2bdf894b05844e6ce24c7a42eaf3abae2312b094d1277db0a09bc83a8fef886a

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Size

17.5MB
MD5

b01e46bf32bbd7ee487afa466675d66e
SHA1

bc824d6f59df34c2921e82b28117c06c8d067078
SHA256

2bdf894b05844e6ce24c7a42eaf3abae2312b094d1277db0a09bc83a8fef886a
SHA512

5ee755da3d0a7dfee73413c25177a930b3e1ecf4e1270d9c83a9b4af3c7beff7318a855b87514da16ef39ae9e82e4e60728d4e3c708616724fad764888125e1c
SSDEEP

393216:Yvys39dd49QjUcMqaMVvvBLs1cP9yukE2y8Ql:Yvy79yFM0HEcP9170Ql

Score

7^/10

discovery ransomware

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

boot.exeRIC.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	boot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RIC.exe

Executes dropped EXE 29 IoCs

Processes:

UXTheme Patcher64.exeUXTheme Patcher.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeResHacker.exeMoveEx.exeJpgToBmp.exebx.exeboot.exeWin7BootUpdaterCmd.exeRIC.exeMoveEx.exeMoveEx.exe

pid	Process
3020	UXTheme Patcher64.exe
3600	UXTheme Patcher.exe
3460	ResHacker.exe
680	MoveEx.exe
3800	ResHacker.exe
2440	MoveEx.exe
4392	ResHacker.exe
2064	MoveEx.exe
4924	ResHacker.exe
376	MoveEx.exe
3528	ResHacker.exe
1816	MoveEx.exe
3560	ResHacker.exe
1476	MoveEx.exe
2648	ResHacker.exe
1456	MoveEx.exe
4956	ResHacker.exe
1912	MoveEx.exe
3624	ResHacker.exe
2492	MoveEx.exe
64	ResHacker.exe
3508	MoveEx.exe
944	JpgToBmp.exe
3800	bx.exe
3360	boot.exe
3084	Win7BootUpdaterCmd.exe
5036	RIC.exe
2448	MoveEx.exe
1652	MoveEx.exe

Loads dropped DLL 39 IoCs

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

pid	Process
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\8.bmp"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exeResHacker.exeResHacker.exe

description	ioc	Process
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Disk\Disk.config	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Socialite\Widget.xml	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12216.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12263.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\2408.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3084.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\RAM\Newgen.Base.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12217.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12322.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\ExplorerFrame.dll\578.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\BetterExplorer\Microsoft.WindowsAPICodePack.Shell.xml	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12218.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Aura\Aura.exe	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Hotmail\Widget.xml	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\BetterExplorer\BEH.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\BetterExplorer\BetterExplorer.vshost.exe	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12231.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\imageres.dll\5010.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Me\Widget.xml	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\PicturesV2\Widget.xml	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11152.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\shellbrd.dll\shellbrd.dll.txt	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\Explorer.exe\6809.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Twitter\Hammock.ClientProfile.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\TaskbarUserTile\Nini.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3085.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\SndVolSSO.dll\120.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.ini	ResHacker.exe
File created	C:\Program Files (x86)\8 Skin Pack\BetterExplorer\BetterExplorer.pdb	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\SP.exe	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Reloader.exe	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12323.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\imageres.dll\5012.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\basebrd.dll\2120.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\8 Skin Pack\boot.exe	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3051.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Socialite\Socialite.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Install.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12261.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\ExplorerFrame.dll\586.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Store\ru-RU\Store.resources.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\MetroBar\MetroBar.exe	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.ini	ResHacker.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\2401.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3086.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\Explorer.exe\7013.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Newgen.Base.xml	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Store\$[Cache]\Icon_Me.png	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11127.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11136.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\2407.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\Explorer.exe\6805.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12276.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12306.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\14003.png	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12219.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12284.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3077.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\Explorer.exe\6812.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\Hotmail\Hotmail.config	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11126.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12230.bmp	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3066.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\2406.ico	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

Drops file in Windows directory 47 IoCs

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exeJpgToBmp.exe

description	ioc	Process
File created	C:\Windows\resources\Themes\Aero 8.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Basic.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Glass.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro Glass.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro White.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero 8\Aero 8.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Windows 8\Windows 8.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Web\Wallpaper\8.jpg	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Unavailable.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Working In Background.ani	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro Black.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro Black\Metro Black.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\busy.ani	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Glass\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro Black\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro White\Metro White.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Windows 8\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Web\Wallpaper\windows 8.jpg	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Glass\Aero Lite Glass.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro Glass\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Simple 8\Simple 8.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Simple 8\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Diagonal Resize 2.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Handwriting.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Move.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Normal Select.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite\Aero Lite.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Alternate Select.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Help Select.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Full Glass.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero 8\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro Glass\Metro Glass.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Diagonal Resize 1.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Vertical Resize.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Simple 8.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Full Glass\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File opened for modification	C:\Windows\Web\Wallpaper\8.bmp	JpgToBmp.exe
File created	C:\Windows\Cursors\8\Horizontal Resize.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\Cursors\8\Link Select.cur	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Windows 8.theme	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero 8\Shell\NormalColor\en-US\shellstyle.dll.mui	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Basic\Aero Lite Basic.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Basic\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Aero Lite Full Glass\Aero Lite Full Glass.msstyles	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
File created	C:\Windows\resources\Themes\Metro White\Shell\NormalColor\shellstyle.dll	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

JpgToBmp.exeRIC.exeb01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exeResHacker.exeResHacker.exeResHacker.execmd.exeWin7BootUpdaterCmd.execmd.exeResHacker.exeResHacker.exeResHacker.exeResHacker.exebx.exetaskkill.exeUXTheme Patcher.exeResHacker.exeResHacker.exeResHacker.exeboot.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JpgToBmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Win7BootUpdaterCmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UXTheme Patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ResHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boot.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
1780	taskkill.exe

Modifies Control Panel 17 IoCs

evasion

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\Crosshair = "%SYSTEMROOT%\\Cursors\\8\\Precision Select.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\NWPen = "%SYSTEMROOT%\\Cursors\\8\\Handwriting.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\SizeWE = "%SYSTEMROOT%\\Cursors\\8\\Horizontal Resize.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\Wait = "%SYSTEMROOT%\\Cursors\\8\\Busy.ani"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\SizeNS = "%SYSTEMROOT%\\Cursors\\8\\Vertical Resize.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\IBeam = "%SYSTEMROOT%\\Cursors\\8\\Text Select.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\SizeNESW = "%SYSTEMROOT%\\Cursors\\8\\Diagonal Resize 1.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\Arrow = "%SYSTEMROOT%\\Cursors\\8\\Normal Select.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\Help = "%SYSTEMROOT%\\Cursors\\8\\Help Select.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\No = "%SYSTEMROOT%\\Cursors\\8\\Unavailable.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\SizeNWSE = "%SYSTEMROOT%\\Cursors\\8\\Diagonal Resize 2.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\SizeAll = "%SYSTEMROOT%\\Cursors\\8\\Move.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\UpArrow = "%SYSTEMROOT%\\Cursors\\8\\Alternate Select.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\Hand = "%SYSTEMROOT%\\Cursors\\8\\Link Select.cur"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Cursors\AppStarting = "%SYSTEMROOT%\\Cursors\\8\\Working In Background.ani"	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

pid	Process
1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Win7BootUpdaterCmd.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeRestorePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeBackupPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeDebugPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeIncreaseQuotaPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeSecurityPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeTakeOwnershipPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeLoadDriverPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeSystemProfilePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeSystemtimePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeProfSingleProcessPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeIncBasePriorityPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeCreatePagefilePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeBackupPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeRestorePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeShutdownPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeDebugPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeSystemEnvironmentPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeRemoteShutdownPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeUndockPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeManageVolumePrivilege	3084	Win7BootUpdaterCmd.exe
Token: 33	3084	Win7BootUpdaterCmd.exe
Token: 34	3084	Win7BootUpdaterCmd.exe
Token: 35	3084	Win7BootUpdaterCmd.exe
Token: 36	3084	Win7BootUpdaterCmd.exe
Token: SeIncreaseQuotaPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeSecurityPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeTakeOwnershipPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeLoadDriverPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeSystemProfilePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeSystemtimePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeProfSingleProcessPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeIncBasePriorityPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeCreatePagefilePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeBackupPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeRestorePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeShutdownPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeDebugPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeSystemEnvironmentPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeRemoteShutdownPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeUndockPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeManageVolumePrivilege	3084	Win7BootUpdaterCmd.exe
Token: 33	3084	Win7BootUpdaterCmd.exe
Token: 34	3084	Win7BootUpdaterCmd.exe
Token: 35	3084	Win7BootUpdaterCmd.exe
Token: 36	3084	Win7BootUpdaterCmd.exe
Token: SeIncreaseQuotaPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeSecurityPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeTakeOwnershipPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeLoadDriverPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeSystemProfilePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeSystemtimePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeProfSingleProcessPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeIncBasePriorityPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeCreatePagefilePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeBackupPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeRestorePrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeShutdownPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeDebugPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeSystemEnvironmentPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeRemoteShutdownPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeUndockPrivilege	3084	Win7BootUpdaterCmd.exe
Token: SeManageVolumePrivilege	3084	Win7BootUpdaterCmd.exe
Token: 33	3084	Win7BootUpdaterCmd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

UXTheme Patcher64.exeUXTheme Patcher.exe

pid	Process
3020	UXTheme Patcher64.exe
3020	UXTheme Patcher64.exe
3600	UXTheme Patcher.exe
3600	UXTheme Patcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1996 wrote to memory of 3020	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	97
PID 1996 wrote to memory of 3020	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	97
PID 1996 wrote to memory of 3600	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	98
PID 1996 wrote to memory of 3600	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	98
PID 1996 wrote to memory of 3600	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	98
PID 1996 wrote to memory of 3460	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	99
PID 1996 wrote to memory of 3460	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	99
PID 1996 wrote to memory of 3460	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	99
PID 1996 wrote to memory of 680	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	100
PID 1996 wrote to memory of 680	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	100
PID 1996 wrote to memory of 3800	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	102
PID 1996 wrote to memory of 3800	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	102
PID 1996 wrote to memory of 3800	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	102
PID 1996 wrote to memory of 2440	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	103
PID 1996 wrote to memory of 2440	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	103
PID 1996 wrote to memory of 4392	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	105
PID 1996 wrote to memory of 4392	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	105
PID 1996 wrote to memory of 4392	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	105
PID 1996 wrote to memory of 2064	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	108
PID 1996 wrote to memory of 2064	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	108
PID 1996 wrote to memory of 4924	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	110
PID 1996 wrote to memory of 4924	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	110
PID 1996 wrote to memory of 4924	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	110
PID 1996 wrote to memory of 376	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	111
PID 1996 wrote to memory of 376	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	111
PID 1996 wrote to memory of 3528	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	113
PID 1996 wrote to memory of 3528	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	113
PID 1996 wrote to memory of 3528	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	113
PID 1996 wrote to memory of 1816	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	114
PID 1996 wrote to memory of 1816	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	114
PID 1996 wrote to memory of 3560	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	116
PID 1996 wrote to memory of 3560	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	116
PID 1996 wrote to memory of 3560	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	116
PID 1996 wrote to memory of 1476	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	117
PID 1996 wrote to memory of 1476	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	117
PID 1996 wrote to memory of 2648	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	119
PID 1996 wrote to memory of 2648	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	119
PID 1996 wrote to memory of 2648	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	119
PID 1996 wrote to memory of 1456	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	120
PID 1996 wrote to memory of 1456	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	120
PID 1996 wrote to memory of 4956	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	122
PID 1996 wrote to memory of 4956	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	122
PID 1996 wrote to memory of 4956	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	122
PID 1996 wrote to memory of 1912	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	123
PID 1996 wrote to memory of 1912	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	123
PID 1996 wrote to memory of 3624	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	125
PID 1996 wrote to memory of 3624	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	125
PID 1996 wrote to memory of 3624	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	125
PID 1996 wrote to memory of 2492	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	126
PID 1996 wrote to memory of 2492	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	126
PID 1996 wrote to memory of 64	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	129
PID 1996 wrote to memory of 64	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	129
PID 1996 wrote to memory of 64	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	129
PID 1996 wrote to memory of 3508	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	130
PID 1996 wrote to memory of 3508	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	130
PID 1996 wrote to memory of 944	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	132
PID 1996 wrote to memory of 944	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	132
PID 1996 wrote to memory of 944	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	132
PID 1996 wrote to memory of 3800	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	133
PID 1996 wrote to memory of 3800	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	133
PID 1996 wrote to memory of 3800	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	133
PID 1996 wrote to memory of 3360	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	134
PID 1996 wrote to memory of 3360	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	134
PID 1996 wrote to memory of 3360	1996	b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe	134

C:\Users\Admin\AppData\Local\Temp\b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b01e46bf32bbd7ee487afa466675d66e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\UXTheme Patcher64.exe
  "C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\UXTheme Patcher64.exe" -silent
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\UXTheme Patcher.exe
  "C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\UXTheme Patcher.exe" -silent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3600
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\authui.dll.txt"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3460
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\authui.dll.xpize" "C:\Windows\system32\authui.dll"
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\basebrd.dll\basebrd.dll.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3800
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\Branding\Basebrd\basebrd.dll.xpize" "C:\Windows\Branding\Basebrd\basebrd.dll"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\ExplorerFrame.dll\ExplorerFrame.dll.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4392
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\ExplorerFrame.dll.xpize" "C:\Windows\system32\ExplorerFrame.dll"
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\imageres.dll\imageres.dll.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4924
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\imageres.dll.xpize" "C:\Windows\system32\imageres.dll"
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\pnidui.dll.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3528
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\pnidui.dll.xpize" "C:\Windows\system32\pnidui.dll"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\shell32.dll\shell32.dll.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3560
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\shell32.dll.xpize" "C:\Windows\system32\shell32.dll"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\shellbrd.dll\shellbrd.dll.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\Branding\ShellBrd\shellbrd.dll.xpize" "C:\Windows\Branding\ShellBrd\shellbrd.dll"
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\SndVolSSO.dll\SndVolSSO.dll.txt"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4956
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\SndVolSSO.dll.xpize" "C:\Windows\system32\SndVolSSO.dll"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\batmeter.dll\batmeter.dll.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3624
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\system32\batmeter.dll.xpize" "C:\Windows\system32\batmeter.dll"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe" -script "C:\Program Files (x86)\8 Skin Pack\Resources\explorer.exe\explorer.exe.txt"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:64
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Windows\explorer.exe.xpize" "C:\Windows\explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\JpgToBmp.exe
  C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\JpgToBmp.exe C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\8.jpg - C:\Windows\Web\Wallpaper\8.bmp
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:944
- C:\Program Files (x86)\8 Skin Pack\bx.exe
  "C:\Program Files (x86)\8 Skin Pack\bx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3800
- C:\Program Files (x86)\8 Skin Pack\boot.exe
  "C:\Program Files (x86)\8 Skin Pack\boot.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Skin Pack\8\install.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4160
  - - C:\Program Files (x86)\Skin Pack\8\Win7BootUpdaterCmd.exe
      Win7BootUpdaterCmd boot.bs7
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3084
- C:\Program Files (x86)\8 Skin Pack\RIC.exe
  "C:\Program Files (x86)\8 Skin Pack\RIC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Skin Pack\refresh icon\ric7.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1780
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:\Users\Admin\AppData\Local\IconCache.db"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe
  "C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe" "C:n\AppData\Local\IconCache.db"
  2⤵
  - Executes dropped EXE
  PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\8 Skin Pack\Aura\Aura.exe

Filesize
460KB

MD5
b13404d4770a8590409a22288f47af3e

SHA1
d159beaf09a76e9f92eadf96f27396cb47a3a130

SHA256
e0f5e720ba1748f0ca083b03cf98adfa0f9437f68f16d325aa35cbe71dfbd5b6

SHA512
9d4efacad59ff1b999d938c2d3e7cd8d0926106b6b9a605a3ad0f1ef60847e534c931d7c264b99e0b6e6137cd21006b34815680660720dbec0a3ff2934e6a34e

Download Submit
C:\Program Files (x86)\8 Skin Pack\Backup\ExplorerFrame.dll

Filesize
2.1MB

MD5
25c08b9ebcdf01a5d2f198a4bd222e09

SHA1
d0a6e1e11e766d1aa0d106dc369d90473b0ca4e3

SHA256
e5ab3461435379588c6ec8d44ad35c9696720d7ce00affe3f79f36ddf89ccdf6

SHA512
bb730a032e4ab1e05885d17d4322e9fc06d2aa90c426168c9917c3b1be0036685c0e7fc4bc6331e7c86fe40e0ef9468ba930a0fc8827e4d0b14dab8f2e0ec969

Download Submit
C:\Program Files (x86)\8 Skin Pack\Backup\authui.dll

Filesize
275KB

MD5
9742f598cd47bd90a6698e29d16c039e

SHA1
319ea3f8ff1dc544520937346b966fe5a23725bd

SHA256
1bf55c034d54c4925896e30ae3c772e1520c768e64f499d766d026a0de55e3a0

SHA512
e8fb782a0623cbd66cd94ae7f38d643af56d09a436cd15f991e29338549284d036d6e40d7e0755f5046e3ba8d5f9a22cdd027cada0480be1782c174d36e685f8

Download Submit
C:\Program Files (x86)\8 Skin Pack\Backup\basebrd.dll

Filesize
1.4MB

MD5
e7efc89da9c2aeb5665dd65d1d963afc

SHA1
0d1b06df183b5d6709414add6f81267d18bc9cb9

SHA256
c5bd5368868fdff022042ec5b599736983aa6678e939179c24cb5a9077674784

SHA512
30efb321439d052d23f729c9d442aed9330160b38661e33df1dea47aca4dbabd95249f078986872d9f189bb426aa18b4570134995d7a333e42309e9d0b0fc721

Download Submit
C:\Program Files (x86)\8 Skin Pack\Backup\imageres.dll

Filesize
2KB

MD5
620c454d6138083f146cd718cf3003e2

SHA1
155c86d26602058d21ce2cb0ba097292f4374d4a

SHA256
67c93e5c99187db024be2ddbf26020911d1f6e8836ddb2da2e51a87228c3182b

SHA512
c5cc55a32d29ed228982b16c1599e3293cd4540c67307837aab3dd5b7f46d5f858c60a7dc205fd2ef62e2464ffc1da22a0949dd6cd861cccd477e1cc2596b258

Download Submit
C:\Program Files (x86)\8 Skin Pack\Backup\pnidui.dll

Filesize
2.1MB

MD5
bc5be132cab791c258a17c6d40b50df2

SHA1
2dfd0ae57355cff5c8d97889d9a55947c339497e

SHA256
c4b3df6dc6a078b73a3dd935b807060ca323a98653eb13ec72582e6c98abafe4

SHA512
41d39c0a689eea236b281e4cedd83fe9650b0a2493fc005ae9f6f4243cc880a35637ff532ba97dece26d2bff3085783bfc676173c97261c7a8e4ecfeca023f32

Download Submit
C:\Program Files (x86)\8 Skin Pack\BetterExplorer\BetterExplorer.sfx.exe

Filesize
410KB

MD5
1b57087c796415a3f5157c47abd25e95

SHA1
eefd3b23380d9d9e9356d1b5e1d2877c2c4b11b2

SHA256
c049d2449dfb8b0a87716cf43e1e104ac25c7cc819273d177d6001d87a8fff1b

SHA512
0c3656336fc5367817bcbc53f674c72815972b0d301366d454720c602c6699d6d1681fcf1e87e9c811c000804503ce07b72b87947c960f08a4a82c84932d2741

Download Submit
C:\Program Files (x86)\8 Skin Pack\MetroBar\MetroBar.exe

Filesize
1.1MB

MD5
04428736e32be7a2de946b0297ac25fd

SHA1
50668d2521e165f9a7821a9c89896d891643026b

SHA256
7394e7a7e4bbe40b62ba49b5caa03233fc38afe840bdd851766dc7b71517e8a3

SHA512
a08ef8f8978486d4477193565887a8932a6a708aa94c736619d46d7ddceae471ca79a646b7e6a188f2bf368457a43c768429e34cd0ae19682fda237c6cdb4ca4

Download Submit
C:\Program Files (x86)\8 Skin Pack\Newgen\Newgen.exe

Filesize
832KB

MD5
14955aa543982954351e5a08eff38189

SHA1
b3a508eea0d2081b2f19c91c9bec05d9987caa05

SHA256
d90e6551a7362bac69203a102e5891cb81fb518bbf003fd7624c69a2cde49359

SHA512
d106a804b8394abc3a7739de7fb781dd3571e9e222a16a54dcab18690fe6207b673888e3a5d0dfec62f5051a6fd822f45e742e4f271ef4db5b063d86930ba3f6

Download Submit
C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\PicturesV2\Microsoft.WindowsAPICodePack.DLL

Filesize
103KB

MD5
56e013e924822c9d02329b15b03ede73

SHA1
085dacfcd1ffa398b795d096833d16367b0d2886

SHA256
7b88388b8367f0d873d0e3b66f533869c24e346fb6f0b2c6c783f931cc9a1631

SHA512
ea0020ee32e0c7e7323f5858a462bf762f65013509012147430f0d8f665eb86f534d2491ca9f737c15bf6f995a8d3e0172537129a0dc8628cf7bf0d0f48457d1

Download Submit
C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\PicturesV2\Microsoft.WindowsAPICodePack.Shell.DLL

Filesize
530KB

MD5
6d8deb7be7360761fd43ec9ddcaa0811

SHA1
b45482a37b381de2a0293b6be48c4cdef04aebff

SHA256
aa5d80cdc0da52970031309b457e3e3fd505bb1ac13fb79801d15bfbb4a700b2

SHA512
c400812dcdec40e4bce3ebfd1a3d472dbe27fb5bccd22e198f870f418c003d121135fa82e6699c581167f48393cacfc4876eb2e50f51104bcd9d322a5641f75c

Download Submit
C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\PicturesV2\Newgen.Base.DLL

Filesize
394KB

MD5
2348e8093bbe2fbbf1f37ec5311da99e

SHA1
fd7c9e99586b70d633dd0fee02ea9789d6939a09

SHA256
cd963d07c0bd3eadfeb4b4b124c7d9711d33bc6747f1d096eb1f363a25d47414

SHA512
804cb0a3e943f5909e3c167c803566a5bd65effb44e594a9b068d321bfb401e275b41acd3c3f337f16e6315fcd98fc6ca8e58484310e7e0706eec18d4d6a0107

Download Submit
C:\Program Files (x86)\8 Skin Pack\Newgen\Widgets\RAM\iFr.Helper.dll

Filesize
10KB

MD5
d5f7aecf1bb39385cd78a7a550efe5cf

SHA1
fffa95c6a865811a74dd4c524e736a59cd37d8eb

SHA256
573773e06d3b3603947711a8f858f258680a8a16c10c092a641d0ebf58872e1e

SHA512
f41d73ed28650f4d4fda31946da80e72aa2c34fea941c18501f40c4937c0ce8ed1c02b28f8220b96649aa09742ea776b7782d91aeca36daa24de22354732c597

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\ExplorerFrame.dll\ExplorerFrame.dll.txt

Filesize
1KB

MD5
1d2cf5f7dbda0d9adc43a11591caf2f2

SHA1
ab267571aa3e41e07a6043de58686e6aceecc2c1

SHA256
223ec5e39865c34d5a8370ce5b57202e916ab26fc1503aa9d40851a0c3f55d18

SHA512
af51f70bd4f31187dadfb9c5910a1d531b380c660f09ff2c4b8498e0d6b509bcdc8b1c521d27a8a60a783a93d7e4762646398da39d5eea437696fba399db41cf

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11123.bmp

Filesize
3KB

MD5
b6e73736924518b6fa1d4aa4606cd70b

SHA1
6936934a872300bd3651cb5a208859ee53ef53d4

SHA256
68e80f1b74696bf20300ccc1898d012623407c8ef85dd77ad723768374dbf8e8

SHA512
b6a664f5ff7488dee156a918d17c98b6c4b00bf8797ab64e55aa621e4e0b1dbef593f91e92dff9ec1a1a26fd8417443478476d794fe3de05dbc41af70b2a8475

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11129.bmp

Filesize
2KB

MD5
bb49cd8c7e4d37abada29a7c2a2e7c46

SHA1
b1c22bb6b6109626d8c9ff9d9c75d37e3fe5ec83

SHA256
a1f45ba75dbec9051fdc99f3e6fbbc535699c0bb274c60a5fe3e475453473a61

SHA512
d62a4b467f46f799359d59f43f8d5e1b7da854b2cd6632539acf97b27853d9bc9c878a7baec209f31de38c16204d317d700fc83b18aa43984404ffae07c425d0

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\11136.bmp

Filesize
2KB

MD5
bad9dd2dd59bfbf16f71b980ba420ce7

SHA1
9255e330df54b53df7a0ae13708e810d309bcbc5

SHA256
d935e375f32b59ea7e1d4362189696f9b261ee82eac6b654f8bcb6328d0dfc43

SHA512
2a7446633d17961d05c39cd864e5b0c156df1e2f87261d413c940174f0e0e59a0684f5cf0e9165b730bb509e275fe47abf5849876f61c9683b6dd6bc35112b00

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12208.bmp

Filesize
270B

MD5
73007734eea6beb642a6727c42ec7bbd

SHA1
a5618c4c9e1fef905aed3d0f40921d8318841c95

SHA256
ddbf46dea78461d03e3d8c47fd4af2955d8f5ffaab0b095f25f1d91951bfaee4

SHA512
c6b1a1751bbaad87b7b5deeca1d73e13c9042d8c95be61f38300683987b8328c3dd9f35b9f36eae32c2ba30b3443da8f19e8c510a4adcb3b2b97b2bb00d6420e

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12222.bmp

Filesize
25KB

MD5
c3210059b170e580cd9ced109ba1956d

SHA1
109185c5e3528fdf9efbdb1f36317d1a540f887f

SHA256
e78257f4187c16024e46463a8f15aedc90b52dff8e518bc6b250e237ae86ab3e

SHA512
f56c3e05465bc319b60027740bcbb1f279daa4c69dfbb7e1c552ff36d5d66a8ce37b1fcc4b4f63ab6aa4aa36e447e2e21bb938ef189577acdd2389e95faa8aff

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12237.bmp

Filesize
39KB

MD5
0fe186c49c6741ea67a8834f47efa6d3

SHA1
04b390d00dd4e8b388eed557989d11c17a3ea636

SHA256
6c32925cb1539279665a000d6636830bbf3a5ec0907e42117074f2966432620f

SHA512
19fa9315f7d2b1ba8c338ea01d5430fa9f21e26a0d65713688b3120ebc06366312d0866df9bc81c19379e6ad84b36a86237f1ef9e43f58fbe10e41811609fc8c

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12263.bmp

Filesize
3KB

MD5
4c96399fa401d46557f1c9f607032ec7

SHA1
6dfcfeb31f7ca4386e1b7a80188cf445605d2226

SHA256
183d89a95dcbf593e557740406ad0ef6c7b66c71c461aeda76a6bc9a1f9cc128

SHA512
5fb01054a5906f8a55d039cbada75ef5c1e9e1d07e62ca01b76593e4e73afa852b8ab9a59b2e6640e63b1f769182340762221cd49e30677f97ce948d9530a9f8

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12281.bmp

Filesize
7KB

MD5
b30714bebca8a69b300ebc3522805c76

SHA1
2f18d25d35f593e31ecbb07b69530ce9f6c71700

SHA256
13c283de7ff1d2c51ce7a11feb5524a89e0ec756ac77125e82b293d05e98f0f2

SHA512
ec81098d1b00b93f27acbc2ecf376518e648e5c6b03da78203b73538b6ff90e00e48093182ae5f08974a149714ff919c1bd41ebabdfe4ed3ab573533ada59152

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12302.bmp

Filesize
2KB

MD5
3d6b73a0623bb8af1c2b739a81244fd6

SHA1
0498180178667f86149c2c3c6c4527126552e262

SHA256
d51eeb585e258c4d1672b051ebad0ba27e10865f585d18a46e330ccb53768873

SHA512
f5025f8663838f55e6f5413280b090a741bb6a5d1e495b7117dc903e01a1d780fb20296122e501694f3c5a5acca07c3cf8ec306b951dfefdebe03ae436f930e4

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\12305.bmp

Filesize
4KB

MD5
9520f21d52c7238b93e33756eb343d46

SHA1
cd8b48a8eb7bbbe1400210ce8c301795131973ab

SHA256
36a38760f4b83dc58d0d19401138522c8515f3a6b11bdb89c41d9fac405c2577

SHA512
321a04bd2977b95e1f05ecfbe49ef650bf7a1b5aa69f2df8dfa60c3e8129e496f3ac1ab2e7c7c27b9654ce25ffdf4b0cadc91feab2c9d5a245e7ff55fef31be6

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\authui.dll\authui.dll.txt

Filesize
8KB

MD5
f305fb3759ae9239cf09fb5d2e9f2184

SHA1
546e02ea415c6903e0f1e74a66545ad4d3cfea2a

SHA256
9c698809ae9a7bb9d1cc26e96e37ccd0e1290bbc30012c07dcb2bcc649597fa8

SHA512
e330370a07b84b24c3f8048dd1156d47203a0c63e1d933736f5942237fba3a01d790e8d14e3125e6c197585cc16200749602408c45cdf613dd955c9ca0b7dc02

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\basebrd.dll\basebrd.dll.txt

Filesize
456B

MD5
f3c8ca54e2ab4440970f8267d88b18d0

SHA1
48d38f72347851e01a7f97bf6f8ee28fd2dc9ae9

SHA256
cf209a09592e21f145a382379c976912a473896d234483d198c30073ceb35d4d

SHA512
11967e4012cda6107c69309969e9191a69b05ab29828b0b6d63ebde01583909ada0abe3ae09d3ba2d73b3257b98673fe32bec079f7dbd6af7dcd91eef3a94c7f

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\imageres.dll\imageres.dll.txt

Filesize
1KB

MD5
3ff94cbfaa207dc57c8905e8beb09528

SHA1
dbce846ecf30a6f6f0c85e509a446990c254ce8e

SHA256
527dc2b109ca68abe772ffd31d10eb684b2e47f2d16e21b962408eada6d86899

SHA512
d17e584512e50331f5c361622c00537c4c7eb00d3cedb6fdf4f884d779388ceda9845a75bf8fa56b28b071dd163e05fa48c0d4f1c3b883aa9aeadcd03176f900

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3020.ico

Filesize
7KB

MD5
5504317e448e145061aefca3303328c4

SHA1
e9e6cbe717633f62a259e2cb0e3b0c5d1211b3ff

SHA256
9270da1a5d9bd6ee8be283b78af46ed053ec0b372804da7d0df33e8fddbf2dff

SHA512
f589e2ee6b4e2693fdc0b4f74554addf756e74ba976c8523b63471d1637205bda83e9c35a7eb5aeb76cdced8551f6873948a8efed746ace582119f765d520480

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3021.ico

Filesize
7KB

MD5
1b6c430354868c286898c62a6645c2b9

SHA1
9c05ec8849e2441e21b6af9f67d7bf42bc45b1a1

SHA256
fce93359d341c57ca676e864337767b1b1cf01f3931964e285b0d657fd6bb29c

SHA512
12a67d41ff2daf97d639b55aef9651217dd3b3ea1a74eb076b0c7d5d209eb73713c3ef3a152e94296aeb572ea68284af9fb7dff588336b21b477421828e32f62

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3022.ico

Filesize
7KB

MD5
1be520a0b0985c52363092985d0cd2bb

SHA1
0eac9f323a19860c8332181585a12766edc79ad9

SHA256
cd1aaea46bd645bf91cc38f6fdca0ff9a294a63c5d3c892fa717dd3d0aa4d116

SHA512
9eef585750401760893f703e0f76d52a83df47126079bb814fb770082006b35a56ba649e1d429e1d285734904b8da5d5367dc0962e3c812bd24424d92e0f3603

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3023.ico

Filesize
7KB

MD5
b553196bd5d0579d2eb782dc01956be2

SHA1
780e1c6c7abec526e391e9bafb9d06de83105923

SHA256
49620d8f1cfe353b6bf5461941f1e170d95ced678237385295aedbc6ad7289fc

SHA512
fffa622ae32076809d7bc4812016eb9c32447e80b2506da657cb448deb3b276f3ed820feb74ee20e1f87bb3f664c37dde031134b45686fe3e7d9a261694d0bf9

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3024.ico

Filesize
7KB

MD5
e6e438481905f85c6a026571aba34f7a

SHA1
38c30a7097128bb293c4e9586c059692bd9fcbc2

SHA256
cb1c332abbea11cb1899dd850e4a1d93d14d54e6b0b47e4115a12092391a25ea

SHA512
117c388049a26f0dff31ecfad5af1c7a73865a9771dcef0beae4b09965f06d5f20be9899b228dea94a5a57004496240c1f6796a3e628c362bbb36a0873903b24

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3025.ico

Filesize
7KB

MD5
5dcdfe38197fe2ced8a64bdd7dc723fe

SHA1
cee3ac01872fd2892443880a20cb35c7408aacf3

SHA256
328528750b02c59b720425aa964427fcb7ad721d1c839992fca91158fd1d4996

SHA512
5170bc6f7738774ad7bfbefe6902949e117bf8005af779211befa292eef8814aae21df43398ae2d3e5d9f6caada5ff0cc1a7f897b280f869f73049ef039bca41

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3027.ico

Filesize
7KB

MD5
2fc58542a3d27ad6bd97e86997ea5af3

SHA1
be1ccfd3b2cc93a3496dd1cbfd4a9da59755979c

SHA256
e046d87a0a4aadd7e560b7e7aa185aba598f194a30b4c064cb854fe2d3840b39

SHA512
6ca6690985dd3ef7026371d5accc21110d7b1933ecd0a86a03b5654774e9a7dab3e82e7d43f9c701c35054c72f560a6e911747e60f8170926719a83464804877

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3028.ico

Filesize
7KB

MD5
63b3cfbefa86fe4ffa7616ee8672a3b6

SHA1
1d7da1974fe84f164fd5c643fbbd1d25535e3c6b

SHA256
97a6066ac2c8843ba4dc64148789668c86b3f18c2e42bebfe87ee47c32c819e1

SHA512
57f5bd1ec363a547322c2ad51d3603bc24a2715a66f85b5ab81f2bdb81259cdc451a5fbb524c73b123b2c09193536edd1e0e47287766d6d766ca3a58334c5592

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3029.ico

Filesize
7KB

MD5
615dd916e10adef209d102d3b4e6c827

SHA1
c061e145f369c9c9347d26975cc4a140d93d7011

SHA256
913355b0a109a65b47239f39581a2d9d0fde823b9f8d0e6d26a3f0dc81960939

SHA512
64cee6a51cb8c779f3495ee1571e7a2ee0add7829c7941e9447853376775f246234b101b54f327638e4b53860b2b13b45a38fd81ec397c1b982cdb7c732d22ee

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3030.ico

Filesize
7KB

MD5
7cad4f5d38b97b2b0dfb6e85f612ef72

SHA1
fd8b4d892b5ad67f98bc40390c15b92a38201ee0

SHA256
1b08ef62ba0a40726e65361c59ffbad5734a8644ec4231f6c0f910e37850580f

SHA512
65d956272bce5fe5e3f7cb2f7c850b9a2d1fcd698194e425c829a2e083750c8aa8f9c01e99826630215623797877226b723624415df1615235b7a3c6767ad0a9

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3031.ico

Filesize
7KB

MD5
8fa7991bf7ad0c16de6c7984984ad069

SHA1
c41d541bd4b3ac2d6f25f9cd74b73db11807035c

SHA256
c5e116099dd31a8099b4d1085e35d81cfd15a5733f628b9f3b340faea800219a

SHA512
cc958791f25e3c7cb0317a23903aaa7b17026885f6067fdad67194bfd951d93b128e798b70f0b22c1c462689a82750e1ce25ad3c16f9ba5f0e8dc7ba54f228e9

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3032.ico

Filesize
7KB

MD5
182e4436c709164c6a8c9df8bc4deee4

SHA1
25737390c2947350520fb4d572ff3090d7d4b89c

SHA256
ed0194bfe80e34a6fccbed91b61e020bdbcd32405223ec58069dabc51e4c826c

SHA512
046a318ddd8925deb63136f0a2710054401bd1977244dfe275c3619f8022b704003de32382ae5254e765895912a1f8e7f961310e6baa51b45f1a35934b35031a

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3048.ico

Filesize
7KB

MD5
1982e35184f8c63977911c5a9270f621

SHA1
ef6e879ed6e054e53fc9ffe9226e21fdc6906914

SHA256
e84124bc28d8f5d1c8a5578f8d14df74a63012ec41853a2b369e6e84c7dfbbe2

SHA512
e990aaa404f44d81d068d03e97da20ee270ce3ac98516bd44d54564dc2dec55e13967373478da9aede30333c0bf6e4620a53223955bd49d0497a08f4f52c4044

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\3051.ico

Filesize
7KB

MD5
b570608a0a6f27f7a9fb348dc6bca7ad

SHA1
01693e24bd2e6b81a07594d1a59ca6895a1b487a

SHA256
88c7f210374460e72f955fb0f0da55abdce8d9513a9fdd85e3b789694e896c5f

SHA512
8d6e5c67a94aa80cf2e38b65347231b9aaba8c6544142c7830e0b2fd8d3d0f7592d6a1c92c5055043cb2305a9a57e7fbcee2ea44c61bbdb6623804ede028a632

Download Submit
C:\Program Files (x86)\8 Skin Pack\Resources\pnidui.dll\pnidui.dll.txt

Filesize
3KB

MD5
15fbada26e0ff840498c9eb9d70d2b35

SHA1
5573c7424f12f37657a67e696b81c04561eb0a05

SHA256
490adbaf1e891c9887d5f1b8603ac42550db2553ee5d7ee9225ce9b4bea2f5e4

SHA512
39cbf2923a2366672bd9ec0197fb5003f1ae8eae55a21d38fa038bdddf048c2ef1a4b9c3fe6ee5fece89ec25e0cafadea74e0090592c7094d607e37271cbe6ef

Download Submit
C:\Program Files (x86)\8 Skin Pack\SP.exe

Filesize
1.6MB

MD5
2f260ebb64afda32213668663fd83e70

SHA1
83b221ea59e2c23a9593e71b595241508b7efe17

SHA256
3e2a3388896545f9bea1d556ff6383c67f92404bfd33591988963dfae5fd3e5a

SHA512
87acfdb22a96483ad0ddd990d46d68d01b1b1bf0621b83031fdada219602b0aa91300c362749cd1e13a3ea4ed8f45a3b841c6820f4b446205dbdea39869eef2b

Download Submit
C:\Program Files (x86)\8 Skin Pack\TaskbarUserTile\UserTile.exe

Filesize
26KB

MD5
81e70e4fcb88486aee8ead21a3ad746f

SHA1
b1a190657a7e6dea00e27b5c76cdaff2c4d28210

SHA256
04e1e116477a4d5ca9521a6bde97cf2239222e02d677f73aa52d71f758942fc7

SHA512
25a9f60ed96146dae79e5459e7aa637f937a4e2d9ee582c9f99eaa9c86fa2618ce76762eaf523d88e81a3de27e39739654c7260905a788df044615ed273d15cc

Download Submit
C:\Program Files (x86)\8 Skin Pack\Tools\MoveEx.exe

Filesize
15KB

MD5
fdc7b5defae116802a0f695d789d3a35

SHA1
2a7bbda9bdb9df297a174a6ade11b282cd5d558b

SHA256
e0017fb1874641754b228fe0d50e23302e69b93e4331d535c6fe6d0c22199629

SHA512
4c9d2e6a44438d816ae6fa35525ad4c018bfb5a43f4ebb7f7843eaae9617241cc0ca98b1d31f38d7f4edfc4c184123b632071351ca00c6c05c8eb721a8f3bf4a

Download Submit
C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.exe

Filesize
997KB

MD5
2f92eed4e2061af0961f379e9ded70d6

SHA1
8b58dcd428759d3633a14bcfc62a8cb6deb66de5

SHA256
52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f

SHA512
909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac

Download Submit
C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.ini

Filesize
255B

MD5
2ea9d98b4d02c5a6f94cea0577c6dfb4

SHA1
1a082f59ebd7c735eb4399238d7bd7f0fd42f57d

SHA256
6782cc969f298933fdfaf3cc346ad086796850b0f51fa2562775d2acf84347d9

SHA512
596b5bfde6a1635196c4eb8da4a57743aed591194993cad44a5ccb8d93838bb7db5be39938882b3bdcfb4be7e0f637c237e12384bc173499d7ac6d3a77520d10

Download Submit
C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.ini

Filesize
273B

MD5
b76605062c36ea434b38f05b1de53865

SHA1
8d125e32d96710a765327d7112f977184a6ede38

SHA256
9029a2db53e9b6487ad03dca32d89143f52c7359ce77fc862b780a6c5194cecb

SHA512
d96f6be1952c43c1b6c1f930e4bc4a36909da3f73c68bd9c0e3f66e79af1fb7c84b32a85a64a9debe86cda3897ce89607b962d98c4febe566c7f6227fb34753e

Download Submit
C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.ini

Filesize
297B

MD5
9b1ebf1648f1f20c30cce112027389d4

SHA1
145b2132ab2cd49274f190ad7173d58405f1de5b

SHA256
3ea4362a892df8e3236958294b1e21ebf766bdded410917f68fcd5c12b6a6912

SHA512
1b7f6f9707fdd0e84a1389fcdf4d43b8c11602eb0adc7881f39cfaaa6d38ba318efe1480197c8f8df792e16b4746e5f5fb67d9fd55f15fee72d5c6873d78df23

Download Submit
C:\Program Files (x86)\8 Skin Pack\Tools\ResHacker.ini

Filesize
316B

MD5
f2993c2b1502036823c823db486b4142

SHA1
41ee8c0f9bce85a0fcfd764fa23b41ad309b2ca1

SHA256
cbc8f5cb13a8815380a402506d8230842663b19e99828fa7fee5f1c4ba07bf2d

SHA512
77a656e9279df14eb7430f6a3d248878063cbc05bbb68587a167e8e788abb5daf7e35fcf0bbccc7ddf827b3c2bcf8317dfb46ec0f85198a81a89d763b93e4da3

Download Submit
C:\Program Files (x86)\Skin Pack\8\install.cmd

Filesize
27B

MD5
04a01b7bb9e5d780194d6729237f5923

SHA1
5a0e5dfebac286abe4cad1d3a99fd6ee99116cd2

SHA256
3a393057c762af5c067ca058924ec5e64921a798aaee2f9bd818d88d50adbdff

SHA512
e24d1dbfd64ec6a0621c3e3fd68d6fedea82603acefc4bc9635bf99278724678f816766d920af66291ab021b37fdeafb94337476e6b8c16a2f5c197943a7b435

Download Submit
C:\Program Files (x86)\Skin Pack\refresh icon\ric7.cmd

Filesize
89B

MD5
747cf038b116aa75f173f8042fdbb7a8

SHA1
d0e6f21765d15661207986db9da2cebd21ef9bd0

SHA256
61ad0a31a74ad1eeb7ed490188a4562c0a1a8ac832bacf467131c2bc0a887dbf

SHA512
87f83dee494a3902db7ea29e2c442927f3391ce0d8021402cdf6d3fe5b42cad9fafcddf762f9fc2eed2cf52d34d5e37c285701fa618292597331ac63d0dd2d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

Filesize
36B

MD5
8708699d2c73bed30a0a08d80f96d6d7

SHA1
684cb9d317146553e8c5269c8afb1539565f4f78

SHA256
a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f

SHA512
38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\Banner.dll

Filesize
4KB

MD5
0116a50101c4107a138a588d1e46fca5

SHA1
b781dce23e828cf2b97306661c7dad250a6aaf77

SHA256
ab80cf45070d936f0745f5e39b22e6e07ba90aa179b5ec4469ef6e2cb1b9ef6b

SHA512
55de6aeaad05b01a25828553d3ea9f1b32a8b0c35c42dc6106bed244320e3421ec6a6f5359b15f9d18dd1e9692ca5572b2736d9d48cceb07b9443601d00a5988

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\ExecCmd.dll

Filesize
4KB

MD5
b1d08c24cad3f8f6ccd6b9ebd24d30c0

SHA1
d01549db25d0345c05d3c2eb90b173f937966ce5

SHA256
c4b6ff0091b3401670c8c6d3cb337d3ba0c2a514e66b0ea3501bb7ef78ddba69

SHA512
9cb5735c86cdf8d126268b7b2ec8fafd654d69bdfe5336d54b7d44b5ac8e1174836c487bb4aa40517516a55323bf9f916a96753c8dd2bc9b2d481071c9d9fbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\UXTheme Patcher.exe

Filesize
72KB

MD5
c35efaa15f6f1da888efc247e886389d

SHA1
e3f35519380a564ff62f5ea2fa95fd5bca38bb1a

SHA256
558f6e38c300957234231234c44ccf41217182677e859c9005a51094bdf01794

SHA512
fd3d27271cab60f51929a4e92cccd0ce2edf8c95fd2db6cc957620ff2f7522e644b67862ec7803e6068f5ae75caedad9daae3dafdd4b7f4898c618c8498dca16

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\UXTheme Patcher64.exe

Filesize
92KB

MD5
5eac71e2ab8b58f00da48a21becb586f

SHA1
57fe7ac0196a04b535615f19b0758e75071a9943

SHA256
196756bea46f45de4b8e2eedebd51df8222f627f1eb9c2876d927718c85286e9

SHA512
2345d45a9d2b163d2a550808ab2af72748e80615e9d7965d40642b80cf53c3eab3ad07cbfed6b8b97ea1656436306919de6e74fef9f62c62456bd058c70830ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6DA0.tmp\xml.dll

Filesize
118KB

MD5
42df1fbaa87567adf2b4050805a1a545

SHA1
b892a6efbb39b7144248e0c0d79e53da474a9373

SHA256
e900fcb9d598643eb0ee3e4005da925e73e70dbaa010edc4473e99ea0638b845

SHA512
4537d408e2f54d07b018907c787da6c7340f909a1789416de33d090055eda8918f338d8571bc3b438dd89e5e03e0ded70c86702666f12adb98523a91cbb1de1d

Download Submit
C:\Windows\Resources\Themes\Aero Lite Glass\Shell\NormalColor\shellstyle.dll

Filesize
342KB

MD5
1e59a02a8c6f49e61c5880971d560eee

SHA1
9c0d83b4f5e39114d2a6148b36f54cab1ba9904c

SHA256
b887f47f4ea0f63d3095f99020d8d391062d99722e812530f0f674ff8b7e237c

SHA512
0c6c3e61bcd1d53196066765a377592ac468913b544c76fbc6959d20428a14262a4247cb2e6af994076d8a4a1cd82521929018e18dfe4f3ef0a5ca735d295dcd

Download Submit
memory/64-535-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/376-348-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/680-242-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1456-476-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1476-453-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1652-887-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1816-439-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1912-495-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-37-0x0000000006A60000-0x0000000006A81000-memory.dmp

Filesize
132KB

Download
memory/2064-305-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2440-268-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2448-882-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2492-514-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2648-471-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3360-849-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3460-231-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3508-540-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3528-434-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3560-448-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3624-509-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3800-260-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3800-763-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-297-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4924-340-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4956-490-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/5036-865-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download