fantom | 3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15

Resubmissions

31-03-2023 23:22

230331-3cpf7sff7w 7

31-03-2023 21:30

230331-1cv8mseh6x 10

Analysis

max time kernel
521s
max time network
513s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

84KB
MD5

9d15a3b314600b4c08682b0202700ee7
SHA1

208e79cdb96328d5929248bb8a4dd622cf0684d1
SHA256

3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15
SHA512

9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3
SSDEEP

1536:vpeW2JCTz5eDMn1Wi8N36flDRdHOjN0O02SHU00wCpEbE1PDai41lkgD:xH2JCTz5mmYoDRdHOB0O3d00wiEY134D

Score

10^/10

fantom evasion ransomware upx

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>EP1pdeXqNjEk/xNS42IZATAHZjlFcedYij4S2U0WHb4wTj93XP8G0tZOicpWIIT5frjAqI1/SSRhh5OJiWrjJZcCJTLSEKgHAYCoumB1iSlZUiiUWoDmxX/M1RfvzL1RyPXWMmlk6SIEqbswuHJbWwpRd1xzWHC3MYkU3LV4yXc8kShXQiKggyf8xRQJPFYlLBmW0RE+LT4YOoePHkj+6D58lD6hk9XilR+wTHEGgBQYYMcFL7JXa9m6G88mbgrmnQZ2KneMnpXuO5sUIHJ/RwjHbHuFIRrzEIQKV49APom7v+aG3tO4Ks0lLOJRUT6sl2OXSC9jhixyII7x9xF/Mg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
3508	WindowsUpdate.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4288-133-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/4288-135-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/4172-306-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2060-308-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-text.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ko.pak	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util-lookup.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\zipfs.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Internet Explorer\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\splash.gif	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar	Fantom.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	Fantom.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496926556.profile.gz	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.jar	Fantom.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	Fantom.exe

Program crash 6 IoCs

pid	pid_target	Process	procid_target
5064	4288	WerFault.exe	84
2828	4364	WerFault.exe	86
3260	4172	WerFault.exe	114
3820	2060	WerFault.exe	119
2216	840	WerFault.exe	122
1092	2472	WerFault.exe	125

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008834a10c2964d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec6abf122964d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa88f9112964d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002245110d2964d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002773e1142964d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4671c132964d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c4d760c2964d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019a533112964d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fada0d162964d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7567e0b2964d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081456b0b2964d901	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
1860	Fantom.exe
1860	Fantom.exe
4272	chrome.exe
4272	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2552	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 3816	2552	SearchIndexer.exe	102
PID 2552 wrote to memory of 3816	2552	SearchIndexer.exe	102
PID 2552 wrote to memory of 1764	2552	SearchIndexer.exe	103
PID 2552 wrote to memory of 1764	2552	SearchIndexer.exe	103
PID 4828 wrote to memory of 1456	4828	chrome.exe	129
PID 4828 wrote to memory of 1456	4828	chrome.exe	129
PID 4996 wrote to memory of 1692	4996	chrome.exe	131
PID 4996 wrote to memory of 1692	4996	chrome.exe	131
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4828 wrote to memory of 3396	4828	chrome.exe	133
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134
PID 4996 wrote to memory of 1604	4996	chrome.exe	134

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
PID:4288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 448
  2⤵
  - Program crash
  PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4288 -ip 4288
1⤵
PID:5100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 4364 -ip 4364
1⤵
PID:3480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4364 -s 848
1⤵
- Program crash
PID:2828

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3816
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1764
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3928
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  PID:908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
PID:4172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 464
  2⤵
  - Program crash
  PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4172 -ip 4172
1⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
PID:2060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 416
  2⤵
  - Program crash
  PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2060 -ip 2060
1⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
PID:840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 416
  2⤵
  - Program crash
  PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 840 -ip 840
1⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
PID:2472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 416
  2⤵
  - Program crash
  PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2472 -ip 2472
1⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeb2989758,0x7ffeb2989768,0x7ffeb2989778
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1812,i,15147586262357879888,1063275637481371510,131072 /prefetch:2
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,15147586262357879888,1063275637481371510,131072 /prefetch:8
  2⤵
  PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffeb2989758,0x7ffeb2989768,0x7ffeb2989778
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=576 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:2
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4456 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:8
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5068 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5076 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:1
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:8
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:8
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3240 --field-trial-handle=1796,i,8403612056000714268,16782454906372471723,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4272

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\Temp1_Fantom.zip\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Fantom.zip\Fantom.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1860
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:3508

C:\Users\Admin\AppData\Local\Temp\Temp1_Hydra.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hydra.zip\[email protected]"
1⤵
PID:3396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
ff6ecb4b594c7650810f12ef163cbb04

SHA1
e4dfe35e9225ae5221e308fa1128647cf61314e5

SHA256
155e85a1520ee6b6feaaf07da55037cd811d264a4865610132800133deb96525

SHA512
c079851fdef37ecc90dc57dea4370a2b9c373e1eca441d29b6502c51597cc68c8f486ff5b6754b0b2c8abb121c7132a9a970c6992c9c0bd3840603cf730b3c77

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
a93ce921422fb434c29f8fba65db4e29

SHA1
ece55a41a0e908aa209f2019ee811e8fdf7d7fdb

SHA256
9a50b7af90685fa40d565d44a07921408e7d12270e7ed8f17b355e8e1d570368

SHA512
1bd82d18af85de635761b43f108bc6b3ea9a5a0b2cb938ccccd752c113ad33d2652d2d26b973220689196315374b45fb71d68075e05a193c2be85d954b7a2e97

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
e7809c8afbe1dedb31487557f8d93b25

SHA1
bf6fc08fa23c6a3a52cabf18b747bbc28f39e319

SHA256
ec6daa697021e923763f2ee683396d6a694eef16e3df44445e86f8b9220c9c9c

SHA512
5d327cee7c9616d8791f6e64510504b89d56d044b99264e5fea6cbb2455105687e761f038a59e19d12e94af3caa58377f1ed141a7e038aa01171a3530e61a44c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
ae47eb85990d6ba5b523a1d9abb8cdf1

SHA1
9a791197674ef288a6732c5e42608634f972e892

SHA256
a7604acb6928984f6f9aab76dfd74aacf59278d008af475adf01483cbfe855c5

SHA512
a474b60d5c772ecd9e9af76279ef736f0031611edba2d85af13b6d8921f5ef39ab70756c03a67d17224e815eb87c05bc4c68953d6205f98f775f1194cb3d2206

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
3f83cca75b781ae1db7e1a37648a65e5

SHA1
3c2bc7f8141a8a06f15426244033f669b92621ae

SHA256
9427a52705c500917d6434fd2bde51822201ee4fcb075814279ea8ebd439b376

SHA512
1a8474f31e0c6d14bdbc2e76213c7255a473a7c6c6a2ae3e0f13f562c37ec78cadbfa38e361d3cc28715e3ea02d46e4560a7feea7d2ffb54fb90384cfb79b03d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bab948aab646d615b0fbbb90b55433ab

SHA1
0ee46cc7db939e55dcc3a5cd17e2fb893ece7a34

SHA256
e02daa351bf7a75dc1b7e9b11c5d716b89f108058e70326f0a8b7b8ba489ce0e

SHA512
a1f82c1aba6d15216d2313673a200d1fd24f99577b06245f4e326df99ab0bd4c3c509b2ddab14753225b47f4c973ce5ac0e08c90c75430bc65c61c48a5969fed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bab948aab646d615b0fbbb90b55433ab

SHA1
0ee46cc7db939e55dcc3a5cd17e2fb893ece7a34

SHA256
e02daa351bf7a75dc1b7e9b11c5d716b89f108058e70326f0a8b7b8ba489ce0e

SHA512
a1f82c1aba6d15216d2313673a200d1fd24f99577b06245f4e326df99ab0bd4c3c509b2ddab14753225b47f4c973ce5ac0e08c90c75430bc65c61c48a5969fed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bab948aab646d615b0fbbb90b55433ab

SHA1
0ee46cc7db939e55dcc3a5cd17e2fb893ece7a34

SHA256
e02daa351bf7a75dc1b7e9b11c5d716b89f108058e70326f0a8b7b8ba489ce0e

SHA512
a1f82c1aba6d15216d2313673a200d1fd24f99577b06245f4e326df99ab0bd4c3c509b2ddab14753225b47f4c973ce5ac0e08c90c75430bc65c61c48a5969fed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bab948aab646d615b0fbbb90b55433ab

SHA1
0ee46cc7db939e55dcc3a5cd17e2fb893ece7a34

SHA256
e02daa351bf7a75dc1b7e9b11c5d716b89f108058e70326f0a8b7b8ba489ce0e

SHA512
a1f82c1aba6d15216d2313673a200d1fd24f99577b06245f4e326df99ab0bd4c3c509b2ddab14753225b47f4c973ce5ac0e08c90c75430bc65c61c48a5969fed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
81c5e2be70307efa3454c29af594a665

SHA1
7c9a35fb20e3b3354fe4cbf642582a6a7d248a6f

SHA256
b0b2d418ba154a831ae4f47a15dfd676ed6c0a97e4649e8ed264e37decd7f847

SHA512
931297cf83110d390533e5f18b9aa4604c2127675c96da862c0bf02e3c2e1b621c8af7a49d62702d631bc0d89cffd16e42abbfefcdbbbf8b88f90d3366d5f336

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
419618735b01717961fd0a24d77bf3ed

SHA1
4a6fa2bce146a298342bd10ab9ed859b46150e0b

SHA256
62a7393b53cd7e00146bf412f64382516b578fb52fd9ca6935c6398e24eec8d8

SHA512
d0a7eba7eb665c7aaa588bfed278892a863cdba6ec87eef5aad53074a5fd04258b12d3389508bf8c78522d21ebd99d6eaef353d7580956a774d6484ca33ed102

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9e08608f59f47be1e1ea1ea9e0abd093

SHA1
f6a11682cb61023461653c1180f1af7cb76bef75

SHA256
0ad4e21ee1a050aeff1f1f7adbe5158a2bd6c92b1b277196e0342e86025dc47f

SHA512
673311765b7400318d72032a0e919372978c7aa38fbd7d00e6079da784ac9bed764c76061ce971beb18395eac8784908cd32e8a6e43a56398ff5a04609810a7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
569dd310e66f09eb99ef1443e81e9367

SHA1
5d7c51441994c37be8d4e4fb16016d0d8a179cd7

SHA256
51c241829e769f6442b5cd22106e57e1c102001812badcb3ade20adf016ede72

SHA512
4849479c3e9fd9bd8d4da55a63948baf0791334f19a89584fca80ac9a0b3d84fdbc166000ae0221e2f54938ea81d6ce281341e333d919474b8f9c2b8596eb2fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
72c70b88f0ea34102d597c3d58e25a43

SHA1
6000a022e27eed91a608b8e17863454f65957b6c

SHA256
362820ddbdbc806e6bfd4925c7078a76d782a34db1160a96ee79a155db6f5518

SHA512
0b716b934dcb6ff72c65c9b6ed0fbcf0f885dd1566849a6a0b42d6b3a4cd00e0ce732ae7e7221e541f00f9ee081e067ca98c3f6553767961a17493613733deb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d22579e667cb30de4d990608b0f706c5

SHA1
0a358a4ee6e3686820504a55cf40c0356b72b1da

SHA256
f65f78e4cfb3e7a9c5219d77a1a06880a70019a6bfe489a09cc24d444a9d309f

SHA512
6cc02c62916c5d7f9b34d2365e14e49647e51575c718929162df67fcf6c60b4461f88e498e0f896131e79a140e5ea470ff1a27c80c1d355d2588fafd7e348d61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bf27573793dfe1d00375f25d881168cb

SHA1
89e549357caceec5c35931e50ec9f03debc1f120

SHA256
40a152623b3877fa7f50f22b4446249bd51aa368feb2422ccb72bc8bda34d879

SHA512
54d2ac2473a809047fd59ea90e02ef69afc75de4d277e77576496157405b60fb1ac1d3a061a262b95408497d512dfe0272eb84594ae899619a88a7e1a9343c2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
63c4d2b13f240547ef16c6e737c596f2

SHA1
ed4b0cddf051ec5aea7266d708d6765fb05d4387

SHA256
bdd2667f7c2c3de143f38340d28322343a39508a3b555607480bdf55f2ec958e

SHA512
1042fd1a771f1ad92afb1619932fb23557597d652e97c76151b844574b182bff0be5923573ede0a30afc3d907429018f78ddbce5fb1be26823d0561ea032dc24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2d2bb335e13c9d7ba5dab85cabcf7268

SHA1
ba4e51e17b6382063f120616ad855b9161428ad4

SHA256
632944b14b66baba4859c9f08cabcab74959b820aa019b5e1e2047b30e80e002

SHA512
3c267d5459c27221e02d255de90353ae953db85595738c277bacac97796d6fe2bccbbb446cd72fb8954948fcafe00491e26cfedc2778084fcba1ec6b37c8d52f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
78f170e6b33ce063579d91a7aa0f9d73

SHA1
809711e551d971ad1c249358130ba6d0e13083b8

SHA256
56f5615f83e533c05ab431d1b01bbf378264d3a72a4cbfe08c392cacc1973f01

SHA512
695f7fc9b9cdca647c72bf7da8c5ca3139d12ff45f6cc0215c293af6593682a4b27bba554b6053d813b3998080bd124eacb30aef3b1be83dc07c568be938b91a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f75741fa8070fd964916e812e080eb77

SHA1
ec0889c01c7deb1685041c9ee4e3f1b4522726ff

SHA256
bc41f8e0fdebcc6e9b3af247754c27c32db07c35a4861c98884369479678b75c

SHA512
9cf6971a7b1bfc13c09d0908a0d8202f18a66d842841f69af50dd6207d78fa79fef8a4478f4f9d81edde263917e649565052f3661c20ccdd486d5c34722df35f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e02de5d28a87ff55a9a6b4fe04981a6b

SHA1
35ecb573f5add7c10050f1b9c47aab73e6438ad4

SHA256
67418f0ff853d10d4d3602ec163908742b99c57da96b8363de997ee7c9be0603

SHA512
11aa81a78c6207a6dd42d57c968fb167756294d19c389f31d041fa069bbaa514d2e93a96ba35d7cdfe8e2c4f4569f8c3dbd29ea1b7ac8b86c8e48a5ab57242a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
163f3ab87896f6a2cb997a642081bf74

SHA1
178f8f9534438165b759f0cb3e74515b08fe5c73

SHA256
8f61691a960aac31948af74acfaeaa0d0cdf311bae4f2b5d7bb6554fb14e0b5f

SHA512
da31b47723af92e344502c94af8909a375644928d6b8f4f532f8c3b693c5c17b237df6606f8a1bc47067e565a85a6e7e201d48aad3cd10f6b6b247ec9f54035e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ffc874cde02f51175e97ee999fff12a4

SHA1
9bf6daccf91d05120e26a96a4986373842c172e0

SHA256
ba253dc436c6dfedfe288e59292c559d56458186ea767a1dacdac2c459beba80

SHA512
c8bb707763dd37939819dc2b6810362026c92c655a5ab8f11554ca2be0722454835711858086e4ddaa97d460a3c3c25d4517389723cc591c49abacdeddc3a224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d27da8ffd9d61a8a88860f7f7a599d23

SHA1
42fb29b36fd2fc83bed2a72225c700ad15c36d1d

SHA256
48c1fe9ca0ec034afc38dad2f7fd66bf2cdf18c08ff3f0fc6955e0556ca7c0f9

SHA512
8ff432eba13233f04cd42b0f58e386f1b0a14ba05c77cd7e39e5aba0bc9c5de412234fdcbe3801c0ac821f0df71cb3ea6eb3e3949d6db4707c9260335aea0222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6da7ed9138147bb1b8f22a5e6a5d9182

SHA1
03c258bec816348be90bec2a337989aed35719b7

SHA256
ed6f95d0707ca925a96826f59fec9df9bac11b588ddbb2d4a270956f605cf1c7

SHA512
c7e46a16e74443c9c469c424da022bd12f55b3896b7e4391382f09bb439d847705d62226a7d573da3ab5c5fb43fddbba78e66eeb74eee447240981da6d2f1d33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ce740de9-9afc-48db-9cae-de2060bfee30.tmp

Filesize
5KB

MD5
e2dbe2ec4b8cd6a3c769e393c64ac9d9

SHA1
32d1e7f76144c3e2d6a1efa184223a118cae81b2

SHA256
0847306ea37bb1c97c1d5f05c971af5d4885477f70af5c2d30467d1389ef8a38

SHA512
747fbac962d0dd46ff6254823793fd3413dc33a3ea05404bb3d439c0715d4c816faeaedc74b984469d03aa7470cb2fac0af87cf756cc3591681ef0814ad0d2fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
5afd698e573aedc264d208ec12ef53f7

SHA1
0977a32f7fb5cfed6b81c09004962ef8606eb6e5

SHA256
e7d2d30b2f879d2752e737039d51ed9220d52e439bbfbfa476e7cd08fb5fa19e

SHA512
e08b0f4dd2a3f089d6b62753a510e3e3221af2da8f81a2bad5983de8113ec13e20dd2fb4f527c6b0685038a34b1b1fa2cdfb49af5a63a05136d50013613da35d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
32c5757ac0b5b884a092201caf1d57d3

SHA1
fb8381d9efd8b5abdfda162cfb623463609e7882

SHA256
3f89f6d8867445c32cbf3961263f6ce5490c3e63687bd53de2e46531fa232de2

SHA512
f940b0688a46ff0fadf52f11f598dbd3147b3931f7a73e6787498d96729816c97625d38798fc2caa6733083c98327500fa5e4493010072c9de391dafd3d31d66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
5afd698e573aedc264d208ec12ef53f7

SHA1
0977a32f7fb5cfed6b81c09004962ef8606eb6e5

SHA256
e7d2d30b2f879d2752e737039d51ed9220d52e439bbfbfa476e7cd08fb5fa19e

SHA512
e08b0f4dd2a3f089d6b62753a510e3e3221af2da8f81a2bad5983de8113ec13e20dd2fb4f527c6b0685038a34b1b1fa2cdfb49af5a63a05136d50013613da35d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
21a69365a0122e0f95adfaad99c1c855

SHA1
a6811117da4fdf71da86e7ff8510f3229354e6b4

SHA256
e618286a967e42d35978d7fdb4842f6430cc5f02567baf8772e79e0c41042dc0

SHA512
ef0c5e30c898260f1fa256ae4ca881a8e06de4499371266962e1d6aba7484758c4d1938d1602417c8af841ac86b95e38af2660bba5251ba7895fb849026cb088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
90cdf4a42048749df22f228d581fec6b

SHA1
1735ef6e97e14421f13978b711ee230048d4d397

SHA256
3437df1a162419c7da9a1652113c0eecfa753473898ac5528e2a1b2f0b69e64c

SHA512
032f9040d957b6172e9de67b88cdb918ee80e66d97a8e1ee4f331187e4ad352a8cca9370a9fd31a144836998ae1104596e05c07066e6e09f3c49a517713304ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5caabe.TMP

Filesize
97KB

MD5
1463d9cfff1f19cc5221bfbfaa288bdd

SHA1
5f6334306dcef3956f800a9c5b105603e367d304

SHA256
e31f190336ec3b1695c06c8d9e5b0ee2dbf5e7f0b09256a00579e5e14bdcde21

SHA512
f24acd3b59453a819ec3072149e0afdbd111f4cec7a85e58a11da1fc4a1ac47e4d2a65f8f54c6dda7ecf662864b5875837305a97c422f29499cac83a19c15f2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\Downloads\Fantom.zip

Filesize
198KB

MD5
3500896b86e96031cf27527cb2bbce40

SHA1
77ad023a9ea211fa01413ecd3033773698168a9c

SHA256
7b8e6ac4d63a4d8515200807fbd3a2bd46ac77df64300e5f19508af0d54d2be6

SHA512
3aaeeb40471a639619a6022d8cfc308ee5898e7ce0646b36dd21c3946feb3476b51ed8dfdf92e836d77c8e8f7214129c3283ad05c3d868e1027cb8ce8aa01884

Download Submit
C:\Users\Admin\Downloads\Fantom.zip

Filesize
198KB

MD5
3500896b86e96031cf27527cb2bbce40

SHA1
77ad023a9ea211fa01413ecd3033773698168a9c

SHA256
7b8e6ac4d63a4d8515200807fbd3a2bd46ac77df64300e5f19508af0d54d2be6

SHA512
3aaeeb40471a639619a6022d8cfc308ee5898e7ce0646b36dd21c3946feb3476b51ed8dfdf92e836d77c8e8f7214129c3283ad05c3d868e1027cb8ce8aa01884

Download Submit
C:\Users\Admin\Downloads\ef0d37dd-e7e8-485b-b0fb-c8631bffdbcf.tmp

Filesize
11KB

MD5
357593a30fbf34ce95d7db2a5e71d90a

SHA1
153d3e93b95fecf22b9660660d376b0bde042140

SHA256
75f0265017e4c7d6df8a9087af92ca3e8f742a4b19ce5539e25f95316f925275

SHA512
8e96b7803d11b5a567361be18d24cff46c2e908202c067ac6f25b809589884abc327cecde7a46a0867a2b26888e9b2edce1466e20a5136272883bb60ac245cc1

Download Submit
memory/1764-190-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-175-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-172-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-213-0x000002BA860E0000-0x000002BA860E1000-memory.dmp

Filesize
4KB

Download
memory/1764-206-0x000002BA860E0000-0x000002BA860E1000-memory.dmp

Filesize
4KB

Download
memory/1764-198-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-202-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-200-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-201-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-199-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-197-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-196-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-194-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-195-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-193-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-192-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-191-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-173-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-189-0x000002BA860E0000-0x000002BA860E1000-memory.dmp

Filesize
4KB

Download
memory/1764-188-0x000002BA860D0000-0x000002BA860E0000-memory.dmp

Filesize
64KB

Download
memory/1764-179-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-181-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-186-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-187-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-174-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-176-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-177-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-178-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-180-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-183-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-182-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-184-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1764-185-0x000002BA860C0000-0x000002BA860D0000-memory.dmp

Filesize
64KB

Download
memory/1860-592-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/1860-734-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/1860-735-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/1860-732-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/1860-722-0x0000000005330000-0x000000000533A000-memory.dmp

Filesize
40KB

Download
memory/1860-721-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1860-720-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/1860-719-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/1860-718-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/1860-591-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/1860-733-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/1860-593-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/2060-308-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2552-170-0x0000028174880000-0x0000028174888000-memory.dmp

Filesize
32KB

Download
memory/2552-136-0x000002816EC40000-0x000002816EC50000-memory.dmp

Filesize
64KB

Download
memory/2552-152-0x000002816EE70000-0x000002816EE80000-memory.dmp

Filesize
64KB

Download
memory/2552-168-0x0000028173230000-0x0000028173238000-memory.dmp

Filesize
32KB

Download
memory/3396-792-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download
memory/3396-791-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

Filesize
64KB

Download
memory/3396-803-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download
memory/3396-1010-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download
memory/3396-1103-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download
memory/3508-823-0x000000001ADA0000-0x000000001ADB0000-memory.dmp

Filesize
64KB

Download
memory/3508-1227-0x000000001ADA0000-0x000000001ADB0000-memory.dmp

Filesize
64KB

Download
memory/3508-813-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/4172-306-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4288-133-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4288-135-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4288-134-0x0000000000450000-0x0000000000453000-memory.dmp

Filesize
12KB

Download