fantom | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

max time kernel
133s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/criticalupdate01.exe
Size

261KB
MD5

7d80230df68ccba871815d68f016c282
SHA1

e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256

f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA512

64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
SSDEEP

3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score

10^/10

fantom discovery evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>VvcMG66me1EYduYNMtO5I/S62kA4a3SzLrxrgzFJATGJ3iuyc3Axb0otp4OYil7E0XbTWBoIyFNDKa6vGlS0lnXKdiDT+KzYxczqPDFqhiCQmW8pBsxhnE55FdUOVoRpdUAdJeHCx2JUcoF/PitlTdhlwnX5iV8GakOUdDwliK5cHZuLzJMko2lhgrAZF5qu99sEFDxAK6us/gh9cr+ZxuK5u37KzqbqRiwHoqQqbuBuOrJGf20F2PCDLuFkRKI4urNI1xNlYP2NdJTo7q4Dh/nNyrdqNfmJBdwbHpu4n0NDemFrZ0sEv47lUG4UBw3jo1gPSwhQR6IeDT/nCMgBmg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Renames multiple (2511) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe

Executes dropped EXE 1 IoCs

pid	Process
2948	WindowsUpdate.exe

Loads dropped DLL 1 IoCs

pid	Process
1720	criticalupdate01.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png	criticalupdate01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml	criticalupdate01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar	criticalupdate01.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js	criticalupdate01.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	criticalupdate01.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json	criticalupdate01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	criticalupdate01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar	criticalupdate01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml	criticalupdate01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	criticalupdate01.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BillingStatement.xltx	criticalupdate01.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html	criticalupdate01.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif	criticalupdate01.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer	criticalupdate01.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Modern.dotx	criticalupdate01.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml	criticalupdate01.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg	criticalupdate01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	criticalupdate01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar	criticalupdate01.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\US_export_policy.jar	criticalupdate01.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json	criticalupdate01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Program Files (x86)\Google\Update\Offline\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\menu_arrow.gif	criticalupdate01.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	criticalupdate01.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv	criticalupdate01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png	criticalupdate01.exe
File created	C:\Program Files (x86)\Common Files\System\ado\fr-FR\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\validation.js	criticalupdate01.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png	criticalupdate01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar	criticalupdate01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css	criticalupdate01.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml	criticalupdate01.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png	criticalupdate01.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\calendar.css	criticalupdate01.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	criticalupdate01.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml	criticalupdate01.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\gadget.xml	criticalupdate01.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml	criticalupdate01.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyReport.dotx	criticalupdate01.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	criticalupdate01.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv	criticalupdate01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-progress.jar	criticalupdate01.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif	criticalupdate01.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg	criticalupdate01.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip	criticalupdate01.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png	criticalupdate01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png	criticalupdate01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml	criticalupdate01.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png	criticalupdate01.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost.Resources\1.0.0.0_fr_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\29c55874e34f9d5cd3ea739262f48adc\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Speech\fc1f3019656958a501eb5e410c498d1f\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0407\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Jscript.resources\8.0.0.0_es_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439#\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\inf\usbhub\040C\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_fr_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.dc83ace6#\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\Globalization\MCT\MCT-US\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\ehiUPnP\6.1.0.0__31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\WsatConfig\9683999d889dc0b8782c782e2fc1aee5\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\inf\.NETFramework\0409\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.JScript\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCore\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.Linq\b357f35e860204c5b74e1388f97db058\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.IO.Cf61e09c5#\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\Media\Afternoon\Windows Default.wav	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\UIAutomationClientsideProviders\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Synchronization.Data.SqlServerCe\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Messaging\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\naphlpr\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\MiguiControls.Resources\1.0.0.0_it_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\system.workflow.runtime.resources\3.0.0.0_es_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\bcab827b24e870428fcdda58e1ebec20\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\inf\.NET Memory Cache 4.0\0009\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0\9.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\c2a702d703816f85cc229d96cb1b0c5f\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Runtime.Intl\14.0.0.0__71e9bce111e9429c\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data86569bbf#\98a4068512ff6a2566204bc1e759b0be\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing.Desi#\aa8854bd55fca246dd3226a671092bfa\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Drawing.Design.resources\2.0.0.0_es_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\45d6b68ea71f898fee71f67739c5b8a1\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\Globalization\MCT\MCT-ZA\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\inf\ASP.NET_4.0.30319\0015\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\inf\SMSvcHost 4.0.0.0\0013\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\EventViewer\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.IO.Cb3b124c8#\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\IME\IMEJP10\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0005\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_32\Policy.6.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.22cc68a8#\d6af9b93ec347c84ed702eb0e824f218\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File opened for modification	C:\Windows\setuperr.log	criticalupdate01.exe
File created	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.resources\2.0.0.0_it_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiiTv\4a7ec1155d9e9e4b40889b171d16a577\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\diagnostics\system\Audio\it-IT\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\6.1.0.0_de_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\ce8c100b866ac8facc1902286aede990\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting\664e4afe397442c26ea9ededbb639ce5\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\Media\Windows Recycle.wav	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\6f4c8aeb8f066adf5cafedbec0cac415\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\DECRYPT_YOUR_FILES.HTML	criticalupdate01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	criticalupdate01.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1720	criticalupdate01.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	criticalupdate01.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2948	1720	criticalupdate01.exe	31
PID 1720 wrote to memory of 2948	1720	criticalupdate01.exe	31
PID 1720 wrote to memory of 2948	1720	criticalupdate01.exe	31
PID 1720 wrote to memory of 2948	1720	criticalupdate01.exe	31

C:\Users\Admin\AppData\Local\Temp\Ransomware\criticalupdate01.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\criticalupdate01.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
f96ddd691859e36fa367de30939ca28d

SHA1
c2c31ed389d507c61135641bef4991c9b7c03122

SHA256
ecd5848ddfb52e8f8f312ecbfd6067d727e12dfae8b8648c94a39e5b6cff2d6d

SHA512
29795b953132951d5fe6026686f83d9ad46d74b7ba0c46b927f67cda168b21a775ef53a9216ef49dde96e929c37bd770a28c46db9a8a0a2a0c792e3f83ee7c61

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
352B

MD5
faf61b800491583d5711fc269d4b9d13

SHA1
8a48f8f52d6a411af84e953bd0dd01aa4631fb3b

SHA256
43abf59694c14f0ff734ad03cb5c9d1e81db3fc60f80d0b44d721c0c9d937f37

SHA512
7404ada43630a3abe591f1f31cbaa40a699529a89df5637a57c2a42cf9597eed0b0f274967834f3759e8cfeb85dd75d57468155315bc02b42fbc60f335f03a4b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
224B

MD5
fb6ba9a737c6292dd8abc66744ded4c7

SHA1
6d8d4d68ff136b2dfd46317fc27d559ba655f13b

SHA256
3c507738964d1c735faa5ab9b12b6b14024838d73bb473eab03a2a6222d5d207

SHA512
c91a4f609bc534962351875bccca6599f83df6847c3c93e7278e51473d50e56dda758a9547ab26d0a0dedb2fac1114cd54a0514555c9af825698e87b6c7dff48

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
6ce7c0b9570db7135173c377d082a9ec

SHA1
1a3aae9b5fc11a1ae1f4ec53e5ddd2eff319d4ad

SHA256
5a0747f587f2d9d7ebc0504faed2ed173101afef390c0e60178ec149df1dd6cc

SHA512
189bcc3ea2ca1ae7dde5c35c5df49c33c355a31d437c661cbb9ee2ef6fd9c79afab7c8f06aa8b170d177b3b0add5fb4fb8843fe8477e0f5c875fc92ec2678799

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
2a619c1c155e190939b6a173b41db29a

SHA1
9d8ffaf85bad3a5a21a9d7f311d1c365bbcec80e

SHA256
f83c9d302a1a481065215d0c75002a31102eaf10162071fc4b3cb44d90a09a84

SHA512
6c0762f9eab15d42094916671887a4af398a20d4b38595960e820bb8ab025020e8d49a6ad9d11947327710b8f534ab164e0bc26d5a70d48f559e79059dec2318

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
dfe731cf30bf6088fbc2fd3a648c1eb1

SHA1
627423f7bf7eb9d9a774a4fd6b59849de5c764f0

SHA256
6bfe17418ee285f5b949a795a2b4c92c0c107bfca8ecc9de9eeb343be2cd5b9a

SHA512
42e3ba7fccdb7fad8917b9b6f8c9e896d66e7fc3dc0cb26885d9818bf3b1b6d7e351aa54ecdb64ffa306092a592f324143ede177d3fdd85035e32072cc3e65f2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
381eff4a70e43da5f86e31df3aba8fa6

SHA1
698fb79f56d460f317abef41926f9fdc0ea2d308

SHA256
98673d1502040159123edae810a695bbedbcccbbaa8adc685e67c52c4cacffcc

SHA512
f2be9bb97ff952ff42bf166c2f3b04b768e590ec162d06d006bd44f642a112ce40ec535c6aed2b99f9aedbb520a3d0f4228fb88f828c8eac4746f9adec05454a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
112B

MD5
f7e389cff29cc0316071d76816a2e805

SHA1
493299e3efdb28232fdfc42fd1056c5936d9e63e

SHA256
d65ce4dc2ae4611c6d43224391ec87a4496fec1efd9384d0a6c413561876a6c9

SHA512
c86009f9ac36318698de5694a5999de4a43a6f06e6107c33b5aad92070fb6e94b6168b70c5609e9de0d78995af0d318b156d61279352ae94d59ea777c55e8e1f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
324225baf8a112da7b7a513a6172db3b

SHA1
f8ebdf57f3bc711833a39e9722001b98f968cbaf

SHA256
6090bbaa0bb0775615481d030e68edfd58507ad2d3dfc14264f0b153aecf8067

SHA512
b72d6f024724ffdcd46ac092e3c0d0994052b4c1a952880ea945f9db1ee8822e36ce0f704caf5a8f0a8a55f416758cd0131b248ed9543cb113db286408ab6844

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
73d0f607db04b265d349e802f1ba1acf

SHA1
d328dca03b5132974f97ab8e7c236caac26b0c59

SHA256
faabcb58d778db5113d12f7828f377bd0ad370e4d24f0bb3dc753de045b01c30

SHA512
31276453af4c09dc871a8c6e25171c089c3f1977816cf7c0f19257f9e57cb04a886ac1c044bfb4eb049d9becc7eae3dd61895253c5d1d188167f136474f97738

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
b1bee823418f3babd2d10664c4db7c93

SHA1
aaf5c314606c016fc2d600ab8c013620e6264db9

SHA256
3295978c6e5cc49ae27b98e7ed316e72b531f4cff0551f1a6b86171ef9059eaf

SHA512
ee9a1549fa77597d420957db2a4ca97509c412cc76131c279c8d652e7c558ad35729338f713f86fe3e1a197dd16e178f8fb428dde87c9af4d9b8b9fff177bdc9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
eaf154713908edface93e0980a12f2a8

SHA1
fec06131a1b0178cb7dc5a2de6a498121e989b70

SHA256
5ea5a67f0d8730ae1533f22e6b032752301ee15765826dca14bc19540938a785

SHA512
6834379bc2b8d5d001348b04917d34121e79e8c052b6de490a8be120a0b1ff9c38748e4c70f79bc3a6d52ddaba65a1a9cee89cb26d9897e56d41c03594f42ff2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
cc5551ae2edc7d01f9da20d4430e675a

SHA1
aa2cbf0ae43ae839d5fdb45430fc122185a02e71

SHA256
191b96e7257ff67a8dbcb37d4f176d1f0cab8bcf63ea0c405f8e5cd093773067

SHA512
7da57c8c0655fffca0930b4955b04c38ed9ff5d030d82b1d98dc108657ce72ca1fbf556a556128f3c15af812d5ff9761dc0b7315d50dbd2cfb7d65ae5889dbdc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
4572856dd6e807b1b10e9393d3c72fe0

SHA1
27eed5577cf736bc551ad9fa670b5b9bc9bb4ef4

SHA256
0b379691757a106304e2040b586a88107556f914732822f4f70ec0b0c0567ef7

SHA512
a8a0f7afbbfbfa417119f9bb06ac92a91527cfd36872bfedb44d45e6d3a4018fa723a8bb964de1e823879a3ab63955ce3e999754e4a58d4b909984b3148b6bb6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
d2c08119b183f9501392632c7d85399f

SHA1
201800eb57fdff60858138b903aed14483d766a2

SHA256
d35b508f88396edd4e37b574dd14f98a706feb8a818b59bbd3159a42e632dd62

SHA512
2081196a175f43998a3260a2439c8922cc6327e0c066ff5b2e47f0dd74a78d24a2ce40ff203838f844753d184ccf35dea7e7773f299e9746e3b5ec62d3a3772b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
1e074c5f275cd2cfb8bd17c8159c21f1

SHA1
4154afe75dcb53719486a2bb016b2a7056982534

SHA256
783eedcca0f1300f07fa75130380c8e25ab817c46b1bdacf5cae3fbb3df16866

SHA512
7ce5754bd9c270e8015905e6617423d4ab2d6e99f7470b6be95cd609db846573923aae8cb4f6386333327a77705ad11df223a388b8f5248d1e6e31d8c6759f84

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
7c893307c583042ea55449a011386f70

SHA1
2267cb51f4f643d099579251495eb4fa967af967

SHA256
39bac39411bcca570026dd82ad8b862b6bd36bd1d78f94a6cee982b291283dcb

SHA512
a6e6442f1e5d41e78757cfe3805143b22963674d86bade815a43899033d6750e25506795d1a2dc959c4f37eb4a289ccef797e9516e6aab49d1bb5d9c116c5378

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
336B

MD5
800b5c47517c4d3c38632f064ec2d321

SHA1
d87805ef8312f69b4c788a09df2aa8ab4ee16f63

SHA256
a4736d4a47572bf39a26b43f110ffccaf4d77aac4b6c9a5b52459f40f6300944

SHA512
279c80fd1401f0b502a75bb54e990608fe67338b3d5bc6b0da427ab43792f663b2f6818146e55bc7d63207f75c984cae678b8c0647ed2a7b3d504013e85720a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
240B

MD5
bc8cd76cd10c57e83d45090acfa07c88

SHA1
9cae50d16c73a0350da5d7dba1add95984ca844d

SHA256
d539fef6725578c0c82e86436268c9782c37e1204a148feb3b1bbe8ce43a2ba2

SHA512
86cbba1d15179be18eb72abb43f9784014b8bf0dc6349ba9a4893ce936597acec898ac4f5f72807800362b90c96efed6f50018cbf3a5d81d14d3cd5b828a8e65

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
15c6c940302aa48431235d315e191b8e

SHA1
91d003157e8efddb5fcb27103afde7595544e871

SHA256
cf7d6d94342e82c2497682b9b95d5ed72f91c54e621098aa0959a9dc6771db12

SHA512
1dfaf99b0cf12ca5a042ef5bf0e637067e6582d346eb8f8c540634760e49ff4a47816269d86265226bf07e8006f46dcf1d01f236bf56ccd356e9d6d9562fd3a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
816B

MD5
1bd44973be76969bbb7f93e4a6f6b97c

SHA1
c295120ead0f3516b3158c510955c5f4b206c961

SHA256
06cf13e2be4400729a139e6627455b7d2c5c5f0d33f33ab7f20b8423a4cd16ca

SHA512
be7dc54b5ce6b522c7dcb380ae6e90dd55a428984517f4739d6ee4687d4d95a74842fbcf95261ee90a00c8e3e2053ba9f036c03a7a0f7138a8e09078f4f563c3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
73ea557880b387b65ee9e47c88a750cb

SHA1
e5a08f3b3d2d8b13cc5fea8af4167180824b7f17

SHA256
d409750ddc494fe3204007cc19ca54de2fb3ee7e845379705400a398ffb030de

SHA512
1f473907e178b39d0aea5f1d48eea17eb3f1adf252e93cd087b28dd2bdbb4378ff6793256d1d6b5a04eb6b0373e7c370722935a72ecdae2e93cac0e327fadb41

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
7a472c1245e93c80ce03037bf5755cab

SHA1
5b480d3f2c9503665e2295d185178fd223043518

SHA256
5fac564ad085952fc700ac364392c09e33e86f726a046c306d0167be3a9da04a

SHA512
803fb76ace7a0727ad4f07a58c39b345780785c19e3dc76dc731aba8e1039262d6e0dceec4d92a4b4a8474561818c9c557f12836b95d528ce3248126eb998fce

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
611b68c75025b0603c56c09c58a90fca

SHA1
6f2b3399917120bf3ed6f25168739df11346f593

SHA256
3f1afddf4935817e9f65a2f31645739a50fc8c2154765c263417ad815e74cc41

SHA512
9c24e77b93ac105cb47db569c02d612273f9c5d70d11c8fe891758317c5bdf392e3a6bf95394cb52b65cea9048ab51488f07fe732d84da06928916787501e8fb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
896B

MD5
e666cc130b93658e82b1b59915112847

SHA1
d5012bc6114c33ad8adf289ff3bc1d5ed5619a24

SHA256
5b735b62711edffd59eb03d6e5e71311a3129e302c19461fa6bd2a5f0c4dc5a4

SHA512
dc75b134d1cb55ae4314ab4dfbb37885cfeabcdfa21afd9a91604f9ceed6cfb654982b05f0100e4e6979805a6aa46ba17d89101cca238f9c0c6422db50830581

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
864B

MD5
802923c3907ab0d661b8fddc6bf4f7ac

SHA1
9b690755862602084eacda9510d0802e1fea14b8

SHA256
47cc7a8405ecc14ca4f84c576cc712312171acd15230fbc06b22ed80e21436da

SHA512
ffa4b0c3320c51c15d0f96f012da464810ff662beb44e4ceb93f5b505cf9a426ebbe503708c59f0942c39afcff1f45cbb97c040e6119c62356f954818b858b16

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
864B

MD5
12484145336897d562d61e837e60110a

SHA1
4b0848a650a3563de2547b7f6ef754d5cf3fe7d7

SHA256
b12c025498269814e76c76a209cb067105a6fdf559c42f49b0b2ae34baa0379e

SHA512
86ea90031d3244e0f56ea104910fa2e81faac2cd0faa64873215c2d3b49b5721c91f4e2b35359ccdc595fc36b7e01fd509c6e06f304f36ba4fe55282a2586fbf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
198efe3dc41e474efc1b1a032b685146

SHA1
c7cda45c23252c11ec0fea21e5316a417fc2f4d7

SHA256
edfc4b26fda14ce972de593cdceca1fe5d9f4fa6312317105f8f42fc65cbf2fa

SHA512
199cd4d3f9484d6cddddcf7ad1b40d11bab20c1e1da6f2653e114ee39695faf149b641cc6e0a523501b14234cda68c96e1ee1356c938b48b66d2ef0f46d31658

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
20d876fa717a5653accb686fad183dcd

SHA1
e4c67ae117ccd40bef4338812b69e84b661dab61

SHA256
9457e2c6627b93e8fbdfbfcaf4d46aaec8644cd48ca1ec585beee762ac4ae01e

SHA512
24d0c72b6d4912f834c60ec7b2b4ba74492e220e92ad8db6b122135d1227066fcfb77d8948baa4793bc02a7ac47ad4a96ef7928d99a828febce3613e1f995c4c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
864B

MD5
a4048ef80e24d78a2421cc57fcd91b89

SHA1
0ec254d647bce442c053758e6dab04aa1ee7496b

SHA256
53dee5c61d8f2aa35dbd78efe24681fd62123441cfa82f9bd8817542c82c6f6a

SHA512
531c7e066c8101a623b75fb8664605caf467c0e22b2f06355ef29bac87746dbbc6fd0c39e51f757a14274ff08a5595e0cf8685e7218324a18025e6be4ba44af4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
848B

MD5
ba8d4f20554b48edc34c9dbf00eb10b1

SHA1
7aa19b1c25f6df75dfda62659cbe0d6f6a0d606b

SHA256
396b5957ed0b631e4eb1056522d4f676152a885bd66d39e748403e6ca86348f9

SHA512
c764fd1fc7a1eee70316574cd66d0ffb76a40e1b6a4dc0b05951b90c78b116ee6941c44ade90c3d721a3ffad4b603b507c0c70c704fa935a3348a7f8e48a0a38

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
880B

MD5
164ecffeda0d8b587beed2af770cb063

SHA1
6ea4c97f7f4e8aa42f2a66570e5ff2d0f71cce0d

SHA256
dbc48acfeae24eef88a879e5400b9e61de4956fe76bbc25fa1ed6eb79153b86b

SHA512
b75467e965019f23dc60579cbd5f87cee19a00ee1f19dce4af157f39542a91c9c6444535a9e59f47f57fce3d56db144912accb2032bd1061355625c58f029d08

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
848B

MD5
28f334d2a2f3430f9eb81959ceef5543

SHA1
37df646ea5769543635ddfed394306fb344b7924

SHA256
d41bdfa0098fbc2715782b6a9d639941a28586f95635c39da4fa9a4addf108c1

SHA512
1851f04944c63cc4c7c6771d8e5fb485ef3ca203c471d14ef446d94e8f9c3f5a92673f15f91c953b784e915503862c8068b6a395afc624eab1cedf7ba9f02338

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
864B

MD5
11467376fd150c18740715ecf795dbdc

SHA1
aa61461cccd0ebce7931272f8309ba79297f8166

SHA256
c30f5c588941e4f4fe20264e25b976e27fc6185018d32b6d7b2c349640d02161

SHA512
46762cbc20600196c49e6ae630b3440596b495874da299cbd72ebdf4524952e2a8a7b3b0012b750d0f44dfcf43c2d2dc4be7aecd94393f17a8ab5e3117448061

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
864B

MD5
2d0ed1c812f0b1669e4c8d6e41daed51

SHA1
84b7bf06ffd9632829b03075ff059371a8938cdb

SHA256
bd7ed9947f6e8c575405e4377b96b6eef47b18fb2b644bd2e8f47d95558bf641

SHA512
58ae84f9234e1646ac6dfb2623506899cbd6aee4e3bbe9a3075958bca39cbd2f469f650b27b2693866e91ed48102a190d22a3eb0e9642d72937411eb38941c33

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
864B

MD5
f1f85d92a090d138913c3b431c551f07

SHA1
b328605e68ec057681eeab355a17408455345b8b

SHA256
d99fe757711b0bb484a99690e705ac36ada560a2a8d69f25fc8fa5ff66d2ddb0

SHA512
eab755715854fc0c51a7f9e8fe1c44118ce8e9ecac6198a5112ffa969cfc2fa4367c1a10f354c21b2ddfd89149b066047bd70bc11c282e9867c03626ac56d185

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
896B

MD5
d6a761a56213a57c696bb8c40eed6ce9

SHA1
c1c2a5e425fc6bdc498833bcadb07002c52b68d7

SHA256
863d1aa6b170f9c594769e426a035dd4d356f11a6505505b6f05d0d39517f861

SHA512
b835dd330a43c470f525904d0100d38231d5e2b727dc474dabc79dd57a0c5e89e2d2301314ac0abc0a47892939b8bf110d84d999772ba48620c17f67cd4348f8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
3cebcb1282266dd36e0ccece694da645

SHA1
d9313e0147448f903f304094b44c59c646daf051

SHA256
75ee35a56604a07974b058f7ff02d246a8b42cb545627d68e2d5761ec7ddb3bc

SHA512
e1dc20cff2a7a864bef3e66a9ecee1a31b34725ad585d04db001998ea417186a397952ded108c613060d3d3511efe49786ac9c156b3c8f7b34449b13568d5d4d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
6a87c90c1a3304b6e51939421fceb8ba

SHA1
9b66ad05bb2ca6f2f7342c90d9b789c6d52052a8

SHA256
eec7453e97c10f9f1ad7be4dfb721dce7ed79354e55eab4cac7b4227ec5a2df9

SHA512
2ae3fb184da411e4e44547c54838d26032ebf92943e7c12b51295b605676c1ba6cec880cc9581a664f9e3a83a43b14cf2adb7aef9a8cef02960389a92be7ae4d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
2182cb116676548cfc82fb5f51af7b9a

SHA1
2558a58382cb3ec6ba10e1df68987f1d5788cfd9

SHA256
c7a68976b6b696f4c7f4d1006d70b5bfefeec75aa476408b0a72433a120a74e3

SHA512
f912243d7102e094d9414c22d258a3b0adf4e705f862e1e200dab556615d515fd1b926106200ed21278679a99a963c90754baed91454737a4ac4024e30e75ad5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
b0bd5ffd7b30fdb5c8d3f0a26fb0a5ab

SHA1
eb42fe23e7bda55441c267841070c9bce1c513d9

SHA256
ecaab038defb54fe17009463524f759256b11ea8122a4fcc41d75e6047f47c9a

SHA512
b8a040b8447df0c991a642217109c8e7914821b83c4cd6218ab08953c47f1b6aa059f7f7edbfa17a464c838ec787181caf3bda4724d0c2dd0a1218bfa29a2bcd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
e83a7ae6b126b4d2e6bebcb9f740859a

SHA1
59911c1cb8015265843f578b1a853f51a37e799c

SHA256
448e5747c9ac205fba26dab09545606d227270d471e7a1e364d1a027f01907eb

SHA512
230a35fb683011b897bd080eff9f3b3b6363e292f834264159e989c5f013fb8f7003d5c373ba5d46ca7972ed1a6761f9b77fb59d8e48bfe9fdf9b3d71a0aa21c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
882d595dc3264de7e208df5014f5e6ba

SHA1
824baefcecadce4ef13c92299c3f2e9cd8e90502

SHA256
4dfe0b0e61f31acc413ae91b775a92d99d2ee7673185ad3a301ffca391c77bcf

SHA512
85dea0ce664c83ab7e1c1c1b6883e4ad1cace63964cfcef97d561a72319739c82b776a58aca50832a8437d5b920057f574e61f7eb14e0ef37ef30ec07c3fea91

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
acb452075e93e49b372c86f2ab7bb508

SHA1
0ef466ff9605093e8a4dc693a9b898e9466091a1

SHA256
38f5e25fe9b6f0534411ad119b24d72085cdb60fe5d6e9b9c2082184615be6de

SHA512
a4220889e257f7b8787cb18ac426fd7510c96644d4acc64708f23389e191092b5051b963c9cbe7d615c82812330c700ab053839b30a7ac57513594f9c80ad317

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
16B

MD5
0856309a1d91a69d30361660541393ba

SHA1
9d4255d860283284ecd2a5ff0f3080127f90bc8a

SHA256
54c79dcf4abeea0d9948ae894b8c5dd5515465c0ad66543db3d02b990a7603c6

SHA512
d36c4432a2009307ec762ca08b2207b6fe7ea6bfd36e3636bbb4c133ce692e604a87752fc135b5ee54a160dd6512c7587c0cffc492378b16444bf3afbcf0d43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051529186.html

Filesize
1.1MB

MD5
85bd882c8a0cf4b1c9e73f9cf7cad26a

SHA1
38ab8c1eef0e82fcfe3e8621c5a4d1ebce9d840c

SHA256
71015e2fa6adb70e858927efd18a317d12c2764c3326bfa8fab2abac7cc0fdf9

SHA512
002be9c45180c151a05c961ed464a0664923505c84d4466748187d94519db1290b6f3b2966b3d47b60a1ef92e76cb1ef9959551792189d5e6457a37e26a40eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\Documents\ConvertToLimit.xlsx

Filesize
10KB

MD5
8df6bab00353ace25584551f718d8564

SHA1
c8e373aa5c2735311031fb52a84d73d887745a72

SHA256
f040f663dc79f3fe79f6b6556bc83013c2470596168e0d3cae7aa5fd3cbe7a24

SHA512
1bf42855f14624e7c77dd3dd37115ab05ec6da422b3c25e29c183502e20c413431bdacd724c5b9832d239059bb1fa9ca6c0b6d5ac85b8c89c00e873e223ff857

Download Submit
memory/1720-55-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-51-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-1-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/1720-2-0x0000000000570000-0x00000000005A2000-memory.dmp

Filesize
200KB

Download
memory/1720-3-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-4-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-133-0x00000000021A0000-0x00000000021AE000-memory.dmp

Filesize
56KB

Download
memory/1720-132-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-131-0x000000007421E000-0x000000007421F000-memory.dmp

Filesize
4KB

Download
memory/1720-23-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-25-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-27-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-29-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-31-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-33-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-37-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-49-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-53-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-13-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-15-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-17-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-45-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-47-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-5-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-0-0x000000007421E000-0x000000007421F000-memory.dmp

Filesize
4KB

Download
memory/1720-58-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-59-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-61-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-65-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-130-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-69-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-19-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-22-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-63-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-67-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-39-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-41-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-43-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-35-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-6-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-9-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-7-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1720-11-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/2948-620-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-140-0x000007FEF5C33000-0x000007FEF5C34000-memory.dmp

Filesize
4KB

Download
memory/2948-141-0x00000000010A0000-0x00000000010AC000-memory.dmp

Filesize
48KB

Download
memory/2948-142-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-617-0x000007FEF5C33000-0x000007FEF5C34000-memory.dmp

Filesize
4KB

Download