netwalker | 489c7b7ee9ae9d46261f547b45d7b1dcce3c06e351217647b024603eee673046

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f5c1b02db3e7c002e7a706b410e62b6_JaffaCakes118.ps1
Size

783KB
MD5

1f5c1b02db3e7c002e7a706b410e62b6
SHA1

d09236b586997b3fc4f464cbe622eb57be759949
SHA256

489c7b7ee9ae9d46261f547b45d7b1dcce3c06e351217647b024603eee673046
SHA512

05ec966bf53e96aa82eea602705216acda51b9f2837ca3fdb883947d8ccf950afe69201026ff988265cbe8ed4730ff88163daa61b807b3ad6c10f464e662553c
SSDEEP

12288:hlh4g0ku6gV76xW5TevBIeMBZ9viXPK3EJFa:fBIeMBZ9viXPK3Eu

Score

10^/10

netwalker execution ransomware

Malware Config

Extracted

Path

C:\Users\Admin\BEFC93-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .befc93 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_befc93: 5RyOvlqN//Km4ak5vLWHXYNaVWw9BLO00IpM5ZlN353hw9JHow 0kZvmy8f6jxXium38yjLCgEwa9Z6jyeAbr6h3JdwWnA7UOsEsr MCsziF122MX9UrjneWYmDZFBolINvZ63GpZZTMlbkiYwnomJKZ +OFvC5wDsAm1UEW4NOPoO9p1yZVdOo44yGftl0/KZSDUObjosY iynthzcpoRpYHHFc9OTeaFbl3XEzmyWIw2YMnspcJd+VZbrs35 VQQTqIG/Nsldx80hCWb4BF11HVl0uFT3W3jxyjWw==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Renames multiple (7443) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287415.WMF	Explorer.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Informix.xsl	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0214934.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285780.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00160_.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.DPV	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105388.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT98.POC	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\currency.data	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04235_.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck.css	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar	Explorer.EXE
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\BEFC93-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02074_.GIF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21519_.GIF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\LATIN1.SHP	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Honolulu	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosecolor.gif	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234266.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00045_.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.THD	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Paper.eftx	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml	Explorer.EXE
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\BEFC93-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MSTHED98.POC	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Assets.accdt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_choosefont.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21480_.GIF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21435_.GIF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107728.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings	Explorer.EXE
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\BEFC93-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00397_.WMF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02097_.GIF	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
992	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
992	powershell.exe
992	powershell.exe
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE
1168	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	powershell.exe
Token: SeBackupPrivilege	2272	vssvc.exe
Token: SeRestorePrivilege	2272	vssvc.exe
Token: SeAuditPrivilege	2272	vssvc.exe
Token: SeDebugPrivilege	1168	Explorer.EXE
Token: SeImpersonatePrivilege	1168	Explorer.EXE
Token: SeShutdownPrivilege	1168	Explorer.EXE
Token: SeShutdownPrivilege	1168	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 2784	992	powershell.exe	29
PID 992 wrote to memory of 2784	992	powershell.exe	29
PID 992 wrote to memory of 2784	992	powershell.exe	29
PID 2784 wrote to memory of 2236	2784	csc.exe	30
PID 2784 wrote to memory of 2236	2784	csc.exe	30
PID 2784 wrote to memory of 2236	2784	csc.exe	30
PID 992 wrote to memory of 2788	992	powershell.exe	31
PID 992 wrote to memory of 2788	992	powershell.exe	31
PID 992 wrote to memory of 2788	992	powershell.exe	31
PID 2788 wrote to memory of 2688	2788	csc.exe	32
PID 2788 wrote to memory of 2688	2788	csc.exe	32
PID 2788 wrote to memory of 2688	2788	csc.exe	32
PID 992 wrote to memory of 1168	992	powershell.exe	21
PID 1168 wrote to memory of 8624	1168	Explorer.EXE	37
PID 1168 wrote to memory of 8624	1168	Explorer.EXE	37
PID 1168 wrote to memory of 8624	1168	Explorer.EXE	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1f5c1b02db3e7c002e7a706b410e62b6_JaffaCakes118.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qpd4fimc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D9F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1D9E.tmp"
      4⤵
      PID:2236
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e_jo_x5h.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F93.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1F92.tmp"
      4⤵
      PID:2688
- C:\Windows\system32\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\BEFC93-Readme.txt"
  2⤵
  PID:8624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D.befc93

Filesize
12KB

MD5
a015f74dc07ffa2ca53bd3c7ab5cd50f

SHA1
9f4913902278219992c0851e3ab191631aa6e5a8

SHA256
f1d4fbd1bd48d3ff03ae5afb984d7409d15b9c493030797844ac1144a4ad3155

SHA512
e0e4ce3a4a5b3848c84a64a326612d935a1c199567cf139654e082e7b0eda261580d486d53bba8c2646196ebbba74baf16371e38a11c99118ae7fec15f0a5951

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W.befc93

Filesize
229KB

MD5
f8cb17a255e9afd375b452883fb5e440

SHA1
735fe6e1cc51520a977166b3f8c6fdaa164105ae

SHA256
3a15904f7617ebf6c722dc4a6158cb6a477dce6a1d25822f3ea2cdb6418c12a5

SHA512
8ad91ce3dbf55dcf05de1334798f79c861ff5fbfb40bb49ac8138af39aa162235d73a086a416d19b44d57533507d9bb2cafefe009ef749a0ad20abb376b30800

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MAPIR.DLL.trx_dll.befc93

Filesize
287KB

MD5
c5ccc9ed8c47bdd2ba6ff9baae345606

SHA1
94a38d6d95ce238f80a8ac07ec89270bc042da68

SHA256
80ab098ebb1d81f86629919e0f7f32a52ad2ab72781d1e6a1af333e2f2648f9f

SHA512
d348f131e14a4d58d4e324edddde7ceed3ea8ef96fb523d8ee4087efef7f155cff9d5aee54c1b3a7ccf954b07c939ef81b56a33192c31176245c61753ea40b63

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MOR6INT.REST.trx_dll.befc93

Filesize
48KB

MD5
fb194df0b62834e92a9603a5d21066b5

SHA1
f1a14a0bc5422425c84280b86b0fff6bafe7d908

SHA256
48de852442dfd672ed616773070e031f91e6757a8634ab392137deaffec5733f

SHA512
bfc3b70750097d27e5b30bb9b1070f59183e5377e3a6aab9d9172622d0e446aff9cb5b646154474ad1996dd9dbe8f41d9109e05178557eded0af032cdb705104

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MSOINTL.DLL.trx_dll.befc93

Filesize
92KB

MD5
e88d0165c640cedddfdea360d5e4fbcd

SHA1
82d6a77b96a87d703f86a5aae127da322b258f08

SHA256
439c111292d31d78c0fd3edeb9c0c781a2ebb9884b3e7ba49249326ebdc83536

SHA512
4d25325edc0aa45cf9c6337c792fbd034bc13d31064c86bee92054820eeb53c49f7a807b1ac6600dd05d58a899384f5d4128d842b576fb812b3d63e53d1b8f3c

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MSOINTL.REST.trx_dll.befc93

Filesize
2.7MB

MD5
65299681c7a9a2eec15b2e6850ecead3

SHA1
fdfd27a6f5ce6bfdde8b68e78cfffbe044a9525d

SHA256
92728480e9cae8e5e1fbf5bd3d6113bbd1a1797e99ca2ee8f68526f00145e642

SHA512
57a7b64343722999a3f96b0a1c87f684b8ae7ea774646a2458abc1fe84fc5a1e257ea9ce5c6503d8f509c74867bf10ff9eab7b5e4877baa8dae410983178d425

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\ONINTL.REST.trx_dll.befc93

Filesize
246KB

MD5
bd64ad7c5c5cde613a29e7b9e927a596

SHA1
6d988cf48701d7ae05d65de9607f7109cdeab0fa

SHA256
489ffc2ec7f215c2801d49e6301f71dbe9756c93b57dcd6187f89f5ac6d036ec

SHA512
d84c1ccdaf87fe258912658bc3ad1985e8bc4a9b856dd171178a95dc7f0ad3567a6db23f272879231be39bd4c2e35185857f98ffe6b6996dd9e57c434c3dea6f

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PPINTL.DLL.trx_dll.befc93

Filesize
52KB

MD5
af664307a505cedf0b54600098b20e9e

SHA1
d411038cd6d757aa382924be3fcc0404116086b5

SHA256
a3e6339795a0f6710186a449729d31b34969f59799d0868073f2e0f509329630

SHA512
b8feeacf1e24a0b022e3acdc99c0c291b1a56ecabf07cdafbd8257bd66a696433cd42864f685c89f8cb363c65fea45b62ecf01efabeb754c07e93892c063d2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D9F.tmp

Filesize
1KB

MD5
209cf3d3e55c32ae71a9a7115572bf33

SHA1
171cf9868f7bd45a6dd321171bf8fd95caed5342

SHA256
096ef2726290b61e75d6c04307cb529ed7030983a11d52b3d26c514f846cd102

SHA512
071a08ae06afd157d6710a3e6bf37674b0f5101cd58ea358ead9ddb08e96778bddbc6fd396006d046ad4754f03a6d11cd16234c919271e4094b29207de9b078f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F93.tmp

Filesize
1KB

MD5
2f9fe5fcc0e384b073bc963445cb5715

SHA1
7f5f2b407ba0a1db12e19b323c04ca203c185326

SHA256
54a2fc986fb5185aaca96b9306d428b0b46f4b54164da7b0ff8cc2ca8757baaa

SHA512
f057a3dd22bb3b7944178c6d559fd52588e4110b55c4dea8772b51a2329994fa3c17b531aa53bd573e26b6fd7f6e74e1c15dbb0ac52cd89933357ce8fe7a57ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\e_jo_x5h.dll

Filesize
4KB

MD5
7a7ef40293c0a6c7f49488d43d11413b

SHA1
3b33f05a631488b8174c683253ce388736507a4f

SHA256
564af8adbc74bc837bf621fa1342c051166662d2209ff3bbf46915d6d7573764

SHA512
6de08e4e4aba44bb9cd6b416e9a6d811dff1a695179dd91a1249cde79fb81aae9415ccf5ed7d98bc0382c91ad29bb40be23fa9b157841d0515b37341c38dd992

Download Submit
C:\Users\Admin\AppData\Local\Temp\e_jo_x5h.pdb

Filesize
7KB

MD5
b4e847adcd948a93ea6cd95b7635d79e

SHA1
a9236a8e4111556f0692277adebdb8dc63343563

SHA256
be9dfc2b58506655d7a8bce711d8e0c2d9dd80bc68e4ed4cc4ff2f2ebd0020e7

SHA512
9cdcf2cdd7184fb42a6f4aebc557d83abace2bb9ff81479c626c0eac2da2f2471746aa028927e5c8a2c5e3dcc6a4ebd7d605831e7832021363f6e284f7850b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpd4fimc.dll

Filesize
6KB

MD5
432c152d970f63125d208da731b4a8cb

SHA1
89b0954ed543d4127e2a05cd00a82e9dda49c378

SHA256
9c4b3c578ac79dc90fb5ebdf1d2641f180910090d46a0b748c54a2008d436ac9

SHA512
c71af8ea28dbb6a69b9dddf0380468632defee4c15a7fe2e57efe4942b7231be8a1bdf9f92cc95105e27ee2bf5d7c0ee32f092169c5e77e4a63e6c72eca81f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpd4fimc.pdb

Filesize
7KB

MD5
4180f288a99e09c56592f2ed9ffee881

SHA1
43cc3888bba07f8dc45a59454193a6ef77249b22

SHA256
58ec08685854a1fc4db2737e737aae2d31ee682b45c152f3ece2355e7575ff1d

SHA512
36f3d9515cae6e3218d496ed20ac1fa2a6390e0ef859eab84ab18bf2d3076349ed1db7a142b5aa85673f4308e8e645cdd6ec0138879121835a6a636475eae37f

Download Submit
C:\Users\Admin\BEFC93-Readme.txt

Filesize
1KB

MD5
d441bcea11bd3e1ead0be0c6369e8625

SHA1
18f4203d2b20e2d14c52432d85fd7b1c61caddf4

SHA256
07f13d640857ea6189503f961991e33a831ae950b0baa5ea791457fc8af2bffe

SHA512
582fa31a60a9f95be3b4192467a5d79a136bb13cb6fa2b322997dcb3828ba2b2f85b4ad49d40bbddaa57222d94c65f3bdd9a3c6d54333123708b1f47192d3699

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1D9E.tmp

Filesize
652B

MD5
253a097274eff2798c20436040f7861a

SHA1
84d8f524460b41a4adc8f309a33d920d89601dcf

SHA256
c6b238051324173c3270ba1f1653814f347c7eec8c8c13bda19f38567a50232f

SHA512
d0c9e75c7fca6a958ff66034bd2a47ab28e68c2f6db51542b9cdd66c8afb2eadf5b0a57054d2e7cac2a148dea6a7e42bb1988ce3b40875b7f6fffedc5726157d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1F92.tmp

Filesize
652B

MD5
be643fd503e1d26c4ba041cf1b7467f9

SHA1
864331d452fbd46c1c35b894376fc7ee3f9e0ad8

SHA256
da1006732c528c5361103e3a651c0e712eb7d063b4581106ac476b380e122c69

SHA512
f8a0045d4a1e8bf644ec5bbd8602bef2bb03cf07f215ee98902d4e97cf2cd36082ac22f137b1b3a612f9583f8e85ed5f4c76c93e8283315e12c2fa6c9eab0f2a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e_jo_x5h.0.cs

Filesize
2KB

MD5
a94bbced7809803c150aaffaec718dc2

SHA1
ddcd7f4271c76d143dab01c67e24032bc5d2d9bc

SHA256
856f43b0452528a5f588c1aaa15c401ad4595d71d9d20f53e5680b3a3f5b3e8b

SHA512
8556a5ee0ff799760a85074702b013c328ec58dbf60dd9087f4752f8475f956fd889cb493315360717e866edcda66812cec21914cb3d7be12cb8dff45848c3b5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e_jo_x5h.cmdline

Filesize
309B

MD5
b0c8206cd50df0d94cc25003d59f1950

SHA1
5deecb189b11920aa3bccddb6b73b2a97ee3768d

SHA256
de5ed853f53fc6b2de99a3b2ba2aef21ac63f6fbb147db093b98d27af12ff981

SHA512
8cfb2aae01798833539064a0b05c7525ff5f857fba3ff047c4b41f4e0eb93c4c38a87b124d0f30d581ed8ea0b56756260b2617e362a924838d138264a0cb0c8d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qpd4fimc.0.cs

Filesize
9KB

MD5
a26b857dd810c9e7a28cafb5a7e07785

SHA1
b8913e30d66ee752e52abdfe754ce8e16e8622a2

SHA256
8c48992bd621c6ff6cabf30a17fe2cc01619ffb95bba1bd6353ef80483eee693

SHA512
47714a16dc9e3e071d5da9f93b804be0ed5c593a4b57e507f111c98fe9fcb9e206618dc3de206aaf50c912d9c2a523051ba40dde28a09c74e85126ecebbab3cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qpd4fimc.cmdline

Filesize
309B

MD5
37ea75b9f59a435598ffc77ccca0900e

SHA1
02e7a8f61cbc5a6256695feb4e05c16b287d4eb4

SHA256
52f84cd7a02146c052555c9164a3c0a92d1e24ec6afbd83be2699c77377a93a4

SHA512
06fcf7f841ce5cc5359e5373fcae273619adb7a53a8fcae8c278986b43bbb0ad1a7102b423f68a31c21c2043c4d3baf88d8f0c9d5a8ae6c3a84185bfd39437b8

Download Submit
memory/992-8-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/992-45-0x000000001B4D0000-0x000000001B4EB000-memory.dmp

Filesize
108KB

Download
memory/992-46-0x000000001B4D0000-0x000000001B4EB000-memory.dmp

Filesize
108KB

Download
memory/992-50-0x000000001B4D0000-0x000000001B4EB000-memory.dmp

Filesize
108KB

Download
memory/992-49-0x000000001B4D0000-0x000000001B4EB000-memory.dmp

Filesize
108KB

Download
memory/992-48-0x000000001B4D0000-0x000000001B4EB000-memory.dmp

Filesize
108KB

Download
memory/992-47-0x000000001B4D0000-0x000000001B4EB000-memory.dmp

Filesize
108KB

Download
memory/992-42-0x0000000002A00000-0x0000000002A08000-memory.dmp

Filesize
32KB

Download
memory/992-26-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/992-10-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/992-9-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/992-7-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/992-6-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/992-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/992-6790-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/992-4-0x000007FEF54BE000-0x000007FEF54BF000-memory.dmp

Filesize
4KB

Download
memory/1168-73-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-89-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-56-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-69-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-68-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-67-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-103-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-88-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-85-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-59-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-109-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-108-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-107-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-106-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-105-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-104-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-102-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-101-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-100-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-99-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-98-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-97-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-96-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-95-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-94-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-93-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-92-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-91-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-90-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-58-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-87-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-86-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-84-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-83-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-82-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-81-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-80-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-79-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-78-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-77-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-76-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-75-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-74-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-72-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-71-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-70-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-60-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-66-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-62-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-63-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-64-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-65-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-61-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-57-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1168-54-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/2784-19-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2784-24-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download