Resubmissions
09-12-2024 12:05  241209-n9axra1paj  10
09-12-2024 12:02  241209-n7ne3a1nen  4
09-12-2024 12:01  241209-n7c94a1nek  3
09-12-2024 12:01  241209-n6t68a1ncr  10
Analysis
max time kernel: 29s
max time network: 19s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-12-2024 12:01
Static task: static1
Behavioral task: behavioral1
Sample: d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Resource: win11-20241007-en
General
Target: d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Size: 33KB
MD5: d9789bfbc54d5cb6d52c385fd8f5d288
SHA1: b8f60c64c70f03c263bf9e9261aa157a73864aaf
SHA256: c0fcf3ac6b125e985c6574ed7ef1a7929f3be8f6487b68e4d58a48a3b1517b5d
SHA512: 21e81d64136897e86362304666cb0a8510ae2280c432c8b768875d5459b527e2cdafe9a61107433d3ff7ccf8092f3bbc226f9366623c1d39f76445fc490dc4c8
SSDEEP: 768:IPXirrjYZp0Tf6yFz5Om5jPwxgjAqJTKV/Z:I/iTYHQCm5DpjhJTKVR
Malware Config
Signatures
Detected Xorist Ransomware 6 IoCs
resource | yara_rule
behavioral1/memory/572-10-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
behavioral1/memory/572-9-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
behavioral1/memory/572-4825-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
behavioral1/memory/572-5536-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
behavioral1/memory/572-5534-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
behavioral1/memory/572-9872-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
Xorist family
Renames multiple (1949) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe" | d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 868 set thread context of 572 | 868 | d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe | 79

resource | yara_rule
behavioral1/memory/572-5-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/572-8-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/572-10-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/572-9-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/572-4825-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/572-5536-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/572-5534-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/572-9872-0x0000000000400000-0x000000000040C000-memory.dmp | upx
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
-
Modifies registry class 11 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "ZIBXKKHVYMVCCPW" d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe,0" d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe" d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\ = "CRYPTED!" d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
868 d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
392 MiniSearchHost.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 868 wrote to memory of 572 868 d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe 79
PID 868 wrote to memory of 572 868 d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe 79
PID 868 wrote to memory of 572 868 d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe 79
PID 868 wrote to memory of 572 868 d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe 79
PID 868 wrote to memory of 572 868 d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe 79
PID 868 wrote to memory of 572 868 d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe 79
PID 868 wrote to memory of 572 868 d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe 79
PID 868 wrote to memory of 572 868 d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe" 1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Users\Admin\AppData\Local\Temp\d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe" 2⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:572
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca 1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:392
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize 10KB
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize 10KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk
Filesize 1021B
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Windows Terminal.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Windows Terminal.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk
Filesize 1015B
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk
Filesize 1015B
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk
Filesize 1015B
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk
Filesize 1015B
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
Filesize 352B
-
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
Filesize 334B
-
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk
Filesize 1KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk
Filesize 405B
-
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk
Filesize 409B
-
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk
Filesize 2KB
-
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk
Filesize 2KB