Analysis Overview
SHA256
44c6d34c298f77d3914d42004275c5cfec9ea44857d0adbd6d3bd4da2dd838ee
Threat Level: Likely malicious
The file macOS Transformation Pack 5.0.zip was found to be: Likely malicious.
Malicious Activity Summary
Creates new service(s)
Possible privilege escalation attempt
Stops running service(s)
Impair Defenses: Safe Mode Boot
Event Triggered Execution: Component Object Model Hijacking
Modifies file permissions
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Uses Volume Shadow Copy service COM API
Modifies registry class
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-01 19:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-01 19:32
Reported
2024-07-01 19:37
Platform
win10v2004-20240611-es
Max time kernel
133s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Created by WindowsXLive.net.url"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-01 19:32
Reported
2024-07-01 19:37
Platform
win10v2004-20240611-es
Max time kernel
144s
Max time network
167s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Official mirror ThemeMyPC.net.url"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5f26240ah4d3eh4a45ha3cchd4980ca66cc6
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| GB | 23.62.195.195:443 | cxcs.microsoft.net | tcp |
| US | 8.8.8.8:53 | 195.195.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-01 19:32
Reported
2024-07-01 19:36
Platform
win10v2004-20240611-es
Max time kernel
67s
Max time network
122s
Command Line
Signatures
Creates new service(s)
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UnsignedThemes | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UnsignedThemes\ = "Service" | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| N/A | N/A | C:\Windows\UXSTYL~2.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| N/A | N/A | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UX Launcher = "C:\\Program Files (x86)\\UX Pack\\uxlaunch.exe" | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{05560347-3a9b-4644-a8ed-8b64cc947189} = "\"C:\\ProgramData\\Package Cache\\{05560347-3a9b-4644-a8ed-8b64cc947189}\\UxStyle_Bundle.exe\" /quiet /uninstall /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\UxStyle_20240701193519.log\" /burn.runonce" | C:\Windows\UXSTYL~2.EXE | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\NoInternetExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\NoInternetExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerFolderDock\Icons\~GLH02bb.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\Res\Template\weatherTemp\Default.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\RocketDock\Icons\~GLH0131.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\Config.ini | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\TrueTransparency\skin\Yosemite\Maximized\~GLH01ba.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerRSS\~GLH02e0.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\YzShadow\~GLH03c3.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\Res\Images\ThemePackage.ico | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\Resources\browseui.dll.res | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\ViFind\resources\orb.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\RocketDock\standalonestack2\images\~GLH0175.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\Res\Strings\~GLH036e.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\Resources\batmeter.dll.res | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerFolderDock\main.xul | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XLaunchpad\Update\~GLH025b.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\Res\Template\weatherTemp\Icon\16.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerWeahter\icons\sun.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\TrueTransparency\skin\Yosemite\Maximized\top.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\~GLH027c.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XLaunchpad\Res\Images\checkbutton.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerFolderDock\Icons\~GLH02ba.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\Res\Template\DragDropTemp\~GLH0382.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\Resources\~GLH00c5.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\RocketDock\License.rtf | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\Res\Template\weatherTemp\~GLH0399.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\VirtuaWin\icons\11.ico | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerRecycle\TRASHO.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\itunes.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerRSS\~GLH02dd.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerWeahter\icons\fog.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\RocketDock\Languages\~GLH0153.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\TrueTransparency\skin\Yosemite\Normal\right.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\DA.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\gdipp\~GLH00e9.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XLaunchpad\Res\Images\~GLH0256.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\TrueTransparency\skin\Yosemite\Normal\~GLH01c5.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\TrueTransparency\skin\YosemiteBlack\Normal\top.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\ViFind\resources\~GLH01fb.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\~GLH028f.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\Resources\pnidui.dll.res | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\gdipp\FreeType\~GLH00ff.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\LeftSider\~GLH010c.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerGallaryView\main2.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerDirverdock\Icons\~GLH02af.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\Res\Lib\foo_xdcplugins.dll | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\Pdvd.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\~GLH0293.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XLaunchpad\Lang\~GLH0246.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\ICOFX.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\Res\Images\weather_icons\~GLH0348.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\Resources\hexpatcher.exe | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XLaunchpad\Res\~GLH0251.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerWeahter\icons\haze.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\src\2.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerFolderDock\Icons\~GLH02b7.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerUptime\Default.png | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\Res\Template\weatherTemp\Icon\~GLH03b7.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\TrueTransparency\lang\~GLH01ac.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerSystem\~GLH02ec.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XLaunchpad\AppData\Backup\~GLH0222.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UX Pack\XLaunchpad\Lang\Korean.txt | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\XWidget\Update\~GLH03bf.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\RocketDock\Icons\~GLH0133.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Program Files (x86)\UX Pack\RocketDock\Languages\~GLH0151.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Media\Lion\~GLH001a.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH0054.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\mojave_dynamic_7.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Fonts\HelveticaNeue-BoldItalic.ttf | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Cursors\El Capitan\Diagonal Resize 2.cur | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH0026.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\Chroma-2.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\Mt. Fuji.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH006f.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Cursors\El Capitan\Working In Background.ani | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Media\Lion\~GLH0017.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\Eagle & Waterfall.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\UXBackup\~GLH000d.TMP | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File created | C:\Windows\UXBackup\~GLH0016.TMP | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH0029.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\Isles.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Fonts\HelveticaNeue-Medium.ttf | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\UXBackup\cmd.exe | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File opened for modification | C:\Windows\UXBackup\~GLH0009.TMP | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File created | C:\Windows\UXBackup\~GLH0010.TMP | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\Abstract-3.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\Desert-2.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\mojave_dynamic_10.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH0071.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\UXBackup\~GLH0000.TMP | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File created | C:\Windows\UXBackup\~GLH0014.TMP | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH003d.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Resources\Themes\~GLH00db.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Cursors\El Capitan\~GLH0012.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\Yosemite 3.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\UXBackup\~GLH0003.TMP | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File opened for modification | C:\Windows\UXBackup\~GLH0010.TMP | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File opened for modification | C:\Windows\UXBackup\~GLH0015.TMP | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\mojave_dynamic_1.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\UXBackup\~GLH0000.TMP | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File created | C:\Windows\UXBackup\~GLH000a.TMP | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File opened for modification | C:\Windows\UxStyle_Core_Jul13_x86.msi | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Cursors\El Capitan\~GLH0013.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH0038.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\Flower-2.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH0051.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\UXBackup\imagesp1.dll | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\Abstract.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH002f.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH004b.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH0070.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Fonts\~GLH00e0.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Media\Lion\chime.wav | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH0022.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH0039.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\mojave_dynamic_13.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\Brushes.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\Mountain Range.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\UXBackup\batmeter.dll | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\Earth and Moon.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\El Capitan 2.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH005b.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Yosemite\mojave_dynamic_2.jpg | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH0063.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\UXBackup\~GLH0011.TMP | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File opened for modification | C:\Windows\UXBackup\taskmgr.exe | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
| File opened for modification | C:\Windows\Cursors\El Capitan\Vertical Resize.cur | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH0033.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Yosemite\~GLH0077.TMP | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\Resources\\Themes\\Aero\\Aero.msstyles" | C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\DriveMask = "255" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32\ = "C:\\Program Files (x86)\\UX Pack\\OldNewExplorer\\OldNewExplorer64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\DriveMask = "255" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32\ = "C:\\Program Files (x86)\\UX Pack\\OldNewExplorer\\OldNewExplorer32.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~2\UXPACK~1\uxworker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe
"C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c takeown.exe /f "C:\Windows\Resources\Themes" /r /d y
C:\Windows\system32\takeown.exe
takeown.exe /f "C:\Windows\Resources\Themes" /r /d y
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant Administrators:(OI)(CI)F
C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Administrators:(OI)(CI)F
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant Administrators:F /T
C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Administrators:F /T
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant Administrator:(OI)(CI)F
C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Administrator:(OI)(CI)F
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant Administrator:F /T
C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Administrator:F /T
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant Admin:(OI)(CI)F
C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Admin:(OI)(CI)F
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant Admin:F /T
C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Admin:F /T
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant %USERNAME%:(OI)(CI)F
C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Admin:(OI)(CI)F
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant %USERNAME%:F /T
C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Admin:F /T
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "uxlaunch.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "RocketDock.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "StandaloneStack2.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "TrueTransparency.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "TrueTransparencyx64.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "TRUETR~1.EXE"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "TRUETR~2.EXE"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "VirtuaWin.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "WinList.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "leftsider.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "leftsider64.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "XLaunchPad.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "xwidget.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "YzShadow.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "ViFind.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "TaskBarHider.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "WinaeroGlass.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "explorer.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /x{8E363055-15E5-4D8A-9C69-A0A9DE9A3337} /quiet
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\UXSTYL~2.EXE
"C:\Windows\UXSTYL~2.EXE" /uninstall /passive /quiet
C:\Windows\UXSTYL~2.EXE
"C:\Windows\UXSTYL~2.EXE" /uninstall /passive /quiet -burn.unelevated BurnPipe.{31E6B239-0F89-474F-8E55-B6353444DC55} {7394EE84-895B-4A6E-B09B-E9F0D5757102} 3592
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" delete uxstyle
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" delete uxpatch
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" delete unsignedthemes
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\Fonts\HelveticaNeue-Light.ttf" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\Fonts\HelveticaNeue-LightItalic.ttf" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\Fonts\HelveticaNeue-Medium.ttf" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\Fonts\HelveticaNeue-UltraLight.ttf" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\Fonts\HelveticaNeue-UltraLightItalic.ttf" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\UX Pack\OldNewExplorer\OldNewExplorer32.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\UX Pack\OldNewExplorer\OldNewExplorer64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\UX Pack\OldNewExplorer\OldNewExplorer64.dll"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\basebrd.dll" "C:\Windows\Branding\Basebrd\basebrd.dll"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\ieframe.dll" "C:\Windows\system32\ieframe.dll"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\iexplore.exe" "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\shellbrd.dll" "C:\Windows\Branding\Shellbrd\shellbrd.dll"
C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\UX Pack" /r /d y
C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\UX Pack" /grant %USERNAME%:(OI)(CI)F
C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\UX Pack" /grant %USERNAME%:F /T
C:\PROGRA~2\UXPACK~1\uxworker.exe
"C:\PROGRA~2\UXPACK~1\uxworker.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "wmplayer.exe", "wmplayer.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\wmplayer.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\wmplayer.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\wmplayer.exe.uxp" "C:\Program Files (x86)\windows media player\wmplayer.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "regedit.exe", "regedit.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\regedit.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\regedit.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\regedit.exe.uxp" "C:\Windows\regedit.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "batmeter.dll", "batmeter.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\batmeter.dll.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\batmeter.dll.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\batmeter.dll.uxp" "C:\Windows\system32\batmeter.dll"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "calc.exe", "calc.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\calc.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\calc.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\calc.exe.uxp" "C:\Windows\system32\calc.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "charmap.exe", "charmap.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\charmap.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\charmap.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\charmap.exe.uxp" "C:\Windows\system32\charmap.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "cmd.exe", "cmd.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\cmd.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\cmd.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\cmd.exe.uxp" "C:\Windows\system32\cmd.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "control.exe", "control.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\control.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\control.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\control.exe.uxp" "C:\Windows\system32\control.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "defrag.exe", "defrag.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\defrag.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\defrag.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\defrag.exe.uxp" "C:\Windows\system32\defrag.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "dpiscaling.exe", "dpiscaling.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\dpiscaling.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\dpiscaling.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\dpiscaling.exe.uxp" "C:\Windows\system32\dpiscaling.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "fsquirt.exe", "fsquirt.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\fsquirt.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\fsquirt.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\fsquirt.exe.uxp" "C:\Windows\system32\fsquirt.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "imageres.dll", "imageres.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\imageres.dll.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\imageres.dll.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\imageres.dll.uxp" "C:\Windows\system32\imageres.dll"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "imagesp1.dll", "imagesp1.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\imagesp1.dll.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\imagesp1.dll.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\imagesp1.dll.uxp" "C:\Windows\system32\imagesp1.dll"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "msconfig.exe", "msconfig.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\msconfig.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\msconfig.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\msconfig.exe.uxp" "C:\Windows\system32\msconfig.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "mspaint.exe", "mspaint.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\mspaint.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\mspaint.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\mspaint.exe.uxp" "C:\Windows\system32\mspaint.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "mydocs.dll", "mydocs.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\mydocs.dll.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\mydocs.dll.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\mydocs.dll.uxp" "C:\Windows\system32\mydocs.dll"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "netshell.dll", "netshell.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\netshell.dll.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\netshell.dll.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\netshell.dll.uxp" "C:\Windows\system32\netshell.dll"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "notepad.exe", "notepad.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\notepad.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\notepad.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\notepad.exe.uxp" "C:\Windows\system32\notepad.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "pnidui.dll", "pnidui.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\pnidui.dll.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\pnidui.dll.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\pnidui.dll.uxp" "C:\Windows\system32\pnidui.dll"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "rstrui.exe", "rstrui.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\rstrui.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\rstrui.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\rstrui.exe.uxp" "C:\Windows\system32\rstrui.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "sndvolsso.dll", "sndvolsso.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\sndvolsso.dll.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\sndvolsso.dll.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\sndvolsso.dll.uxp" "C:\Windows\system32\sndvolsso.dll"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "snippingtool.exe", "snippingtool.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\snippingtool.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\snippingtool.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\snippingtool.exe.uxp" "C:\Windows\system32\snippingtool.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "stobject.dll", "stobject.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\stobject.dll.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\stobject.dll.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\stobject.dll.uxp" "C:\Windows\system32\stobject.dll"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "taskmgr.exe", "taskmgr.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\taskmgr.exe.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\taskmgr.exe.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\taskmgr.exe.uxp" "C:\Windows\system32\taskmgr.exe"
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "twinui.dll", "twinui.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\twinui.dll.res",,,
C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\twinui.dll.uxp"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\twinui.dll.uxp" "C:\Windows\system32\twinui.dll"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\IconCache.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
C:\PROGRA~2\UXPACK~1\uxlaunch.exe
"C:\PROGRA~2\UXPACK~1\uxlaunch.exe"
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create gdipp_svc_32 binPath="C:\Program Files (x86)\UX Pack\gdipp\gdipp_svc_32.exe" start=auto DisplayName="gdipp Service (32-bit)"
C:\Program Files (x86)\UX Pack\gdipp\gdipp_svc_32.exe
"C:\Program Files (x86)\UX Pack\gdipp\gdipp_svc_32.exe"
C:\Program Files (x86)\UX Pack\gdipp\gdipp_hook_32.exe
"C:\Program Files (x86)\UX Pack\gdipp\gdipp_hook_32.exe"
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create gdipp_svc_64 binPath="C:\Program Files (x86)\UX Pack\gdipp\gdipp_svc_64.exe" start=auto DisplayName="gdipp Service (64-bit)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\UX Pack\gdipp\gdipp_svc_64.exe
"C:\Program Files (x86)\UX Pack\gdipp\gdipp_svc_64.exe"
C:\Program Files (x86)\UX Pack\gdipp\gdipp_hook_64.exe
"C:\Program Files (x86)\UX Pack\gdipp\gdipp_hook_64.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" themecpl.dll,OpenThemeAction C:\Windows\Resources\Themes\macOS.theme
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1684 -s 4588
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x4a0
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3868855 /state1:0x41c64e6d
Network
Files