2bdf894b05844e6ce24c7a42eaf3abae2312b094d1277db0a09bc83a8fef886a

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Size

17.5MB
MD5

b01e46bf32bbd7ee487afa466675d66e
SHA1

bc824d6f59df34c2921e82b28117c06c8d067078
SHA256

2bdf894b05844e6ce24c7a42eaf3abae2312b094d1277db0a09bc83a8fef886a
SHA512

5ee755da3d0a7dfee73413c25177a930b3e1ecf4e1270d9c83a9b4af3c7beff7318a855b87514da16ef39ae9e82e4e60728d4e3c708616724fad764888125e1c
SSDEEP

393216:Yvys39dd49QjUcMqaMVvvBLs1cP9yukE2y8Ql:Yvy79yFM0HEcP9170Ql

Score

8^/10

discovery exploit ransomware

Malware Config

Signatures

Possible privilege escalation attempt 15 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	Process
1756	takeown.exe
2996	icacls.exe
1252	icacls.exe
2404	takeown.exe
1968	icacls.exe
2656	icacls.exe
480	takeown.exe
1308	icacls.exe
2816	icacls.exe
2784	icacls.exe
2104	icacls.exe
2796	icacls.exe
2944	takeown.exe
2820	takeown.exe
1416	icacls.exe

Executes dropped EXE 30 IoCs

Processes:

UXTheme Patcher64.exeUXTheme Patcher.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeJpgToBmp.exebx.exeboot.exeWin7BootUpdaterCmd.exeRIC.exeMoveEx.exeMoveEx.exe

pid	Process
280	UXTheme Patcher64.exe
1200
1052	UXTheme Patcher.exe
1356	ResHacker.exe
912	MoveEx.exe
2364	ResHacker.exe
3048	MoveEx.exe
2400	ResHacker.exe
2408	MoveEx.exe
2848	ResHacker.exe
2652	MoveEx.exe
1992	ResHacker.exe
332	MoveEx.exe
2016	ResHacker.exe
1660	MoveEx.exe
2992	ResHacker.exe
2096	MoveEx.exe
2708	ResHacker.exe
1016	MoveEx.exe
628	ResHacker.exe
1248	MoveEx.exe
1796	ResHacker.exe
1272	MoveEx.exe
2044	JpgToBmp.exe
2956	bx.exe
1692	boot.exe
2496	Win7BootUpdaterCmd.exe
2416	RIC.exe
2836	MoveEx.exe
2616	MoveEx.exe

Loads dropped DLL 64 IoCs

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exeUXTheme Patcher64.exeUXTheme Patcher.exeResHacker.exeResHacker.exeResHacker.exe

pid	Process
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
280	UXTheme Patcher64.exe
280	UXTheme Patcher64.exe
1372
2792
2320
280	UXTheme Patcher64.exe
280	UXTheme Patcher64.exe
280	UXTheme Patcher64.exe
280	UXTheme Patcher64.exe
1332
1236
1696
280	UXTheme Patcher64.exe
280	UXTheme Patcher64.exe
280	UXTheme Patcher64.exe
280	UXTheme Patcher64.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1052	UXTheme Patcher.exe
1052	UXTheme Patcher.exe
2696
2160
2884
1052	UXTheme Patcher.exe
1052	UXTheme Patcher.exe
2252
1936
1916
1052	UXTheme Patcher.exe
1052	UXTheme Patcher.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1356	ResHacker.exe
1356	ResHacker.exe
1356	ResHacker.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
940
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
2364	ResHacker.exe
2364	ResHacker.exe
2364	ResHacker.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
592
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
2400	ResHacker.exe
2400	ResHacker.exe
2400	ResHacker.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
2548

Modifies file permissions 1 TTPs 15 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	Process
2404	takeown.exe
2104	icacls.exe
2996	icacls.exe
2784	icacls.exe
1968	icacls.exe
2820	takeown.exe
1416	icacls.exe
2944	takeown.exe
1308	icacls.exe
1252	icacls.exe
2816	icacls.exe
2656	icacls.exe
2796	icacls.exe
480	takeown.exe
1756	takeown.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 22 IoCs

Processes:

UXTheme Patcher.exeUXTheme Patcher64.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\uxtheme.dll	UXTheme Patcher.exe
File created	C:\Windows\SysWOW64\themeui.dll.tmp	UXTheme Patcher.exe
File opened for modification	C:\Windows\System32\uxtheme.dll.backup	UXTheme Patcher64.exe
File opened for modification	C:\Windows\System32\uxtheme.dll.tmp	UXTheme Patcher64.exe
File created	C:\Windows\System32\themeservice.dll	UXTheme Patcher64.exe
File created	C:\Windows\System32\themeui.dll.backup	UXTheme Patcher64.exe
File created	C:\Windows\System32\themeui.dll	UXTheme Patcher64.exe
File created	C:\Windows\SysWOW64\uxtheme.dll.tmp	UXTheme Patcher.exe
File created	C:\Windows\SysWOW64\themeui.dll	UXTheme Patcher.exe
File opened for modification	C:\Windows\System32\themeservice.dll.tmp	UXTheme Patcher64.exe
File created	C:\Windows\System32\themeui.dll.tmp	UXTheme Patcher64.exe
File opened for modification	C:\Windows\SysWOW64\uxtheme.dll.backup	UXTheme Patcher.exe
File created	C:\Windows\SysWOW64\themeui.dll.backup	UXTheme Patcher.exe
File created	C:\Windows\System32\themeservice.dll.backup	UXTheme Patcher64.exe
File created	C:\Windows\System32\themeservice.dll.tmp	UXTheme Patcher64.exe
File opened for modification	C:\Windows\System32\themeui.dll.tmp	UXTheme Patcher64.exe
File created	C:\Windows\SysWOW64\uxtheme.dll.backup	UXTheme Patcher.exe
File created	C:\Windows\System32\uxtheme.dll.backup	UXTheme Patcher64.exe
File created	C:\Windows\System32\uxtheme.dll.tmp	UXTheme Patcher64.exe
File created	C:\Windows\System32\uxtheme.dll	UXTheme Patcher64.exe
File opened for modification	C:\Windows\SysWOW64\uxtheme.dll.tmp	UXTheme Patcher.exe
File opened for modification	C:\Windows\SysWOW64\themeui.dll.tmp	UXTheme Patcher.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\8.bmp"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exeResHacker.exeRIC.exeboot.exeResHacker.exe

description	ioc	Process
File created	C:\Program Files (x86)\8 Skin Pack\BetterExplorer\BEH.pdb	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\imageres.dll\5000.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\Explorer.exe\6803.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\RAM\RAM.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\BetterExplorer\7z64.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Gmail\Gmail.config	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\1001.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12287.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\NewFiles\pnidui.dll	ResHacker.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Newgen.exe.config	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12302.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\2409.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Aura\ru-RU\Aura.resources.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\PicturesV2\PicturesV2.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12273.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12281.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3032.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\iLicense.Client.DLL	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11121.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12270.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.ini	ResHacker.exe
File opened for modification	C:\Program Files (x86)\8 Skin Pack\NewFiles\	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3030.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Backup\batmeter.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12295.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\14000.txt	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3048.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Logs\pnidui.dll.log	ResHacker.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Cache\Sounds\Windows Minimize.wav	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Control Panel\Widget.xml	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Store\$[Cache]\Icon_Music.png	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12217.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12275.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\imageres.dll\5010.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3086.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\BetterExplorer\BEH.ilk	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Skin Pack\refresh icon\ric7.cmd	RIC.exe
File opened for modification	C:\Program Files (x86)\8 Skin Pack\Backup\	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12277.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\shellbrd.dll\1041.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\bx.exe	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\BetterExplorer\BEH.exp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12291.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\2404.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Calendar\Calendar.config	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\TaskbarUserTile\Nini.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Install.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12234.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Music\Microsoft.WindowsAPICodePack.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Skin Pack\8\Win7BootUpdaterCmd.exe	boot.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Newgen.iFr-License	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\RIC.exe	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\authui.dll.txt	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Internet\Widget.xml	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\PicturesV2\Widget.xml	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\BetterExplorer\SevenZipSharp.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11153.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Logs\basebrd.dll.log	ResHacker.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Desktop\Widget.xml	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\PicturesV2\PicturesV2.config	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12283.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\imageres.dll\5035.jpg	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\basebrd.dll\2120.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\ExplorerFrame.dll\280.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

Drops file in Windows directory 47 IoCs

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exeJpgToBmp.exe

description	ioc	Process
File created	C:\Windows\resources\Themes\Aero Lite Basic\Aero Lite Basic.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro Glass\Metro Glass.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Simple 8\Simple 8.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Handwriting.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Unavailable.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\busy.ani	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Glass.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero 8\Shell\NormalColor\en-US\shellstyle.dll.mui	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Web\Wallpaper\windows 8.jpg	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro Black.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Full Glass\Aero Lite Full Glass.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Glass\Aero Lite Glass.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File opened for modification	C:\Windows\Web\Wallpaper\8.bmp	JpgToBmp.exe
File created	C:\Windows\Cursors\8\Alternate Select.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Link Select.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Normal Select.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero 8.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro Black\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Web\Wallpaper\8.jpg	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Basic\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Glass\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Basic.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro Glass.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite\Aero Lite.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro Black\Metro Black.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Simple 8\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Working In Background.ani	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero 8\Aero 8.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero 8\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro White\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Windows 8\Windows 8.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Windows 8\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Diagonal Resize 1.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Help Select.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Windows 8.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Full Glass\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro White\Metro White.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Vertical Resize.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro Glass\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Diagonal Resize 2.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Horizontal Resize.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Move.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Full Glass.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro White.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Simple 8.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Win7BootUpdaterCmd.exeRIC.exeb01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exetakeown.exeResHacker.exeboot.exeResHacker.exeResHacker.exeJpgToBmp.execmd.exeUXTheme Patcher.exeicacls.exeicacls.exeResHacker.exetakeown.exeResHacker.exebx.execmd.exeResHacker.exeResHacker.exeResHacker.exetaskkill.exeicacls.exeicacls.exeResHacker.exeResHacker.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Win7BootUpdaterCmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JpgToBmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UXTheme Patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2612	taskkill.exe

Modifies Control Panel 17 IoCs

evasion

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\Help = "%SYSTEMROOT%\\Cursors\\8\\Help Select.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\Hand = "%SYSTEMROOT%\\Cursors\\8\\Link Select.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\Arrow = "%SYSTEMROOT%\\Cursors\\8\\Normal Select.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\AppStarting = "%SYSTEMROOT%\\Cursors\\8\\Working In Background.ani"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\IBeam = "%SYSTEMROOT%\\Cursors\\8\\Text Select.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\SizeNWSE = "%SYSTEMROOT%\\Cursors\\8\\Diagonal Resize 2.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\SizeAll = "%SYSTEMROOT%\\Cursors\\8\\Move.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\Wait = "%SYSTEMROOT%\\Cursors\\8\\Busy.ani"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\NWPen = "%SYSTEMROOT%\\Cursors\\8\\Handwriting.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\No = "%SYSTEMROOT%\\Cursors\\8\\Unavailable.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\SizeWE = "%SYSTEMROOT%\\Cursors\\8\\Horizontal Resize.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\Crosshair = "%SYSTEMROOT%\\Cursors\\8\\Precision Select.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\SizeNESW = "%SYSTEMROOT%\\Cursors\\8\\Diagonal Resize 1.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\UpArrow = "%SYSTEMROOT%\\Cursors\\8\\Alternate Select.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Cursors\SizeNS = "%SYSTEMROOT%\\Cursors\\8\\Vertical Resize.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

pid	Process
1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

takeown.exetakeown.exetakeown.exeWin7BootUpdaterCmd.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	480	takeown.exe
Token: SeTakeOwnershipPrivilege	1756	takeown.exe
Token: SeTakeOwnershipPrivilege	2944	takeown.exe
Token: SeTakeOwnershipPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeRestorePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeBackupPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeDebugPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeIncreaseQuotaPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeSecurityPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeTakeOwnershipPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeLoadDriverPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeSystemProfilePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeSystemtimePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeProfSingleProcessPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeIncBasePriorityPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeCreatePagefilePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeBackupPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeRestorePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeShutdownPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeDebugPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeSystemEnvironmentPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeRemoteShutdownPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeUndockPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeManageVolumePrivilege	2496	Win7BootUpdaterCmd.exe
Token: 33	2496	Win7BootUpdaterCmd.exe
Token: 34	2496	Win7BootUpdaterCmd.exe
Token: 35	2496	Win7BootUpdaterCmd.exe
Token: SeIncreaseQuotaPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeSecurityPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeTakeOwnershipPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeLoadDriverPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeSystemProfilePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeSystemtimePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeProfSingleProcessPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeIncBasePriorityPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeCreatePagefilePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeBackupPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeRestorePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeShutdownPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeDebugPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeSystemEnvironmentPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeRemoteShutdownPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeUndockPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeManageVolumePrivilege	2496	Win7BootUpdaterCmd.exe
Token: 33	2496	Win7BootUpdaterCmd.exe
Token: 34	2496	Win7BootUpdaterCmd.exe
Token: 35	2496	Win7BootUpdaterCmd.exe
Token: SeIncreaseQuotaPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeSecurityPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeTakeOwnershipPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeLoadDriverPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeSystemProfilePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeSystemtimePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeProfSingleProcessPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeIncBasePriorityPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeCreatePagefilePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeBackupPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeRestorePrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeShutdownPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeDebugPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeSystemEnvironmentPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeRemoteShutdownPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeUndockPrivilege	2496	Win7BootUpdaterCmd.exe
Token: SeManageVolumePrivilege	2496	Win7BootUpdaterCmd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

UXTheme Patcher64.exeUXTheme Patcher.exe

pid	Process
280	UXTheme Patcher64.exe
280	UXTheme Patcher64.exe
1052	UXTheme Patcher.exe
1052	UXTheme Patcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exeUXTheme Patcher64.exeUXTheme Patcher.exe

description	pid	Process	procid_target
PID 1192 wrote to memory of 280	1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	32
PID 1192 wrote to memory of 280	1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	32
PID 1192 wrote to memory of 280	1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	32
PID 1192 wrote to memory of 280	1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	32
PID 280 wrote to memory of 480	280	UXTheme Patcher64.exe	33
PID 280 wrote to memory of 480	280	UXTheme Patcher64.exe	33
PID 280 wrote to memory of 480	280	UXTheme Patcher64.exe	33
PID 280 wrote to memory of 2796	280	UXTheme Patcher64.exe	35
PID 280 wrote to memory of 2796	280	UXTheme Patcher64.exe	35
PID 280 wrote to memory of 2796	280	UXTheme Patcher64.exe	35
PID 280 wrote to memory of 2104	280	UXTheme Patcher64.exe	37
PID 280 wrote to memory of 2104	280	UXTheme Patcher64.exe	37
PID 280 wrote to memory of 2104	280	UXTheme Patcher64.exe	37
PID 280 wrote to memory of 1756	280	UXTheme Patcher64.exe	39
PID 280 wrote to memory of 1756	280	UXTheme Patcher64.exe	39
PID 280 wrote to memory of 1756	280	UXTheme Patcher64.exe	39
PID 280 wrote to memory of 2996	280	UXTheme Patcher64.exe	41
PID 280 wrote to memory of 2996	280	UXTheme Patcher64.exe	41
PID 280 wrote to memory of 2996	280	UXTheme Patcher64.exe	41
PID 280 wrote to memory of 1416	280	UXTheme Patcher64.exe	43
PID 280 wrote to memory of 1416	280	UXTheme Patcher64.exe	43
PID 280 wrote to memory of 1416	280	UXTheme Patcher64.exe	43
PID 280 wrote to memory of 2944	280	UXTheme Patcher64.exe	45
PID 280 wrote to memory of 2944	280	UXTheme Patcher64.exe	45
PID 280 wrote to memory of 2944	280	UXTheme Patcher64.exe	45
PID 280 wrote to memory of 1308	280	UXTheme Patcher64.exe	47
PID 280 wrote to memory of 1308	280	UXTheme Patcher64.exe	47
PID 280 wrote to memory of 1308	280	UXTheme Patcher64.exe	47
PID 280 wrote to memory of 1252	280	UXTheme Patcher64.exe	49
PID 280 wrote to memory of 1252	280	UXTheme Patcher64.exe	49
PID 280 wrote to memory of 1252	280	UXTheme Patcher64.exe	49
PID 1192 wrote to memory of 1052	1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	51
PID 1192 wrote to memory of 1052	1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	51
PID 1192 wrote to memory of 1052	1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	51
PID 1192 wrote to memory of 1052	1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	51
PID 1192 wrote to memory of 1052	1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	51
PID 1192 wrote to memory of 1052	1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	51
PID 1192 wrote to memory of 1052	1192	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	51
PID 1052 wrote to memory of 2404	1052	UXTheme Patcher.exe	52
PID 1052 wrote to memory of 2404	1052	UXTheme Patcher.exe	52
PID 1052 wrote to memory of 2404	1052	UXTheme Patcher.exe	52
PID 1052 wrote to memory of 2404	1052	UXTheme Patcher.exe	52
PID 1052 wrote to memory of 2404	1052	UXTheme Patcher.exe	52
PID 1052 wrote to memory of 2404	1052	UXTheme Patcher.exe	52
PID 1052 wrote to memory of 2404	1052	UXTheme Patcher.exe	52
PID 1052 wrote to memory of 1968	1052	UXTheme Patcher.exe	54
PID 1052 wrote to memory of 1968	1052	UXTheme Patcher.exe	54
PID 1052 wrote to memory of 1968	1052	UXTheme Patcher.exe	54
PID 1052 wrote to memory of 1968	1052	UXTheme Patcher.exe	54
PID 1052 wrote to memory of 1968	1052	UXTheme Patcher.exe	54
PID 1052 wrote to memory of 1968	1052	UXTheme Patcher.exe	54
PID 1052 wrote to memory of 1968	1052	UXTheme Patcher.exe	54
PID 1052 wrote to memory of 2816	1052	UXTheme Patcher.exe	56
PID 1052 wrote to memory of 2816	1052	UXTheme Patcher.exe	56
PID 1052 wrote to memory of 2816	1052	UXTheme Patcher.exe	56
PID 1052 wrote to memory of 2816	1052	UXTheme Patcher.exe	56
PID 1052 wrote to memory of 2816	1052	UXTheme Patcher.exe	56
PID 1052 wrote to memory of 2816	1052	UXTheme Patcher.exe	56
PID 1052 wrote to memory of 2816	1052	UXTheme Patcher.exe	56
PID 1052 wrote to memory of 2820	1052	UXTheme Patcher.exe	58
PID 1052 wrote to memory of 2820	1052	UXTheme Patcher.exe	58
PID 1052 wrote to memory of 2820	1052	UXTheme Patcher.exe	58
PID 1052 wrote to memory of 2820	1052	UXTheme Patcher.exe	58
PID 1052 wrote to memory of 2820	1052	UXTheme Patcher.exe	58

C:\Users\Admin\AppData\Local\Temp\b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\UXTheme Patcher64.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\UXTheme Patcher64.exe" -silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Windows\System32\takeown.exe
    "C:\Windows\System32\takeown.exe" /f C:\Windows\System32\uxtheme.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:480
- - C:\Windows\System32\icacls.exe
    "C:\Windows\System32\icacls.exe" C:\Windows\System32\uxtheme.dll /grant %username%:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2796
- - C:\Windows\System32\icacls.exe
    "C:\Windows\System32\icacls.exe" C:\Windows\System32\uxtheme.dll /grant *S-1-1-0:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2104
- - C:\Windows\System32\takeown.exe
    "C:\Windows\System32\takeown.exe" /f C:\Windows\System32\themeservice.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\System32\icacls.exe
    "C:\Windows\System32\icacls.exe" C:\Windows\System32\themeservice.dll /grant %username%:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2996
- - C:\Windows\System32\icacls.exe
    "C:\Windows\System32\icacls.exe" C:\Windows\System32\themeservice.dll /grant *S-1-1-0:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1416
- - C:\Windows\System32\takeown.exe
    "C:\Windows\System32\takeown.exe" /f C:\Windows\System32\themeui.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\System32\icacls.exe
    "C:\Windows\System32\icacls.exe" C:\Windows\System32\themeui.dll /grant %username%:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1308
- - C:\Windows\System32\icacls.exe
    "C:\Windows\System32\icacls.exe" C:\Windows\System32\themeui.dll /grant *S-1-1-0:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1252
- C:\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\UXTheme Patcher.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\UXTheme Patcher.exe" -silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\System32\takeown.exe" /f C:\Windows\System32\uxtheme.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2404
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" C:\Windows\System32\uxtheme.dll /grant %username%:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1968
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" C:\Windows\System32\uxtheme.dll /grant *S-1-1-0:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\System32\takeown.exe" /f C:\Windows\System32\themeui.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" C:\Windows\System32\themeui.dll /grant %username%:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2784
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" C:\Windows\System32\themeui.dll /grant *S-1-1-0:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2656
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\authui.dll.txt"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1356
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\authui.dll.xpize" "C:\Windows\system32\authui.dll"
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\basebrd.dll\basebrd.dll.txt"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2364
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\Branding\Basebrd\basebrd.dll.xpize" "C:\Windows\Branding\Basebrd\basebrd.dll"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\ExplorerFrame.dll\ExplorerFrame.dll.txt"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\ExplorerFrame.dll.xpize" "C:\Windows\system32\ExplorerFrame.dll"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\imageres.dll\imageres.dll.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2848
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\imageres.dll.xpize" "C:\Windows\system32\imageres.dll"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\pnidui.dll.txt"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1992
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\pnidui.dll.xpize" "C:\Windows\system32\pnidui.dll"
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\shell32.dll\shell32.dll.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2016
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\shell32.dll.xpize" "C:\Windows\system32\shell32.dll"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\shellbrd.dll\shellbrd.dll.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\Branding\ShellBrd\shellbrd.dll.xpize" "C:\Windows\Branding\ShellBrd\shellbrd.dll"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\SndVolSSO.dll\SndVolSSO.dll.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\SndVolSSO.dll.xpize" "C:\Windows\system32\SndVolSSO.dll"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\batmeter.dll\batmeter.dll.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:628
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\batmeter.dll.xpize" "C:\Windows\system32\batmeter.dll"
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\explorer.exe\explorer.exe.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1796
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\explorer.exe.xpize" "C:\Windows\explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\JpgToBmp.exe
  C:\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\JpgToBmp.exe C:\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\8.jpg - C:\Windows\Web\Wallpaper\8.bmp
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2044
- C:\Program Files (x86)\8 Skin Pack\bx.exe
  "C:\Program Files (x86)\8 Skin Pack\bx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Program Files (x86)\8 Skin Pack\boot.exe
  "C:\Program Files (x86)\8 Skin Pack\boot.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\Skin Pack\8\install.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2080
  - - C:\Program Files (x86)\Skin Pack\8\Win7BootUpdaterCmd.exe
      Win7BootUpdaterCmd boot.bs7
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2496
- C:\Program Files (x86)\8 Skin Pack\RIC.exe
  "C:\Program Files (x86)\8 Skin Pack\RIC.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\Skin Pack\refresh icon\ric7.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2612
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Users\Admin\AppData\Local\IconCache.db"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:n\AppData\Local\IconCache.db"
  2⤵
  - Executes dropped EXE
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\8 Skin Pack\Aura\Aura.exe

Filesize
460KB

MD5
b13404d4770a8590409a22288f47af3e

SHA1
d159beaf09a76e9f92eadf96f27396cb47a3a130

SHA256
e0f5e720ba1748f0ca083b03cf98adfa0f9437f68f16d325aa35cbe71dfbd5b6

SHA512
9d4efacad59ff1b999d938c2d3e7cd8d0926106b6b9a605a3ad0f1ef60847e534c931d7c264b99e0b6e6137cd21006b34815680660720dbec0a3ff2934e6a34e

Download Submit
C:\Program Files (x86)\8 Skin Pack\Backup\authui.dll

Filesize
1.8MB

MD5
0bee002c68e28ce6da161dcf1376d7d7

SHA1
d5cc3bec12c801e11217acc6927e1e6e401fe208

SHA256
1d4ee0b9ce22d139478008d5591b8c9f027c235cba601f95a96547cf98159d4b

SHA512
27df5a6a15b3105a31f6cbbc29a59014ad1612eca9b34ec18eea60eee12ac496d11e3590ce9ccd65808d8eb35e411aaa4a6cabd407598351c593cdf759eb2bcd

Download Submit
C:\Program Files (x86)\8 Skin Pack\BetterExplorer\BetterExplorer.sfx.exe

Filesize
410KB

MD5
1b57087c796415a3f5157c47abd25e95

SHA1
eefd3b23380d9d9e9356d1b5e1d2877c2c4b11b2

SHA256
c049d2449dfb8b0a87716cf43e1e104ac25c7cc819273d177d6001d87a8fff1b

SHA512
0c3656336fc5367817bcbc53f674c72815972b0d301366d454720c602c6699d6d1681fcf1e87e9c811c000804503ce07b72b87947c960f08a4a82c84932d2741

Download Submit
C:\Program Files (x86)\8 Skin Pack\MetroBar\MetroBar.exe

Filesize
1.1MB

MD5
04428736e32be7a2de946b0297ac25fd

SHA1
50668d2521e165f9a7821a9c89896d891643026b

SHA256
7394e7a7e4bbe40b62ba49b5caa03233fc38afe840bdd851766dc7b71517e8a3

SHA512
a08ef8f8978486d4477193565887a8932a6a708aa94c736619d46d7ddceae471ca79a646b7e6a188f2bf368457a43c768429e34cd0ae19682fda237c6cdb4ca4

Download Submit
C:\Program Files (x86)\8 Skin Pack\Newgen\Newgen.exe

Filesize
832KB

MD5
14955aa543982954351e5a08eff38189

SHA1
b3a508eea0d2081b2f19c91c9bec05d9987caa05

SHA256
d90e6551a7362bac69203a102e5891cb81fb518bbf003fd7624c69a2cde49359

SHA512
d106a804b8394abc3a7739de7fb781dd3571e9e222a16a54dcab18690fe6207b673888e3a5d0dfec62f5051a6fd822f45e742e4f271ef4db5b063d86930ba3f6

Download Submit
C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\PicturesV2\Microsoft.WindowsAPICodePack.DLL

Filesize
103KB

MD5
56e013e924822c9d02329b15b03ede73

SHA1
085dacfcd1ffa398b795d096833d16367b0d2886

SHA256
7b88388b8367f0d873d0e3b66f533869c24e346fb6f0b2c6c783f931cc9a1631

SHA512
ea0020ee32e0c7e7323f5858a462bf762f65013509012147430f0d8f665eb86f534d2491ca9f737c15bf6f995a8d3e0172537129a0dc8628cf7bf0d0f48457d1

Download Submit
C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\PicturesV2\Microsoft.WindowsAPICodePack.Shell.DLL

Filesize
530KB

MD5
6d8deb7be7360761fd43ec9ddcaa0811

SHA1
b45482a37b381de2a0293b6be48c4cdef04aebff

SHA256
aa5d80cdc0da52970031309b457e3e3fd505bb1ac13fb79801d15bfbb4a700b2

SHA512
c400812dcdec40e4bce3ebfd1a3d472dbe27fb5bccd22e198f870f418c003d121135fa82e6699c581167f48393cacfc4876eb2e50f51104bcd9d322a5641f75c

Download Submit
C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\PicturesV2\Newgen.Base.DLL

Filesize
394KB

MD5
2348e8093bbe2fbbf1f37ec5311da99e

SHA1
fd7c9e99586b70d633dd0fee02ea9789d6939a09

SHA256
cd963d07c0bd3eadfeb4b4b124c7d9711d33bc6747f1d096eb1f363a25d47414

SHA512
804cb0a3e943f5909e3c167c803566a5bd65effb44e594a9b068d321bfb401e275b41acd3c3f337f16e6315fcd98fc6ca8e58484310e7e0706eec18d4d6a0107

Download Submit
C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\RAM\iFr.Helper.dll

Filesize
10KB

MD5
d5f7aecf1bb39385cd78a7a550efe5cf

SHA1
fffa95c6a865811a74dd4c524e736a59cd37d8eb

SHA256
573773e06d3b3603947711a8f858f258680a8a16c10c092a641d0ebf58872e1e

SHA512
f41d73ed28650f4d4fda31946da80e72aa2c34fea941c18501f40c4937c0ce8ed1c02b28f8220b96649aa09742ea776b7782d91aeca36daa24de22354732c597

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\1001.bmp

Filesize
4KB

MD5
e6652b764812b14001bf90e455246ccd

SHA1
a335c33cbbbbfab47d1f6948590e49551b371355

SHA256
c1ab5100babbc61044361c94ab5bb0197602b6aa9b1f5ad55a7f17d1eb83091b

SHA512
76ef525601b347d1b34561e4f1bdd59f29477e4992c2aa0a8d40989b535b1a0fe18bf739f12e2a6eb11835c97114a9885275af82744b0d2e85df34cc18fe7037

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\1002.bmp

Filesize
10KB

MD5
8376375d8108f6401582b9779784fe44

SHA1
ae2141495edb7e610a9731dd5430e16ed6e45413

SHA256
dccd97daf7d635681295f82817c373fab5338fbfed257f513595186e79b96146

SHA512
66e0e6476ff5d378dc58172d428874dd5d82ea6d353f33c8e1e3a0cb356410e8b3f9621c38c43d50dc8eca44ccbdec3e1aca34805823cdc4c045b57c4b577863

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\1003.bmp

Filesize
2KB

MD5
193014123fc3eecc9b4c2d24a5490f69

SHA1
f3e29e9e8035248ed6fca871136162bf446610e7

SHA256
bbd0b0d3e57c40c16e5a75f90e31f53597de3537224c101ee195894e56384013

SHA512
0cb00a15f89392d241c28adf71069bb62234bfd5e07f80fbbcbdb9bd3a14c7e9506cb53adebb41cf62c77cdfbbc7a3bd62fb25ed0516c8dd9f24a07d1e07d9ab

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\1004.bmp

Filesize
5KB

MD5
0b59f92a64b0d348887abf06db30ad8b

SHA1
6b608b94660e8882e6325e3f807d381919c3a872

SHA256
0920644fc5456b5ab12e8c8c877f0b9a4ba76b67c943329e10c6e9116dc4d86e

SHA512
91239d4997e61f2f9533d4fbe2046497e8112e6176ee73b2a9e3404828caaa99547f6716cdc159441a394b11a751763970cc3ccf1f720cd8d3f84c1a5382f358

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\1005.bmp

Filesize
6KB

MD5
85d1224af50fc8c9d1a06e397adc6976

SHA1
6fba978b1879655ee176f5862e093b3d7e1af074

SHA256
f89cb70ea6a250efdc24703d58721b7d4666e70f744fc5d893b391490c6f54c3

SHA512
fdaa368688bcd6584375d8ace5ca286db9348fcdf86a1de6de45381d0d228afb6c23d320fe2f389f3abc81900b8a7b830085dbd4ca6a387af8135b93818f5ec9

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\1006.bmp

Filesize
181KB

MD5
2e60e340c1311ac3c4a437c0c177405a

SHA1
1b37d8d6cf69fb6dd83913e0bc251258d44325f4

SHA256
7cfab37629f4e06a934081fdd93fcfff46f995b04296e9ab3a586dc05b639a8d

SHA512
1ec120e6f07f131f0e3db351d0b100dc28266877ac7e432fae2942bd3ed04b3fe380a69f030d549e601a139c4282c23ca2fa220407bc6e22d2c86e30714559f7

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\1007.bmp

Filesize
6KB

MD5
01fedb165d3b5974106ba168653c7ef8

SHA1
32f7e1cdde5cad442b0df008e41e8e2ebe8a21ee

SHA256
5ccd7f217ee7281fffd06b78aadcedd48e492c1c0e9727ca019586482a0442e2

SHA512
dea8ac0364e1b81e83daa1a6c7b832f3837d811ec55882e0e97715c6e41c47579fb961fc3f4f59ed65df7d8a9983e09bc5b51d04642d4d018a32044eeb914b88

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11000.bmp

Filesize
378B

MD5
b1e9f9c094fdd0cb48b776ef33b273de

SHA1
797af6e83db46904f561722bf885b8344912c05b

SHA256
308744483245381db7c87d99dc96a81e2cb2c10009434b1be7a57c71926a2988

SHA512
3bcf8ac2e5026332018104a5cec0c8dfb475006786a87d53bc208662bde2b858a8374b7f81eb3549c0eecbe8473d54c66c6c13cfa5dc619565a496d079567be8

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11001.bmp

Filesize
378B

MD5
c8dc89020492c84471207eeab9d7d99a

SHA1
35e94f85f1555b0537c32af3f6593c188fa21aac

SHA256
acf90aa978ed387f7a14662d4d4bbad21a7989b5b2690a0f25acc9fe7b7520a0

SHA512
ab9a668cccdef4f18909be8ed86e2676726e90f3ace94a515daf92e9aad91cc7759e20d027c7a8dd6d3fef3e1e3a24c3b0a4d3249d8bb958f580fa62e71df350

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11002.bmp

Filesize
378B

MD5
48c75d95475f11840964aeda8a59fdc1

SHA1
9d6a8422353cd194e9ea575ba13152361cc573cc

SHA256
60efc3425016df8642f240d0e3628601d2867a0c5a8a6f82b14b0722c32a25f3

SHA512
1dfd68eba1838a1fdd15b457319f1bda312ed393f858231d6b968782876cac47c5a82d794037a264da587a3f418e12d64b0f41fbfde36be0077c70c137b75f95

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11003.bmp

Filesize
378B

MD5
a8e37a45353f8bdc3fe88542ecd37f6e

SHA1
b92dbcae9d1605d6d51cccf987b8d8e8bb5a84c1

SHA256
568d792c20c99bd67a19572e223cf96e574db02e292d7d88d05fe895654e4bbb

SHA512
e7b51af31026a213e4b6cfd6e2fdcbcd1d5bf0531c5a1c4a0a2e7d12c18a006a427d911b1ed02942842412e9dfb116bc25b56ed53d4f23277dd3871004f0c358

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11123.bmp

Filesize
3KB

MD5
b6e73736924518b6fa1d4aa4606cd70b

SHA1
6936934a872300bd3651cb5a208859ee53ef53d4

SHA256
68e80f1b74696bf20300ccc1898d012623407c8ef85dd77ad723768374dbf8e8

SHA512
b6a664f5ff7488dee156a918d17c98b6c4b00bf8797ab64e55aa621e4e0b1dbef593f91e92dff9ec1a1a26fd8417443478476d794fe3de05dbc41af70b2a8475

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11129.bmp

Filesize
2KB

MD5
bb49cd8c7e4d37abada29a7c2a2e7c46

SHA1
b1c22bb6b6109626d8c9ff9d9c75d37e3fe5ec83

SHA256
a1f45ba75dbec9051fdc99f3e6fbbc535699c0bb274c60a5fe3e475453473a61

SHA512
d62a4b467f46f799359d59f43f8d5e1b7da854b2cd6632539acf97b27853d9bc9c878a7baec209f31de38c16204d317d700fc83b18aa43984404ffae07c425d0

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11136.bmp

Filesize
2KB

MD5
bad9dd2dd59bfbf16f71b980ba420ce7

SHA1
9255e330df54b53df7a0ae13708e810d309bcbc5

SHA256
d935e375f32b59ea7e1d4362189696f9b261ee82eac6b654f8bcb6328d0dfc43

SHA512
2a7446633d17961d05c39cd864e5b0c156df1e2f87261d413c940174f0e0e59a0684f5cf0e9165b730bb509e275fe47abf5849876f61c9683b6dd6bc35112b00

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12208.bmp

Filesize
270B

MD5
73007734eea6beb642a6727c42ec7bbd

SHA1
a5618c4c9e1fef905aed3d0f40921d8318841c95

SHA256
ddbf46dea78461d03e3d8c47fd4af2955d8f5ffaab0b095f25f1d91951bfaee4

SHA512
c6b1a1751bbaad87b7b5deeca1d73e13c9042d8c95be61f38300683987b8328c3dd9f35b9f36eae32c2ba30b3443da8f19e8c510a4adcb3b2b97b2bb00d6420e

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12222.bmp

Filesize
25KB

MD5
c3210059b170e580cd9ced109ba1956d

SHA1
109185c5e3528fdf9efbdb1f36317d1a540f887f

SHA256
e78257f4187c16024e46463a8f15aedc90b52dff8e518bc6b250e237ae86ab3e

SHA512
f56c3e05465bc319b60027740bcbb1f279daa4c69dfbb7e1c552ff36d5d66a8ce37b1fcc4b4f63ab6aa4aa36e447e2e21bb938ef189577acdd2389e95faa8aff

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12237.bmp

Filesize
39KB

MD5
0fe186c49c6741ea67a8834f47efa6d3

SHA1
04b390d00dd4e8b388eed557989d11c17a3ea636

SHA256
6c32925cb1539279665a000d6636830bbf3a5ec0907e42117074f2966432620f

SHA512
19fa9315f7d2b1ba8c338ea01d5430fa9f21e26a0d65713688b3120ebc06366312d0866df9bc81c19379e6ad84b36a86237f1ef9e43f58fbe10e41811609fc8c

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12263.bmp

Filesize
3KB

MD5
4c96399fa401d46557f1c9f607032ec7

SHA1
6dfcfeb31f7ca4386e1b7a80188cf445605d2226

SHA256
183d89a95dcbf593e557740406ad0ef6c7b66c71c461aeda76a6bc9a1f9cc128

SHA512
5fb01054a5906f8a55d039cbada75ef5c1e9e1d07e62ca01b76593e4e73afa852b8ab9a59b2e6640e63b1f769182340762221cd49e30677f97ce948d9530a9f8

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12281.bmp

Filesize
7KB

MD5
b30714bebca8a69b300ebc3522805c76

SHA1
2f18d25d35f593e31ecbb07b69530ce9f6c71700

SHA256
13c283de7ff1d2c51ce7a11feb5524a89e0ec756ac77125e82b293d05e98f0f2

SHA512
ec81098d1b00b93f27acbc2ecf376518e648e5c6b03da78203b73538b6ff90e00e48093182ae5f08974a149714ff919c1bd41ebabdfe4ed3ab573533ada59152

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12302.bmp

Filesize
2KB

MD5
3d6b73a0623bb8af1c2b739a81244fd6

SHA1
0498180178667f86149c2c3c6c4527126552e262

SHA256
d51eeb585e258c4d1672b051ebad0ba27e10865f585d18a46e330ccb53768873

SHA512
f5025f8663838f55e6f5413280b090a741bb6a5d1e495b7117dc903e01a1d780fb20296122e501694f3c5a5acca07c3cf8ec306b951dfefdebe03ae436f930e4

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12305.bmp

Filesize
4KB

MD5
9520f21d52c7238b93e33756eb343d46

SHA1
cd8b48a8eb7bbbe1400210ce8c301795131973ab

SHA256
36a38760f4b83dc58d0d19401138522c8515f3a6b11bdb89c41d9fac405c2577

SHA512
321a04bd2977b95e1f05ecfbe49ef650bf7a1b5aa69f2df8dfa60c3e8129e496f3ac1ab2e7c7c27b9654ce25ffdf4b0cadc91feab2c9d5a245e7ff55fef31be6

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\authui.dll.txt

Filesize
8KB

MD5
f305fb3759ae9239cf09fb5d2e9f2184

SHA1
546e02ea415c6903e0f1e74a66545ad4d3cfea2a

SHA256
9c698809ae9a7bb9d1cc26e96e37ccd0e1290bbc30012c07dcb2bcc649597fa8

SHA512
e330370a07b84b24c3f8048dd1156d47203a0c63e1d933736f5942237fba3a01d790e8d14e3125e6c197585cc16200749602408c45cdf613dd955c9ca0b7dc02

Download Submit
C:\Program Files (x86)\8 Skin Pack\SP.exe

Filesize
1.6MB

MD5
2f260ebb64afda32213668663fd83e70

SHA1
83b221ea59e2c23a9593e71b595241508b7efe17

SHA256
3e2a3388896545f9bea1d556ff6383c67f92404bfd33591988963dfae5fd3e5a

SHA512
87acfdb22a96483ad0ddd990d46d68d01b1b1bf0621b83031fdada219602b0aa91300c362749cd1e13a3ea4ed8f45a3b841c6820f4b446205dbdea39869eef2b

Download Submit
C:\Program Files (x86)\8 Skin Pack\TaskbarUserTile\UserTile.exe

Filesize
26KB

MD5
81e70e4fcb88486aee8ead21a3ad746f

SHA1
b1a190657a7e6dea00e27b5c76cdaff2c4d28210

SHA256
04e1e116477a4d5ca9521a6bde97cf2239222e02d677f73aa52d71f758942fc7

SHA512
25a9f60ed96146dae79e5459e7aa637f937a4e2d9ee582c9f99eaa9c86fa2618ce76762eaf523d88e81a3de27e39739654c7260905a788df044615ed273d15cc

Download Submit
C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe

Filesize
15KB

MD5
fdc7b5defae116802a0f695d789d3a35

SHA1
2a7bbda9bdb9df297a174a6ade11b282cd5d558b

SHA256
e0017fb1874641754b228fe0d50e23302e69b93e4331d535c6fe6d0c22199629

SHA512
4c9d2e6a44438d816ae6fa35525ad4c018bfb5a43f4ebb7f7843eaae9617241cc0ca98b1d31f38d7f4edfc4c184123b632071351ca00c6c05c8eb721a8f3bf4a

Download Submit
C:\Program Files (x86)\Skin Pack\8\install.cmd

Filesize
27B

MD5
04a01b7bb9e5d780194d6729237f5923

SHA1
5a0e5dfebac286abe4cad1d3a99fd6ee99116cd2

SHA256
3a393057c762af5c067ca058924ec5e64921a798aaee2f9bd818d88d50adbdff

SHA512
e24d1dbfd64ec6a0621c3e3fd68d6fedea82603acefc4bc9635bf99278724678f816766d920af66291ab021b37fdeafb94337476e6b8c16a2f5c197943a7b435

Download Submit
C:\Program Files (x86)\Skin Pack\refresh icon\ric7.cmd

Filesize
89B

MD5
747cf038b116aa75f173f8042fdbb7a8

SHA1
d0e6f21765d15661207986db9da2cebd21ef9bd0

SHA256
61ad0a31a74ad1eeb7ed490188a4562c0a1a8ac832bacf467131c2bc0a887dbf

SHA512
87f83dee494a3902db7ea29e2c442927f3391ce0d8021402cdf6d3fe5b42cad9fafcddf762f9fc2eed2cf52d34d5e37c285701fa618292597331ac63d0dd2d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6

Filesize
530B

MD5
5e275db761aa5a23ac651af8f6c4a000

SHA1
583fe93323b8fee3be1469f2d1bfc16a091ebc70

SHA256
3b9b2f75b724fe5354d24a0ef729b8a2aaa8a9313166eafb1f73b07cf1a745ef

SHA512
892fd01ee561591cee4d00ae4cd3cc91a07587c097d6969f8392af87582f93c259c52dae17d161e22ba12bf47b0d4d9953cddcb7df91a4a0e4de1a9873c936ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6

Filesize
222B

MD5
467bf0d114c0306ab387eb112bbf8224

SHA1
d368a34997b566cb7d42042036bbd50492fb442e

SHA256
74088ef7c8da40924c845789962467a9054fce0c85e5a99cbf4e3f3877144205

SHA512
e4be28a0c09ab9628057579073470fa4979b2eb713c3c9f8f60fb70815c115982a352044f30fb00ffa02bc124761e250724c68ab3e84282481f3b0333eceba19

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

Filesize
36B

MD5
8708699d2c73bed30a0a08d80f96d6d7

SHA1
684cb9d317146553e8c5269c8afb1539565f4f78

SHA256
a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f

SHA512
38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab80C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C9B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\ExecCmd.dll

Filesize
4KB

MD5
b1d08c24cad3f8f6ccd6b9ebd24d30c0

SHA1
d01549db25d0345c05d3c2eb90b173f937966ce5

SHA256
c4b6ff0091b3401670c8c6d3cb337d3ba0c2a514e66b0ea3501bb7ef78ddba69

SHA512
9cb5735c86cdf8d126268b7b2ec8fafd654d69bdfe5336d54b7d44b5ac8e1174836c487bb4aa40517516a55323bf9f916a96753c8dd2bc9b2d481071c9d9fbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\JpgToBmp.exe

Filesize
44KB

MD5
a3e8696c93ad86d6b76a455e9d04582f

SHA1
17368dc01a16b6a67663c1900575aa96f5e170ba

SHA256
cce22a24171bca94741e8e5aed408b8abf33f20a27c6fe8696947285e7e7da70

SHA512
85de5fcdc530c787aae8aa9ef3a0c27f22ac65dd8ca066e71859b417d141cf49d4013fc05b008cd49dad66a90f23efcd8bd37bc7360c6873171e334cbb7ce30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\UXTheme Patcher.exe

Filesize
72KB

MD5
c35efaa15f6f1da888efc247e886389d

SHA1
e3f35519380a564ff62f5ea2fa95fd5bca38bb1a

SHA256
558f6e38c300957234231234c44ccf41217182677e859c9005a51094bdf01794

SHA512
fd3d27271cab60f51929a4e92cccd0ce2edf8c95fd2db6cc957620ff2f7522e644b67862ec7803e6068f5ae75caedad9daae3dafdd4b7f4898c618c8498dca16

Download Submit
C:\Windows\Resources\Themes\Aero Lite Glass\Shell\NormalColor\shellstyle.dll

Filesize
342KB

MD5
1e59a02a8c6f49e61c5880971d560eee

SHA1
9c0d83b4f5e39114d2a6148b36f54cab1ba9904c

SHA256
b887f47f4ea0f63d3095f99020d8d391062d99722e812530f0f674ff8b7e237c

SHA512
0c6c3e61bcd1d53196066765a377592ac468913b544c76fbc6959d20428a14262a4247cb2e6af994076d8a4a1cd82521929018e18dfe4f3ef0a5ca735d295dcd

Download Submit
C:\Windows\SysWOW64\themeui.dll.tmp

Filesize
2.6MB

MD5
1d81652c6689543c4965fb13698400ed

SHA1
9d269c05c7586368946d1755352d52f32ccbd148

SHA256
8d8f9b41d4e26fa65f04fdd18a50926d930b45925a5ae813c0cd72e582c110a8

SHA512
7cc1f5d668c05444eeb0322fabce1a1b0fc3febfecc7c32c255d5989b1d64ebf1535b4b00a340e25788584943f60014bb3f1ff35217de803763365825df5ff06

Download Submit
C:\Windows\SysWOW64\uxtheme.dll.tmp

Filesize
240KB

MD5
5791d764ef253b4400b53d15ae6a5c17

SHA1
d197f0ca64552ae0a858582ae94e58aeb2e4a283

SHA256
9771210f4de326d030260c95988f9862e1e93770fb318909adeb3dd7f15882aa

SHA512
96e28598146268fb258da5d0d204103c4056d3b2c56c2584dd631f611ce53e40aa9256146d43b948c29835ab026bbc41d6d275dbf58c1eb3863f52046e01ea21

Download Submit
C:\Windows\System32\themeservice.dll.tmp

Filesize
43KB

MD5
9201be2bab8a9ff8e20d8439ae3bb04d

SHA1
19bd1e2512e477e263f8fbc0fe594bd1686b2484

SHA256
d973c4fe5b8d02b15476d72b49105840a04dbff8bcb77117c0354d046e6c02fb

SHA512
fb6eae38d112eaab15cef451ed2d5f1d2e49a3e516f65a1366f9fb7bc0f337a80dadd02f7e089c6c59430ad1fa111a68aa6791c8f03a30c223265b9499487556

Download Submit
C:\Windows\System32\themeui.dll.backup

Filesize
2.7MB

MD5
2c647abe9a424e55b5f3dae4629b4277

SHA1
4182d231d6e1e07a713c3120518f5debdf89aa78

SHA256
7b33009d253bafff87535c075e75498b6a06f334035ddc0df51e10a142b4df9e

SHA512
575a9a81ad59ba6507df051d9085a177a15c03d6ee8a573956f60dd3080acea771038b3c0819f6d11b8e127b5e399610f40a181e3a4a2002b63361e4642b233f

Download Submit
C:\Windows\System32\uxtheme.dll

Filesize
324KB

MD5
8bf20c54ffb37cfb960f708ffa813fa7

SHA1
227b5cc038dd4297b8bd3583c2eced25b081b25a

SHA256
638c59147dd0272bd2b32af704314e748558d74d22d0777c99fa240fea1ef41b

SHA512
2389b3fee6101209a4604eb9ab6452f7a12b0fb70122eed42c8bd47c837033ce5cfb2ad08b2e9d92fb68642fbf5fdcb3c00aee1099bf3d946d741f1c87052d18

Download Submit
\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe

Filesize
997KB

MD5
2f92eed4e2061af0961f379e9ded70d6

SHA1
8b58dcd428759d3633a14bcfc62a8cb6deb66de5

SHA256
52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f

SHA512
909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\Banner.dll

Filesize
4KB

MD5
0116a50101c4107a138a588d1e46fca5

SHA1
b781dce23e828cf2b97306661c7dad250a6aaf77

SHA256
ab80cf45070d936f0745f5e39b22e6e07ba90aa179b5ec4469ef6e2cb1b9ef6b

SHA512
55de6aeaad05b01a25828553d3ea9f1b32a8b0c35c42dc6106bed244320e3421ec6a6f5359b15f9d18dd1e9692ca5572b2736d9d48cceb07b9443601d00a5988

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\UXTheme Patcher64.exe

Filesize
92KB

MD5
5eac71e2ab8b58f00da48a21becb586f

SHA1
57fe7ac0196a04b535615f19b0758e75071a9943

SHA256
196756bea46f45de4b8e2eedebd51df8222f627f1eb9c2876d927718c85286e9

SHA512
2345d45a9d2b163d2a550808ab2af72748e80615e9d7965d40642b80cf53c3eab3ad07cbfed6b8b97ea1656436306919de6e74fef9f62c62456bd058c70830ff

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9E63.tmp\xml.dll

Filesize
118KB

MD5
42df1fbaa87567adf2b4050805a1a545

SHA1
b892a6efbb39b7144248e0c0d79e53da474a9373

SHA256
e900fcb9d598643eb0ee3e4005da925e73e70dbaa010edc4473e99ea0638b845

SHA512
4537d408e2f54d07b018907c787da6c7340f909a1789416de33d090055eda8918f338d8571bc3b438dd89e5e03e0ded70c86702666f12adb98523a91cbb1de1d

Download Submit
\Windows\SysWOW64\themeui.dll.backup

Filesize
2.6MB

MD5
5992a9df57fd5e6960fdcc2db69867f7

SHA1
c5db35169d1ca2db1a8450f49a9aa0a52facdc05

SHA256
9be3a7bedb18ab9399d2b665ee9edc553e63599f51d98a1b43e6aeb0c1e1b166

SHA512
3c118e0d263c85d04bcb0fbd169da859310e5c4f286a215e84b307fcd3944147faa44e24e6c7dfcd0a3ebf0fb09410c421316e18c934ec822d6b74cbab0af34c

Download Submit
\Windows\SysWOW64\uxtheme.dll.backup

Filesize
240KB

MD5
43964fa89ccf97ba6be34d69455ac65f

SHA1
391fa4e8020c872311e8a7daf6540687133f9496

SHA256
10e3b89a5470e1bb6f73382135dd2352f5073c1ee8485d7476cfb5122d4aaa2f

SHA512
b87b15bf18b51181971b702a3bec476db263c248f619541d1c8ced30c0d401dfd4b77a5ceb56a0a39e12cf3962b5ac62dbddee7cb5fcdf8d3cf14da898858511

Download Submit
\Windows\System32\themeservice.dll.backup

Filesize
43KB

MD5
f0344071948d1a1fa732231785a0664c

SHA1
af0e3bcf1f56b5a89cdb2b1dca66a0140564c041

SHA256
db9886c2c858faf45aea15f8e42860343f73eb8685c53ec2e8ccc10586cb0832

SHA512
263a8bc5f6b79da1345cfc5070cbd1a334f978ead127d958b264e86f0a6283ea62f1eb4a13c6b8f37b388954a4e314934b45088efc56353d249ddf2b51e96d5b

Download Submit
\Windows\System32\themeui.dll

Filesize
2.7MB

MD5
15150f4c82f9074250dff31950781f5a

SHA1
7c9e33e48bc095b49cd500bf8564d39b2d245688

SHA256
1f722dac2a51a6659a2b72950bb4d1dccb33dff3bd0ea6b05675f21c9558a90b

SHA512
49002032d235ed33ec0f2b38257c83a65eb527b743ebc98d572fdf68a5146fde94d6ecf3650157e5a309166b29f79e377173e651905ad456296eafc649ec6f34

Download Submit
\Windows\System32\uxtheme.dll.backup

Filesize
324KB

MD5
d29e998e8277666982b4f0303bf4e7af

SHA1
e803b0af61ea2ddcd58b5a63b1cfbb73266318ea

SHA256
4f19ab5dc173e278ebe45832f6ceaa40e2df6a2eddc81b2828122442fe5d376c

SHA512
f89ae9153fc718c1f72a8a555e08b599516b0f16e678762bc03a2ba74aad735d591635e159d40470254bdf4ceb8d7a96d47d431f3e34b384fc2aec1fb9281bbd

Download Submit
memory/280-174-0x000007FEFBA50000-0x000007FEFBAA6000-memory.dmp

Filesize
344KB

Download
memory/280-114-0x000007FEFBA50000-0x000007FEFBAA6000-memory.dmp

Filesize
344KB

Download
memory/332-599-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/628-679-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/912-430-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1016-664-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1192-41-0x0000000002AF0000-0x0000000002B11000-memory.dmp

Filesize
132KB

Download
memory/1248-686-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1272-715-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1356-422-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1660-616-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1692-1049-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1796-708-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1992-592-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2016-609-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2096-642-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2364-445-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2400-478-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2408-485-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2416-1071-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2616-1102-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2652-524-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2708-657-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2836-1095-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2848-517-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2956-945-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-635-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3048-452-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download