885aba75eddb447464874fbeeeb0c456b218ab3fceef279697b32e07372c2a75

Analysis

max time kernel
330s
max time network
335s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SkinChanger.exe
Size

86.8MB
MD5

2f7f672c15bd26e2c73831848cc6436f
SHA1

d57fe68cfad3eae75095dab49d019886dd954e2a
SHA256

ec4d84990bb0d163d45ee842a7cbed806ea7b67552895a25a62d614cabfdda72
SHA512

f8ce0889774e8ac02c4003f1f75748f1d143f0a3c07ff73ccd96bf2bd00f61b03d705090b8e4c21198a8aa1a1c3095a16b173edb081ce4697f975bc361e3c0b7
SSDEEP

1572864:on0YI2VqaYBiMFacAtjsmjLASovu3NI/q17EATkPZOQNe6xiQyB+w75m:v92kaYBlFaz1w7G3O/pPPAQNe6xiQyho

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkinChanger = "C:\\Users\\Admin\\AppData\\Roaming\\SkinChanger\\SkinChanger.exe"	SkinChanger.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	SkinChanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	SkinChanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	SkinChanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	SkinChanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	SkinChanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	SkinChanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	SkinChanger.exe

Executes dropped EXE 11 IoCs

pid	Process
1440	SkinChanger.exe
4004	SkinChanger.exe
5040	SkinChanger.exe
4372	SkinChanger.exe
5104	SkinChanger.exe
1820	SkinChanger.exe
1052	SkinChanger.exe
244	SkinChanger.exe
4676	SkinChanger.exe
3100	SkinChanger.exe
2752	SkinChanger.exe

Loads dropped DLL 20 IoCs

pid	Process
1440	SkinChanger.exe
4004	SkinChanger.exe
4004	SkinChanger.exe
4004	SkinChanger.exe
4004	SkinChanger.exe
5040	SkinChanger.exe
4004	SkinChanger.exe
4372	SkinChanger.exe
5104	SkinChanger.exe
1820	SkinChanger.exe
1052	SkinChanger.exe
244	SkinChanger.exe
1052	SkinChanger.exe
1052	SkinChanger.exe
1052	SkinChanger.exe
4676	SkinChanger.exe
1052	SkinChanger.exe
3100	SkinChanger.exe
2752	SkinChanger.exe
2752	SkinChanger.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SkinChanger.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	SkinChanger.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	SkinChanger.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	SkinChanger.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	SkinChanger.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	SkinChanger.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	SkinChanger.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2752	SkinChanger.exe
2752	SkinChanger.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe
Token: SeShutdownPrivilege	1440	SkinChanger.exe
Token: SeCreatePagefilePrivilege	1440	SkinChanger.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1440	1936	SkinChanger.exe	103
PID 1936 wrote to memory of 1440	1936	SkinChanger.exe	103
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 4004	1440	SkinChanger.exe	104
PID 1440 wrote to memory of 5040	1440	SkinChanger.exe	105
PID 1440 wrote to memory of 5040	1440	SkinChanger.exe	105
PID 1440 wrote to memory of 4372	1440	SkinChanger.exe	106
PID 1440 wrote to memory of 4372	1440	SkinChanger.exe	106
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107
PID 1440 wrote to memory of 5104	1440	SkinChanger.exe	107

C:\Users\Admin\AppData\Local\Temp\SkinChanger.exe
"C:\Users\Admin\AppData\Local\Temp\SkinChanger.exe"
1⤵
- Adds Run key to start application
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe
  "C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe
    "C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1656,i,3807088429901268468,321617264196089293,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4004
- - C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe
    "C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c" --mojo-platform-channel-handle=2020 --field-trial-handle=1656,i,3807088429901268468,321617264196089293,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5040
- - C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe
    "C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c" --app-user-model-id=skinchanger-nativefier-30486c --app-path="C:\Users\Admin\AppData\Roaming\SkinChanger\resources\app" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2272 --field-trial-handle=1656,i,3807088429901268468,321617264196089293,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4372
- - C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe
    "C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c" --app-user-model-id=skinchanger-nativefier-30486c --app-path="C:\Users\Admin\AppData\Roaming\SkinChanger\resources\app" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1656,i,3807088429901268468,321617264196089293,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
1⤵
PID:2668

C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe
"C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1820
- C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe
  "C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1492 --field-trial-handle=1752,i,7513707298527960767,5211623728624297556,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1052
- C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe
  "C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c" --mojo-platform-channel-handle=2060 --field-trial-handle=1752,i,7513707298527960767,5211623728624297556,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:244
- C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe
  "C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c" --app-user-model-id=skinchanger-nativefier-30486c --app-path="C:\Users\Admin\AppData\Roaming\SkinChanger\resources\app" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2288 --field-trial-handle=1752,i,7513707298527960767,5211623728624297556,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4676
- C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe
  "C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c" --app-user-model-id=skinchanger-nativefier-30486c --app-path="C:\Users\Admin\AppData\Roaming\SkinChanger\resources\app" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1752,i,7513707298527960767,5211623728624297556,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3100
- C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe
  "C:\Users\Admin\AppData\Roaming\SkinChanger\SkinChanger.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=936 --field-trial-handle=1752,i,7513707298527960767,5211623728624297556,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\D3DCompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\chrome_100_percent.pak

Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\chrome_200_percent.pak

Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\ffmpeg.dll

Filesize
2.7MB

MD5
b41b5ca7e8cdf2669494ae42bf476eca

SHA1
47fe1078383d1f42b62b96bc2aa73e2dd529c3c4

SHA256
308d47179729e3e06f5153c26621bb67af12fca73a37123987176df5fe9be218

SHA512
98d6822f6a7be5c9b86b6d63140f5e1b653021bf666a8611a18c37202f77947676d8c5c59022d99721423d3799375210b46f25c795e62dc1b258fffcfb3f9d2a

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\icudtl.dat

Filesize
9.9MB

MD5
c6ae43f9d596f3dd0d86fb3e62a5b5de

SHA1
198b3b4abc0f128398d25c66455c531a7af34a6d

SHA256
00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee

SHA512
3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\libEGL.dll

Filesize
460KB

MD5
961c060f241a7ae22e962c82d7803ef1

SHA1
0060b167e55db981c1588ca2074b8ca38b9a8153

SHA256
c8e8007d746df73edbf73cdff18c09bb756f43814978c84a28a72f95d0ac5dc9

SHA512
79539e0d0036124b59f94c6fec0c596e64c41626b9994ff7457f2f6b26e8f2648f93f63f6422c444eb3c8b803079f6ef1f52191980ea88de9d25c40b30547599

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\libGLESv2.dll

Filesize
6.8MB

MD5
18d62249e5bd4fa1f66c95a9ee9eb275

SHA1
4ea5d8344a8fc09ed2bda4d3034c3c8410c85e91

SHA256
3299de173b3e5ce2f69476b77d96f6a758b2ccfdf3ad811902e5cd511c6888ff

SHA512
fa29557836e56f981249ee8500a8271a7795cbe2a4afb6abbbd57e4aa26c6b731d151258f093643bbfa18cd9adf706a9e4d532481c62d713b7f1a1045301dc07

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\locales\en-US.pak

Filesize
115KB

MD5
f982582f05ea5adf95d9258aa99c2aa5

SHA1
2f3168b09d812c6b9b6defc54390b7a833009abf

SHA256
4221cf9bae4ebea0edc1b0872c24ec708492d4fe13f051d1f806a77fe84ca94d

SHA512
75636f4d6aa1bcf0a573a061a55077106fbde059e293d095557cddfe73522aa5f55fe55a48158bf2cfc74e9edb74cae776369a8ac9123dc6f1f6afa805d0cc78

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\resources.pak

Filesize
4.9MB

MD5
c7b17b0c9e6e6aad4ffd1d61c9200123

SHA1
63a46fc028304de3920252c0dab5aa0a8095ed7d

SHA256
574c67ecd1d07f863343c2ea2854b2d9b2def23f04ba97b67938e72c67799f66

SHA512
96d72485598a6f104e148a8384739939bf4b65054ddde015dd075d357bcc156130690e70f5f50ec915c22df3d0383b0f2fbac73f5de629d5ff8dab5a7533d12b

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\resources\app\icon.ico

Filesize
16KB

MD5
0e81be39beb41921a74dcd3b42e8a68c

SHA1
8c447e0a18b1f6a3b69729410406dd70153fdaa8

SHA256
96ad2162b507b443dea26e16e73e035a642484b8089d9fbec43b6c29464fb18b

SHA512
0fa4e1c82b6aad9e6b3796c64ef27b6349b35e067f2dbec90d13dbe38bea5154df819f097e1a20564b039796cd7be1fceefdab2d272d7d5214f5c88c4787e841

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\resources\app\lib\main.js

Filesize
495KB

MD5
d1bbee38f184cd44322a0bbae13d6b7d

SHA1
900c2362ed581436a7e0b5210ae1cc2fba769ca0

SHA256
3bc4df185354269c757e4c31414ded23866a6e5bb880b07e2ba22e1314281863

SHA512
6ca51132ff3e88c97005c626d913d263a9ed383e64803f66a980ce57e92e3bba16b3008b87480818476cde5979efea6bc2c1edb1472517a93d26d1bccb75d0a2

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\resources\app\lib\preload.js

Filesize
4KB

MD5
fa55c68c5f0b5a560604becb9df601fe

SHA1
0eeb7a10a9574238d6360ab895c78ddfdbca61ed

SHA256
317ea36e9119cd2024689687aaf927287213b5ec2909bb98c1ae87a01b49106e

SHA512
709da44b05879e4c1e8121e8c818e364bd6167d873529274d9ed63ea1b25a1ff4e9f501f11668a01677f9f610950a44b9fcbef99356d4c3cd9db51619d2dd9bd

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\resources\app\nativefier.json

Filesize
947B

MD5
594b84d374832be68c2e76d5615d18f1

SHA1
e4c3c13b3f1df2226d5e79d4e55a19161d089876

SHA256
903606674887f6fbef5dac3f908233eaad13e2e3e4ba2574a77aeef421bd0111

SHA512
c2054843458aa0940c9294d7533cc8a624ce6363d0ba3f41980f92a9a6b520e0ac688221ba5d15c84785ecf6a6713850e0d1a273e20c5625423fd34f9300b5a0

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\resources\app\package.json

Filesize
598B

MD5
a4dcd7f05c94b9e51c2e9a65b9eb5f99

SHA1
cdf6930eecbf44ac420c69d8deb4209e5225615f

SHA256
8981240c01b0e66d805442ba2b81ff1b7475d0d8eb006a87462ff4f6deb77217

SHA512
96bf53df9e37dc0bd470351de11568470461a5fbb7a5337b4d9b77bad1227216b85225776b4f07a0263bff15a763f5fda48fa410dee40bdd4444377603e08943

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\v8_context_snapshot.bin

Filesize
713KB

MD5
1270ddd6641f34d158ea05531a319ec9

SHA1
7d688b21acadb252ad8f175f64f5a3e44b483b0b

SHA256
47a8d799b55ba4c7a55498e0876521ad11cc2fa349665b11c715334a77f72b29

SHA512
710c18ef4e21aa6f666fa4f8d123b388c751e061b2197dae0332091fbef5bd216400c0f3bca8622f89e88733f23c66571a431eb3330dba87de1fc16979589e97

Download Submit
C:\Users\Admin\AppData\Roaming\SkinChanger\vk_swiftshader.dll

Filesize
4.5MB

MD5
fcec6c6fbc34cfd9a449af66364da381

SHA1
f6016b721dec138d75e9d542f3e2210a673ad52b

SHA256
738fe97f7fbafa6524f11cf0cf0999ca3aef752bed44e1179d589aae92937ed2

SHA512
26527975979e58870c3c365b9ab432b4b3af88ed606673971fba009489db4482a5ace0e122b8cf67de075c37174c7c423ee8e219cfb4c9a331be66bb8af9edf9

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Cache\Cache_Data\data_0

Filesize
44KB

MD5
d7e25e406ef22656c5b47d1ed8e943f6

SHA1
de1480aa8e8ea69d486cc3e46d3ab3c2c629f439

SHA256
e44e48cc46c39c0c918d893f8421975eab236201e80cae3914e8ecc691c8e7c7

SHA512
76764f332d2b744b871019b7485f1b0652ed6ad4e59f15d110c0f051a2a35f419797d2c12fe5348d9b9cfda6082053f1bfce40a5abbdc3ef88b63d30ff58fdee

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Cache\Cache_Data\data_1

Filesize
264KB

MD5
2e051f21fb14c86ae32451b6b62a7dd8

SHA1
12580cb5782834d0060d8261fc272a2ca370652f

SHA256
f463343ccfd893d10cd8cfb6b9e8e700718418f39f70ec49d24127de040bfd85

SHA512
25ff9fe0ecca36fd626764f2df87951dd549a7f4cf066737f1e6b38ce1a27a44bf70226eb29becd6ac16e47b8c6ae0560cf297c6775e980624bf0b6aa3250a16

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
f5645d190c623dd4d18be3d4cac2dc31

SHA1
3011e3bf6c9857894b55d9b00b670de4137ca3ad

SHA256
9b9ebdf0135ac2a7816b5c16c085922b36a2012f9edabbb5316dde4f83f42fab

SHA512
c17c1818ba23e3ff4b392a43114f98b1b086fff851be1a2c8e44bac35d5d331972a224aed1a2832176899536035e1bc3405548798c8584f66f19c2e89402f0b4

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Cache\Cache_Data\index

Filesize
256KB

MD5
d0a1406b44b77409ff6d6924322c46de

SHA1
f62b9470e74b9d69a7610271022dcbe0ac1e5f68

SHA256
1aee815cfa9a9ea56b925ed938ba533a26bf94dd9e413ada7f026a4e7acc523a

SHA512
fa911f326a6482abfa7731743a2e8e76753b9de0e7b4547ed2bff6e0c91fc446d5577f7bcf5418743db45eb23afb35d2e9edecbd3597bce1cd131c0238aa409f

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
701daa9dfa6ec38b55161d34968c4b9f

SHA1
e9c5b1940229563bee92880b4badd6bba471c6d8

SHA256
d5c2cc7b536d093f2e725a6ef0914e0e460bd31c5265037317d644665a35a737

SHA512
10e30c7fc37273264942b70ed2a995e1e98c43bcdf81f9be0600c515c7df25efbf83a2599430fcf4694fe5846fb046bd14c2dcb43faffda78b15a9de301ca849

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\GPUCache\data_1

Filesize
264KB

MD5
d2843d0039a5943f96b30d4c3c907c69

SHA1
a0306ab982b25fe7ca825ccb86ccd1bf4da4c9e7

SHA256
744f71973a92374a66a5b9969b9ba53bc70e3ecea065ede7251030675dab4f64

SHA512
967af82d5feda4733e7905e6c67e44c82704c2dcac263ec9b5a0a194fb3b59382e0aa99b79ee8ff5ec385422020a95d0fb3df2841c6c8135a5a4fc7b2e516b2a

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\GPUCache\index

Filesize
256KB

MD5
5645d342a796ea90c8da32385c8ef32c

SHA1
ad5c22764775ac36ce4fa0c92824d519c2f4c341

SHA256
e8edfae75ade93b0bb8e7cf7c670dec1cd7b46009e9e60eea9744a0b5bac639f

SHA512
7ad0acc3d0f461e209eb0d12a956b043f7513e8ccd2a5b6fcbf9807235d1d39c823f7e86f29f286084ab33ed8b3978899ce0665babc6c960877b945878889769

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Local State

Filesize
389B

MD5
fcc0a37571887dd1684800809c54c840

SHA1
5548c3ab702f837cd61669664093cacf99a02997

SHA256
03c4d53954e28044603d75bfda5e4cd7e1fb433e0085d72b9749f952f3eeec88

SHA512
044bd1a6f659096a005c1dce2c815aee2ef1ec3a9bce3608a9cddf83cb96c226b88deafb6b9ca1a42589501fbd2b605461054b6e60f4e8ba2e8c9a5d8e863b81

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Local Storage\leveldb\LOG

Filesize
291B

MD5
743f8b6d8e5fbd9d35f0b30cb40cc240

SHA1
aec7725e28781eaf77574ab38aac5e59c7ddb625

SHA256
c42241e55d3eda69d06e1ac57cac082cd202421aa39c1ca6e2af410ee50400f2

SHA512
3d9f0eedd7488146fd59d2e45f3fdf3fa80e5d3afd83540793fac05cfec9e744b3e5b63cc320c1c9ad009af8ea05291feb7a0da7db3144272dd1498cb29c80d3

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Network\Cookies

Filesize
20KB

MD5
cd6055dd5ee444d194a74777a1cf86a5

SHA1
c2047d14d4d6dc558603cf0a3cad75607078fd00

SHA256
f4a7d8e1f299f7464dea05178d5e8d9206d975f079d191a3a28afb5b2653eb74

SHA512
7fdd555bdcee5832c373b25bab8ac82bfa7aef2f1666196acb0effebf12f8a29b70f01dc9d36c9c735cbadf990dc71b83b2a593923e53f1efc842798321b5f24

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Network\Network Persistent State

Filesize
296B

MD5
beff5f34efcd9382eed601364051a4ce

SHA1
6eb34aff86f6a383470ce6c288f3db0ce0d2856a

SHA256
9cc452759082225a0c48825793710b00036a5e7e5d056a07b828d621aa7ae517

SHA512
e89fc6a3b4b9311272276776f35bad88d01a6dbfdf87a896a9938f2b41732cf3cae10c26de1ff527fae07f7085d97314855a29c8f9de7705f2e8e97fad3aafef

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Network\Network Persistent State

Filesize
388B

MD5
1404e4d97d6725d21dface21f83a731a

SHA1
55f07c5e27dde29ad75ac36113499a2ba07d5a3a

SHA256
201fb5dc466d330f31b2adceb2362d3f9c743e77a861d73d2c7f02369bc5f48a

SHA512
23da17dec0bb2a7cc275c5db7941ee4d2d70b5224963ff02738f5bfc4e89418aef58ecd08616057732be0997e8152e37d79ba0c12a72ec090cd71b206896efe5

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Network\Network Persistent State~RFe599224.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Network\TransportSecurity

Filesize
203B

MD5
2709934eb134eb0b921d4d8026be4910

SHA1
9b1fe963a6066c05cd4924a452b33b754242e0e0

SHA256
246c38eca3273f1d670c24e384ba71337b61fe5f8bf82c9d4c6c47f0de522679

SHA512
5455f8c7b435d6e8bebef9952168e569646cd53498a3300ab104fc048a59db4e96640e760b30882922c0cffa83142cb22b3b94b8ea39bc46969b947b4dc2285e

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Network\TransportSecurity

Filesize
203B

MD5
73355d89edce89f34c6936d703fa947f

SHA1
2b52ee1189d8f0c3fa9fe456596b28a09ac66d77

SHA256
eae17758b75a3100d6f04f564a5e4b2e25aa418d32e558eabc5346ea6bd06059

SHA512
69ce2b062e571abe4994e871dcc9981613d3b59148bcc71ae3264d82c85e848cc33d7e103a6fc42ba92725a41d54327fc795597e1849eb13ce6b65ab2223e1a8

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Preferences

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\skinchanger-nativefier-30486c\window-state.json

Filesize
137B

MD5
802c0e6d211918eb778230fa5e0c3605

SHA1
60d1373594259cb5d88b9e629db128a9a4ab227b

SHA256
7970be9507cd0aa9ef53f39fd63580f2d11a0234a695ad18c6a499ab69eb2eda

SHA512
7c6340e59d479c2cd7b8e6fe57448195dc4e0b1c3888015ffb066562b3d52764a9989a96ad952d2161ee1cf7688df29697ae35bee7341e742917b151b9d9287a

Download Submit
memory/1936-10-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1936-0-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1936-204-0x0000000000450000-0x000000000072F000-memory.dmp

Filesize
2.9MB

Download
memory/1936-184-0x0000000000450000-0x000000000072F000-memory.dmp

Filesize
2.9MB

Download
memory/1936-9-0x0000000000450000-0x000000000072F000-memory.dmp

Filesize
2.9MB

Download
memory/2752-444-0x000002CAE4190000-0x000002CAE4191000-memory.dmp

Filesize
4KB

Download
memory/2752-451-0x000002CAE4190000-0x000002CAE4191000-memory.dmp

Filesize
4KB

Download
memory/2752-452-0x000002CAE4190000-0x000002CAE4191000-memory.dmp

Filesize
4KB

Download
memory/2752-453-0x000002CAE4190000-0x000002CAE4191000-memory.dmp

Filesize
4KB

Download
memory/2752-454-0x000002CAE4190000-0x000002CAE4191000-memory.dmp

Filesize
4KB

Download
memory/2752-455-0x000002CAE4190000-0x000002CAE4191000-memory.dmp

Filesize
4KB

Download
memory/2752-456-0x000002CAE4190000-0x000002CAE4191000-memory.dmp

Filesize
4KB

Download
memory/2752-446-0x000002CAE4190000-0x000002CAE4191000-memory.dmp

Filesize
4KB

Download
memory/2752-445-0x000002CAE4190000-0x000002CAE4191000-memory.dmp

Filesize
4KB

Download
memory/2752-450-0x000002CAE4190000-0x000002CAE4191000-memory.dmp

Filesize
4KB

Download
memory/3100-432-0x000001B8C5290000-0x000001B8C533C000-memory.dmp

Filesize
688KB

Download
memory/3100-428-0x000001B8C5290000-0x000001B8C533C000-memory.dmp

Filesize
688KB

Download
memory/4004-216-0x00007FFDDBB50000-0x00007FFDDBB51000-memory.dmp

Filesize
4KB

Download
memory/5104-289-0x00007FFDDB7C0000-0x00007FFDDB7C1000-memory.dmp

Filesize
4KB

Download
memory/5104-288-0x00007FFDDB8A0000-0x00007FFDDB8A1000-memory.dmp

Filesize
4KB

Download
memory/5104-297-0x000002BFAA500000-0x000002BFAA5AC000-memory.dmp

Filesize
688KB

Download
memory/5104-303-0x000002BFAA500000-0x000002BFAA5AC000-memory.dmp

Filesize
688KB

Download