fantom | hxxp://roblox[.]com

Analysis

max time kernel
451s
max time network
437s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2023 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://roblox.com

Score

10^/10

fantom evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>LNYaQ52CvcC7LwEUfG+ds/nb3VqUWkDjDhgKHCdjJlrLULeHxps29qA1rTUrcPhB1aasriBqRatF3+wOT41pb4Na51TTKajUrM1rkeM7SEIhhkOmZZpoWiTAB5jAogK1OsJtBq2N5MfFRvq38cuK8tEQcCJsszVSMrDvKDHotMLs8ePqq+9meveV7o6oCZAl1QaL7TGA6z+de6LcwelwNLkbwyfwf3gV4z0RX+gUoHdZiiPKzlnJRBpAyjJip4NZ8Va8J9UhUPv/2UwUN2DWMs871HZ5emPzxzC+bxjfEGAw/X+mzwcAjJY12UiRqj/JJpqSlpuXyxnYHn9XwanEdg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
3864	WindowsUpdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pl.pak	Fantom.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496937509.profile.gz	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\System\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\artifacts.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml	Fantom.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	Fantom.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png	Fantom.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html	Fantom.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\mc.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\sa-jdi.jar	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\localedata.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar	Fantom.exe
File created	C:\Program Files\Internet Explorer\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.war	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\jvm.cfg	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	Fantom.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.roblox.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.roblox.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026178"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\roblox.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "54"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\roblox.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "759840004"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe3000000000200000000001066000000010000200000004c71a67ee4e3070db056c57ddeb5cec40bc6639e8c76d5d643139a8f66352b8f000000000e8000000002000020000000a27992dd519172630a69156e3c0102d91d7e14d99617775cfc52b908e060dd05200000003ff188da13f6b881ba7719b915d689e34042f84560e90640c5e110b2df066fac40000000921e2a83b1865cc0a5bd55f03cafb93979ec7f95417fb32f7e6947f2affd54ef6e4ee08692c2ceeee9e9ae3cd5ed829726fe70f5460829ba8768cb58c84a478a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.roblox.com\ = "54"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026178"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "780308105"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.roblox.com\ = "110"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "56"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31026178"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387933403"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\roblox.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.roblox.com\ = "56"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 800a8632026cd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5850CC11-D7F5-11ED-9EF6-E2BD7878EA51} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.roblox.com\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "759840004"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe300000000020000000000106600000001000020000000f02459222e8821e9fd3a3f3a95756622205fd07ad3ae57e9d01ad6d12f2af0c6000000000e8000000002000020000000f6f861e595139211cf4887efdb6248a80a76b717810c33a425bb961ee309089a20000000116ca64ed80e2f2c8a296504e0e970ac065503392c14b4077c553d3832696b8a400000008a5bb6fd78de9e72b193d4d152ab245cef6239d1b5a00c802ad0efc77664ca8826ac9b1e64873e31b05d9850192b847b47cbe42f0883ade86aab3bde5d49387a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\roblox.com\Total = "56"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\roblox.com\Total = "54"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f77232026cd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DOMStorage\roblox.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\roblox.com\Total = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "110"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\roblox.com\Total = "110"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133256421909594263"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4448	chrome.exe
4448	chrome.exe
4776	chrome.exe
4776	chrome.exe
948	Fantom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3520	iexplore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3520	iexplore.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3520	iexplore.exe
3520	iexplore.exe
4928	IEXPLORE.EXE
4928	IEXPLORE.EXE
4928	IEXPLORE.EXE
4928	IEXPLORE.EXE
4928	IEXPLORE.EXE
4928	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 4928	3520	iexplore.exe	85
PID 3520 wrote to memory of 4928	3520	iexplore.exe	85
PID 3520 wrote to memory of 4928	3520	iexplore.exe	85
PID 4448 wrote to memory of 2308	4448	chrome.exe	98
PID 4448 wrote to memory of 2308	4448	chrome.exe	98
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 5016	4448	chrome.exe	101
PID 4448 wrote to memory of 3536	4448	chrome.exe	102
PID 4448 wrote to memory of 3536	4448	chrome.exe	102
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103
PID 4448 wrote to memory of 1448	4448	chrome.exe	103

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://roblox.com
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3520 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa79079758,0x7ffa79079768,0x7ffa79079778
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:2
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3244 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3384 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4584 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:8
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5208 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2848 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 --field-trial-handle=1840,i,17234487097263661061,3839308973374893318,131072 /prefetch:8
  2⤵
  PID:1128

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1956

C:\Users\Admin\Downloads\Fantom\Fantom.exe
"C:\Users\Admin\Downloads\Fantom\Fantom.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:948
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:3864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
c4c8a65009c0f4c7cddd0d7aca9b25d4

SHA1
e73aacbcd423c360f62cc04f3cc426b0d4357a31

SHA256
8444a434bfdc0d8fd932aef981187d459028cba6e346ad596cffcad225c10e43

SHA512
9e1795d2a166c25f5f4fc48b846ab93849de506ecc36b9ea85eba958134cab90dae7570f5226b7ce32b1051e12bef107096be32f02799e6b209ea8ee8769a6fa

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
1c83adff132f9592b15d9b8bf33db660

SHA1
74c2db6c2464ff0a39ef47c41896c4a88f79b3fb

SHA256
75c6b9a11f060b6d6b504eb3b89ef43e5b38ff6f3a3963bc622336edd20fb4e5

SHA512
55d7c785bac738b5fc97adbe20c62cd694676d3b3f5ab4bea53ea6d24985915a6becd5db6cb320dd6166c236798b3d25b78004b0eee6a382b2702c252150101a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
d1c67899b9980ce6ed453da3d4f6524b

SHA1
8c1f84f2fd67a8c8f350952c0f18a23973214b9c

SHA256
edea5d350171ba21003916ab333dda70302df8c93cd255dba7cbc8787e3aec01

SHA512
ca1fa72fe8c1b7dab4982ac53d51c886f08880c77f80f20ab699badfe609f8f705f00373404f2a7597926624f0a9eef4df5503ed611fb80b10d7d4deb2a63b48

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
34f26551219fe63388defcaf9b5b65f7

SHA1
15cf1f54e6712cf446e21913fb1e33569d27a138

SHA256
9adb5c6e2872c063c34090d949927c2d2dd0566ad782dd2a66c554c73cebc8f1

SHA512
c27dcbc21b65a1882d3049b88e3e7bec42d65a72c89e5014b4e98590343e9b1e97d4f2ebcec5ae52a15d90a9178a53cec5bb673bc92a69001756e4b30b03c6b1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
837067f0d192fd18da26031e455668c2

SHA1
37e46e7e803886d23a8b3d744054d5684e8de81f

SHA256
8e439a802120f503698b96776051cde3e3c3a89d688e9e858986ccb9d14926be

SHA512
ffc0c8a61e3fdba43c2d85dbed8fe8f43259f87258c2fce9e558b1777e88ca12941a4212b2f11a04fc39979d291f0d55ea40939a88b14fdae9fa781f588d23b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
039163eea0986bf8a9ac6d02542345a5

SHA1
9d3ffcca8ebb6513124633a8c9520f7c751e7026

SHA256
c2e84c3cd90569f88de1241a752fdbd31200ec4f4568bea18d4d61670001680d

SHA512
9dc570e8a30419d9825bf28e8f8f5f602c085a17e86c54bbc95aca0d236b0e7ae50dba7256cc637c77d6d181fef9ddf5bafa2383918d4e26948e668bacb562c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9d7d180f2de0b32edd9f9ba978b4eb0d

SHA1
9bf1008285df462813b1e16c7f8076cd51845ea9

SHA256
a15a3c7ba09d8274c9ac4af92269a12079065383d57b0db0fae614a2936ef64b

SHA512
77b7b8f810d51f1923a41838cfe1fde471b03bd65e571e422f9c8ed8eb00191e536a61d4f82f42c27c03df87d4e497abedef00156e24bedbc57f9f465e0bdf68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
acbc9c53c66f6227d3e13587ce3d34c2

SHA1
6f64bc5d48f60fa7e26c64a42b31dd0dab5fc8ae

SHA256
47e4e5a5b3ff282a5ff5796b6a6149b53d79ad444cd71b74536d5bd56c077fdd

SHA512
1d07e95a5b98d15dfe261ab985d18c386023d3d40c9a8cb995f2d657ffb67e4ec5b22a99575b3232d4758170db4efeb7fe950d9db11c5237daddb138f0fb5093

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
e5ea93492df247349d51865580a8ce21

SHA1
02e7de7f173c3beac12a08c0a53006a2286b9345

SHA256
19de9e27083b68d34d9261c5a886fd9bd42eb3d0bc6072ec92918b1d0f70dc7f

SHA512
37956e141df39b42c53c296d83f82fbad0af276575ac969da1a3bd0ef12a28a2d34f7549ce696fd9a6de16234abffa657fc2a7e2be62b436d86e9b36efb171b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
68bdbbb198363d788faa18d2ec2ad045

SHA1
1b9ca9991d0ac9823c9c5e7b32b50de72782f588

SHA256
b7d9d48006d22f0207ae9de2c4a527052ca755dbd001f483023830bfad25341f

SHA512
29bba679b3c5dff8de40b7645d8c29c7a5c63f61729c618bdda4e01a6ec68978d0cbab709b76e6b37039cd1f7fe3d62bdf291f9cb84621038f0c12499f55c14b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
ba21300cd01ac82d0902a7914db592cb

SHA1
81a4f391f12bbae4c09cdf72f431c8338d1435c0

SHA256
4c36fc7d46bad6590c96c8353ad556807431ab31e8636cff1f9a97bb0e9f412a

SHA512
714469abe835464f92d8d66c38537051884be36cf31a88ac0cec706ba1be078716246c0af3a2bb86f891abaa4529c25d08de5dfd62e32cd565e22f9af8664bfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
31d02a12421bbf9a79a08c84d6675ad4

SHA1
d763eabe7a3d388fea3640f670f4914560548b0e

SHA256
0450a3258a130e329bd41362ccf66882a17b66f8210e50b1f697d0daa00ecada

SHA512
0173d3943620cf758f950d8801152549a58a9afa4a819994881182be0a61a57141bad7b679fd8638116aeba02b66efcf515fc00336a46580fee43fa726a9465c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
41KB

MD5
7ce2d0575146333174e57502c6638074

SHA1
65e1fc6f5c7f4f81994e4ac2a8cf34ddfb8cb689

SHA256
85348cb8bfdde444192b30cfbbede5f699e287035d98dd192cf909468a76d821

SHA512
5d345ae53014ef95edf42e5c8024a154f96bd5c8917fac131d0eef803d7701e3a8650c826de60afde5d8a665fa780fd441c1f3d74f9763a004a3a967487c6b67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
39KB

MD5
a6610b935518f832204086e138b7d954

SHA1
01926d4bf2b84a82c4a0b648800b60aa4b55b1bc

SHA256
5fb7581d10007dfedc76901c503d878a9cb3489018f21edf392d66d19025012b

SHA512
263db8c54e5ca07840b5a00ce9a113f6233fcb17e3fa111b76d5245b7659414e1824d6ceba2b8bffbaea5f544a12ba5fff992f992181f7f53c49758d3e034dff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
31KB

MD5
b1de6a1b0e55bf48e8423ef4f232f506

SHA1
ae7dbb2e80dd5d0da0feaa10ce0457facc6ba598

SHA256
f403191c2289f94c90cb23fac47e731f9fe050629d772988736f7b8c84e50b24

SHA512
8268b68a1bcfa27bbdfb86de5d6df2ac45d6cf46e33282f73bedcaa80852e9125ebe1432dcc8c83826191002ceeaa49b9b1c7447dd8931b971d80a67e86eef1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
27KB

MD5
be669d8cab649d89ea0f7f8d07157e58

SHA1
caeae1b1c97ea9ee709630bd791e8058072b2e47

SHA256
f65d1928cf157ac4aafc5ba993e85f999f6bcf0897424e49a95126f8589cfc9c

SHA512
10d496f85403db20fd40e76ee092768df65d503285654b7e975555a1d4858a058e177cc8f3de197238f0a75e53cf116efedc276a129dcf2e4620365b656e3127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
a444ca61280ae2caf1c35b6350041dcb

SHA1
5d43d8d9a0cbb0fc7d6b273476ba29565c888c70

SHA256
7ab2508e2b147cad251ab86fbceaffbb347110b0fb46e5bd43436d433d0379ec

SHA512
80142b7092e4d3ada2cf26a05ceb42ac85324e959ccd12b13e4743f14c6251930240564b160c1f4b980ab209dfd7727dda6f9d0a149b16c9d080982d5eb9ecbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cd3d38fba9d3cc18859eaa6438cb89e7

SHA1
83a8ce1749e2ee04972967c944b8415d1a07b261

SHA256
d852e7059fb06f62c919bebad2815a85c6294426dd297ecad3acc60108201601

SHA512
45b163cd03f40893da245cd62ae78de277e3ec396a11aeee0ea894a26ef4d7021617154d4f2427495692b32d7dce98fa855e8432abae4651bf075759b9aa97b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f676f170ec3e14aaecfb8da30802cea5

SHA1
0bdbb71c6588e6d2a37fc1722a881e753e0700f8

SHA256
ec8f7c407b0c908d899aaf189c77bdf05c458dff5c9ba956c3ea82154bafc4fe

SHA512
3abee656df7dde44e2ee78cfea4df72c6c7a9f5fd352f12c89b775c6844094423a112f2997f9d183daaa1b8d18a6c2c2c3851ecb902a91e914197ee52f7d6462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8651962b86935a8ea88345343c187fc6

SHA1
8ed0798213dfdbc8c0e866e669f9f6a8c2833c4f

SHA256
91d7305444a220621e07642c266368b3c43fa3d2c2f83f1a830cb47c45600518

SHA512
bcd49bf32d8fc9369125cbf9ceec06f79b54e145193a3b37bd46604bf28b2d85d852df8b126da635ff52490ac619a5f7547267da65b1d35ac1709daebb22f435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
926c303d65dcbedef63168cd43ab08bf

SHA1
2f177d55f300f8398de8600c410ae4f389f3205e

SHA256
5cfa3cb486a1aa65e94996656e74d42b3333d8863fe9b660793b265ab4e5fd5a

SHA512
94a6e506c8d80bc43e8c9c56e454e876cb9e01290a4be9e7335f422ea6e4a9d1091b4e5d1989aa6aa9e8f07d629d18c707ae03db3eca09c9c1e110195604cfea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1dbd69d7f18eb758700168142a2b8b82

SHA1
276acc6af7b27ddf10b7e32cd172c46a9314fd78

SHA256
3c75c51b89aa9c4b4a94df6d659bd1f81d283d42104c96ccf26b4cf9a986bd7f

SHA512
19e49f51f64514d3e48ae17a966d587bf6912240ece10352f66ab92a70e208000745ce69e47f2b8bc92743356776eb238e7fccb9b1918a578e279fb7ac88021f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8442e1122131746b90afa009fa93f48b

SHA1
a900400d642af4b1737f87927a2143e4b7b35b81

SHA256
6a43cb15fa7f4a628909bc22c3522e35d65745bafee87e1158339a0dbb6b810a

SHA512
7393ee57cbb91b1204ee997038d60413a7343c88a2996e2f2611da9e84de8c5e24d948e39333595c744ecf99d0a5bef72de6f872266ff350d996fc7e9e950b22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
81bb6efd99cdce5c48676db0ffacd087

SHA1
ea7141fe1bd3f4d441665d12e918d5fd75ade33f

SHA256
cf39049a920a91c08efef677426ae773a0f40ff75b979ef4b64a083ff655817b

SHA512
9e94b7971ad42c33b810ddc4a4eeaadd925f32f2be1fe516fed2f6c8aeede2ff4dfc1276c4b8373b0dfeacf010cbc4945746266f1dd9aefb6b6b03aaa63e0688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7aece03766be994554450a02ed3cc462

SHA1
f195f6e7783dfae7492461f56c5fbf2c56dc9ba1

SHA256
92646941d658a14a8baac7f55df8ffab30a0bf86995f35d05008179a92f4d792

SHA512
3471010cd9525ddd1a189bb2abf65dc5de215e1f4a4ac89fd3eabfb83a8f596e4faa514d4f7a92df51a12179c952cad9ef1cd653b3e59180aed6e4589f21f1ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
c89367db4e44018d955b2645e860fccd

SHA1
11ee839625ee8afe5149b5a7610f333976f63d67

SHA256
89d4d13e1eed1276902cb58e16c714bffbdbc45e40167f9e8dee3d6b7fceab12

SHA512
79a8687b8f3c5180311e8bad5903b0faddd840541ca745a5d22cf4002591dac611ecfd01cca30ee103834020877f6f13269f5abbed420f3f7f8cb0e54769ee47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
81672d8e180d32c4655249ce9a5d4864

SHA1
8855c86eba696ed95444a237b142ab57cab3a737

SHA256
d06669a2963b9e628c73bcd4f086c5c5960eacc7f30c092dc569ec5dfd6c7f96

SHA512
203267c2771c9cfddc77b929d2d2ac5ca199a6ad7f7ba16c8806b2cc04e3c72997968eec46977a955d82e1748bb2a1ca75bc8246fe9fb74aaeddefead6f08a4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2c35b32cb33690e400bf78e7df973eec

SHA1
c08bfd30288a710a0a3dc5b4551122cacf8f3308

SHA256
cf1348eb8b1e3bf25571cc1d4f2bef728f4e918eb611f870ae277997784e3f09

SHA512
c9d7600d9f4c147793d74f169acbdbf54b8011063636d29a144fb103ba639a22c45c07f20d1dce7cd38408619c187cdd4a46dc2a0c4a69d4876ed03ea242cd18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
61ef6755f1b0b5dfef7c79e93710de86

SHA1
ec0b7569823a3280c5bacbc813b7da1814a67812

SHA256
6928a0a4b38e626f2e24d2df43edef47d094aa9dd7ec80e28bcf1d5476c952f6

SHA512
163d3be47b63b5ef7e8e39c643ff0a05cdafd22bfd83a4aa2fe0f210aa4e185ae872eeeab664dd9ee90d1ab1dadf49ddd88e749570e7c336cc47c12ff453f6f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7dee390f03560acb6c747a7824798052

SHA1
31a593cbbcb9cb3786b46732df8ad9b27aadbc91

SHA256
08ab759abb984dffddcd4c78235efef77c3f51a40627be388fc08f0b6093841e

SHA512
0a1965b1de5e581a7235a5680ba8120723f661e21b64561f9a68b2bf4096298c88d179ee2a60e8d5dcff1561dd438721c06bd710c38651fdae82f64f1197a4af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
71ca05a0e762bc374459ee5851f7b25c

SHA1
e6d93a71cc1e1d92e8fe4ac0d676b40269321ab0

SHA256
45e81397d5adc0f91832e4f8054b8d06e02146ab519d1dc5a7508a3368f5922d

SHA512
27a033b6d605d02a5561080ed0789aecfd48ca6fe603d388921a93d5636964294b5e712cc5a8c2484b5861506c8b79d7902a5fe770d6d5780b4b88dd32fd959a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c2b705d27be1a6420d1ecdcc3b7bd985

SHA1
db3f00fc294e6744213f50ed5375612fae8c46ac

SHA256
f92ae21f6814736bdd569665bf834ea7c2ed85a5b61e69e6d6a2f7e169636e4e

SHA512
c41a393bd5397ce797445e075394e5187a33c310645cd1fde74ea194f3448b2a566ced905f3db422e8f6b959ff83657a2b75c7feaae8293d3cbd401f41bbe534

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6113ae5fdb2a0967ab1b1984e1f34215

SHA1
3c996e070fe024503f35ff5a9886f401b141608a

SHA256
bda632fb89e2fe2575fffb6247e53c38da468f1f0a95d4ca6c80d2e72da43961

SHA512
cafbf50a28f24a332d5ce78c2f6e9a7bbfe124d361e0607d71cb33cdd9be188c7645fa499aef47bb6066d696dae289912f5bb71fd56cedac4a003eaa17f7f633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f47244c59ae59aaba7fb4098ec5c76d0

SHA1
3b9e74653dbda1ce6030e46be1837db5874ed7e1

SHA256
cbbea1f717b5a206ffc4639831244648ce9cbad9593f9141efe76a17c39d5baf

SHA512
fdd19d52c85c2dea6a563f8c99ed5dd2c7e966ed37ff0b3018eef4e63691f0a65a8c39eb15867fb2c5b573b53d2d6f3ac87e607b178b0e8b10c3cfd410aa93e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fc85a93636626c37b8c3ce4a03c76c34

SHA1
69d226a2db5fd9025b748fd193729990a3a1e9e9

SHA256
d6704eb7ba596b7c6b15562e12cc18c663a4a61bfa8d9961f2d2c4a725d3d113

SHA512
76278e77f3970789a9d2e4ee0e1ae96927b9a67308b702eae02bf04cfe4555f2851b2169c866f1989ac22d89d2c4a4cf817e996a4c6395efa25c636512da9eae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d2df788b2c290a92c05367b2e53863f1

SHA1
707230bbb954ead6cd5ffe4f3ade3368e4dbe831

SHA256
cd7de02a9c5ef7905518c14016555103840df379bff3d794c6e0feb78e31c3fd

SHA512
a5c470c6bfba3ed3354563373d529f2729d94131960a225c0a866bdd9738556e956b9ffb76b73747d730aa13f080ee552fd1cbd5193ce7c08e324b8c25f3953d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0a071e778f3a68fb2330432d2bca1a77

SHA1
db9b5c88ec4e78a14c8525a18db04e0f19369a8d

SHA256
0bc9148f0d406514bdade0036693c0161bc548bf3b095dcd12a51ec2729b2c83

SHA512
cf774dcb051341ce89b529c658ab5aa7532940e8e21819940789be0e27a3ac626b24cac9b9890b3a69082ea500bebf243972780d4ed8573e8ccfc0c46f6ff126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ef7ecc0bf9f161a51044856d8feacd40

SHA1
c40e1b7d51d3014a74d2b6b3f84151dfe62a92aa

SHA256
7b064974db99573f92bcbe56c37bd8b226c1336ab7aea1182fb77710cd7d8b34

SHA512
1e7cc2165552f6ff6f822bcb15191a6886cabf2d13cb81213ae61e40179e8632bee92f34a82ecefdae9b09a8293a17c2a60185b29a101d97f1876847f2d7e5d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d43860e646a2e3ba4a8c4140002b3cb1

SHA1
d1d645132428da4e7f22fba0e5de9413d6f6e109

SHA256
374faca799bcecde4101e458b8d56d545c3cca49c7021f9affeb98d794b5a345

SHA512
b43f31b0a862d14d56a0373ab76ceeb678d0985b33c75d13453877a3b575bd2903db3e7c91526ac89df6e18e845431314fb303485d467da341b2a15464d44ee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
770bc9a7f6087f8503b82e540018a2ff

SHA1
674e30c2bbeb8dc2820aa650bee259665110ce7f

SHA256
18941c73e9b8a116d7dd620d64223b3d064a09dd3961a6357f0b6728786b2b9c

SHA512
68d43d6660baf989645d82a3ad0981be256beed18236675fa11476bf22ac96c8202f44df53140dc6428650ea84b0d0028d980c48a4e105e96d2c4fd5b56cee60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b7411b78b0a9869c79e211df25e9ffc7

SHA1
e663fe5762c55658580037953997f5ce45c18699

SHA256
40146665b715e3181e09456ffa1510a17fc76716cc82f01a39200e9636c3b021

SHA512
c311b7d89925656665776e85a5a12b7acd7ca6738d1e96972353e0cd9c2c428ed35fa34861083fa2740b0074e023faecda402eda11346430f60db4f27d93316a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3d090774f7b630560893201750db9eb1

SHA1
137906dd623ce19068813d3d0c8da4901ca72885

SHA256
787a35597d9320132a48200fb5d8f1b6ae4ae7d0a12da6d2954f8cc9e822fc62

SHA512
6e767a19312692f063e782858ba1b2475a8e7e97fe3097c5f2fbba98b4c4c7c8f8985422f1fae10bf39662b8b3e3903bac9bcfa777a4741e85e14efb272ac45b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d26370c2-33e8-4415-85dc-fcc15b5f6419.tmp

Filesize
6KB

MD5
14f1fd78e603f27b5ee21ea66172fb7a

SHA1
375add2ea2d1887d25abcfb30f81138a4e5eca38

SHA256
f125ad95e8fba7e0833d871d856bb65267a770f45e3cedcde30ae6f24e9acf3e

SHA512
d5fa8d07858a7c4e5c690bebf755d7cc9afe08ccf483dc76e673f6388414086dfff708a8904eb380f33ad992d14ed0b224f6e50a45ce8a8fd88aa1cf8d4c1b6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
549070463bfe3d7b5041d4f6a5cd1256

SHA1
e4e9841a156cd9b736e53779ff9f7cabacfbadd1

SHA256
12e81cb7581a57f506f20ea0b1ec23537f57b1780a22bbd98ee99a3ed325f64a

SHA512
60b327df8bfc017ab0f89d72eb17fb5061f84595743b5a3401fe72f0366d0bcf28552743ce739104dfdf69551727a6223b69f80742070835ca74b990db5b2695

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
88c3a545c733ebee59fadff965dcfb39

SHA1
f2fb88ab00688a1aa1c7a29e5233fddf07d4fa18

SHA256
20e7266d042de79f57e750657d3f55acd641bd0a301a8d37f6d273a3bb877134

SHA512
5444886c69dec93886b31dbc9ed41a7479193ae41a4d6ecb23d8d2477a46a0bed5e89b5489b9c926e7218c77b6c41a826a19eaddec58609ac3f9c722302f0cd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5bccf1.TMP

Filesize
97KB

MD5
8d671afe9dd3379ac35d7957007443c1

SHA1
45e9daf3b66dfa294cf328bb6a99f62fc77c67c5

SHA256
91465e6ca2d3917f19954f345e14fd40df5965c8656a360081d14fbe33cb2d4b

SHA512
bd9d1fddea51ab043a993b2c391c1ba7b94cee6384ad256e3be6d56c8af028f4241c384de8467b8d4a23507c7fd5296fd16cbb8ee1cef53da7991b6d59ad6d96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\IQW6HI00\www.roblox[1].xml

Filesize
207B

MD5
9fe16a66209c1775259d6834225a3b00

SHA1
f7da8728fce2808b8fa97d534b9613634c63380f

SHA256
736bbda4d1f70c25f67ac9f3de5fec7ae79070d49836bd07f986fdda08529f51

SHA512
1afb9cbd190376268bebf1c796d35a88eb6402f9cd76abdbb5fc7e76c5260a6091b44f9d46e7bd0a23883fd10304a8c41ec455aa5a09bda44b7605c822d6bb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\feo4h2u\imagestore.dat

Filesize
4KB

MD5
a08fa724cd2de03987658a24b5adfd8b

SHA1
9ea626e97ebec3972a050dfe218bb78dbb5a0f3d

SHA256
e36809bdac395ca20b36a57dffdb1ef9cef015012df0ef9708e594384211e249

SHA512
5c390d67ab870dea5adf6654d54f017c3e2931abd3773fdd7d7d29b2859f9c08769b9cff0fe9ef9149d7f14060f59a14954ca09c88c3898e6cf0576d5016e03e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6K3GJRJ1\7bba321f4d8328683d6e59487ce514eb[1].ico

Filesize
4KB

MD5
7bba321f4d8328683d6e59487ce514eb

SHA1
ae0edd3d76e39c564740b30e4fe605b4cd50ad48

SHA256
68984ffee2a03c1cdb6296fd383d64cc2c75e13471221a4bcb4d93fcfa8dab54

SHA512
ed6a932f8818d5340e2e2c09dcc61693e9f9032c7201e05a0ce21c6c521b4ac7dd9204affbbfffd3bcebbebe88337fbd32091eaa1e35469b861834f2523c800d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6K3GJRJ1\e[3].png

Filesize
68B

MD5
2a637d3d825673c0e3462fa4ed9a1c5c

SHA1
81668d396da22832d75a986407ff10035e0d5899

SHA256
69539b5b3777cffda28a66d7f2aa9b17c91ee1ec8fd50c00c442af91753a60f7

SHA512
dc7c40381b3d22919e32c1b700ccb77b1b0aea2690642d01c1ac802561e135c01d5a4d2a0ea18efc0ec3362e8c549814a10a23563f1f56bd62aee0ced7e2bd99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF22F3C6B64E1A0FFA.TMP

Filesize
16KB

MD5
db4885eb2200cebd22d948814eb8b179

SHA1
074fc8ff019d75bfae67aed3b782cf47d058e71e

SHA256
98407e456fb6e590032b914c4d10e8abb73b0b93acf7c5376c367e3bd4a6caae

SHA512
356109fdbe7a07efdaa06596ce249fab8b4a18518d76ef08d24c3d5b7b2af213d3cbaa95da6c71c0761242ce9ec91f43ec0086c964f3ac58d0d06a22f7ddd572

Download Submit
C:\Users\Admin\Downloads\Fantom.zip.crdownload

Filesize
198KB

MD5
3500896b86e96031cf27527cb2bbce40

SHA1
77ad023a9ea211fa01413ecd3033773698168a9c

SHA256
7b8e6ac4d63a4d8515200807fbd3a2bd46ac77df64300e5f19508af0d54d2be6

SHA512
3aaeeb40471a639619a6022d8cfc308ee5898e7ce0646b36dd21c3946feb3476b51ed8dfdf92e836d77c8e8f7214129c3283ad05c3d868e1027cb8ce8aa01884

Download Submit
memory/948-1109-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1166-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1127-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1129-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1131-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1133-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1135-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1136-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/948-1138-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/948-1140-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/948-1139-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1142-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1144-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1146-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1148-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1150-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1152-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1154-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1156-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1158-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1160-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1162-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1164-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1125-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1168-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1229-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download
memory/948-1230-0x0000000004A00000-0x0000000004A92000-memory.dmp

Filesize
584KB

Download
memory/948-1231-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/948-1232-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/948-1233-0x0000000005200000-0x000000000520A000-memory.dmp

Filesize
40KB

Download
memory/948-1234-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/948-1235-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/948-1236-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/948-1237-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/948-1123-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1121-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1119-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1117-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1115-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1113-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1102-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1103-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1111-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1105-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/948-1107-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/3864-1662-0x000000001B920000-0x000000001B930000-memory.dmp

Filesize
64KB

Download
memory/3864-1335-0x000000001B920000-0x000000001B930000-memory.dmp

Filesize
64KB

Download
memory/3864-1276-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download