Malware Analysis Report

2024-12-07 14:52

Sample ID 241009-d1b4cavbjb
Target 29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118
SHA256 8d03960cb9aa16abcff1f99970a14ab762c4ceeb8094761e1fe84e444039cc6d
Tags
discovery upx aspackv2 ransomware exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral11, behavioral25, behavioral3, behavioral4, behavioral18, behavioral23, behavioral9, behavioral10, behavioral16, behavioral21, behavioral28, behavioral30, behavioral8, behavioral12, behavioral24, behavioral15, behavioral20, behavioral6, behavioral7, behavioral19, behavioral22, behavioral29, behavioral32, behavioral5, behavioral31, behavioral2, behavioral14, behavioral17, behavioral26, behavioral27, behavioral1, behavioral13 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
8/10

SHA256

8d03960cb9aa16abcff1f99970a14ab762c4ceeb8094761e1fe84e444039cc6d

Threat Level: Likely malicious

The file 29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery upx aspackv2 ransomware exploit

Possible privilege escalation attempt

ASPack v2.12-2.42

Modifies file permissions

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks installed software on the system

Drops file in System32 directory

Sets desktop wallpaper using registry

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 03:28

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
(7 entries, all fields N/A)

Unsigned PE

Description Indicator Process Target
(45 entries, all fields N/A)

NSIS installer

installer
Description Indicator Process Target
(6 entries, all fields N/A)

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 224

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:05

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3508 wrote to memory of 2040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3508 wrote to memory of 2040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3508 wrote to memory of 2040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 3300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 3300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 3300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 640

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:05

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Jelly Bean Skin Pack\$PROGRAMFILES\Jelly Bean Skin Pack\uninst.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Jelly Bean Skin Pack\$PROGRAMFILES\Jelly Bean Skin Pack\uninst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Jelly Bean Skin Pack\$PROGRAMFILES\Jelly Bean Skin Pack\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Jelly Bean Skin Pack\$PROGRAMFILES\Jelly Bean Skin Pack\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Jelly Bean Skin Pack\$PROGRAMFILES\Jelly Bean Skin Pack\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

\Users\Admin\AppData\Local\Temp\nstFF57.tmp\registry.dll

C:\Users\Admin\AppData\Local\Temp\nstFF57.tmp\nsExec.dll

\Users\Admin\AppData\Local\Temp\nstFF57.tmp\nsDialogs.dll

\Users\Admin\AppData\Local\Temp\nstFF57.tmp\System.dll

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:06

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:05

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4548 wrote to memory of 4552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4548 wrote to memory of 4552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4548 wrote to memory of 4552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4552 -ip 4552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:05

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 4404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4980 wrote to memory of 4404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4980 wrote to memory of 4404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:07

Platform

win7-20240903-en

Max time kernel

14s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\xml.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\xml.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\xml.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 224

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 3960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1404 wrote to memory of 3960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1404 wrote to memory of 3960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 4524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 4524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 4524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4524 -ip 4524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:05

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\JpgToBmp.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\JpgToBmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\JpgToBmp.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\JpgToBmp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:05

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:06

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Jelly Bean Skin Pack\$PROGRAMFILES\Jelly Bean Skin Pack\uninst.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Jelly Bean Skin Pack\$PROGRAMFILES\Jelly Bean Skin Pack\uninst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Jelly Bean Skin Pack\$PROGRAMFILES\Jelly Bean Skin Pack\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Jelly Bean Skin Pack\$PROGRAMFILES\Jelly Bean Skin Pack\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Jelly Bean Skin Pack\$PROGRAMFILES\Jelly Bean Skin Pack\

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

C:\Users\Admin\AppData\Local\Temp\nspC565.tmp\registry.dll

C:\Users\Admin\AppData\Local\Temp\nspC565.tmp\nsExec.dll

C:\Users\Admin\AppData\Local\Temp\nspC565.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nspC565.tmp\System.dll

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:05

Platform

win7-20240708-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 236

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3476 wrote to memory of 4904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3476 wrote to memory of 4904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3476 wrote to memory of 4904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:05

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3996 wrote to memory of 1612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3996 wrote to memory of 1612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3996 wrote to memory of 1612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1612 -ip 1612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\JpgToBmp.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\JpgToBmp.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\JpgToBmp.exe"

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win7-20240729-en

Max time kernel

14s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 224

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\xml.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 368 wrote to memory of 3716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 368 wrote to memory of 3716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 368 wrote to memory of 3716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\xml.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\xml.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3716 -ip 3716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 244

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:05

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 4408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 4408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 4408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4408 -ip 4408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:05

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 224

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:07

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 224

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Jelly Bean Skin Pack\boot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Jelly Bean Skin Pack\TopTaskbar.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Jelly Bean Skin Pack\RIC.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\JpgToBmp.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\boot.exe N/A
N/A N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\TopTaskbar.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\RIC.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\Android.bmp" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\Painting\Separator.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerAppstab\icons\VStudio.PNG C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerDirverdock\I.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Template\Flip\widget.xwl C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12294.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12306.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12321.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\ProtoSea\bg.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Lang\Ï_ÏÝÏÚÏÚÏ_Ï_Ï_.txt C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Settings.ini C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Icons\Phone_mirror.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\Milk2\Milk2.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Logs\ExplorerFrame.dll.log C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\57.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12315.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3032.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\notepad.exe\notepad.exe.txt C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Languages\1025.ini C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerSystem\bar.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerWeahter\Default.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Template\TabTemp\Default.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12224.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12267.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\ExplorerFrame.dll\579.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Icons\Music_mirror.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Template\weatherTemp\Icon\27.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12261.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Icons\Action complete_mirror.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Icons\Clock_mirror.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerRSS\Icon.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12218.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12317.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Logs\batmeter.dll.log C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Logs\imageres.dll.log C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12230.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12282.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Logs\Explorer.exe.log C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Icons\Barcode Reader_mirror.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\1008.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\152.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\9.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerWeahter\icons\rain.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Backup\notepad.exe C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Icons\htc sense_internet_icon_mirror.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerAppstab\null.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Images\logo.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\1035.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\5100.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\ExplorerFrame.dll\34569.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\ProtoIron\sep.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\ZaKtoon\ZaKtoon.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerWeahter\icons\cloudy.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3054.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Icons\Opera Mini_mirror.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\androidClock1\dots.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Template\weatherTemp\script.js C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\181.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12300.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3023.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Icons\jb-new-logo.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\ProtoSky\sep.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Images\WidgetDock\bt2.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerAppstab\icons\ccleaner.PNG C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\HTCHome_En\Icons\wind.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\resources\Themes\Android\Shell\NormalColor\shellstyle.dll C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Web\Wallpaper\Android.jpg C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Android.bmp C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\JpgToBmp.exe N/A
File created C:\Windows\Cursors\Android\Help Select.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Horizontal Resize.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Link Select.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Unavailable.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Alternate Select.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Move.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Working In Background.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Busy.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Diagonal Resize 1.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Diagonal Resize 2.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\resources\Themes\Android\Android.msstyles C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Vertical Resize.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\resources\Themes\Android.theme C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Handwriting.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Normal Select.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Precision Select.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Text Select.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\JpgToBmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\boot.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\RIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\TopTaskbar.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\Crosshair = "%SYSTEMROOT%\\Cursors\\Android\\Precision Select.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\IBeam = "%SYSTEMROOT%\\Cursors\\Android\\Text Select.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\SizeAll = "%SYSTEMROOT%\\Cursors\\Android\\Move.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\Hand = "%SYSTEMROOT%\\Cursors\\Android\\Link Select.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\Arrow = "%SYSTEMROOT%\\Cursors\\Android\\Normal Select.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\NWPen = "%SYSTEMROOT%\\Cursors\\Android\\Handwriting.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\SizeWE = "%SYSTEMROOT%\\Cursors\\Android\\Horizontal Resize.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\SizeNWSE = "%SYSTEMROOT%\\Cursors\\Android\\Diagonal Resize 2.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\SizeNESW = "%SYSTEMROOT%\\Cursors\\Android\\Diagonal Resize 1.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\UpArrow = "%SYSTEMROOT%\\Cursors\\Android\\Alternate Select.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\Wait = "%SYSTEMROOT%\\Cursors\\Android\\Busy.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\SizeNS = "%SYSTEMROOT%\\Cursors\\Android\\Vertical Resize.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\No = "%SYSTEMROOT%\\Cursors\\Android\\Unavailable.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\AppStarting = "%SYSTEMROOT%\\Cursors\\Android\\Working In Background.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Cursors\Help = "%SYSTEMROOT%\\Cursors\\Android\\Help Select.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeUndockPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 33 N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 34 N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 35 N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 36 N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeUndockPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 33 N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 34 N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 35 N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 36 N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeUndockPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 33 N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4744 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher64.exe
PID 4744 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher64.exe
PID 4744 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher.exe
PID 4744 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher.exe
PID 4744 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher.exe
PID 4744 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe
PID 4744 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe
PID 4744 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher64.exe

"C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher64.exe" -silent

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher.exe

"C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher.exe" -silent

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\imageres.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\imageres.dll.xpize" "C:\Windows\system32\imageres.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imagesp1.dll\imagesp1.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\imagesp1.dll.xpize" "C:\Windows\system32\imagesp1.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\authui.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\authui.dll.xpize" "C:\Windows\system32\authui.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\batmeter.dll\batmeter.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\batmeter.dll.xpize" "C:\Windows\system32\batmeter.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\pnidui.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\pnidui.dll.xpize" "C:\Windows\system32\pnidui.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\SndVolSSO.dll\SndVolSSO.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\SndVolSSO.dll.xpize" "C:\Windows\system32\SndVolSSO.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\stobject.dll\stobject.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\stobject.dll.xpize" "C:\Windows\system32\stobject.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\basebrd.dll\basebrd.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\Branding\Basebrd\basebrd.dll.xpize" "C:\Windows\Branding\Basebrd\basebrd.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\ExplorerFrame.dll\ExplorerFrame.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\ExplorerFrame.dll.xpize" "C:\Windows\system32\ExplorerFrame.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\shellbrd.dll\shellbrd.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\Branding\ShellBrd\shellbrd.dll.xpize" "C:\Windows\Branding\ShellBrd\shellbrd.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\explorer.exe\explorer.exe.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\explorer.exe.xpize" "C:\Windows\explorer.exe"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\iexplore.exe\iexplore.exe.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Program Files (x86)\Internet Explorer\iexplore.exe.xpize" "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\notepad.exe\notepad.exe.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\notepad.exe.xpize" "C:\Windows\system32\notepad.exe"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\wmplayer.exe\wmplayer.exe.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Program Files (x86)\Windows Media Player\wmplayer.exe.xpize" "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\JpgToBmp.exe

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\JpgToBmp.exe C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\Android.jpg - C:\Windows\Web\Wallpaper\Android.bmp

C:\Program Files (x86)\Jelly Bean Skin Pack\boot.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\boot.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Skin Pack\android4\install.cmd" "

C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe

Win7BootUpdaterCmd boot.bs7

C:\Program Files (x86)\Jelly Bean Skin Pack\TopTaskbar.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\TopTaskbar.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Skin Pack\Lion\KEX.cmd" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Program Files (x86)\Jelly Bean Skin Pack\RIC.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\RIC.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Skin Pack\refresh icon\ric7.cmd" "

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Users\Admin\AppData\Local\IconCache.db"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:n\AppData\Local\IconCache.db"
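The process list above is the whole installation sequence in order: a UXTheme patcher launched from the NSIS unpack directory, ResHacker applying a resource script per target, MoveEx moving the staged .xpize copy over the original shell, logon UI, tray and branding binaries under C:\Windows, a batch-driven boot resource update, and a forced kill of explorer.exe. The following Python is an added example, not output from the sandbox or code from the installer, that turns such a listing into triage findings. The input list is a constructed subset of the report's own command lines; the rule names, the severities and the set of directories treated as OS-owned are my assumptions, not signatures the sandbox applied.

```python
"""
Triage of sandbox process command lines. Added example: the input is copied
from the report's process list, the rules and severities are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: a subset of the command lines shown in the process list.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher64.exe" -silent',
    r'"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script '
    r'"C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\authui.dll.txt"',
    r'"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" '
    r'"C:\Windows\system32\authui.dll.xpize" "C:\Windows\system32\authui.dll"',
    r'"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" '
    r'"C:\Windows\explorer.exe.xpize" "C:\Windows\explorer.exe"',
    r'"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" '
    r'"C:\Users\Admin\AppData\Local\IconCache.db"',
    r'C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Skin Pack\android4\install.cmd" "',
    r'Win7BootUpdaterCmd boot.bs7',
    r'taskkill /f /im explorer.exe',
    r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1',
]

# Directories whose binaries we treat as OS-owned (assumption, extend per estate).
OS_DIRS = ('c:\\windows\\',
           'c:\\program files (x86)\\internet explorer\\',
           'c:\\program files (x86)\\windows media player\\')
TEMP_MARK = '\\appdata\\local\\temp\\'
SEVERITY_RANK = {'low': 0, 'medium': 1, 'high': 2}


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def split_args(cmdline: str) -> List[str]:
    """Split a Windows command line on spaces, keeping double-quoted spans whole."""
    args, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ' ' and not in_quote:
            if cur:
                args.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur)
    if tail.strip():
        args.append(tail)
    return args


def is_os_path(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in OS_DIRS)


def analyze(cmdline: str) -> List[Finding]:
    """Apply the triage rules to one command line and return its findings."""
    args = split_args(cmdline)
    if not args:
        return []
    exe = args[0]
    base = exe.rsplit('\\', 1)[-1].lower()
    lowered = [a.lower() for a in args]
    found = []
    # Anything launched out of %TEMP% (here the NSIS unpack directory) is worth a look.
    if TEMP_MARK in exe.lower():
        found.append(Finding('exec_from_temp', 'medium', exe))
    if base == 'moveex.exe':
        if len(args) >= 3 and is_os_path(args[2]):
            # Staged copy moved over an OS binary: the system file is replaced.
            found.append(Finding('os_binary_replaced', 'high', f'{args[1]} -> {args[2]}'))
        elif len(args) == 2:
            # Single-argument form; the report shows only the invocation, not its effect.
            found.append(Finding('moveex_single_arg', 'low', args[1]))
    elif base == 'reshacker.exe' and '-script' in lowered:
        idx = lowered.index('-script')
        if idx + 1 < len(args):
            # The script file is named after the binary it patches (authui.dll.txt -> authui.dll).
            target = args[idx + 1].rsplit('\\', 1)[-1]
            target = target[:-4] if target.lower().endswith('.txt') else target
            found.append(Finding('resource_patch_script', 'medium', target))
    elif base in ('taskkill', 'taskkill.exe') and '/f' in lowered and 'explorer.exe' in lowered:
        found.append(Finding('shell_killed', 'medium', 'explorer.exe'))
    elif base == 'rundll32.exe' and len(args) > 1 and TEMP_MARK in args[1].lower():
        found.append(Finding('rundll32_temp_dll', 'medium', args[1]))
    elif base == 'cmd.exe' and '/c' in lowered:
        m = re.search(r'[^"]+\.(?:cmd|bat)\b', cmdline, re.I)
        if m:
            found.append(Finding('batch_script', 'low', m.group(0)))
    elif base.startswith('win7bootupdater'):
        found.append(Finding('boot_resources_modified', 'high', ' '.join(args[1:])))
    return found


def triage(cmdlines: List[str]) -> Dict[str, object]:
    """Run every rule over the listing and summarise what a responder needs first."""
    findings = [f for line in cmdlines for f in analyze(line)]
    replaced = [f.detail.split(' -> ')[1] for f in findings if f.rule == 'os_binary_replaced']
    highest = max((f.severity for f in findings), key=SEVERITY_RANK.get, default='none')
    return {'findings': findings, 'replaced_os_files': replaced, 'highest_severity': highest}


if __name__ == '__main__':
    result = triage(SAMPLE_CMDLINES)
    for f in result['findings']:
        print(f'{f.severity:6} {f.rule:24} {f.detail}')
    print('OS binaries replaced:', result['replaced_os_files'])
```

The `replaced_os_files` list is the restore list for a host that ran this installer: each entry has a pre-replacement original staged under `Jelly Bean Skin Pack\Backup\` in the Files section below, whose hashes can be compared against the Windows Update or installation-media copy before trusting either.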

Network

Country Destination Domain Proto
US 8.8.8.8:53 installer.filebulldog.com udp
US 3.18.7.81:80 installer.filebulldog.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 172.67.70.191:443 www.hugedomains.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.7.18.3.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 191.70.67.172.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\Banner.dll

MD5 0116a50101c4107a138a588d1e46fca5
SHA1 b781dce23e828cf2b97306661c7dad250a6aaf77
SHA256 ab80cf45070d936f0745f5e39b22e6e07ba90aa179b5ec4469ef6e2cb1b9ef6b
SHA512 55de6aeaad05b01a25828553d3ea9f1b32a8b0c35c42dc6106bed244320e3421ec6a6f5359b15f9d18dd1e9692ca5572b2736d9d48cceb07b9443601d00a5988

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\inetc.dll

MD5 f02155fa3e59a8fc48a74a236b2bb42e
SHA1 6d76ee8f86fb29f3352c9546250d940f1a476fb8
SHA256 096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999
SHA512 8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\xml.dll

MD5 42df1fbaa87567adf2b4050805a1a545
SHA1 b892a6efbb39b7144248e0c0d79e53da474a9373
SHA256 e900fcb9d598643eb0ee3e4005da925e73e70dbaa010edc4473e99ea0638b845
SHA512 4537d408e2f54d07b018907c787da6c7340f909a1789416de33d090055eda8918f338d8571bc3b438dd89e5e03e0ded70c86702666f12adb98523a91cbb1de1d

memory/4744-37-0x00000000056B0000-0x00000000056D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\nsExec.dll

MD5 acc2b699edfea5bf5aae45aba3a41e96
SHA1 d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher64.exe

MD5 5eac71e2ab8b58f00da48a21becb586f
SHA1 57fe7ac0196a04b535615f19b0758e75071a9943
SHA256 196756bea46f45de4b8e2eedebd51df8222f627f1eb9c2876d927718c85286e9
SHA512 2345d45a9d2b163d2a550808ab2af72748e80615e9d7965d40642b80cf53c3eab3ad07cbfed6b8b97ea1656436306919de6e74fef9f62c62456bd058c70830ff

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\UXTheme Patcher.exe

MD5 c35efaa15f6f1da888efc247e886389d
SHA1 e3f35519380a564ff62f5ea2fa95fd5bca38bb1a
SHA256 558f6e38c300957234231234c44ccf41217182677e859c9005a51094bdf01794
SHA512 fd3d27271cab60f51929a4e92cccd0ce2edf8c95fd2db6cc957620ff2f7522e644b67862ec7803e6068f5ae75caedad9daae3dafdd4b7f4898c618c8498dca16

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\139.ico

MD5 715f0b190a960689dd412d2afa82520b
SHA1 9f08dea801d368ed181842b91e894b9145616c41
SHA256 84567059fc3215de5a0f30c1fbecc8ee0486028b15e303cf184ddf2bd4feb4f8
SHA512 cb0b2dbc3c156f66e686dadc3665ef832bdc3b418f00ec80debe178b10a9372af8935c4c0a388a01c5d82ff5db9863ce31fdf8d94a71ff4b06ad2908810996e2

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

MD5 2f92eed4e2061af0961f379e9ded70d6
SHA1 8b58dcd428759d3633a14bcfc62a8cb6deb66de5
SHA256 52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f
SHA512 909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\imageres.dll.txt

MD5 f3bd97a52850eab52d4f316a283675c2
SHA1 99d44c7f2d32409985a814264eb8f2ae0f35d553
SHA256 f0635f35c1d17c30ca85e5981cecc53289d0ebcba8656a3f136538df8fb61e29
SHA512 749f2ab73755f69a74a9fb0937686d1e20c1cd7499e21bd7ff91d86e40331683f46a28a8592a7aad8508cc4496687bdf3e76a60f34733ee02c823fdecc1ec020

C:\Program Files (x86)\Jelly Bean Skin Pack\Backup\imageres.dll

MD5 620c454d6138083f146cd718cf3003e2
SHA1 155c86d26602058d21ce2cb0ba097292f4374d4a
SHA256 67c93e5c99187db024be2ddbf26020911d1f6e8836ddb2da2e51a87228c3182b
SHA512 c5cc55a32d29ed228982b16c1599e3293cd4540c67307837aab3dd5b7f46d5f858c60a7dc205fd2ef62e2464ffc1da22a0949dd6cd861cccd477e1cc2596b258

memory/4284-308-0x0000000000400000-0x0000000000502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\ExecCmd.dll

MD5 b1d08c24cad3f8f6ccd6b9ebd24d30c0
SHA1 d01549db25d0345c05d3c2eb90b173f937966ce5
SHA256 c4b6ff0091b3401670c8c6d3cb337d3ba0c2a514e66b0ea3501bb7ef78ddba69
SHA512 9cb5735c86cdf8d126268b7b2ec8fafd654d69bdfe5336d54b7d44b5ac8e1174836c487bb4aa40517516a55323bf9f916a96753c8dd2bc9b2d481071c9d9fbf8

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

MD5 fdc7b5defae116802a0f695d789d3a35
SHA1 2a7bbda9bdb9df297a174a6ade11b282cd5d558b
SHA256 e0017fb1874641754b228fe0d50e23302e69b93e4331d535c6fe6d0c22199629
SHA512 4c9d2e6a44438d816ae6fa35525ad4c018bfb5a43f4ebb7f7843eaae9617241cc0ca98b1d31f38d7f4edfc4c184123b632071351ca00c6c05c8eb721a8f3bf4a

memory/5044-319-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imagesp1.dll\208.ico

MD5 d6aa3deb9677e17c6a02209255c10217
SHA1 cb98d1e746b9648f7e376089bc4ae7286c23efec
SHA256 a8a1946eaa7ec9c2a3a67af760fc20b3ec2fea471897ae2ef579396fc4b7b4fc
SHA512 679ec74339b76b7818258cd87897c7c4a5c1e1f2e10b2c2a3a790de3f29d7286ccbca5dc871728ecfa1d92e80fcbcf400116fe5d2d1d298701931a16213c14f6

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.ini

MD5 8d8ef66c93ab90e0fa91d7424b72bbb6
SHA1 49b8871413faea71f451921581aa9e2b6825c201
SHA256 99c104a02846d22b412ce62354be18d51533cadba15315d1f2aee05fb1a820a3
SHA512 3528938c0b1fd40de65d7e41ea71c347b9dd5272b74757a21d7d6fef037f13f2f7ef08886203ab11efe7b6f95def28e84ad3735b7b1058a1770460a51e5cee2a

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imagesp1.dll\imagesp1.dll.txt

MD5 6b20ed47623302306418b66ef8777551
SHA1 557c17fd3e9ceae3dad70c26624ef42160ddbfa6
SHA256 705747bb0e913391544740615b1a4514792ddf864fad1eac896869cfab5b86c6
SHA512 dc7d3f935a3ca7f5b53c0107a3f621b57696dc1fd87d7fd6705b88acc193c73ffe468f31099f6677782d545c1c9869fb916ad8722248fd01721bdc35eb8163fa

C:\Program Files (x86)\Jelly Bean Skin Pack\Backup\imagesp1.dll

MD5 08b119c2db5ecd2b0b6f502487f3688b
SHA1 def03a82ee71cf4727a8ba44284b676beca733a9
SHA256 494b5be61b561db063677b15fa0093efde12edb921fb2b6fde8db9c50c5c9f47
SHA512 b45581483c3af08f280e16491890fdbfbd7ed7c3fa62ad5a0acb10c3530c79221859565d5a8afb2eee2f649b83a65cd19ababe2041e5b11e5f87ce01f67095da

memory/4944-340-0x0000000000400000-0x0000000000502000-memory.dmp

memory/3464-348-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12270.bmp

MD5 a9d5b28ed75fd5cecf329069dbcb32c1
SHA1 9cb57c34f16f1204b533aa486f5cecb097cdd731
SHA256 b5d942187d3fdce96d2b0dd9c4c5614f24fe625c7077064685fdd1cb367e44b8
SHA512 a39f1964043c245c73c21f7f35be6e0b96e72ba2f8aaa1057a5adedb7b1a79e9960c54aad8964705758b32aea3f85aa07c65a34305c3c65d043086bbc55db84b

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12269.bmp

MD5 e3f1d45510350054bce2567316220c22
SHA1 929dcc5b84b75c0359ea26e64b5a88227431e813
SHA256 4f973fc52c1e800b857035ad041ebe9fc2bcb8e04e94d3ce6b9737d5b84b8f6a
SHA512 08c4de5d6794ad37b7a25fe16907a783b3872d37c8243232a3dce3af1f19846db100536830014d0502dab9a86d2896d0553a4623e78283170ef52dcd1df6431d

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12281.bmp

MD5 7f10c345de67f2a3e0770fb9c15cf305
SHA1 276618bb7251808cf804b95477596dc8b4eddc7a
SHA256 50fa178e1d5da32749302dd7e0043c4bc215dfaab620127eccaabede20534fa8
SHA512 3e786e3319acb91c1ab8b262b97467614464d1e69e4491cbdb3650274f6d0ee387ed0c2c56d694973043ff7fde5fbbb146602df00ce96e5e07dfc2532453e382

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12321.bmp

MD5 07320111067f436917a3afca9662e5d9
SHA1 cad8f4734ce2f545d3ad2ac64abe1aaab00534c0
SHA256 07d7cd4fb7f981ad1880000c4447564a5469eac43ad016941906afaa2e185a4c
SHA512 b39ec47080e82fcac2f2468d21d8e482fa152456ff7708cde75e2ba3e60eb9c96baca8d11d46714949c439886f146815391a0d2b0d133e40c58f1d5fd1f92963

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12320.bmp

MD5 ef507d59f550667bcd2d2308f6e8bb49
SHA1 ee2e050cbeebfc6ca98098999312a1639cc145d8
SHA256 d568b1e48f1fac4e0c98ae4287e8eb80366bea619d010f9003784f664367012b
SHA512 f38720bc16340df09a4b39910ba7ff9dad48c766967ef90f2f1101b4feea36dfdd261118fdb11b74ee54939049087b7404591ee21931598842c3439c3d9d0661

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.ini

MD5 1e63cef9155fc3a0c98644aa7c95d1c5
SHA1 8054b82558b5393b938349decae964cf6c79fa70
SHA256 256be57b9632bb3a6d8efdc676f52695fe2fb5634e410be108edb660888ec123
SHA512 adb68247387f7e54df3cdb0d1a4256500b2e884e67ae6ccf13856983d99897e9cb4564be289e9778e62dfc6a3d66aa76617c8666b542745c8b1ea9d5b6674674

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\authui.dll.txt

MD5 f8e6567ac9e88bc469b56bb832f75f20
SHA1 f1e77898790fe20959d83fb2ab8ae8f5ba9627ce
SHA256 3bca07d71ccf1f4cb12141f75436a2616845e83e6612f671c1719e22b71be18a
SHA512 27909058bba7217464db2aac2336d9987900210ea645a6c708097354c06d74fe8508849865f8969964a7c4388d2883a09955cca13e61a546bbbc8604f463f2d7

C:\Program Files (x86)\Jelly Bean Skin Pack\Backup\authui.dll

MD5 9742f598cd47bd90a6698e29d16c039e
SHA1 319ea3f8ff1dc544520937346b966fe5a23725bd
SHA256 1bf55c034d54c4925896e30ae3c772e1520c768e64f499d766d026a0de55e3a0
SHA512 e8fb782a0623cbd66cd94ae7f38d643af56d09a436cd15f991e29338549284d036d6e40d7e0755f5046e3ba8d5f9a22cdd027cada0480be1782c174d36e685f8

memory/3732-432-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4360-440-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.ini

MD5 0f41921931406025353c7839294bf784
SHA1 a95b7a2d36d042a0e6bfda632f3c6ba2bc1b457a
SHA256 df10aadffbdcaf245c041118d916c36035bf68e526503f37fdd2c91fe9161811
SHA512 d32d4f632d32d2cd763b99f6858daf248520e44943e5dd2961f8bbd14cb6929bfa8968c47cb59b2802455c60d5cf89d2bfc4b8fd8ee53e7bea1d56f2fd3a3a9a

C:\Program Files (x86)\Jelly Bean Skin Pack\Backup\batmeter.dll

MD5 72b4c51711c54edfe24129ae522221a4
SHA1 43d9b8f0d15cc235b3170dcdb25bf15be300563e
SHA256 61903d145506ce4857e5211e289dd9e0251b1081a2417d268d373284c76293f0
SHA512 bb230d0c7e687e7e7a51d661398daf4253809ed70e429264a5589be4091b9c387a44551f8012f172eedb8ad5f7f3175b66f4940925e1bddef70446108f2fb3f7

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\batmeter.dll\batmeter.dll.txt

MD5 bc4d264998df2169cb473cc94ea7a3f4
SHA1 8765de1328fabdb4343335144483bab924ef41fd
SHA256 e605a11d4c1b4519e8f44f0e85ac6473696b51e81e6ac8afb7be88a2313ad5c6
SHA512 5f607dfbaa3f5aeea4f80b0b1ee48ccb315813814720e9a3c99aaf298dc11577a87775022a944ce08785203c8d2538e62e398d0f69373db33575d3716bdbdc56

memory/2056-456-0x0000000000400000-0x0000000000502000-memory.dmp

memory/1920-464-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.ini

MD5 a365e2b29dc609e6f4103de27ebf9542
SHA1 588443ff0ffb5a808f71b490acf481a1f687566c
SHA256 7caaefb5cc65fd06ac317559685fce129e9d8f5fd65dbae824b926658781d4a0
SHA512 9ade6e4f88f439173245079a81db80710350d40a62aa3644386092f6868053def3c654c6aadf631b8bbf5fd598c7ca6292b23a420b4fcd3d4ff737ade967b649

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\pnidui.dll.txt

MD5 7f1d77c804b9f8edb26fa3aee402701c
SHA1 4868cefc5cbc839da1718b76c350e8867952c0cd
SHA256 5597879476354685146eb23355ee8e6428cb77e342f42483536a783ba4b4ffd8
SHA512 55da39d18b3d2467acca15c8736baffa6763e6fe7ba2012cf6e94862cd64b18545944fd3f240b193371582aaf6ecf542413d9b612f1fb71a06282b45d5fb7ebf

C:\Program Files (x86)\Jelly Bean Skin Pack\Backup\pnidui.dll

MD5 bc5be132cab791c258a17c6d40b50df2
SHA1 2dfd0ae57355cff5c8d97889d9a55947c339497e
SHA256 c4b3df6dc6a078b73a3dd935b807060ca323a98653eb13ec72582e6c98abafe4
SHA512 41d39c0a689eea236b281e4cedd83fe9650b0a2493fc005ae9f6f4243cc880a35637ff532ba97dece26d2bff3085783bfc676173c97261c7a8e4ecfeca023f32

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3024.ico

MD5 07257d99d205d501f817fcdf3671f3c5
SHA1 16de25f89ab85f672c1ab88cd71ce5871a214f75
SHA256 644cd4c4f1b118d4a5dbc9f58ebf2ad1d1cb9d5f90f8ac64f33d2054f44746a2
SHA512 1f1a06668eafeaaec4c68c67a41794e72db064149839b04a2a64d78780ee5d92001a312efc7f80134e3525b46862ba758f1b1b806480f483f97f7a10f82c6920

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3023.ico

MD5 9b1d33d7a2675ce832967f6c37bd1cdb
SHA1 35eed0510cc05e5c343dcf4f8de45d78b66dcd17
SHA256 4e529462b548c53da222d56db981f97abb705dc61ccf4ff8f1db39db94f101c1
SHA512 c25f97d5e8a8bc6953def0df836640dd4135bf4f363a329a32716deb31933ed39eea95c0c56da637c125b9ada1dd5980b78ce7b361c9c15b79e658a2aa129ab2

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3022.ico

MD5 7970f38bac426041642308a14c5c5b4c
SHA1 67d851c02e2de07f2bcb7e3829d593a3b9156508
SHA256 2fb4fba23e1cffe4bdb50add8d8131bd51e8a7935acf084518d3a20fafc2f68b
SHA512 552e120a2f5a1e45f6cf855263375f522d77f87a795ac4abf35e0abc3c1f184b5de443755c1dd011fae052a5be44e77b48b6ff97d51324f8252e2de324694508

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3021.ico

MD5 b443a5a570ee9894f5061f81ea360540
SHA1 885ef78174414a56ad9b9176683117921045028d
SHA256 b13e4b55b8115f3621f0cd3de152086d35c85a1a01ee2f5fc850b492f3553cab
SHA512 78919d3407da5083e5c4494e035065ceb256adbd10ebe94453a58deb1cb13a2d803012b1adb043a59c6d875049f2b938867e58675a4f52de738bb906a84eed7c

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3020.ico

MD5 b1ba2294cbfc502551e803088584378b
SHA1 772a86c547fe420d002073d9dd570c5fdd7e51a6
SHA256 03136b58bc58b85d59f5a0010c1f292b036e3560da41977b73536cb8a92d3152
SHA512 d21c0d6bb01ceff5fd3eb4b2946eaad77e71ae08a154300531dce3a0d24dc79a58183ac161ea77ce8889ae0c346a9c69097125cade756e77dd3ba0a1dc4a46cc

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3051.ico

MD5 45e3984359bccd8704312bc4b114fc17
SHA1 9d8edf37add520bfc26bb65a2590a967a0704a3a
SHA256 921d20feadfd5365ed89b16999510f61c5a479c65efb391692b3ec31fcfc2687
SHA512 b10520daed072064f22e64b193402a5089f180e23b7103a76b6722b0c12e4d63d1f6aaf904415371caf08744b68e4d7fd5de3b6de7067af17c6c73d86dee8b82

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3048.ico

MD5 cd970f9fc7564ae4fdf15848744a1694
SHA1 73d1a0150b031e5e1176178dd263b50486dea398
SHA256 e69c7eb0869db7fba6b7f38531cf711a475b77850fa90eacd4b62a57a16faeca
SHA512 9e1b59d2f37b72ad93903b918f88670cce9b6bd6972494114d7b50106862f84fdfe306a73c8bf5273476b8f895cc4e538f86ec40aa8eacd8591f43a6ef47e6bf

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3032.ico

MD5 662dbdffcea050218ee8618203828477
SHA1 bccc0e9d21bd383de980592e85d9130eed2833f0
SHA256 76e7b5621f1bfe5260e4f74a51249dc603a314043b987d241e6bad8bd55ab93a
SHA512 6629c5ab868acf22d96e26f8e3f6196e0abf1ca9c5b7c1353e972157a73c2d54a91395a2d695a1afe9a57a21f683abbc5073f4fa10d65b4d097d6e2aee21a58f

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3031.ico

MD5 5f3f8421bd0c0ef3d474f59a2b520876
SHA1 f1b1da4782d8bf70461b5d83ae71313f80607bf4
SHA256 b0e5e667c4d503e94963253a8085a3cc93edff67f6e0d034d2ac859e9d861639
SHA512 4b8abbc042e05039aa502b58b9926ea11e711820f94930efe95bf22751b54163fb17eddcae8dc579ddeb269095c0f30709732759fda8ee55b471d66eae72371a

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3030.ico

MD5 65902b25de2aa58f144975111e585123
SHA1 0dda949db5b5c4cedfe73c3c021500a6d94f2fe3
SHA256 ef88023aa4cc474e5b2ee442fa758af056ce451a7d447065db26ed5d8e6d2309
SHA512 d356db9a93de774d8fb045de0c4807c58e2231bc05e45441ad6bd504e60f372499864a041710c7a5d706d9807f4067d98fcdc2e80e2d99dff347f00a205a3b7d

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3029.ico

MD5 ccece1faf666b86629d829ace5d73c10
SHA1 af3d3d7512779e7dd56e939d38ce27ea530725d7
SHA256 3b9032199f6335c4cc07eeea66921023059eb22a8ffd1d7cd7e935a997cf2e35
SHA512 0158e730dd1b7d008cc0c31d2ce8ddba691db91c0b7ecbab9475e4b5a22f83fbabe8b830ca567c035956a888fb9be86e402180ce616183ca405f575877fd7a68

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3028.ico

MD5 c8ab0af6c54789e62a29039165113fc1
SHA1 bde1bb33032309c232c983df3bb723e1b6d99ece
SHA256 cf47be4a4733cdd6b5303bcb2f740edca742332327b904aa370e8cb8f4adc584
SHA512 f21daad4bbd26f0c177acc1da5429485858320b507b9cd98aed3322c8dadb5c082aa116b390f3d98a2d6c9ffad03833426b5b61c606224f4133a9368547176b0

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3027.ico

MD5 0a0f9e27c54e4c910968cf20907d6a1e
SHA1 9b53528e5825d61a33213b636ee67caee7f3a2a4
SHA256 fb76d4b92419ee8f32285451fd90c708cb475a340ba5c1dbebc269027907c8be
SHA512 9f2c4a52c3f953ee2fbe245a44f137c03b24d376a3f434e2e12c8117014e3199ab39d1cabe18cb5c0b6a3d2f8014507d68e34619369e91c0c49e6101f78a178c

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3025.ico

MD5 93047f1f28599485003ac4959eb1dde5
SHA1 c1a84ba3f5003bd6c5a476547d4f0d822835970c
SHA256 232e73491cdf7d55e32d3b9f64e32be4ad74fbf8e550707f135bc4faeb50b9e7
SHA512 b1696f18869f917e04dc6999115b0e152b3b146bdb6528c7ff9ad9e33370455e74757d7789f880bb0e213252af8c4479c1eb3bdb97a8c6c0e2ae0e19c31af32b

memory/1444-535-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4380-540-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4148-555-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2904-560-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4008-569-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4612-574-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5096-584-0x0000000000400000-0x0000000000502000-memory.dmp

memory/5104-589-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1732-614-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2340-619-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4240-628-0x0000000000400000-0x0000000000502000-memory.dmp

memory/1052-633-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3208-646-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2428-651-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4396-664-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4564-669-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2528-678-0x0000000000400000-0x0000000000502000-memory.dmp

memory/1588-683-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4468-694-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4300-699-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\AstroOrange\background.ini

MD5 897b938340df28f4b6644a21e993b5b4
SHA1 2ce7d74e54923fd3c0a9d3b55198c0052e65fb11
SHA256 2f9a65652dcfd86b9a423926171a475d45085ba1447c2a0b553da2c3875043f3
SHA512 9ba3f6635cb2590bda828a88a624083db1c258d5953e82ac13a9134eceb38d8b03f60adb5d2b42479f68f294d400b2422d16784e7bd4c012f996b50eb41f47e6

C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\AstroOrange\separator.ini

MD5 d790ef81c98f5e58509753663c555450
SHA1 114b312c07d64f3bb51d58a461a79109751df34d
SHA256 1b5fbb364299f161c9a6ee23d64a611492761c9712e349132915b7717cce77f4
SHA512 460ddca2cd01449cc8312ba08816de256b06bb0c1084a2b7ed57c9afb5e01b6da23e44c4b3f07f7c348cb6a47dc5319cfd3dd83188c3fbbc29d83831920ef5d6

C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\Milk1\Separator.ini

MD5 61942857b9195d332e8652f327e1fc9a
SHA1 08bc1313f64cc70a4ab1c17729e04a305d536ea2
SHA256 3209912209357823aa3bc1f6fd45e2bcdaaa6b47bbc60233731601d10acb4ef6
SHA512 22323d771b2bf7f61e4a120a750f9c6125d516e01214d12e952a22046fd0326675f0e671b166ac07e73ea0f48db41dbea9ea5586ae662a5d84fa29b9b9ea5c4c

C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\ProtoSky\background.ini

MD5 af5ae49010e6ca1f108b805fa8b8b098
SHA1 391b94f97e470e6e45ea32b32a1e3b0a7ab4406a
SHA256 fab2d4d53b491671deb18cb13402a2e26208a533eaaced4a326ff3dc8da79d12
SHA512 a91a9d971b42e0cdac954e663abfeea8495c255201ba7f410d39ea057052550bc7cc20778c154712753324b7306dfed6d07750e265131c3b60ba161900dd6315

C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\RocketDock.exe

MD5 7dfccc67990b6de7f30f553a4e4612a4
SHA1 521e9198e3dc1d41fac02eb01fb9f47f6d2a9855
SHA256 9ff98d6fd2539cefc9f42103a7f72388bed6ee590400559b92bc7430228da36a
SHA512 e43038e184a4271633f7925656aa37d14dd67fb606aa18e8e9e18329cf9e71965217bc9687a5e317d0ab97cea40e40f0a72b0cf6d56d5c85cf1e1038e6be30eb

C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Template\weatherTemp\Icon\23.png

MD5 cf30d2b2c170a5a98caa3a7215d83ae3
SHA1 abedd45bb623548605da0b2a93d0afaeb12f489b
SHA256 29cba7577d397dc14d0a1837fa779701c80dd029573d6df78619201915d478f0
SHA512 ea7303d2eabfffab9a97348a9f61f84ea33903b135a2d5936d53f43511a4d0b8363a3af7955a71e55174806ef34142cbec65dbb83ef5c3f1bc7052d633384921

C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Template\weatherTemp\Icon\26.png

MD5 2677773a835efd1ad8fe6eb10e4c0835
SHA1 cde8a8dd51d8ad665298ffe5edbdc563dcaea4a2
SHA256 c0f902e9e3c01d6f0d1249bb9cb703432aedd55f363a2c6b6d5340ca75741e82
SHA512 2da6602e8926ead005521f1a18d5c789f4d5f7d2d05db0bf5b62fc29bd601a9e3da42121887647ab34333b9bb75f01d53805e5650700f8563980799c089dfee9

C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\xwidget.exe

MD5 301436520517ebca12d4201505a77670
SHA1 584aed4be04bc8288e3ecdf35855a8e409a69bb9
SHA256 56bb657fafd05ebd86c5b7efba8f00c4226008a121eedc81bfadce48bc506f18
SHA512 84a6d44c574e1e233baa274c7fe1f4f4c78b2700680ee3adf0419a74fe7719faaf8b7e20e3b78192e79adb9ef0dd14d2ef43a5066aa90db8866ad169dd02dc8a

C:\Program Files (x86)\Skin Pack\android4\install.cmd

MD5 04a01b7bb9e5d780194d6729237f5923
SHA1 5a0e5dfebac286abe4cad1d3a99fd6ee99116cd2
SHA256 3a393057c762af5c067ca058924ec5e64921a798aaee2f9bd818d88d50adbdff
SHA512 e24d1dbfd64ec6a0621c3e3fd68d6fedea82603acefc4bc9635bf99278724678f816766d920af66291ab021b37fdeafb94337476e6b8c16a2f5c197943a7b435

memory/2744-1466-0x0000000000400000-0x0000000000427000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

MD5 8708699d2c73bed30a0a08d80f96d6d7
SHA1 684cb9d317146553e8c5269c8afb1539565f4f78
SHA256 a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f
SHA512 38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

C:\Program Files (x86)\Skin Pack\Lion\KEX.cmd

MD5 088b426c6ebb2f2af680f6ac1b1d989f
SHA1 7e0848e8c36c87c7448b6c479b46337429c3b9c0
SHA256 5da151a916d4a9118e82ea8d783e4545441612833e4f555e0948e696f35ef996
SHA512 7a841fe94174551c807d5a174eea502c5d125db7037b7de45d8f5251b7932115f1bb5bb6aba4c6390b1a8e034bdb1a7918603bbae101fc6f8dafea77677feaae

memory/4904-1482-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3112-1498-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Program Files (x86)\Skin Pack\refresh icon\ric7.cmd

MD5 747cf038b116aa75f173f8042fdbb7a8
SHA1 d0e6f21765d15661207986db9da2cebd21ef9bd0
SHA256 61ad0a31a74ad1eeb7ed490188a4562c0a1a8ac832bacf467131c2bc0a887dbf
SHA512 87f83dee494a3902db7ea29e2c442927f3391ce0d8021402cdf6d3fe5b42cad9fafcddf762f9fc2eed2cf52d34d5e37c285701fa618292597331ac63d0dd2d40

memory/1636-1515-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3800-1520-0x0000000000400000-0x0000000000409000-memory.dmp
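The Files inventory above lists the same path more than once when it was rewritten during the run (ResHacker.ini appears four times with four different hashes), mixes memory dumps into the file entries, and holds the pre-replacement originals under the Backup directory. The following Python is an added example, not part of the sandbox report, that parses this listing format and pulls out two things a responder checks first: paths written more than once with different content, and DLLs dropped into the NSIS plugin directory. FILES_SAMPLE is a constructed excerpt of the report's own entries (SHA1 and SHA512 lines omitted to keep it short); the ns*.tmp naming convention and the list of known NSIS plugin names are my assumptions, not statements made by the report.

```python
"""
Parser for the sandbox report's 'Files' listing. Added example; the sample is
an excerpt of the report, the NSIS plugin knowledge is an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt of the report's Files section (SHA1/SHA512 lines dropped).
FILES_SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

memory/4744-37-0x00000000056B0000-0x00000000056D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\nsExec.dll

MD5 acc2b699edfea5bf5aae45aba3a41e96
SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.ini

MD5 8d8ef66c93ab90e0fa91d7424b72bbb6
SHA256 99c104a02846d22b412ce62354be18d51533cadba15315d1f2aee05fb1a820a3

C:\Program Files (x86)\Jelly Bean Skin Pack\Backup\imageres.dll

MD5 620c454d6138083f146cd718cf3003e2
SHA256 67c93e5c99187db024be2ddbf26020911d1f6e8836ddb2da2e51a87228c3182b

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.ini

MD5 1e63cef9155fc3a0c98644aa7c95d1c5
SHA256 256be57b9632bb3a6d8efdc676f52695fe2fb5634e410be108edb660888ec123
"""

HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$')
# NSIS unpacks plugins into %TEMP%\ns<hex>.tmp, which the later runs in this
# report show as $PLUGINSDIR. Treat DLLs dropped there as plugin candidates (assumption).
NSIS_DIR_RE = re.compile(r'\\Temp\\(?:ns[0-9A-Za-z]+\.tmp|\$PLUGINSDIR)\\([^\\]+\.dll)$', re.I)
# Plugin names the author of this example recognises; extend as needed (assumption).
KNOWN_NSIS_PLUGINS = {'system.dll', 'nsexec.dll', 'inetc.dll', 'nsdialogs.dll',
                      'execcmd.dll', 'banner.dll', 'xml.dll'}

Entry = Tuple[str, Dict[str, str]]


def parse_files(text: str) -> Tuple[List[Entry], List[str]]:
    """Return ([(path, {algo: hex}), ...], [memory dump names]) from a Files listing."""
    entries, memdumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2)
        elif line.startswith('memory/'):
            memdumps.append(line)
            current = None          # hashes never follow a memory dump line
        else:
            current = (line, {})
            entries.append(current)
    return entries, memdumps


def rewritten_paths(entries: List[Entry]) -> Dict[str, List[str]]:
    """Paths listed more than once with differing SHA256: rewritten during the run."""
    seen = defaultdict(list)
    for path, hashes in entries:
        sha = hashes.get('SHA256')
        if sha and sha not in seen[path]:
            seen[path].append(sha)
    return {p: shas for p, shas in seen.items() if len(shas) > 1}


def nsis_plugins(entries: List[Entry]) -> List[str]:
    """DLLs dropped into the NSIS plugin directory whose names match known plugins."""
    out = []
    for path, _ in entries:
        m = NSIS_DIR_RE.search(path)
        if m and m.group(1).lower() in KNOWN_NSIS_PLUGINS:
            out.append(m.group(1))
    return sorted(out, key=str.lower)


if __name__ == '__main__':
    files, dumps = parse_files(FILES_SAMPLE)
    print(f'{len(files)} file entries, {len(dumps)} memory dumps')
    for path, shas in rewritten_paths(files).items():
        print('rewritten:', path, shas)
    print('NSIS plugins:', nsis_plugins(files))
```

Paths that come back from `rewritten_paths` are the ones whose hash in the report cannot be used as a single indicator; for ResHacker.ini here that is expected, since the tool rewrites its settings file on every invocation.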

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher64.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher64.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:06

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 244

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:05

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4596 wrote to memory of 4660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 4660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 4660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
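
The three identical rows record the 64-bit rundll32 (PID 4596) creating the 32-bit SysWOW64 rundll32 (PID 4660): when the DLL named on its command line is 32-bit, the System32 rundll32 re-launches itself from SysWOW64 with the same arguments, and the writes into the new process are part of process creation rather than injection. The crash that follows is also expected. ExecCmd.dll, nsDialogs.dll and System.dll sit in $PLUGINSDIR, the NSIS plugin directory, and NSIS plugin exports take the installer's stack and variable block as parameters, so calling export #1 through rundll32 hands them a window handle, module handle and command-line pointer instead and they fault. The Python below is an added example, not sandbox tooling, that encodes both rules as a triage filter. The process records are constructed from this run's process list: PIDs 4596 and 4660 are the report's, while the parent links and the PID 4700 given to WerFault are assumptions.

```python
"""Triage filter for rundll32-hosted NSIS plugins on 64-bit Windows.

Added example for this page, not sandbox tooling. Process records are
constructed from the behavioral26 process list: pids 4596 and 4660 are the
report's; the parent links and pid 4700 for WerFault are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# ntpath.normcase lowercases and normalises slashes, so comparisons below
# are case-insensitive like the Windows file system.
RUNDLL32_64 = ntpath.normcase(r"C:\Windows\System32\rundll32.exe")
RUNDLL32_32 = ntpath.normcase(r"C:\Windows\SysWOW64\rundll32.exe")

PLUGIN_CMD = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1"

PROCS = [
    Proc(4596, 1000, r"C:\Windows\system32\rundll32.exe", PLUGIN_CMD),
    Proc(4660, 4596, r"C:\Windows\SysWOW64\rundll32.exe", PLUGIN_CMD),
    Proc(4700, 4660, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 600"),
]

# The three identical rows under "Suspicious use of WriteProcessMemory".
WPM_EVENTS = [(4596, 4660)] * 3

_RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+(.+?),(\S+)\s*$', re.IGNORECASE
)


def rundll32_target(cmdline):
    """Return (dll_path, export) from a rundll32 command line, else None."""
    m = _RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return m.group(1).strip('"'), m.group(2)


def hosts_nsis_plugin(proc):
    """True when rundll32 was pointed at a DLL inside an NSIS $PLUGINSDIR."""
    target = rundll32_target(proc.cmdline)
    if target is None:
        return False
    dll_path, _export = target
    return "$pluginsdir" in ntpath.normcase(dll_path).split("\\")


def is_wow64_rundll32_relaunch(parent, child):
    """The 64-bit rundll32 re-executes itself from SysWOW64, same arguments,
    when the DLL it was given is 32-bit; the WriteProcessMemory calls into
    that child are ordinary process creation, not injection."""
    return (
        child.ppid == parent.pid
        and ntpath.normcase(parent.image) == RUNDLL32_64
        and ntpath.normcase(child.image) == RUNDLL32_32
        and parent.cmdline.strip() == child.cmdline.strip()
    )


def triage_wpm(events, procs):
    """Drop (source_pid, target_pid) pairs explained by the relaunch rule."""
    by_pid = {p.pid: p for p in procs}
    kept = []
    for src, dst in events:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s is not None and d is not None and is_wow64_rundll32_relaunch(s, d):
            continue
        kept.append((src, dst))
    return kept


def crash_verdict(proc):
    """NSIS plugin exports expect the installer's stack and variable block;
    rundll32 passes (HWND, HINSTANCE, cmdline, nCmdShow) instead, so the
    plugin dereferences garbage and faults. Label that as harness noise."""
    if hosts_nsis_plugin(proc):
        return "expected: NSIS plugin called outside the NSIS runtime"
    return "investigate"


if __name__ == "__main__":
    print("WriteProcessMemory events left after triage:", triage_wpm(WPM_EVENTS, PROCS))
    print("crash of pid 4660:", crash_verdict(PROCS[1]))
```

The same filter applies to the nsDialogs.dll and System.dll runs (behavioral17 and behavioral27) on this page, which show the identical system32 to SysWOW64 rundll32 pair followed by WerFault. A rundll32 child whose command line differs from its parent's, or whose DLL lives outside $PLUGINSDIR, is left in the alert list for a human.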

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4660 -ip 4660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:05

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 228

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win7-20240903-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\JpgToBmp.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\boot.exe N/A
N/A N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\TopTaskbar.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\RIC.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\uxtheme.dll.backup C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
File opened for modification C:\Windows\System32\uxtheme.dll.tmp C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
File created C:\Windows\System32\themeservice.dll C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
File created C:\Windows\System32\themeui.dll C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
File opened for modification C:\Windows\SysWOW64\themeui.dll.tmp C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
File created C:\Windows\SysWOW64\themeui.dll C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
File created C:\Windows\System32\uxtheme.dll C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
File opened for modification C:\Windows\System32\themeservice.dll.tmp C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
File created C:\Windows\System32\themeui.dll.backup C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
File created C:\Windows\System32\themeui.dll.tmp C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
File opened for modification C:\Windows\System32\themeui.dll.tmp C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
File created C:\Windows\SysWOW64\uxtheme.dll.backup C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
File created C:\Windows\SysWOW64\uxtheme.dll.tmp C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
File created C:\Windows\SysWOW64\themeui.dll.backup C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
File created C:\Windows\SysWOW64\themeui.dll.tmp C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
File opened for modification C:\Windows\System32\uxtheme.dll.backup C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
File created C:\Windows\System32\uxtheme.dll.tmp C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
File created C:\Windows\System32\themeservice.dll.backup C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
File opened for modification C:\Windows\SysWOW64\uxtheme.dll.backup C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
File opened for modification C:\Windows\SysWOW64\uxtheme.dll.tmp C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
File created C:\Windows\SysWOW64\uxtheme.dll C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
File created C:\Windows\System32\themeservice.dll.tmp C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe N/A
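
These rows are the signature of a system-DLL replacement: for each of uxtheme.dll, themeui.dll and themeservice.dll the patcher writes a <dll>.backup copy and a <dll>.tmp staging file and then creates the DLL itself, under System32 from UXTheme Patcher64.exe and under SysWOW64 from UXTheme Patcher.exe; the takeown.exe and icacls.exe instances listed under System Language Discovery further down are consistent with taking ownership of those protected files first. The outcome is patched copies of DLLs that most GUI processes load, which no longer carry a valid Microsoft signature, and that is the change on this host worth acting on. The ransomware tag on this report rests only on the wallpaper-registry signature that follows, which a theme installer is expected to trigger. The Python below is an added example, not sandbox output: it groups file-create events by DLL and reports every protected DLL that a non-Windows process both staged a side file for and wrote. The event list is constructed from the rows above (one overwrite row is deliberately left out, see the comment in the code), and the allow-list that trusts any writer under the Windows directory is a simplification.

```python
"""Flag protected-DLL replacement (backup copy, .tmp staging, overwrite) in
file events. Added example for this page, not sandbox output. Events are
constructed from the "Drops file in System32 directory" rows as
(action, path, process); the trusted-writer allow-list is a simplification.
"""
import ntpath
from collections import defaultdict

PROTECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SIDE_SUFFIXES = (".backup", ".tmp")

PATCHER64 = r"C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe"
PATCHER32 = r"C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe"
INSTALLER = r"C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe"

FILE_EVENTS = [
    ("File created", r"C:\Windows\System32\uxtheme.dll.backup", PATCHER64),
    ("File opened for modification", r"C:\Windows\System32\uxtheme.dll.tmp", PATCHER64),
    ("File created", r"C:\Windows\System32\uxtheme.dll", PATCHER64),
    ("File created", r"C:\Windows\System32\themeservice.dll", PATCHER64),
    ("File created", r"C:\Windows\System32\themeservice.dll.backup", PATCHER64),
    ("File created", r"C:\Windows\System32\themeservice.dll.tmp", PATCHER64),
    ("File created", r"C:\Windows\SysWOW64\uxtheme.dll.backup", PATCHER32),
    ("File created", r"C:\Windows\SysWOW64\uxtheme.dll.tmp", PATCHER32),
    ("File created", r"C:\Windows\SysWOW64\uxtheme.dll", PATCHER32),
    # SysWOW64\themeui.dll: the report also shows the overwrite, but it is
    # left out here so the output shows that side files alone do not fire.
    ("File created", r"C:\Windows\SysWOW64\themeui.dll.backup", PATCHER32),
    ("File created", r"C:\Windows\SysWOW64\themeui.dll.tmp", PATCHER32),
    # Constructed benign rows: the installer writing under Program Files,
    # and Windows servicing touching System32.
    ("File created", r"C:\Program Files (x86)\Jelly Bean Skin Pack\RIC.exe", INSTALLER),
    ("File created", r"C:\Windows\System32\uxtheme.dll", r"C:\Windows\servicing\TrustedInstaller.exe"),
]


def in_protected_dir(path):
    return ntpath.normcase(ntpath.dirname(path)) in PROTECTED_DIRS


def is_trusted_writer(process):
    """Coarse allow-list: binaries under the Windows directory are expected
    to write System32. A production rule would check the signer instead."""
    return ntpath.normcase(process).startswith(r"c:\windows\\"[:-1])


def canonical_target(path):
    """Map <dll>, <dll>.backup and <dll>.tmp to the lower-cased <dll> path."""
    low = ntpath.normcase(path)
    for suffix in SIDE_SUFFIXES:
        if low.endswith(suffix):
            return low[: -len(suffix)]
    return low


def find_dll_replacements(events):
    """Return {dll: {'process': [...], 'side_files': [...]}} for each protected
    DLL that a non-Windows process both staged a side file for and wrote."""
    touches = defaultdict(lambda: {"process": set(), "suffixes": set()})
    for _action, path, process in events:
        if not in_protected_dir(path) or is_trusted_writer(process):
            continue
        key = canonical_target(path)
        touches[key]["process"].add(process)
        touches[key]["suffixes"].add(ntpath.normcase(path)[len(key):])
    findings = {}
    for key, info in touches.items():
        side = info["suffixes"] & set(SIDE_SUFFIXES)
        if "" in info["suffixes"] and side:
            findings[key] = {"process": sorted(info["process"]), "side_files": sorted(side)}
    return findings


if __name__ == "__main__":
    for dll, info in find_dll_replacements(FILE_EVENTS).items():
        print(dll, "replaced by", info["process"], "via", info["side_files"])
```

On the constructed events the function reports System32\uxtheme.dll, System32\themeservice.dll and SysWOW64\uxtheme.dll and stays silent on SysWOW64\themeui.dll, whose overwrite row was withheld. On a live host the confirming check is `sfc /verifyfile=C:\Windows\System32\uxtheme.dll` or Get-AuthenticodeSignature on the three DLLs: a patched copy fails both, and the .backup files the patcher left beside them are the originals to restore from.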

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\Android.bmp" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerGallaryView\Main0.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Icons\Skype_mirror.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\ProtoTree\sep.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerGallaryView\main2.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\37.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\HTCHome_En\Icons\snow.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\54.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Languages\1040.ini C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\AstroLife\separator.ini C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\CrystalXP.net\background.ini C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Images\logo.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\169.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.ini C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\1027.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3095.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Languages\1038.ini C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12299.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\5102.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\ActionCenter.dll\7.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12317.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3029.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3032.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\HTCHome_En\Icons\wind.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Images\hub_button.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\5002.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Icons\Action complete_mirror.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\ProtoSea\bg.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerDirverdock\Icons\DriveD.PNG C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\HTCHome_En\Icons\moon-1.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\batmeter.dll\batmeter.dll.txt C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12287.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\anddroid 2.0 dock\back.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Update\update.URS C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe C:\Program Files (x86)\Jelly Bean Skin Pack\boot.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\183.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\38.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\97.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\ActionCenter.dll\5.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12273.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\3072.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Icons\angrybirds_mirror.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\AstroLife\background.ini C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\158.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\HTCHome_En\Icons\moon-15.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Data\Style.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Languages\1043.ini C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\Milk2\Separator.ini C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Data\Behavior.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Strings\AutoCompletion.ini C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\164.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Backup\iexplore.exe C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerDirverdock\Icon.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerUptime\main.xul C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\84.ico C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\ExplorerFrame.dll\291.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Languages\1052.ini C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\ProtoClay\sep.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerRSS\main0.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerWeahter\icons\flurries.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Lang\Ï_ÏÝÏÚÏÚÏ_Ï_Ï_.txt C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12226.bmp C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\AppData\Widgets\EkerAppstab\Icon.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Template\VolumeTemp\fill.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Icons\LG Optimus One_mirror.png C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Cursors\Android\Help Select.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\resources\Themes\Android\Android.msstyles C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Web\Wallpaper\Android.jpg C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Handwriting.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Horizontal Resize.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Working In Background.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Android.bmp C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\JpgToBmp.exe N/A
File created C:\Windows\Cursors\Android\Unavailable.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Vertical Resize.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Diagonal Resize 1.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Move.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Normal Select.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Text Select.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Precision Select.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\resources\Themes\Android.theme C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\resources\Themes\Android\Shell\NormalColor\shellstyle.dll C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Alternate Select.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Busy.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Diagonal Resize 2.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
File created C:\Windows\Cursors\Android\Link Select.ani C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\JpgToBmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\RIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\TopTaskbar.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Jelly Bean Skin Pack\boot.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\Wait = "%SYSTEMROOT%\\Cursors\\Android\\Busy.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\No = "%SYSTEMROOT%\\Cursors\\Android\\Unavailable.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\UpArrow = "%SYSTEMROOT%\\Cursors\\Android\\Alternate Select.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\NWPen = "%SYSTEMROOT%\\Cursors\\Android\\Handwriting.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\SizeWE = "%SYSTEMROOT%\\Cursors\\Android\\Horizontal Resize.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\Crosshair = "%SYSTEMROOT%\\Cursors\\Android\\Precision Select.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\SizeNWSE = "%SYSTEMROOT%\\Cursors\\Android\\Diagonal Resize 2.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\SizeAll = "%SYSTEMROOT%\\Cursors\\Android\\Move.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\Hand = "%SYSTEMROOT%\\Cursors\\Android\\Link Select.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\SizeNS = "%SYSTEMROOT%\\Cursors\\Android\\Vertical Resize.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\IBeam = "%SYSTEMROOT%\\Cursors\\Android\\Text Select.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\SizeNESW = "%SYSTEMROOT%\\Cursors\\Android\\Diagonal Resize 1.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\Arrow = "%SYSTEMROOT%\\Cursors\\Android\\Normal Select.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\Help = "%SYSTEMROOT%\\Cursors\\Android\\Help Select.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Cursors\AppStarting = "%SYSTEMROOT%\\Cursors\\Android\\Working In Background.ani" C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeUndockPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege, LUID not resolved to a name by the sandbox) N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 34 (SeTimeZonePrivilege, LUID not resolved to a name by the sandbox) N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege, LUID not resolved to a name by the sandbox) N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeUndockPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege, LUID not resolved to a name by the sandbox) N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 34 (SeTimeZonePrivilege, LUID not resolved to a name by the sandbox) N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege, LUID not resolved to a name by the sandbox) N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeUndockPrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe
PID 2052 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe
PID 2052 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe
PID 2052 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe
PID 1708 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\takeown.exe
PID 1708 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\takeown.exe
PID 1708 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\takeown.exe
PID 1708 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\takeown.exe
PID 1708 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\takeown.exe
PID 1708 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\takeown.exe
PID 1708 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\takeown.exe
PID 1708 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\takeown.exe
PID 1708 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\takeown.exe
PID 1708 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 1708 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe C:\Windows\System32\icacls.exe
PID 2052 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe
PID 2052 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe
PID 2052 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe
PID 2052 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe
PID 2052 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe
PID 2052 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe
PID 2052 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe
PID 584 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\takeown.exe
PID 584 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\takeown.exe
PID 584 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\takeown.exe
PID 584 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\takeown.exe
PID 584 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\takeown.exe
PID 584 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\takeown.exe
PID 584 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\takeown.exe
PID 584 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\icacls.exe
PID 584 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\takeown.exe
PID 584 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\takeown.exe
PID 584 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\takeown.exe
PID 584 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\takeown.exe
PID 584 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe C:\Windows\SysWOW64\takeown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\29f9cfeda401c46c17767ee0c60359fa_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe

"C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe" -silent

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /f C:\Windows\System32\uxtheme.dll

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Windows\System32\uxtheme.dll /grant %username%:F

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Windows\System32\uxtheme.dll /grant *S-1-1-0:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /f C:\Windows\System32\themeservice.dll

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Windows\System32\themeservice.dll /grant %username%:F

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Windows\System32\themeservice.dll /grant *S-1-1-0:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /f C:\Windows\System32\themeui.dll

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Windows\System32\themeui.dll /grant %username%:F

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Windows\System32\themeui.dll /grant *S-1-1-0:(F)

C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe

"C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe" -silent

C:\Windows\SysWOW64\takeown.exe

"C:\Windows\System32\takeown.exe" /f C:\Windows\System32\uxtheme.dll

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Windows\System32\uxtheme.dll /grant %username%:F

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Windows\System32\uxtheme.dll /grant *S-1-1-0:(F)

C:\Windows\SysWOW64\takeown.exe

"C:\Windows\System32\takeown.exe" /f C:\Windows\System32\themeui.dll

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Windows\System32\themeui.dll /grant %username%:F

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Windows\System32\themeui.dll /grant *S-1-1-0:(F)

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\imageres.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\imageres.dll.xpize" "C:\Windows\system32\imageres.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\ActionCenter.dll\ActionCenter.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\ActionCenter.dll.xpize" "C:\Windows\system32\ActionCenter.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imagesp1.dll\imagesp1.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\imagesp1.dll.xpize" "C:\Windows\system32\imagesp1.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\authui.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\authui.dll.xpize" "C:\Windows\system32\authui.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\batmeter.dll\batmeter.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\batmeter.dll.xpize" "C:\Windows\system32\batmeter.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\pnidui.dll\pnidui.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\pnidui.dll.xpize" "C:\Windows\system32\pnidui.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\SndVolSSO.dll\SndVolSSO.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\SndVolSSO.dll.xpize" "C:\Windows\system32\SndVolSSO.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\stobject.dll\stobject.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\stobject.dll.xpize" "C:\Windows\system32\stobject.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\basebrd.dll\basebrd.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\Branding\Basebrd\basebrd.dll.xpize" "C:\Windows\Branding\Basebrd\basebrd.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\ExplorerFrame.dll\ExplorerFrame.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\ExplorerFrame.dll.xpize" "C:\Windows\system32\ExplorerFrame.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\shellbrd.dll\shellbrd.dll.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\Branding\ShellBrd\shellbrd.dll.xpize" "C:\Windows\Branding\ShellBrd\shellbrd.dll"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\explorer.exe\explorer.exe.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\explorer.exe.xpize" "C:\Windows\explorer.exe"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\iexplore.exe\iexplore.exe.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Program Files (x86)\Internet Explorer\iexplore.exe.xpize" "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\notepad.exe\notepad.exe.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\notepad.exe.xpize" "C:\Windows\system32\notepad.exe"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\wmplayer.exe\wmplayer.exe.txt"

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Program Files (x86)\Windows Media Player\wmplayer.exe.xpize" "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\JpgToBmp.exe

C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\JpgToBmp.exe C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\Android.jpg - C:\Windows\Web\Wallpaper\Android.bmp

C:\Program Files (x86)\Jelly Bean Skin Pack\boot.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\boot.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\Skin Pack\android4\install.cmd" "

C:\Program Files (x86)\Skin Pack\android4\Win7BootUpdaterCmd.exe

Win7BootUpdaterCmd boot.bs7

C:\Program Files (x86)\Jelly Bean Skin Pack\TopTaskbar.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\TopTaskbar.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\Skin Pack\Lion\KEX.cmd" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Program Files (x86)\Jelly Bean Skin Pack\RIC.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\RIC.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\Skin Pack\refresh icon\ric7.cmd" "

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:\Users\Admin\AppData\Local\IconCache.db"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

"C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe" "C:n\AppData\Local\IconCache.db"
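
The process list above is the whole attack surface of this sample in miniature: takeown.exe seizes ownership of uxtheme.dll, themeservice.dll and themeui.dll, icacls.exe then grants %username% and the Everyone SID (*S-1-1-0) full control, ResHacker.exe rewrites resources from a script, and MoveEx.exe drops the patched copy (*.xpize) over the original system binary, including explorer.exe, authui.dll and imageres.dll. Two details matter when reading it. The second patcher, UXTheme Patcher.exe, is 32-bit, so its takeown/icacls children run from SysWOW64 and WOW64 file-system redirection turns their C:\Windows\System32\ targets into the SysWOW64 copies of those DLLs. And whether the literal %username% is expanded depends on whether the patcher went through cmd.exe; the *S-1-1-0:(F) grant that follows needs no expansion, which is why it is the one to alert on. The WriteProcessMemory rows earlier all pair a parent with a child it has just spawned (the same pairs appear in the process tree), so they are treated here as process-creation telemetry rather than injection. The following Python is an added detection example, not part of the sandbox report or of any product: it replays those command lines through a small rule set that flags ownership seizure, write-capable ACL grants, scripted resource editing and binary replacement on protected paths, and correlates the takeown plus icacls pair per file. The rule names, severities, the protected-path list and the WORLD_WRITABLE grantee set are this example's own assumptions, and the last two sample events are constructed benign lines that must not fire.

```python
"""Rule-based detection over process-creation telemetry: flags the
takeown -> icacls -> ResHacker/MoveEx chain that this report's Processes
section shows running against protected Windows binaries."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry as (image path, command line). The first seven
# entries are copied from the Processes section above; the last two are benign
# control lines that the rules must not flag.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\takeown.exe",
     '"C:\\Windows\\System32\\takeown.exe" /f C:\\Windows\\System32\\uxtheme.dll'),
    ("C:\\Windows\\System32\\icacls.exe",
     '"C:\\Windows\\System32\\icacls.exe" C:\\Windows\\System32\\uxtheme.dll /grant %username%:F'),
    ("C:\\Windows\\System32\\icacls.exe",
     '"C:\\Windows\\System32\\icacls.exe" C:\\Windows\\System32\\uxtheme.dll /grant *S-1-1-0:(F)'),
    ("C:\\Windows\\SysWOW64\\takeown.exe",
     '"C:\\Windows\\System32\\takeown.exe" /f C:\\Windows\\System32\\themeui.dll'),
    ("C:\\Program Files (x86)\\Jelly Bean Skin Pack\\Tools\\ResHacker.exe",
     '"C:\\Program Files (x86)\\Jelly Bean Skin Pack\\Tools\\ResHacker.exe" -script '
     '"C:\\Program Files (x86)\\Jelly Bean Skin Pack\\Resources\\explorer.exe\\explorer.exe.txt"'),
    ("C:\\Program Files (x86)\\Jelly Bean Skin Pack\\Tools\\MoveEx.exe",
     '"C:\\Program Files (x86)\\Jelly Bean Skin Pack\\Tools\\MoveEx.exe" '
     '"C:\\Windows\\explorer.exe.xpize" "C:\\Windows\\explorer.exe"'),
    ("C:\\Windows\\SysWOW64\\taskkill.exe", "taskkill /f /im explorer.exe"),
    ("C:\\Windows\\System32\\icacls.exe",
     "icacls C:\\Users\\Admin\\Documents\\notes.txt /grant Admin:F"),
    ("C:\\Windows\\System32\\takeown.exe",
     "takeown /f C:\\Users\\Admin\\Downloads\\old.zip"),
]

PROTECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                      "c:\\windows\\branding\\", "c:\\program files\\",
                      "c:\\program files (x86)\\")
# Grantees that make a file writable by every (or nearly every) local account.
WORLD_WRITABLE = {"*s-1-1-0", "everyone", "*s-1-5-11", "authenticated users",
                  "*s-1-5-32-545", "users"}
WRITE_RIGHTS = {"F", "M", "W"}        # icacls simple rights that permit modification
REPLACEMENT_TOOLS = {"moveex.exe", "xcopy.exe"}   # assumed: tools that copy/move over a target


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    target: str
    detail: str


def tokenize(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def is_protected(path):
    """True under System32/SysWOW64/Branding/Program Files, or directly under C:\\Windows."""
    p = path.lower()
    return p.startswith(PROTECTED_PREFIXES) or (p.startswith("c:\\windows\\") and p.count("\\") == 2)


def effective_path(image, path):
    """A 32-bit tool (image under SysWOW64) that opens C:\\Windows\\System32\\... is
    redirected by WOW64 to the SysWOW64 copy; return the file it really touched."""
    if image.lower().startswith("c:\\windows\\syswow64\\") and path.lower().startswith("c:\\windows\\system32\\"):
        return "C:\\Windows\\SysWOW64\\" + path[len("C:\\Windows\\System32\\"):]
    return path


def analyze(events):
    """Apply the per-tool rules to (image, command line) pairs and return findings in order."""
    findings = []
    for image, cmd in events:
        tool = image.rsplit("\\", 1)[-1].lower()
        args = tokenize(cmd)[1:]                       # drop argv[0]
        lower = [a.lower() for a in args]
        if tool == "takeown.exe":
            for i, a in enumerate(lower):
                if a == "/f" and i + 1 < len(args):
                    target = effective_path(image, args[i + 1])
                    if is_protected(target):
                        findings.append(Finding("ownership_seizure", "medium", target, cmd))
        elif tool == "icacls.exe" and args:
            target = effective_path(image, args[0])
            if not is_protected(target):
                continue
            for i, a in enumerate(lower):
                if not a.startswith("/grant"):
                    continue
                for spec in args[i + 1:]:              # one or more grantee:rights specs follow
                    if spec.startswith("/"):
                        break
                    grantee, _, rights = spec.partition(":")
                    if set(re.findall(r"[A-Z]", rights.upper())) & WRITE_RIGHTS:
                        sev = "high" if grantee.lower() in WORLD_WRITABLE else "medium"
                        findings.append(Finding("acl_weakening", sev, target, f"{grantee} granted {rights}"))
        elif tool in REPLACEMENT_TOOLS and len(args) >= 2:
            dest = effective_path(image, args[1])
            if is_protected(dest):
                findings.append(Finding("system_binary_replacement", "high", dest, f"overwritten from {args[0]}"))
        elif tool in ("reshacker.exe", "resourcehacker.exe"):
            if "-script" in lower and lower.index("-script") + 1 < len(args):
                findings.append(Finding("resource_editor_scripted", "low", args[lower.index("-script") + 1], cmd))
        elif tool == "taskkill.exe" and lower[-2:] == ["/im", "explorer.exe"]:
            findings.append(Finding("shell_kill", "low", "explorer.exe", cmd))
    return findings


def correlate(findings):
    """Targets on which ownership was seized AND a write-capable ACE was added:
    the complete pre-overwrite sequence, worth raising as one critical event."""
    rules_by_target = defaultdict(set)
    for f in findings:
        rules_by_target[f.target.lower()].add(f.rule)
    return {t for t, rules in rules_by_target.items() if {"ownership_seizure", "acl_weakening"} <= rules}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity:6}] {f.rule:26} {f.target}  ({f.detail})")
    print("chained targets:", sorted(correlate(found)))
```

Run it as-is to see the seven findings and the single correlated target (uxtheme.dll, the only file whose takeown and icacls both appear in the sample). On a real host the same rules sit naturally over Sysmon event 1 or Windows 4688 with command-line auditing enabled; the correlation key is the effective file path, so the redirected 32-bit patcher is attributed to SysWOW64\themeui.dll rather than to the 64-bit DLL it named on its command line.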

Network

Country Destination Domain Proto
US 8.8.8.8:53 installer.filebulldog.com udp
US 54.161.222.85:80 installer.filebulldog.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 104.26.7.37:443 www.hugedomains.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

\Users\Admin\AppData\Local\Temp\nsj758F.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsj758F.tmp\Banner.dll

MD5 0116a50101c4107a138a588d1e46fca5
SHA1 b781dce23e828cf2b97306661c7dad250a6aaf77
SHA256 ab80cf45070d936f0745f5e39b22e6e07ba90aa179b5ec4469ef6e2cb1b9ef6b
SHA512 55de6aeaad05b01a25828553d3ea9f1b32a8b0c35c42dc6106bed244320e3421ec6a6f5359b15f9d18dd1e9692ca5572b2736d9d48cceb07b9443601d00a5988

\Users\Admin\AppData\Local\Temp\nsj758F.tmp\inetc.dll

MD5 f02155fa3e59a8fc48a74a236b2bb42e
SHA1 6d76ee8f86fb29f3352c9546250d940f1a476fb8
SHA256 096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999
SHA512 8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

memory/2052-43-0x00000000025A0000-0x00000000025C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsj758F.tmp\xml.dll

MD5 42df1fbaa87567adf2b4050805a1a545
SHA1 b892a6efbb39b7144248e0c0d79e53da474a9373
SHA256 e900fcb9d598643eb0ee3e4005da925e73e70dbaa010edc4473e99ea0638b845
SHA512 4537d408e2f54d07b018907c787da6c7340f909a1789416de33d090055eda8918f338d8571bc3b438dd89e5e03e0ded70c86702666f12adb98523a91cbb1de1d

\Users\Admin\AppData\Local\Temp\nsj758F.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

\Users\Admin\AppData\Local\Temp\nsj758F.tmp\nsExec.dll

MD5 acc2b699edfea5bf5aae45aba3a41e96
SHA1 d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher64.exe

MD5 5eac71e2ab8b58f00da48a21becb586f
SHA1 57fe7ac0196a04b535615f19b0758e75071a9943
SHA256 196756bea46f45de4b8e2eedebd51df8222f627f1eb9c2876d927718c85286e9
SHA512 2345d45a9d2b163d2a550808ab2af72748e80615e9d7965d40642b80cf53c3eab3ad07cbfed6b8b97ea1656436306919de6e74fef9f62c62456bd058c70830ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e31330bfdf1ebceb9cc86344a979e933
SHA1 a17668a57e4027176792f3a59b2150284d9fb492
SHA256 38f3797a185aa7135c8e314a387764d9f17010d0059852e7310512770c56ea37
SHA512 9c13487c667121b17caefaba4316a8988e4c06d4dd75e0e1703c56e389898bcf25620d09a377dfdce785b3d9cf194baca1ba950c5e7e14e31a0023557a1fae5d

C:\Users\Admin\AppData\Local\Temp\CabE428.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Windows\System32\uxtheme.dll

MD5 8bf20c54ffb37cfb960f708ffa813fa7
SHA1 227b5cc038dd4297b8bd3583c2eced25b081b25a
SHA256 638c59147dd0272bd2b32af704314e748558d74d22d0777c99fa240fea1ef41b
SHA512 2389b3fee6101209a4604eb9ab6452f7a12b0fb70122eed42c8bd47c837033ce5cfb2ad08b2e9d92fb68642fbf5fdcb3c00aee1099bf3d946d741f1c87052d18

\Windows\System32\uxtheme.dll.backup

MD5 d29e998e8277666982b4f0303bf4e7af
SHA1 e803b0af61ea2ddcd58b5a63b1cfbb73266318ea
SHA256 4f19ab5dc173e278ebe45832f6ceaa40e2df6a2eddc81b2828122442fe5d376c
SHA512 f89ae9153fc718c1f72a8a555e08b599516b0f16e678762bc03a2ba74aad735d591635e159d40470254bdf4ceb8d7a96d47d431f3e34b384fc2aec1fb9281bbd

C:\Windows\System32\themeservice.dll

MD5 9201be2bab8a9ff8e20d8439ae3bb04d
SHA1 19bd1e2512e477e263f8fbc0fe594bd1686b2484
SHA256 d973c4fe5b8d02b15476d72b49105840a04dbff8bcb77117c0354d046e6c02fb
SHA512 fb6eae38d112eaab15cef451ed2d5f1d2e49a3e516f65a1366f9fb7bc0f337a80dadd02f7e089c6c59430ad1fa111a68aa6791c8f03a30c223265b9499487556

\Windows\System32\themeservice.dll.backup

MD5 f0344071948d1a1fa732231785a0664c
SHA1 af0e3bcf1f56b5a89cdb2b1dca66a0140564c041
SHA256 db9886c2c858faf45aea15f8e42860343f73eb8685c53ec2e8ccc10586cb0832
SHA512 263a8bc5f6b79da1345cfc5070cbd1a334f978ead127d958b264e86f0a6283ea62f1eb4a13c6b8f37b388954a4e314934b45088efc56353d249ddf2b51e96d5b

memory/1708-151-0x000007FEFBC30000-0x000007FEFBC86000-memory.dmp

C:\Windows\System32\themeui.dll

MD5 15150f4c82f9074250dff31950781f5a
SHA1 7c9e33e48bc095b49cd500bf8564d39b2d245688
SHA256 1f722dac2a51a6659a2b72950bb4d1dccb33dff3bd0ea6b05675f21c9558a90b
SHA512 49002032d235ed33ec0f2b38257c83a65eb527b743ebc98d572fdf68a5146fde94d6ecf3650157e5a309166b29f79e377173e651905ad456296eafc649ec6f34

C:\Windows\System32\themeui.dll.backup

MD5 2c647abe9a424e55b5f3dae4629b4277
SHA1 4182d231d6e1e07a713c3120518f5debdf89aa78
SHA256 7b33009d253bafff87535c075e75498b6a06f334035ddc0df51e10a142b4df9e
SHA512 575a9a81ad59ba6507df051d9085a177a15c03d6ee8a573956f60dd3080acea771038b3c0819f6d11b8e127b5e399610f40a181e3a4a2002b63361e4642b233f

memory/1708-178-0x000007FEFBC30000-0x000007FEFBC86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\UXTheme Patcher.exe

MD5 c35efaa15f6f1da888efc247e886389d
SHA1 e3f35519380a564ff62f5ea2fa95fd5bca38bb1a
SHA256 558f6e38c300957234231234c44ccf41217182677e859c9005a51094bdf01794
SHA512 fd3d27271cab60f51929a4e92cccd0ce2edf8c95fd2db6cc957620ff2f7522e644b67862ec7803e6068f5ae75caedad9daae3dafdd4b7f4898c618c8498dca16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6

MD5 5e275db761aa5a23ac651af8f6c4a000
SHA1 583fe93323b8fee3be1469f2d1bfc16a091ebc70
SHA256 3b9b2f75b724fe5354d24a0ef729b8a2aaa8a9313166eafb1f73b07cf1a745ef
SHA512 892fd01ee561591cee4d00ae4cd3cc91a07587c097d6969f8392af87582f93c259c52dae17d161e22ba12bf47b0d4d9953cddcb7df91a4a0e4de1a9873c936ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6

MD5 d3f38f1385b460cff1f31aca69fe625b
SHA1 40febadc45157771bce414f19d32310cdf3281bb
SHA256 6c4948fa56a639ecea9ee562c5255ecf706c3eae3693751d9904322b54a6246f
SHA512 1a774672276dd11f8a5ca91f7a380f615b61901141bf7af5514ccc5fc9fc5fcdcb72457b1ce391d3a970b8da692e57129d71e1cb94255fb119b5da8ece8386e4

C:\Users\Admin\AppData\Local\Temp\Tar25BA.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Windows\SysWOW64\uxtheme.dll.tmp

MD5 5791d764ef253b4400b53d15ae6a5c17
SHA1 d197f0ca64552ae0a858582ae94e58aeb2e4a283
SHA256 9771210f4de326d030260c95988f9862e1e93770fb318909adeb3dd7f15882aa
SHA512 96e28598146268fb258da5d0d204103c4056d3b2c56c2584dd631f611ce53e40aa9256146d43b948c29835ab026bbc41d6d275dbf58c1eb3863f52046e01ea21

\Windows\SysWOW64\uxtheme.dll.backup

MD5 43964fa89ccf97ba6be34d69455ac65f
SHA1 391fa4e8020c872311e8a7daf6540687133f9496
SHA256 10e3b89a5470e1bb6f73382135dd2352f5073c1ee8485d7476cfb5122d4aaa2f
SHA512 b87b15bf18b51181971b702a3bec476db263c248f619541d1c8ced30c0d401dfd4b77a5ceb56a0a39e12cf3962b5ac62dbddee7cb5fcdf8d3cf14da898858511

C:\Windows\SysWOW64\themeui.dll.tmp

MD5 1d81652c6689543c4965fb13698400ed
SHA1 9d269c05c7586368946d1755352d52f32ccbd148
SHA256 8d8f9b41d4e26fa65f04fdd18a50926d930b45925a5ae813c0cd72e582c110a8
SHA512 7cc1f5d668c05444eeb0322fabce1a1b0fc3febfecc7c32c255d5989b1d64ebf1535b4b00a340e25788584943f60014bb3f1ff35217de803763365825df5ff06

\Windows\SysWOW64\themeui.dll.backup

MD5 5992a9df57fd5e6960fdcc2db69867f7
SHA1 c5db35169d1ca2db1a8450f49a9aa0a52facdc05
SHA256 9be3a7bedb18ab9399d2b665ee9edc553e63599f51d98a1b43e6aeb0c1e1b166
SHA512 3c118e0d263c85d04bcb0fbd169da859310e5c4f286a215e84b307fcd3944147faa44e24e6c7dfcd0a3ebf0fb09410c421316e18c934ec822d6b74cbab0af34c

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\139.ico

MD5 715f0b190a960689dd412d2afa82520b
SHA1 9f08dea801d368ed181842b91e894b9145616c41
SHA256 84567059fc3215de5a0f30c1fbecc8ee0486028b15e303cf184ddf2bd4feb4f8
SHA512 cb0b2dbc3c156f66e686dadc3665ef832bdc3b418f00ec80debe178b10a9372af8935c4c0a388a01c5d82ff5db9863ce31fdf8d94a71ff4b06ad2908810996e2

\Program Files (x86)\Jelly Bean Skin Pack\Tools\ResHacker.exe

MD5 2f92eed4e2061af0961f379e9ded70d6
SHA1 8b58dcd428759d3633a14bcfc62a8cb6deb66de5
SHA256 52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f
SHA512 909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\imageres.dll.txt

MD5 f3bd97a52850eab52d4f316a283675c2
SHA1 99d44c7f2d32409985a814264eb8f2ae0f35d553
SHA256 f0635f35c1d17c30ca85e5981cecc53289d0ebcba8656a3f136538df8fb61e29
SHA512 749f2ab73755f69a74a9fb0937686d1e20c1cd7499e21bd7ff91d86e40331683f46a28a8592a7aad8508cc4496687bdf3e76a60f34733ee02c823fdecc1ec020

C:\Program Files (x86)\Jelly Bean Skin Pack\Backup\imageres.dll

MD5 5aa945234e9d4cce4f715276b9aa712c
SHA1 dba3c8cecb3f8d4b1d96265d8519dbe0e911f446
SHA256 65165bd131056816f009d987fc78ac86ffe0c3c38a27e73f873586b7ff4d59cf
SHA512 acf0d5706662b3f4abb68b94aad9155c17dc74ccf3a92ed97c9bc2abdf4f8fd32705bb7692836452304301605561121b4ef2b82b81563f9bf2a9d1c71e8c6233

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\10.ico

MD5 aaed38c42cce0a117c2af4070acf547b
SHA1 fc62b3f47dda6ee18533f8d75e52ed6102229112
SHA256 b953273f395101a1a7bc36ae3b28cf3764461b98bd2828c25dafcfd40f56d67d
SHA512 f2b98f46441890d2e00ec56d5650c3855f3f9142975293fb1d70f3900465e848ac8c278c02924faa84ae296d42b3469df11d485c0a34018d482814e052cea6f7

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\100.ico

MD5 f3fef05aa7d32e428638748ee0d8deba
SHA1 4c8ccff5e575e6bd426e29be031f16c46c22b26f
SHA256 4c403078b43007bed8313c84ee6249e4737111bdaf5045c07f1dcfe9c4f13fe5
SHA512 40aa3f8ad10abdf17cac0e420eb481b14f0ab386bf7fe2d61a97ed97ca8eb5952fd13e4f0acd4c110b0309b82a832e6a5ea5c64f271cf710f928bb78a3dcfa15

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\1001.ico

MD5 786854f900ee99aa539de7a260803194
SHA1 baa7ddff312708d9b495ffca031a9b5eb535dfcc
SHA256 f4729c750e558beca9b0fb5a7104c108b8d44ead5c0498a6a8f2000776348680
SHA512 44d5fb095c33cbec1b3f541e5bc12f1768894ac732f1801f66eb51439ebce83a723ff7794eff58207cb6870f80ecbed531e1f1ebe096618912a59a1cd0a9279e

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\1002.ico

MD5 b436eaa208518ed9c06d1264a89e7f5f
SHA1 09b4075aa51e57743f1a43070ee6f4fa22c0db02
SHA256 7ec6ff679c7dc9aa6b635e50dc96bee87c441d0a878af49a4110d8dc99c30841
SHA512 a4c467f1b612f2ca7d3ef472a8edaec1f65173833ff2c42bda505c37a058945d97d55520cc56b4f7785d1a5c3c09d46500deb530c27beecb6b95696ba01eae1d

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\1003.ico

MD5 260cda0a22e0d2059f0e32e601431df1
SHA1 8c68237a675f66a6e54e2e71535a942a32d53b38
SHA256 7b8d9d216dc08ab639a91f1054c09808303dd08746f94fc035d9653fd9a06061
SHA512 94fe90b1bef0bed0c104f16dd3f6f50b192f3ed1aa072b2c685574a6a596c524cb7841f9687c4fd39e0c6d5998e83393d48ad2c78dab1b5f8f793ebb49d01133

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\1004.ico

MD5 eef26eac36cd3b70f4217562b7f8edbb
SHA1 dbad65fe68d7bbb2d4c88e97e811510d86e0c50c
SHA256 7f599e595effcbb8e797bee64d6be469760507eccfca7d2e0ccf8eed255d337d
SHA512 36eca14cc44f041628848d16896bdc90ff977c360e672a3dec46228eec43574c39e474943839ee061d417d63cb94503af865649d44c8af074da12daa658e1e1e

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\1005.ico

MD5 0198130230232c6628df2d3b9d72610a
SHA1 47b5158277a0ec29e0b1c780de11047dec3aa1db
SHA256 e6ccff9a2608d7fb69b835dcec9192ef572eac16c044f4ce7d7979eb0dca1764
SHA512 5afc244c0879b9a10918fd437c916e39fbe9f4fdeee248de54e33b592c5bbe95dcee3338f25d2da49dbf301698cf51047bd01682289823925705cc0f8e7b240e

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\1008.ico

MD5 d5064688362678ed6d5e537f5f094dd5
SHA1 9dbb835c0a9012649cc7d7611197d29d86632468
SHA256 163056c50fc25167914a2acd6ed1103fe95f11529ca58b7b30bdadf01413bd34
SHA512 5cc745555829420f3ec90faeed02dcf75861b907c5bf816609b56b34ca85d0ab37582390ff8c08d8fc6cba7f7419d45c1bf10d4e6de12fd4cdc8bd7295e3faf8

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\101.ico

MD5 5e16d2fc751aa0ce5d3295e0b65122d0
SHA1 a33278a0a64e28d31155a10aff52f2bfb58f8b5d
SHA256 eef9a08ff74a36a8922f9daa0629605797a158604fbbeda9f29797d57cdc3474
SHA512 6a5953afc4662eb433d4e55071db4b7f98ce321c2336d8e5b794f22749a529eca1abd1c9662a0adde7b3c7f56dcabb8018139f7ffb7f33140bd6178d7f25193a

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imageres.dll\1010.ico

MD5 ab15323eaaac751c58672192a87b5092
SHA1 dfe5c65f349140b3e756b447bdc087e72deaa117
SHA256 f9bea74509fe114c973eea136d7fb26d3f653289dff1b83bb6fc17281155fcad
SHA512 27a1b9216d8deae0ec86b8878e655081773c9d779a29be89379204da9e3a38492dcc62bbea398eaf26afb15c93dd5c400a0f15c01bfa54c30a642b9a511af372

memory/3020-499-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2788-507-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2876-520-0x0000000000400000-0x0000000000502000-memory.dmp

C:\Program Files (x86)\Jelly Bean Skin Pack\Tools\MoveEx.exe

MD5 fdc7b5defae116802a0f695d789d3a35
SHA1 2a7bbda9bdb9df297a174a6ade11b282cd5d558b
SHA256 e0017fb1874641754b228fe0d50e23302e69b93e4331d535c6fe6d0c22199629
SHA512 4c9d2e6a44438d816ae6fa35525ad4c018bfb5a43f4ebb7f7843eaae9617241cc0ca98b1d31f38d7f4edfc4c184123b632071351ca00c6c05c8eb721a8f3bf4a

C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\ExecCmd.dll

MD5 b1d08c24cad3f8f6ccd6b9ebd24d30c0
SHA1 d01549db25d0345c05d3c2eb90b173f937966ce5
SHA256 c4b6ff0091b3401670c8c6d3cb337d3ba0c2a514e66b0ea3501bb7ef78ddba69
SHA512 9cb5735c86cdf8d126268b7b2ec8fafd654d69bdfe5336d54b7d44b5ac8e1174836c487bb4aa40517516a55323bf9f916a96753c8dd2bc9b2d481071c9d9fbf8

memory/2852-527-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\imagesp1.dll\208.ico

MD5 d6aa3deb9677e17c6a02209255c10217
SHA1 cb98d1e746b9648f7e376089bc4ae7286c23efec
SHA256 a8a1946eaa7ec9c2a3a67af760fc20b3ec2fea471897ae2ef579396fc4b7b4fc
SHA512 679ec74339b76b7818258cd87897c7c4a5c1e1f2e10b2c2a3a790de3f29d7286ccbca5dc871728ecfa1d92e80fcbcf400116fe5d2d1d298701931a16213c14f6

memory/2684-545-0x0000000000400000-0x0000000000502000-memory.dmp

memory/3048-552-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12269.bmp

MD5 e3f1d45510350054bce2567316220c22
SHA1 929dcc5b84b75c0359ea26e64b5a88227431e813
SHA256 4f973fc52c1e800b857035ad041ebe9fc2bcb8e04e94d3ce6b9737d5b84b8f6a
SHA512 08c4de5d6794ad37b7a25fe16907a783b3872d37c8243232a3dce3af1f19846db100536830014d0502dab9a86d2896d0553a4623e78283170ef52dcd1df6431d

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12270.bmp

MD5 a9d5b28ed75fd5cecf329069dbcb32c1
SHA1 9cb57c34f16f1204b533aa486f5cecb097cdd731
SHA256 b5d942187d3fdce96d2b0dd9c4c5614f24fe625c7077064685fdd1cb367e44b8
SHA512 a39f1964043c245c73c21f7f35be6e0b96e72ba2f8aaa1057a5adedb7b1a79e9960c54aad8964705758b32aea3f85aa07c65a34305c3c65d043086bbc55db84b

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12281.bmp

MD5 7f10c345de67f2a3e0770fb9c15cf305
SHA1 276618bb7251808cf804b95477596dc8b4eddc7a
SHA256 50fa178e1d5da32749302dd7e0043c4bc215dfaab620127eccaabede20534fa8
SHA512 3e786e3319acb91c1ab8b262b97467614464d1e69e4491cbdb3650274f6d0ee387ed0c2c56d694973043ff7fde5fbbb146602df00ce96e5e07dfc2532453e382

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12320.bmp

MD5 ef507d59f550667bcd2d2308f6e8bb49
SHA1 ee2e050cbeebfc6ca98098999312a1639cc145d8
SHA256 d568b1e48f1fac4e0c98ae4287e8eb80366bea619d010f9003784f664367012b
SHA512 f38720bc16340df09a4b39910ba7ff9dad48c766967ef90f2f1101b4feea36dfdd261118fdb11b74ee54939049087b7404591ee21931598842c3439c3d9d0661

C:\Program Files (x86)\Jelly Bean Skin Pack\Resources\authui.dll\12321.bmp

MD5 07320111067f436917a3afca9662e5d9
SHA1 cad8f4734ce2f545d3ad2ac64abe1aaab00534c0
SHA256 07d7cd4fb7f981ad1880000c4447564a5469eac43ad016941906afaa2e185a4c
SHA512 b39ec47080e82fcac2f2468d21d8e482fa152456ff7708cde75e2ba3e60eb9c96baca8d11d46714949c439886f146815391a0d2b0d133e40c58f1d5fd1f92963

memory/304-633-0x0000000000400000-0x0000000000502000-memory.dmp

memory/1524-640-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1740-653-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2064-660-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1172-713-0x0000000000400000-0x0000000000502000-memory.dmp

memory/276-720-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1360-736-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2816-743-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3052-753-0x0000000000400000-0x0000000000502000-memory.dmp

memory/1624-760-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1576-771-0x0000000000400000-0x0000000000502000-memory.dmp

memory/692-778-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2280-804-0x0000000000400000-0x0000000000502000-memory.dmp

memory/1684-811-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2656-821-0x0000000000400000-0x0000000000502000-memory.dmp

memory/1712-828-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1516-841-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2508-848-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2980-861-0x0000000000400000-0x0000000000502000-memory.dmp

memory/1292-868-0x0000000000400000-0x0000000000409000-memory.dmp

memory/804-878-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2940-885-0x0000000000400000-0x0000000000409000-memory.dmp

memory/108-896-0x0000000000400000-0x0000000000502000-memory.dmp

memory/852-903-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsj758F.tmp\JpgToBmp.exe

MD5 a3e8696c93ad86d6b76a455e9d04582f
SHA1 17368dc01a16b6a67663c1900575aa96f5e170ba
SHA256 cce22a24171bca94741e8e5aed408b8abf33f20a27c6fe8696947285e7e7da70
SHA512 85de5fcdc530c787aae8aa9ef3a0c27f22ac65dd8ca066e71859b417d141cf49d4013fc05b008cd49dad66a90f23efcd8bd37bc7360c6873171e334cbb7ce30c

C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\AstroOrange\background.ini

MD5 897b938340df28f4b6644a21e993b5b4
SHA1 2ce7d74e54923fd3c0a9d3b55198c0052e65fb11
SHA256 2f9a65652dcfd86b9a423926171a475d45085ba1447c2a0b553da2c3875043f3
SHA512 9ba3f6635cb2590bda828a88a624083db1c258d5953e82ac13a9134eceb38d8b03f60adb5d2b42479f68f294d400b2422d16784e7bd4c012f996b50eb41f47e6

C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\AstroOrange\separator.ini

MD5 d790ef81c98f5e58509753663c555450
SHA1 114b312c07d64f3bb51d58a461a79109751df34d
SHA256 1b5fbb364299f161c9a6ee23d64a611492761c9712e349132915b7717cce77f4
SHA512 460ddca2cd01449cc8312ba08816de256b06bb0c1084a2b7ed57c9afb5e01b6da23e44c4b3f07f7c348cb6a47dc5319cfd3dd83188c3fbbc29d83831920ef5d6

C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\Milk1\Separator.ini

MD5 61942857b9195d332e8652f327e1fc9a
SHA1 08bc1313f64cc70a4ab1c17729e04a305d536ea2
SHA256 3209912209357823aa3bc1f6fd45e2bcdaaa6b47bbc60233731601d10acb4ef6
SHA512 22323d771b2bf7f61e4a120a750f9c6125d516e01214d12e952a22046fd0326675f0e671b166ac07e73ea0f48db41dbea9ea5586ae662a5d84fa29b9b9ea5c4c

C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\Skins\ProtoSky\background.ini

MD5 af5ae49010e6ca1f108b805fa8b8b098
SHA1 391b94f97e470e6e45ea32b32a1e3b0a7ab4406a
SHA256 fab2d4d53b491671deb18cb13402a2e26208a533eaaced4a326ff3dc8da79d12
SHA512 a91a9d971b42e0cdac954e663abfeea8495c255201ba7f410d39ea057052550bc7cc20778c154712753324b7306dfed6d07750e265131c3b60ba161900dd6315

C:\Program Files (x86)\Jelly Bean Skin Pack\RocketDock\RocketDock.exe

MD5 7dfccc67990b6de7f30f553a4e4612a4
SHA1 521e9198e3dc1d41fac02eb01fb9f47f6d2a9855
SHA256 9ff98d6fd2539cefc9f42103a7f72388bed6ee590400559b92bc7430228da36a
SHA512 e43038e184a4271633f7925656aa37d14dd67fb606aa18e8e9e18329cf9e71965217bc9687a5e317d0ab97cea40e40f0a72b0cf6d56d5c85cf1e1038e6be30eb

C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Template\weatherTemp\Icon\23.png

MD5 cf30d2b2c170a5a98caa3a7215d83ae3
SHA1 abedd45bb623548605da0b2a93d0afaeb12f489b
SHA256 29cba7577d397dc14d0a1837fa779701c80dd029573d6df78619201915d478f0
SHA512 ea7303d2eabfffab9a97348a9f61f84ea33903b135a2d5936d53f43511a4d0b8363a3af7955a71e55174806ef34142cbec65dbb83ef5c3f1bc7052d633384921

C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\Res\Template\weatherTemp\Icon\26.png

MD5 2677773a835efd1ad8fe6eb10e4c0835
SHA1 cde8a8dd51d8ad665298ffe5edbdc563dcaea4a2
SHA256 c0f902e9e3c01d6f0d1249bb9cb703432aedd55f363a2c6b6d5340ca75741e82
SHA512 2da6602e8926ead005521f1a18d5c789f4d5f7d2d05db0bf5b62fc29bd601a9e3da42121887647ab34333b9bb75f01d53805e5650700f8563980799c089dfee9

C:\Program Files (x86)\Jelly Bean Skin Pack\xwidget\xwidget.exe

MD5 301436520517ebca12d4201505a77670
SHA1 584aed4be04bc8288e3ecdf35855a8e409a69bb9
SHA256 56bb657fafd05ebd86c5b7efba8f00c4226008a121eedc81bfadce48bc506f18
SHA512 84a6d44c574e1e233baa274c7fe1f4f4c78b2700680ee3adf0419a74fe7719faaf8b7e20e3b78192e79adb9ef0dd14d2ef43a5066aa90db8866ad169dd02dc8a

memory/2052-1655-0x0000000005240000-0x0000000005250000-memory.dmp

memory/2052-1654-0x0000000005240000-0x0000000005250000-memory.dmp

C:\Program Files (x86)\Skin Pack\android4\install.cmd

MD5 04a01b7bb9e5d780194d6729237f5923
SHA1 5a0e5dfebac286abe4cad1d3a99fd6ee99116cd2
SHA256 3a393057c762af5c067ca058924ec5e64921a798aaee2f9bd818d88d50adbdff
SHA512 e24d1dbfd64ec6a0621c3e3fd68d6fedea82603acefc4bc9635bf99278724678f816766d920af66291ab021b37fdeafb94337476e6b8c16a2f5c197943a7b435

memory/1976-1688-0x0000000000400000-0x0000000000427000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

MD5 8708699d2c73bed30a0a08d80f96d6d7
SHA1 684cb9d317146553e8c5269c8afb1539565f4f78
SHA256 a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f
SHA512 38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

C:\Program Files (x86)\Skin Pack\Lion\KEX.cmd

MD5 088b426c6ebb2f2af680f6ac1b1d989f
SHA1 7e0848e8c36c87c7448b6c479b46337429c3b9c0
SHA256 5da151a916d4a9118e82ea8d783e4545441612833e4f555e0948e696f35ef996
SHA512 7a841fe94174551c807d5a174eea502c5d125db7037b7de45d8f5251b7932115f1bb5bb6aba4c6390b1a8e034bdb1a7918603bbae101fc6f8dafea77677feaae

memory/2924-1716-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Program Files (x86)\Skin Pack\refresh icon\ric7.cmd

MD5 747cf038b116aa75f173f8042fdbb7a8
SHA1 d0e6f21765d15661207986db9da2cebd21ef9bd0
SHA256 61ad0a31a74ad1eeb7ed490188a4562c0a1a8ac832bacf467131c2bc0a887dbf
SHA512 87f83dee494a3902db7ea29e2c442927f3391ce0d8021402cdf6d3fe5b42cad9fafcddf762f9fc2eed2cf52d34d5e37c285701fa618292597331ac63d0dd2d40

memory/1836-1738-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2736-1762-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2256-1769-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2052-1770-0x0000000005240000-0x0000000005250000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-09 03:28

Reported

2024-10-09 12:04

Platform

win7-20240708-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher64.exe"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description  Indicator  Process                                                               Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher64.exe  N/A

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                                               Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher64.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher64.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher64.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher64.exe"

Network

Country  Destination       Domain             Proto
US       8.8.8.8:53        crl.microsoft.com  udp
GB       2.19.117.18:80    crl.microsoft.com  tcp
US       8.8.8.8:53        crl.microsoft.com  udp
GB       2.19.117.18:80    crl.microsoft.com  tcp
US       8.8.8.8:53        www.microsoft.com  udp
GB       2.23.205.233:80   www.microsoft.com  tcp

Files

N/A