netwalker | f01f25a6a6ea86833987ee1a4f6f43c1349258e04e49656765c8830b78720fc4

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a008c96c6e8790772a2c2f782eef57f7_JaffaCakes118.ps1
Size

909KB
MD5

a008c96c6e8790772a2c2f782eef57f7
SHA1

e0a6fc502a846bf41e945cf97b5645f0b750dc8e
SHA256

f01f25a6a6ea86833987ee1a4f6f43c1349258e04e49656765c8830b78720fc4
SHA512

639eae5e1ebb44d10dc9b8763cf45b9e5a74ec50ddf972a6dda3cabc532416ec481ea5c3e47eeb6d0d700f9a7dd1ca54d988beb0c9da70039928d2ed3ba375eb
SSDEEP

12288:dXcAeyJRoWaf5Fs02EMSPiYUfRLfQkRftpRmPyRf7XcNHiqueRvpkLZJXuGynNe1:Z

Score

10^/10

netwalker execution ransomware

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\4868DA-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .4868da -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_4868da: V17CxxM12F14aw1rm6t/O9SCJasbD83v7rNfDkUUNMm0QbiQKv UX2dgbUAj8OoKipIezo6s1LXVA3bNMDBcD8VvUUUQ64X9F9eFr p4Lmnhl0NpZ/TKBbSu4O9JbEAh4XwBL1L5685ZNtCYOVrjK0dU rtwjYS+dP85vMwvNkYLw7CFKhaYIucXN/jEWPtJ2IUHEn80K/F sI554I9OjE+Z7JCH57mW8z0Xmf7rQL04zrUGZzlO+6E+k9e1Yd 8aBu+EGoOdTgV2ceFoc3It0vhs7Ro2pjaPMT7lTw==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Renames multiple (7466) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

Explorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0172035.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveReport.dotx	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Sts2.css	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00367_.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLAPPT.FAE	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Broken_Hill	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2F.GIF	Explorer.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_COL.HXC	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_OFF.GIF	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02127_.WMF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRT.WMF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.XML	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090777.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART5.BDR	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01176_.WMF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216600.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099176.WMF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\UserControl.zip	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18222_.WMF	Explorer.EXE
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\4868DA-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER11.POC	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_OFF.GIF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0093905.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excel.exe.manifest	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boise	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00671_.WMF	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00373_.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02074_.GIF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml	Explorer.EXE
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\4868DA-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00932_.WMF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Porto_Velho	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\New_York	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR19F.GIF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\winamp2.xml	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2304 powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeExplorer.EXE

pid	process
2304	powershell.exe
2304	powershell.exe
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exevssvc.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeBackupPrivilege	2536	vssvc.exe
Token: SeRestorePrivilege	2536	vssvc.exe
Token: SeAuditPrivilege	2536	vssvc.exe
Token: SeDebugPrivilege	1244	Explorer.EXE
Token: SeImpersonatePrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

powershell.execsc.execsc.exeExplorer.EXE

description	pid	process	target process
PID 2304 wrote to memory of 2612	2304	powershell.exe	csc.exe
PID 2304 wrote to memory of 2612	2304	powershell.exe	csc.exe
PID 2304 wrote to memory of 2612	2304	powershell.exe	csc.exe
PID 2612 wrote to memory of 2068	2612	csc.exe	cvtres.exe
PID 2612 wrote to memory of 2068	2612	csc.exe	cvtres.exe
PID 2612 wrote to memory of 2068	2612	csc.exe	cvtres.exe
PID 2304 wrote to memory of 2712	2304	powershell.exe	csc.exe
PID 2304 wrote to memory of 2712	2304	powershell.exe	csc.exe
PID 2304 wrote to memory of 2712	2304	powershell.exe	csc.exe
PID 2712 wrote to memory of 2920	2712	csc.exe	cvtres.exe
PID 2712 wrote to memory of 2920	2712	csc.exe	cvtres.exe
PID 2712 wrote to memory of 2920	2712	csc.exe	cvtres.exe
PID 2304 wrote to memory of 1244	2304	powershell.exe	Explorer.EXE
PID 1244 wrote to memory of 7048	1244	Explorer.EXE	notepad.exe
PID 1244 wrote to memory of 7048	1244	Explorer.EXE	notepad.exe
PID 1244 wrote to memory of 7048	1244	Explorer.EXE	notepad.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\a008c96c6e8790772a2c2f782eef57f7_JaffaCakes118.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ohjiq9z.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BFA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1BF9.tmp"
      4⤵
      PID:2068
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_cn8evun.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1DEC.tmp"
      4⤵
      PID:2920
- C:\Windows\system32\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\4868DA-Readme.txt"
  2⤵
  PID:7048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\4868DA-Readme.txt

Filesize
1KB

MD5
811560f10f7ec8b09d2975b5115d26a7

SHA1
8af17af3c9d975addc0546e1cc32db2723345401

SHA256
7344cefb3e3c13f0f4c4e1cc7ee9012ece0f28ade1bce76faa292f87f575a51f

SHA512
8a633fd34a5c70c9057a0a5d078fdc628fcd1cebe0c87521c2beb539c009f8d76973c6c75730511d6aacd202e8e4ae281a562e0b9a7eb75cc2d4a0c2b4c0f7e9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W.4868da

Filesize
229KB

MD5
1c3447cd3a14d2998504ac99a7b6984d

SHA1
e9642bb29fce754685a492709aa4c81f2f43fbb2

SHA256
3cade122a8c47c423d3d52af7a5fc51742724a5ffd08cfa11a9a79df7632f4a8

SHA512
b86c01bac326258bb1e30ee0e0444dfb4f73ba07c8d76b928cf27fc73d0fd29179292fa29b66d3dd5c7aa9763f1e39a6a970ef4f0e3dc628425a87435a47f40d

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W.4868da

Filesize
201KB

MD5
088fc511709ad9d57ca5f0506bf7ad65

SHA1
cf1fa9b80ca3fd5980851b77bdb15cfe587cd58a

SHA256
18bc16e7e42dc6cde2e8b80e5b9cde2f4c51732d711f988be93c6e28c5a3d686

SHA512
0ae2ec911c837f1d2383a091e49b99e9c21beb83106d9a53acd4798f077212932ac465db7b51b61b99397cd7adb770d64f124c623368cf70440b7df423ec9033

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H.4868da

Filesize
491KB

MD5
af951ad1e99ec581571414a8fb793ded

SHA1
baf0ebf9fe96a072a01d0a35f79c85c13047dde3

SHA256
f87a267c632832fa3f80076301a4100d5d4aba3324d3c1a77354ed6f2b6cb90f

SHA512
4785b8674709abea649e12058a3841fa8beaeb1ca8cb7ac368ae8053a229c456cb20a583b92b5423691c3215420c81b00ff5d6434a6a2153604958add30c83a6

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D.4868da

Filesize
14KB

MD5
f09e15a9baaa98fbb73f65dce4a0bd26

SHA1
da6be343b7a03e951484bc69e957c44fbe5ea5b4

SHA256
d9fcb458715c5a5328321939803dd317e610a73294d4a9d9f6873f28a6b1773a

SHA512
6626ee730f780ab35cb4cdc3057ba584a1bb0c13cd9da88b333c9ab81bdcc11bc38d7b9d067158fef5b855a9a1e02ba0c7ade4e95698aecb97ba13d2cbc3ae1f

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck.4868da

Filesize
284B

MD5
e51ace737dfb554e214cbbd998a847ba

SHA1
3d56aad187727040a7f0f16d27f8c4961010f8c1

SHA256
0bbbd0bfdd78e55a2e902c3efbcec133f8d8754dbd690b4ef45ea54401947033

SHA512
1ff4576a3eb9d9754aaf5c48872af21f88078aafbe3c0d6ca8bb7e94d130baa58378337891264c1822fb83c5392636a9ecd8a9cc97a9fc495d82754d1088b28a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.4868da

Filesize
864KB

MD5
5866906d508007d0b8357c12cbba4357

SHA1
3a3ab9ca956747fbbb4113878a2f63d890875a4e

SHA256
dd5fc322c75524f4ff1a8ec2f67dd99725eccbd771d09d9d75437297dbd2cd04

SHA512
ae92da6b5adc2905622c7c799ca14cbfe9cfd5cc90b414bd547954703c0f18024d947f7cec081de6f3b3f466ba91e8d8ee9cf747ef2f30f8fd61cdd987e535bb

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\OUTLLIBR.REST.trx_dll.4868da

Filesize
637KB

MD5
da81e8367728a03b4a4c12ff2e04b12b

SHA1
db452f9aa0f2997e9712c7b87d245a74396e31e3

SHA256
78690b330cabf006d8d4ad7316a07efc22662ee36a83f7909c3b0bc1e552bfd2

SHA512
5a3f83a5f83f7ad3d16056c7b359ec93761906ab82aa15de8e5991aef2b04629407f0489c7afb42310255ade246928426d42d97d7b6eb0f87b2e2e126b19c401

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\OUTLWVW.DLL.trx_dll.4868da

Filesize
11KB

MD5
51fd9b3e557e97312c7df8fe9437be79

SHA1
e5c075e6234c43970e0ca9a1da6b75c93ceb5fc0

SHA256
02d7cbf08496a13e30871c0c8e998bceb33444f7943c71438e9e33a576a87b98

SHA512
394e9368db80c0ce4506b7c8a97b1b7d3834cd7de36aa99c749cb2ecb93143cbbc757217b1ebf88cefdbfbbc1eb0082f6d1ea2b586dabc50c0de21e569a5b7c7

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PPINTL.REST.trx_dll.4868da

Filesize
269KB

MD5
89c0f0b600650e651d9a21a8813f4dd6

SHA1
3f590459979a4bed8022b441c755f2f403f9bbf3

SHA256
74d25e86f159824f03f0eac06cac498d00b4e2449cb5bc74b2d1f34dc14c9df4

SHA512
6c2981f051ab2b3870e85e06359265aff8a3cdc51c882135e5c65558e3f5a3ff0b3003eed74e271e80f8086e8bd39ef1671634609630ab9b7004910f65d771c8

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PUB6INTL.DLL.trx_dll.4868da

Filesize
105KB

MD5
8d68ad7251976b2c9de7c881e751e709

SHA1
66e29ed1e0fc9caa84180f76228d85e4ef3aef74

SHA256
e42a905941a6ed5a8e778b1f7aa48e941fbcc1d1f3ebfa1c0895d6c61454d128

SHA512
01c8a4c276d5eb47e395dc0cd4fa439cacf45fba18efb56555c83120fba553bd7ee992131a00c3b20247c4056128b8cf1e4616b36c2a0e6812c27bc0acfdcc74

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PUB6INTL.REST.trx_dll.4868da

Filesize
544KB

MD5
276014a01b3987291103bbe1013a0110

SHA1
8f03456c73b8317e39484d0461789eb41c0008a8

SHA256
bdaeb28fde30da31b85b47122783aa1e6d662e903a5450868a023fb800a24a9b

SHA512
11a5f3d4d2a9af9819204acdf3c73e48c32d6bdbde33cee36fb212b19a4c1124f159f89725c72da1ba76a18d3f881af7f587f25754ee475e80c58165a9448439

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PUBWZINT.REST.trx_dll.4868da

Filesize
352KB

MD5
c1c1e08098560111a996f8a256e5d095

SHA1
905cc302960413438bdd6345c109628532fb1853

SHA256
172b63ca18b097170ff0ddcc8c74a8e8597c9a87fc3628c2af23f6e599769544

SHA512
f5db8bc096374bbd9299cab94207a62064ec5c5924304d1469c64f907a7cee74a83f2149b12f7574d5b1941c9c65e5e96e542f4647c5081904e986355ab56f7a

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\VISBRRES.DLL.trx_dll.4868da

Filesize
26KB

MD5
a6613703cdeda3ef6965e118fa6cd5a9

SHA1
843afc747baa225edb9abd5f1bf1e31a4edfeb85

SHA256
429aa6f66c529fb2575bbc6d5579b82c3a198889b32e76c0f3778218eda389a6

SHA512
eb6c966f324bd2df5715fa3ca34cb8435a2a62f34a1e725298c8a9fe320fcc87d843f6c58e5cfccd23be12da30123236dbfb325c78d0f301e71f866700e73ebb

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\WWINTL.DLL.trx_dll.4868da

Filesize
145KB

MD5
d1312c204c49d1eaaee82de53cb18d9a

SHA1
82fceeb0bd29b33e2b6e6bc9e411a00da8e18d65

SHA256
8c5102e44374437a9cf606eeb2d2fa52ea5cbe666abca52da8d12c4e2a7f5106

SHA512
69bfc83e5edf50bce733d0df6aa0498d2a7d5b2557e09ef935933390878b920f0ff24b476e4fc851177b1b11f826749f4e8993e17f54a1fb402a375146ada328

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\XLINTL32.DLL.trx_dll.4868da

Filesize
142KB

MD5
144a86239ff4ec7c6488e06440aa54d9

SHA1
6a993f184da4a0bea4cf27915d7e0f0bc8868555

SHA256
f4d06245d900683c05625592ea5048dcb31238cebd1b113df2307b33bdb943f9

SHA512
953f9101412840f11dc1cd8907389662124ce15482c0798feb2dd0f993789b4a79565c815cba61e941042dd9c78aa52c5df58ee2e026d8ee2603a2c0003ff076

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\XLSLICER.DLL.trx_dll.4868da

Filesize
14KB

MD5
05b1fb48a321740b917b0d164c6774c2

SHA1
d6cd3f04bf57c8019b7d69462a20be9f90148d64

SHA256
12bce3872536b3d9eff62bc794405dd9a0b07ff56a8881c66ea8f20e680bf385

SHA512
5ddc3b6da023129fbd36303bd3915c92137eb3148776e179b4e8c97442dcf774b9acbcaae4de53ea057f456c56cc882cb3054c3eccae9674207e868af1c85a8f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log.4868da

Filesize
1.0MB

MD5
d16b5a4ff40124e815f89222a309a3ea

SHA1
0ec973bacae9e52fc1bbd04c71b84fe01529f6f7

SHA256
9206dd52fcf4dc2669cfc1e1b81baf1680208ad6027c84b1441b7b856703c6ff

SHA512
df26021144771ab50c58051519a5acb5969e30bdb5abbf8d80711e8e6c46be251b53f76bdf15f976b745cd4d8122383d77b28970efe8c43b79f3eb2fe9f363a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ohjiq9z.dll

Filesize
6KB

MD5
85743f25bc34f3f948818a86485d5479

SHA1
cf53dd81cb486fa647e2e0f298d5443e2d5efe2b

SHA256
a5ea781b7b0cde9cf0015b74c83b62b27aa3e129da8321a71a6985e37186935c

SHA512
7256cdd02479fbfd4399664b9a0c28724b972b89aa7433b45235d52f76b18e484913c8dc720cbd8cd47d72fb39279a756c1b7b08899434272e8588b3deecd805

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ohjiq9z.pdb

Filesize
7KB

MD5
02679fd7b1883a11dadf157a9c8bb458

SHA1
6a3eab4414e451ffbbdb20487c7c1864279ff872

SHA256
a4fd64bbe47ebcfc55d63ef6471fce8a63ea91b3396c53873ffd87fca8281728

SHA512
a8ba52eca06d038149b21cf9c825c64b18ea787817f1362ed11d3e939ded4cd51dffbe7a2ce99033c23f7ff23aa04feae40398a1837ca67ce086452ec855221e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1BFA.tmp

Filesize
1KB

MD5
a07a70aa2a6757ee55837ed69e0a2532

SHA1
bcd1eb130121911a2848c43e2b104f7528a50fd1

SHA256
2c846b287bf35de936094b8e230d2dc164e7b38ed160caa9d93ca5f3de6f4cb1

SHA512
ff0d7b42de59bb6e0b2c057452eb67d81b45a57ec2d6a2e0d6a019aacecfc367f2b0f57f9897f3d38dfbfa376e29e5645216baa6f58ec54ebb9938d7b4d54f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1DED.tmp

Filesize
1KB

MD5
43ccb818a73b1e798bfb459b43b922c5

SHA1
0d1d11835f63131b20731a2ee51eecd80a07018e

SHA256
1cadb3b226ba737eb71326d9881937a58b542cee1bad6b596da8f732a32d88d4

SHA512
9a3c79b997075d2030d7fad40c3d71becd339c772f05d2043e924b6fbcd9270d04137ce674cc46fcb66c661e4638ec7779c5eeb1e8896c78e4dd892dc37727c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_cn8evun.dll

Filesize
4KB

MD5
32b7762fc219ed6a823c83e41f34b752

SHA1
5e83ad4955980edbebc1b17cadb659b6c4b1373d

SHA256
de5273534fb74178eb731ba8b887e4f9ab0c9ed96cd84f4f32e9363e0abdd913

SHA512
a3b860db89ae2e3387346be1a049ad4b8d2eae47cd917546e853bbecb5054fdc92a4a499c52a00c1c7e1f4fca86c8f4cdaa791d4c92534cc98024452734b4a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_cn8evun.pdb

Filesize
7KB

MD5
3ec30cf9d656d091d843acc5c42b401e

SHA1
15418d68c34052253b4f292e9a80ec8e6f4c9bf0

SHA256
96dc21545c8e1f21caf012709b1e2353024829388df3ba5dc7a3e6b338b84961

SHA512
52ae1f4379cf81c289bc209f47f493336a0e33ef519668758cb4de40c129bebf691c8fd5c77096bb43773b56682d5b2bad64f194c03d2e32d936e24a7b6f5e1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3ohjiq9z.0.cs

Filesize
8KB

MD5
adb821d681853bdb5f96815a435533c3

SHA1
f10358ae09199affc58a4c4b9b31677612252762

SHA256
42fd2b1e45721ff7f27ec7ba2f9fd7840f03d38442da3fbf25ea687c4e5fcf68

SHA512
14f6a680c227635e826b5e3b6b843b95d4b02f2a99581e9d67cf53fe4d08dae1217f6ecc42c2ac1409887e3b88fc65c0589b06beeec80dfb5441ca117a58777e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3ohjiq9z.cmdline

Filesize
309B

MD5
604e4788aaa077169595dfe8d7b70fd6

SHA1
3c0b2cd27c58a088b821dc8fd6d3d46f79a51e69

SHA256
886893bb579d981adf42c273a9ae419a9616f14ce1002ca7fa02cc62078ffa2e

SHA512
bd61b1289e666fdd34d2070e0d9c656e1537d8cf2b3fd24909c1eb35f109576c4fc0f9886899d9648b24c7721fe0752b7a52956a9c0a4c363c15706357681142

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1BF9.tmp

Filesize
652B

MD5
253cb724bd2dc07fe2c40ae4b31d1993

SHA1
caf5ed93024d4364cc54215435d81434dea295d6

SHA256
941dad5eadfdaeebb080d2cfc7649173c62e47c84b689861d9f53b3d88129443

SHA512
5d353ca0a61b882a68284edaad0c820a9ca5db860ee7fb30dd77e5d1aaa0d192a3b82fa6fb02dca25e3172be3fb190fe674ae7df4a13b410527cb9a382088303

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1DEC.tmp

Filesize
652B

MD5
26bffa3bd5a87b6d588bcd72c05759bb

SHA1
777afe8f1929a101a6bc6c5da11a77839bb2506e

SHA256
a7b60cb895bc69619fec9fc420b32968d3079724130de960a088ee41c0719e8d

SHA512
f8a732f2749b842a644fdd279212530e836238e306063e4d59bd7d232d4d0a3e49c014ae9436c5a0688a027c1b0ac51b6ac41cc72eae7831431b0ecec49492da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_cn8evun.0.cs

Filesize
2KB

MD5
aefa890f6d791978020f664840a0e823

SHA1
0c6fe24d21f924ae96244b34fb0581bdede8f3b4

SHA256
9590adbe5616b3efb6439412a0fd56f95cad0264467735846457f914abcd940d

SHA512
6fe262134fc58d8ef3d3fd8fcf5695e0e7957d14e35915fc6d78abf677f13fe73c22d5950e6c6a6acaab3b02002250647b58ed826d1a7bdbe6f3068fa1ccb0ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_cn8evun.cmdline

Filesize
309B

MD5
d935481bd40e4da2ead7040bece01544

SHA1
ccf2076fb25815c778dc07bb1f963a38f1a2e85c

SHA256
32a93cbcb4dc0e2d0e65225df21c638e93c3bc49cab0468c7009af5dac3dc02c

SHA512
16cfdebc472ff4954df0a13e9adadfa21ec9e92ca9bdaf20e065a827db648ab5f56cc891646249041cb2a0347d5c815988c76a749fbdcb82a5e497473d3ebce8

Download Submit
memory/1244-106-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-81-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-57-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-66-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-64-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-63-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-62-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-71-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-72-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-74-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-73-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-78-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-65-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-92-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-96-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-68-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-67-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-69-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-70-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-110-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-75-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-76-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-77-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-79-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-80-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-83-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-82-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-84-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-90-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-91-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-89-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-88-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-87-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-86-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-85-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-56-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-93-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-94-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-95-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-97-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-98-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-99-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-104-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-107-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-109-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-100-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-105-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-103-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-102-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/1244-101-0x0000000002E20000-0x0000000002E42000-memory.dmp

Filesize
136KB

Download
memory/2304-27-0x0000000002A80000-0x0000000002A88000-memory.dmp

Filesize
32KB

Download
memory/2304-6-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2304-9245-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-49-0x0000000002DF0000-0x0000000002E12000-memory.dmp

Filesize
136KB

Download
memory/2304-50-0x0000000002DF0000-0x0000000002E12000-memory.dmp

Filesize
136KB

Download
memory/2304-51-0x0000000002DF0000-0x0000000002E12000-memory.dmp

Filesize
136KB

Download
memory/2304-52-0x0000000002DF0000-0x0000000002E12000-memory.dmp

Filesize
136KB

Download
memory/2304-4-0x000007FEF56EE000-0x000007FEF56EF000-memory.dmp

Filesize
4KB

Download
memory/2304-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2304-46-0x0000000002DF0000-0x0000000002E12000-memory.dmp

Filesize
136KB

Download
memory/2304-48-0x0000000002DF0000-0x0000000002E12000-memory.dmp

Filesize
136KB

Download
memory/2304-47-0x0000000002DF0000-0x0000000002E12000-memory.dmp

Filesize
136KB

Download
memory/2304-7-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-11-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-10-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-9-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-8-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-43-0x0000000002A90000-0x0000000002A98000-memory.dmp

Filesize
32KB

Download
memory/2612-20-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2612-25-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download