fantom | hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
390s
max time network
386s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2023 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

fantom evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>iERT+YKRa3zOq9BPxdo0/oJw7ehtNHd5ZO77JoYQidRbcJdFx0HZFVCAVnlk+2dRsrKaHfj2wQltoEB58/Rs4wz/1yuDYVWWsf/jRk9XjBtUqVrjapf3XP0x0YjnBWtQYXG2fMy9VqtLP3e4pBlIrnIsGjDUtISVamBZS3aCWmRbud23F93+q+TdI/HfPNk/3nP7ztIbm24SyWCrxM8WGPhWaP9QV4QMgJ5sE/zFE4tpo1a9hQmc6G5mL1xUnG6JFIf18LzuaNMQ4uA1OLLuI3I3HlktIGW5YQn0Hwo/srYRh9Zk7mbWl6tyVf1ppvVVpD8G+aF4peyGOnudBCh/+g==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
4120	WindowsUpdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\SmallTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-125_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-72_altform-lightunplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-200_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-200_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-24_altform-unplated_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-400.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\hand.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-100_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-96_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\ellipsis_16x16x32.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-100_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\6px.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-60_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-high.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48_altform-lightunplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-400.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-16_altform-unplated_contrast-white.png	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-400.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-400.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\PackageLogo.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg3.jpg	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-16_altform-unplated.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsStoreLogo.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-60_altform-lightunplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineStrings.js	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-200.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_CN.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_start_a_coversation_v1.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\256x256.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-200.png	Fantom.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133256191683182385"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1880	chrome.exe
1880	chrome.exe
3764	chrome.exe
3764	chrome.exe
3328	Fantom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1880	chrome.exe
1880	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2468	1880	chrome.exe	82
PID 1880 wrote to memory of 2468	1880	chrome.exe	82
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4480	1880	chrome.exe	83
PID 1880 wrote to memory of 4836	1880	chrome.exe	84
PID 1880 wrote to memory of 4836	1880	chrome.exe	84
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85
PID 1880 wrote to memory of 4736	1880	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92b699758,0x7ff92b699768,0x7ff92b699778
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1736,i,5104646957102732515,2069489814631718419,131072 /prefetch:2
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1736,i,5104646957102732515,2069489814631718419,131072 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1736,i,5104646957102732515,2069489814631718419,131072 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3148 --field-trial-handle=1736,i,5104646957102732515,2069489814631718419,131072 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1736,i,5104646957102732515,2069489814631718419,131072 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1736,i,5104646957102732515,2069489814631718419,131072 /prefetch:8
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1736,i,5104646957102732515,2069489814631718419,131072 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1736,i,5104646957102732515,2069489814631718419,131072 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=952 --field-trial-handle=1736,i,5104646957102732515,2069489814631718419,131072 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1736,i,5104646957102732515,2069489814631718419,131072 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2792 --field-trial-handle=1736,i,5104646957102732515,2069489814631718419,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 --field-trial-handle=1736,i,5104646957102732515,2069489814631718419,131072 /prefetch:8
  2⤵
  PID:1972

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\Temp1_Fantom.zip\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Fantom.zip\Fantom.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3328
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:4120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak

Filesize
16B

MD5
af5f97f55a12e452a45008b4bd8556ff

SHA1
255858810e817f1b2a16165cd370d526d2ae1c41

SHA256
cf2393cdc04eaaf889cbe632f687230cc03045e8916436114cd779ff9c886337

SHA512
2a6e047613c106ff85ef5319a43b72c687bdc505904956051bce2cf3a6b79536c0a9a01106002d278bc770a3d23aa49353f3c2b2cc3ef680f6ae4d4d5e9a3f6a

Download Submit
C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
ddb76c98bfe23682bbee2c3d60e19f9f

SHA1
1f72eddad9489a944a022fa87965cf0d0c6a8fa1

SHA256
fcbf1ec2ec098597aaae9740e3618e934c82ce1bcc914e7d584ec7d110f2e268

SHA512
c67a28ed25210e5db086daf5634916a4c54073856af504a6ac1bbcebfb580834fd5e8921b772312996561db85905a05d1c5c1b8626bd09319b6299f833afbc07

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
da2d77a1490b75a0bc1a6878c23db10c

SHA1
a6e23dcd80b41103d1d80e6f717fc947c408d7d9

SHA256
a2617006d32d9eba127a7c7105eb2c76795c6c2ae3eb44079e87bdff2a2d9c29

SHA512
5fa1224110b11d7f8f6c78e61b588526a9f67b6cd542bfa8b105776e39f76e4973a7415cd9d670ccc29b97c49b80e44b4f85671072287e39d74762b287c24931

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
e4f145073230346e9a3a9686d68b0d29

SHA1
65b7b722532fafb845b5c586659571b1ea7c4ccf

SHA256
3704113c3b6cb55a1cc780160fd4d18207312dd4ca8377230919cef1e3eb93a6

SHA512
8f52db56213d2e8b6d656747f4ad33df0cd5f3912b0fa298b082a5ce2d78cfd6cd42a85a639c6736828523a0ff1451fcc98e4cf06b240f529147bc947345f34f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
4405acd8dcd73218fc0eb3861af24de9

SHA1
0f17c872247d0d1f8a3ccda18ee860c127cdee4a

SHA256
796c0bed8a928f0c52c34ac9c94a43f9d2e605e7c31b09b3e3adc603b65dd3bc

SHA512
20d33709a7e49c8c8ed5c40f703b29f83e8bc167a6b0df0808a3b6f1d26d1d77ea16ad967ed3a1fe1fce718d9d934bef7203cb37c2c052225d5d39dba9319c0e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
855ee0f2ca25bc6d103ed2e3bf40f987

SHA1
8b5ad406880ee2b20bc1ccb305341630543468b9

SHA256
dee38e2154cf9d7a2b8080250220d4d8601c04806be45edb618a0f4eb15d3a64

SHA512
f85a93a02be6c93bd9ebbcf4772c9fe4555f809f3e01a032dc62cbe14e6ebf0dde1fb991b01cf60ed81b52094026f65112e519fb4cecd02f3523746fc6af99ca

Download Submit
C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
107KB

MD5
334b2d778c30a3b99cf8b516ee9ca7e8

SHA1
65653704b736706214614cf31f33f645a391dd0a

SHA256
efa0c02deaa3dfc5cf3669c6ed2f912941e6bed5b27ebff9a34d6f890999485d

SHA512
d8cbc6ba79cfb10efbc2e64e6bec3fe7c425cf42bf0daf41b82fdcc128d8725393cb29925c240b027feaec35127013bc0e97076e84ffa8b7778dc2f5588d26c5

Download Submit
C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
98afb802b93a1d41413b637368ac26d0

SHA1
47e306c56cd660b1d5835ede06bc00e9df753753

SHA256
f6fe25de1c38be1edbeaea3071be5c2d1a13422e39e876ae6bcf77fb903057f3

SHA512
0020b075a6da9b472b338d07c8c59c1792d1150ead3012962d31fd8446618c5b4debc16d0fd05a5a25d35450509858bceb26fd98281b807f2e8eeeb5edcfde49

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
48B

MD5
8607f4b4306c083394e0b740e19a9db6

SHA1
2f6a6bdab670eaa8f40c5139e0d8262c315ac704

SHA256
12ff6c0a25f38317984bf989330cef4c38e28b412c51bf6af9fc128568234747

SHA512
d5bf12a7e475b22b5cb44b9c8f44be6a4ff73d253e7447c51721cfd4a6354667e7c512423d01d31ce8469d67dfc3e932de3a37906de352c17eec0d0b6efc52db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d42c318b61b06d10336d4a6f7322efa8

SHA1
ecf078bfb3eab2e2d0044b9995d799c34786f572

SHA256
484ce00168d5be1b86548b3f16e6bb270e59d068f0ff0a1e3410f23b56d562ce

SHA512
193e3ac2deda86b0ab5cc4b5acfb5566535feafb1023cd1d37b55421e32fdf0ed8b919ee0a8e36598b64fa58199bed2cefe0d4ce2ed061c9d5aaeb40a9ac3678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0a658f84ff1f03208c2f47830d32b5c5

SHA1
b9683af29c6634f8b1c443737a1817c976c67e2d

SHA256
49da61f2ac8bad9b0ed6b14e2895bb407800148f88ec7ba99e359030ea862034

SHA512
cb88ff8d2bc308c839d1f3395058a6ab652273c8eda4a1c3e335e4e43ffc1edbbffc89094a02054bab804739950f7cc4bff5026ff23551196c7bb298e6a6dabb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5db5ad0466d49a041c26260f7e591cb7

SHA1
cf8db41cc171237cda3add4a650c13a07ffcf51f

SHA256
4680a6ffb1c45ff0f473eda68b7b4d6847f16ea4b9a383e5e105e81e1a0d7150

SHA512
994e19301fe672e1ccfaa330857b4b988f13f32b0fa7ef853cf3951ea1e8e166421460f2ded9def981f77fba717fa43168bfd7ebc995c2347ba92731358ca46d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\14117ef1-4aca-458e-9172-b0788438e015.tmp

Filesize
1KB

MD5
27aa604dd97c1f7a10cea9bf2e37fd92

SHA1
7406f8793869a1221bb834ea50146726e19bfbbf

SHA256
dc530f62305ffe8c93e7ad5399dab7c72455c9171904b4223bec849f706dbcbc

SHA512
96dcd648e6e255cac347622d9a4a4a02495d6e8185916c958ca590030bc4011c919b9e714a15b7c0ca356e3e4b1dd2464a5dda029de5f7537079167402260d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e91b90c483bf115b3a93bad7528dfc67

SHA1
e40ed8813007ffccd273e5f408229ce2564e0530

SHA256
831ba18f207e7eb72ff7e5e8411b028b8578ccc78ee2dcf2be20b39c7ffa2afc

SHA512
d332b2952ac432d90677b0145e12cca9a51f8c3a008854954174854e10a3d1da379d5f9d207cd8a0c8464827ecc72bc4d290b7d645d18cb0930b48cebd3004f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
10d8f86bef2b31193edf3ab80429175a

SHA1
e5a9ade4bc8649d583d8dfca507891ef2889308d

SHA256
65709ebf9cb7a5fd68f1d37e258a323aa4ab4dcc5411700e91f9dee8b2da41e8

SHA512
a69d66a47a69199a7b92bee1473d78a6804472d988dbe1168efde7760fe1d4ea76f0ab56a8618a8e706e08da2207cd2be6eacd080416229e7b08dda8b666f345

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b116709141e30c38167021e818778a95

SHA1
1317c22cb11dd130aae634f8997c3271fb731851

SHA256
0244481008ebd2de714580be657f27a895e4230ed035a582dc15f8b0ea16ce9b

SHA512
85baee459cbc4ade79197860031974469897d47e6165c3da4cc875ab01f28a99afba43c8ba21e60bd42f62959d984c2a9ac548abbb9d9ea109c8c286dce836ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0de07a5ade826c039bbe0eabf6d37e58

SHA1
1e75ce8c1444aab6cb9c670eae8c9516781fd05c

SHA256
662625afad821316a8a0de7a5cb54d877499ade3c7fa348835d91a090197d2c8

SHA512
78124cbd031e6327288c3572ab051f4eaa53d6f1554f24cbf1a0187059bcc9d799b04d8c7bef2d9d6028a2ff075e8b464b6a362a96c245c1b8a20145fb0f8bca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
50c506707498f9fe971600d66b50cd86

SHA1
50b40ec84b7e82d78c2f33854247ec37ab1d7e56

SHA256
30e5ebf6246393b755e30c41b297dd3eff193fb38b41438ae676e1d197c41dee

SHA512
b0b02d6673f605b4c592a2e1b62abfbcf66b056ff6700732efc1d12c4d7596e757bc1085242d9e044c3bc5b2eb47cb2268f4bf3362924f68acf7fbf5eba5c7b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1a06cb7560d4e8bcee2251631d0bebbf

SHA1
a569955a959ed779c0816b16422f704e5f377a7c

SHA256
3a6191540f56f655cfb1c056323d79ea765035fe15983d2245158c3d2553a3ec

SHA512
da457332a7f1af315d026c9517e70884007a750c06b68d677c8ba05bec634c9ca2cbce6e0a93add2d56efa8787c9141d00b4cf978c4b3a8fcd52896c4f327a00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a3d2bc9aeda02a20bd910426fcdba7a7

SHA1
8a3616cc7e961ed0d5d2cbf3421afc4e3752a435

SHA256
1dd2455b99f46b4b3396ffea1f4dcdd175a0c3debd9729c9f7040efeb4d72b57

SHA512
329d6d35c572ee1c72f53b7c6e7925c4a9f4453e445834fe3d82e24d237c2076863ea4d476d69a12b46478e4803dcccc168104a7f9c929bd5d8ce36fba3c124b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
917526ae45df81fda24139dc40901b93

SHA1
56de2dc504ceac6e841a9a8cc350b69df9184973

SHA256
d1b1fe410e1aaaea29ac43b775d70e4914a65829517f47cbce64880c2db0ea74

SHA512
542c2723685977986ebcf9ee9b4f8f975fa42e590c4a1c47939df2074d02a06bae53d34ecbfb11573e7401269eb303ec80143173b20a8e2ebe04f95d6684db1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f29088ff1f78619bf21368d8aea6c741

SHA1
30c86793043e282a8bdcec4744e279d0aa79df2f

SHA256
b3ea3ea17117c81a29bee73ae4280991ec55f5968f076a66c4e0f77deef9c56c

SHA512
6fc23012e7e907deb5033ecf78aac36eb7540b2ee25777aec133bea4ab59ac6b3f38b40953a7adc7a0a4cd08bce9e200f83985ceec1cf7e1081309840e395bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7f024eb2d21fb59f1bcad7145b911845

SHA1
ea1236bdd69ca2474332e74eda2eb17b3bdb887c

SHA256
0a875149c97c29dc47cae9f2ce88e62c01dc716f2e2988581b1c20029380e8fd

SHA512
a6924ad68c1d3abe461d1f276aa6e7ce868cc3682f14cf2b57e7fb045c49750ce935d4f1c8591b62fa52cc57235e4ea7e7a1e965ad0f73154bf50ba51d1cd63f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ff4a4b0f534c1a5a571071866e607dee

SHA1
3b18eb37ad7aa578efe3efa7d6ec66785ab6d662

SHA256
226894013b6dd1788dfde97528cc42df8913981ee22ca3bccf272f3a7dc1bdf7

SHA512
2c107d78c398f5df7614178a6c09987373a5a3b3567d2b8ddda3cc5fb49cd8733bc3a8f6fd93634a36720a4289cfdfbbc9ba778adb08181dd6a3ea4efd7e1328

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dbdb4521898c068ba6a722e49ffc78c3

SHA1
79880a3fcdd4273df8cfe5a2f6c0ca57a809937c

SHA256
a6376eb4ce15896956703140f8d4a33528def7dc72c1983413f5cc3155c47623

SHA512
5915fc7b200b5fd1f340d1ee2ea05d9510ff10bdac2209d64f8a62a4907fa1c3f6a56a70613837798172f866db39afbc87fb62d726b76b82a559bcd7b308d8b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ed3f32a36bb4cec35b55fb77d0983f85

SHA1
103d7400c9f8321503410b836c94f1bd37f68c3d

SHA256
f60643a1e94cd1dba693e575b46272250e833953d0c50d91fc65a26f1c8fd098

SHA512
529916658e2e68d8e6165e9a04041791d70e4becd7ed4564a1fec044de86cebd6b54776a5c6f07e6af7d8641cc9209a5f1cd02b845693c76292a862645b5aa3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
47b87f9cd17f6006d5e12e660070b85a

SHA1
90ec4bfcdf9b4de0e46dfef58568704f0b831610

SHA256
0675eed93864dd8d8587df1f622ff2395f93bd9d7b60edb3f67abea7c2dd566c

SHA512
29651033b86d668ba5a0cfdf10dcaa17d95d33d03bb56a366d94cc698ae77bede069ff0488f644fe1210413cdcfd053b0c8d6a528d585ea4641dcf2d76594913

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
cb1853025338fd782c2730bd6eb20d37

SHA1
1363f91a774cb8848d1ebdb5fbb6bb5b5a53895c

SHA256
a6376d9079fd23068a37f7a9beaf87724aeacf9cb43432dcb0d80ea10a149c81

SHA512
fa80028a77a43990906b616c0335dd7a3f85bc9cf806e5e5eacbcb40f44f9adc70da7d8c89d70c95290dbb39997b4d88da30edc9e81af32baf3d78fa0db1f15e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
879d4eb1e3e1a08fda9e7289c7d73b49

SHA1
2a4c9d6b6e681e739a21e1df132c8b02453ca577

SHA256
5a679e98d7f9e198fedc109b32ad1e42d6456a3825c8f909b1c5dd87d23572af

SHA512
57a8f42aa28df7af9ae1f50a879b10c6339b251bd3310f5f134bce0ca9c7e141b749259a616630e09c97bf991144efcca01384453afdfd9afea9a7dffa3095bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
d371b2e993ffd25fb6839a3a3312cfc3

SHA1
485db8dd3f2d92b509e52ca79d5416cc3a4a4f94

SHA256
30c44cde1cbf04f6a5e4b90d3652d2921a51d6f47e2b96408986f9e95fab250e

SHA512
bf7aadf5eb66af9650ff435acfac54289e8f78154c5a1a26cf158a73bc3e50547889fa828929c116ab7245d6ee45434e9f21c1b3b227c8c978a84b925bb76d79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe577d0f.TMP

Filesize
97KB

MD5
acb5e5be56ced7f60528265e269ee7ed

SHA1
8228d2addb2f48fc6b1a6b30c6e3c3a88abd2e84

SHA256
b07bf4dd0da351e07e3c4b5b1f954889400702453520aa9c551c262bcc00feea

SHA512
a9696f55944f968f36c4f779544f385226534511f26e1a78ebf89eed5db555ff23df2467f813b2be749e2f34d2d9751ca790700111615b65e77ee2eba62da9e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\Downloads\Fantom.zip.crdownload

Filesize
198KB

MD5
3500896b86e96031cf27527cb2bbce40

SHA1
77ad023a9ea211fa01413ecd3033773698168a9c

SHA256
7b8e6ac4d63a4d8515200807fbd3a2bd46ac77df64300e5f19508af0d54d2be6

SHA512
3aaeeb40471a639619a6022d8cfc308ee5898e7ce0646b36dd21c3946feb3476b51ed8dfdf92e836d77c8e8f7214129c3283ad05c3d868e1027cb8ce8aa01884

Download Submit
memory/3328-329-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-359-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-367-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-369-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-371-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-373-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-375-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-377-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-379-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-381-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-383-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-385-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-387-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-389-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-450-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/3328-451-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/3328-452-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/3328-453-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3328-454-0x0000000005320000-0x000000000532A000-memory.dmp

Filesize
40KB

Download
memory/3328-455-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/3328-456-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/3328-363-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-361-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-365-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-357-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-355-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-353-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-351-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-349-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-324-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/3328-325-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/3328-347-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-339-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-326-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-341-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-345-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-343-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-337-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-335-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-333-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-331-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/3328-327-0x0000000002640000-0x000000000266B000-memory.dmp

Filesize
172KB

Download
memory/4120-937-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

Filesize
64KB

Download
memory/4120-539-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

Filesize
64KB

Download
memory/4120-528-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download