHA256 | 9193c9b28f4e19c5fbd00340dce578825fbc6ce6ab67b1c9082c0d8f64446993 |
| SHA512 | a1ddc058193d778b3935ef8f158bb06f014de72124d5561a4d7af99e77921bcfe5ffcb24a1375917d5e438e0f2a1dccb96c1bdc2fa5b6aaf75ca5cabe1788e46 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | b65aeb1b3da0b96313cc6e10dde4afe0 |
| SHA1 | 34039989280d6d5a45793deaab79665c79b74b8d |
| SHA256 | 0254d776e25aeb83f195aacc7d477cd37683932586b27fdb7f09836d08296a3c |
| SHA512 | be5c22848ee3491061feaab9c8e708e04e5d34bc0d8b46e816e059e6616c0114cfe5f40aee935f9d5dee546a990efa3bca00bdec03bcc29fedad37d0dbda95ea |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 05471356f0ea1c0f5f5b8deb29c3ebd1 |
| SHA1 | 12b14b737d1e0f76ca2494fb7a6841e5792a0504 |
| SHA256 | cf59479c75a8803468dd2a2c1d2803a2694c41992d5a0b3b65b1c69c28d1eac7 |
| SHA512 | 942285259612792c2b3a45a65483e0775314841e397e815d447fd8f69f63f5de1ac48653a051c0121bd73415655c468772d39ce72bb1ba3d8ae367f78143502b |
Analysis: behavioral4
Detonation Overview
Submitted: 2024-05-22 19:31
Reported: 2024-05-22 19:34
Platform: win10v2004-20240426-en
Max time kernel: 139s
Max time network: 109s
Signatures
Stops running service(s)
VMProtect packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4728 wrote to memory of 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe | C:\Windows\system32\cmd.exe |
| PID 4728 wrote to memory of 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe | C:\Windows\system32\cmd.exe |
| PID 3284 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 3284 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 4728 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe | C:\Windows\system32\cmd.exe |
| PID 4728 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe | C:\Windows\system32\cmd.exe |
| PID 3596 wrote to memory of 548 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\ipconfig.exe |
| PID 3596 wrote to memory of 548 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\ipconfig.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe | "C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ARAB_1407a.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete KProcessHacker2 |
| C:\Windows\system32\sc.exe | sc delete KProcessHacker2 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ipconfig /flushdns |
| C:\Windows\system32\ipconfig.exe | ipconfig /flushdns |
Analysis: behavioral5
Detonation Overview
Submitted: 2024-05-22 19:31
Reported: 2024-05-22 19:34
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 125s
Signatures
Stops running service(s)
VMProtect packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ENGLISH_1407a.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Appearance\Schemes | C:\Windows\system32\rundll32.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ENGLISH_1407a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ENGLISH_1407a.exe | "C:\Users\Admin\AppData\Local\Temp\NIX_GLOBAL_UPDATE_1407_A\NIX_ENGLISH_1407a.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete KProcessHacker2 |
| C:\Windows\system32\sc.exe | sc delete KProcessHacker2 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ipconfig /flushdns |
| C:\Windows\system32\ipconfig.exe | ipconfig /flushdns |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop UxSms |
| C:\Windows\system32\net.exe | net stop UxSms |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop UxSms |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc config UxSms start=disabled |
| C:\Windows\system32\sc.exe | sc config UxSms start=disabled |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc config UxSms start=auto |
| C:\Windows\system32\sc.exe | sc config UxSms start=auto |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net start UxSms |
| C:\Windows\system32\net.exe | net start UxSms |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 start UxSms |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\Resources\Themes\aero.theme |
| C:\Windows\system32\rundll32.exe | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme" |
| C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B} |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 159bd6a587f370f16522b2a6f690bcc3 |
| SHA1 | c07d14fc439997e2f65b982c0702a985b36b9cf8 |
| SHA256 | 9193c9b28f4e19c5fbd00340dce578825fbc6ce6ab67b1c9082c0d8f64446993 |
| SHA512 | a1ddc058193d778b3935ef8f158bb06f014de72124d5561a4d7af99e77921bcfe5ffcb24a1375917d5e438e0f2a1dccb96c1bdc2fa5b6aaf75ca5cabe1788e46 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 7c048eaacd1820ac933dccc0b872fa05 |
| SHA1 | 955999eb7463f7e4031d551e24fbd1e1fb812197 |
| SHA256 | 614d7a9ca519b3aa741a512e95f6f99aedd25e8c1630d30d13dd9735b562b3be |
| SHA512 | 09f35a1a69344e64b13f0a54ecc82cd7dd1ee9124bfc274fcd5fe8af2a07e30bbf0841d9230591cbbe12bc8f066f5f36e1577b82d5d1f3f0eb6b9b5154ce5d4b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | b65aeb1b3da0b96313cc6e10dde4afe0 |
| SHA1 | 34039989280d6d5a45793deaab79665c79b74b8d |
| SHA256 | 0254d776e25aeb83f195aacc7d477cd37683932586b27fdb7f09836d08296a3c |
| SHA512 | be5c22848ee3491061feaab9c8e708e04e5d34bc0d8b46e816e059e6616c0114cfe5f40aee935f9d5dee546a990efa3bca00bdec03bcc29fedad37d0dbda95ea |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 05471356f0ea1c0f5f5b8deb29c3ebd1 |
| SHA1 | 12b14b737d1e0f76ca2494fb7a6841e5792a0504 |
| SHA256 | cf59479c75a8803468dd2a2c1d2803a2694c41992d5a0b3b65b1c69c28d1eac7 |
| SHA512 | 942285259612792c2b3a45a65483e0775314841e397e815d447fd8f69f63f5de1ac48653a051c0121bd73415655c468772d39ce72bb1ba3d8ae367f78143502b |