fantom | 7b8e6ac4d63a4d8515200807fbd3a2bd46ac77df64300e5f19508af0d54d2be6

Analysis

max time kernel
210s
max time network
64s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-06-2023 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fantom.exe
Size

261KB
MD5

7d80230df68ccba871815d68f016c282
SHA1

e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256

f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA512

64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
SSDEEP

3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score

10^/10

fantom evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>jFUShoAhUB5whJ0P4ZvymoPD12a57sJ+1dfBiyMWhckQP77e/2ZPhymUpUzfHCCPBNcrlt491qe88vtLecqTwT3V2pZp4jqEV4bT5SCJfToGqXesvifOJZ6Q+1kvBDRFoiIrfKmhHDkxapicP4fpUBmJInDzPHWhj2QZgyylbPdwaRypz3ntScHZB17veWgvOlaouYp75OdEQsw+yQbZhKDw+Y3FjmAbgD8zEzuG7KbgeCkMZyfXLWGXHse/njZkKWnQPju7LldoVrR1uvGLmjShGNhqJ45H1a62EutDY4n22LcJjUSRWXlgBmMGC5OFQeSkLA/OKWEVq1zzylqJDg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Renames multiple (2457) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConvertToSet.raw => C:\Users\Admin\Pictures\ConvertToSet.raw.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\GrantWait.png => C:\Users\Admin\Pictures\GrantWait.png.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\ImportComplete.raw => C:\Users\Admin\Pictures\ImportComplete.raw.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\UnregisterGrant.raw => C:\Users\Admin\Pictures\UnregisterGrant.raw.fantom	Fantom.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Executes dropped EXE 1 IoCs

pid	Process
1608	WindowsUpdate.exe

Loads dropped DLL 1 IoCs

pid	Process
2040	Fantom.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp	Fantom.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\picturePuzzle.js	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\clock.css	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\highDpiImageSwap.js	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Executive.thmx	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	Fantom.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif	Fantom.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_dot.png	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\picturePuzzle.html	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_SlateBlue.gif	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Document.gif	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm	Fantom.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\UnblockRegister.txt	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\utilityfunctions.js	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif	Fantom.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\OliveGreen.css	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak	Fantom.exe
File created	C:\Program Files\Internet Explorer\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\e7904d77bcee77868d534546ed2a61b6\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\0728af1479c3388cadf85ccfc2b12582\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\6.1.0.0_fr_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Design.resources\3.5.0.0_ja_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Services.resources\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Security.#\267f03b78a9514be8c1ebd278f03e3ff\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.Linq\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\XsdBuildTask\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Routing.resources\3.5.0.0_de_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.XML.resources\2.0.0.0_fr_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\2823d3be9334fea94dce8001b247589b\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b#\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.MediaCenter.iTV.Media\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Services.resources\3.5.0.0_it_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.resources\2.0.0.0_de_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\ehome\CreateDisc\sonic.xml	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.ServiceProce#\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\diagnostics\system\WindowsUpdate\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.Resources\1.0.0.0_it_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0\9.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\221fa10bd3cb407e43b7476af5039090\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcGlidHostObj\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.BusinessData\14.0.0.0__71e9bce111e9429c\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\diagnostics\system\Networking\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\ehome\mcetuningoverrides.xml	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006#\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.Interop\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\mscorlib.resources\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\SrpUxSnapIn\780e5b2898b2cd49f5823dffac3b5e93\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\afee8437a90f473862f2d364b3669041\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.dc83ace6#\542518fc2bf2725a9e6b77957456c26e\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml.84e525b7#\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Jscript.resources\8.0.0.0_es_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\system.servicemodel.install.resources\3.0.0.0_fr_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.Entity.#\8f1dcb9771b151969c5afdae76376d5c\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0\10.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Compba577418#\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Boot\EFI\tr-TR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\diagnostics\system\Power\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Workfffcbcd8#\8e020cc06c4052a50083fa7eb060e92c\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Boot\PCAT\zh-CN\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\6.1.0.0_de_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Tools.Intl\14.0.0.0__71e9bce111e9429c\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.SqlServerCe.Entity\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\8391072310ccd84eecefe797cfd4a4a5\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Services\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\system.management.resources\2.0.0.0_es_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.SyncServices\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2040	Fantom.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	Fantom.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1608	2040	Fantom.exe	28
PID 2040 wrote to memory of 1608	2040	Fantom.exe	28
PID 2040 wrote to memory of 1608	2040	Fantom.exe	28
PID 2040 wrote to memory of 1608	2040	Fantom.exe	28

C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
7513fbb7d7080956fd024d9e5a2be379

SHA1
0f5f11050393bd1e9639b8d850d9086a59d48131

SHA256
413cb6666b56e9ecee243723b7618cd7d6371b270043d0ee27bf42ed9ad8f54a

SHA512
057663b891bf122909cacf1c71cc1fc26ff89319d6ff2541a10519b2bacf9da6019c9d9405cd5ea5e203f2421764eb6707db16b1eca42727e0a5393f27bd3611

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
352B

MD5
5958f32db1e87212383e7deba198d479

SHA1
3ecde473c09d01b807933d9eae6343adc71f590d

SHA256
a2846c8a222a1ae2c5dc8ad3be8a6857e174e2dd28685319ab5566d3a7a70d23

SHA512
1f84db3a6192ca8e397777eefb40d18a7fd0a75bd81896fe785eee1c55f3c7fca0d5824a557a5da58b94a0c14f65c0bb08b22b6a5cac8b62f611ad4901c9438f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
224B

MD5
9c553f60a834db2df1a581aa87c3d0c6

SHA1
e3d60a41724d952d9af3be2729bf29402ea65edc

SHA256
e024ecab1d022f3e87747918ad052c6eaa2df92f268c4f486760d721872b7bf8

SHA512
94881294d6b3aeb0d6b2e01c8d6275cb78bb6951940dea8a1e4b90747d64abf95c8dd93a9bbe9de326ab8eece7c3cd7022b2b4ded0725bad006cc41b199960f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
197ef13bf755504fee920a57406633d1

SHA1
ee319c29e1262e292ca6e600920e0ae60c8a295e

SHA256
457f989f80dbb9ae94861ba59506a7fc67b02bf4b3b06c283944e60d2cbbe406

SHA512
9575c31f5a1cb0ec0a590b0f5ee78d3103c089d70bda15017f3498909a901bd1351c5b04b187778e3f835171f12fdc2d9fff93a35e3c6a4f47e7f6621b62ff90

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
7be3ddf4a99d0dcd2d42b7c73e720187

SHA1
436331a4e20dc506d25950065b8e7cee48041e58

SHA256
b5113b5e887bbd2dc333573dc0ca1831bcaf5b68a6eb788c6a93ff4910f81e9d

SHA512
44f6b6f0eb34e8d28930e01e07f8a6aa2c6d273a247c4a6b37d63a94cfcc6fb017a5e9f7f89a55252cbaf07caffa7784b42861c49bcff4696166d1ad28a5838e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
9648f1fe7fea3c2870f1898dff7be388

SHA1
71a5fd0ba54ac41043d371277577f674f3c1871a

SHA256
df913b9f1f248dd22f7962ac1de5590d06648f1d86248b009c9bd0e8b3fdd576

SHA512
720c28dfa9605a7f1995962311fa7e8390325e0ede4bd3fff63941e2265b250c1f3a7c2d0a4235d2dceff2cc103f656af5b4d41baa779863217d29780aea1fe3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
c40e33f08f7f712d548d0eaf9b6fbfec

SHA1
5626557b0d7d9a9fd38cbc72aa5f5a2a83ffc4e7

SHA256
d7e24f2de73e560f4b4d6b9db2a70660d9dccc94dac0d1f5d4f6c5bff880bf17

SHA512
37bdb35d86a724404cfdcc43a69f0b51d341e890a081956c8f661d5322a2d4c34b28fb67cfd20c8ae9f73ffde9d8cca5cde935e1ff0a866f2d28eadd5dd4cdf6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
112B

MD5
621dcec5afe8acaec26eaa60ed3ade43

SHA1
6e081023d44280bde20716cae7cb03c2bd0e0e83

SHA256
15c430d6e660be0cb2db4765259ff1c69b2f4945fe78f5577a62bca827896c9d

SHA512
f0369a55f57a6a79fd578d814c982ab6ca2911c01932b8be3aa39c64c3150253479b0539f53885a7a6669a74b0f8d03b8bf5ce8b077ad351bd2521723453b8d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
c536da03d4ff373e4fa9bf057153dbaa

SHA1
f6b552f5206cc2df23e81b5cea8962b5f1a43c25

SHA256
22896fdfb07d5e0dbca1576231ca5be47dbe78cccaa9a91c7b17fed7bcc25b40

SHA512
007603b64314731fded75288429634b170dd8ea374c8ddb5aea1e3b6dc8f96c4e88bcccf1447ac98977b433bfd613644d6f86503e827a1979556e61f2ea45817

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
456f4076e7c463125822416d8821f07c

SHA1
8654d7e03b2db5ed1aa48a30cfa933387ea91dd8

SHA256
e0a67588d35237f8a96efb71ff5c3172b77268f91d3e1315634c4f9162c04396

SHA512
43d9490787a450dcac61e2f605b45dd93c530bfb15aa788ddbd5da466da820c5377b64dfd8487be5fecfbfa2e151c7e5dd3a4f08215d71d1dba10949af4bfb0c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
ff49a79c97f0091c6735d8ba92ccd01d

SHA1
0e42c609351bb50ee6b196cfc8cf1fad641c1e49

SHA256
00d5ce5a26dd512a322da77e4babe260d4c8dd98ca4e13432fa9b6aa93751d72

SHA512
ee48d15bbd9041c18a80cd0d50d83e5a94722b618bbf1fcd6c67af81c663fd1dccf4925b768737162c8d5f513211d5101201556b4b5a4ed481314fa143ebbed0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
c9df173f83df85d98a593f04e4a2f4b0

SHA1
add5134b5658a83132fccc175e7321365db80e0a

SHA256
e63300c598ddf9d4add72d0082795f8b8dc550dae03303f7339b1c262c627b8f

SHA512
6e7a2e44fc6fdb6869f4e16e10388be05e6039cfcb9cec849b3501e61610796513c7e061039c65e3e0349d8e4baed010fa128014014b4cffd75f7c77f838ccc5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
a08737f55d654f37d07b912402464e33

SHA1
9dd9b8b3715f6e5638d6861c874669b73ac79cae

SHA256
84d5509a6db446c7ec13d73253bd82fa92c4e4365550b4d4305c31ffd819aa2b

SHA512
2d60d0c690098f878785a5ab500b37365c43b6f6222f4a3064eb72b7186a4dce05eeaf26f87110dad45997c3f11bb7882a3cf1eb9d5c55468e6690388898496b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
ecac6a5f5abefe72bf8e37afb87595b3

SHA1
f10628770994698e48402a710bcdb12b42999bd4

SHA256
c9c17dd4878f6631b8b169de3b3fa7655cf21472e8daa8e7098b2382cbc873ef

SHA512
2df4e764b40f51fcc6bd9c6af80e7706cf3c60b9c95acb52764a46cd056d85cb55a5bbcbdddd99f8b7a0128fdecc9aff61dd77513b0d1a0256d35182362c800c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
8628961f04617936013ce19252a8e047

SHA1
c225793be61efb16cb1ea3636995e4a3081eec5f

SHA256
2a2117bebd3a7f1b9bb364fd8730356952468528a1edacdf1797cb3175641389

SHA512
1d6dfdc0c29fc99cd72d843d4d0da02fedfc8ff7a0dfbe7d5124892904b9877498d36fb880aa7cf94aaef7567c38478b39c9d7e73821b605b91577ee7fd95f73

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
3ddb7932a3c8809348eb0766454cea9f

SHA1
218f9dc968d9d63c118baab2ccbf82807d5a656d

SHA256
2f5323b12ab7fb3962574c0f145e3e3c7a29a09d0e4705fadf2b31a8653a136d

SHA512
1952ffbbaaf8d641d9b9f6f123a10656b6d98d9de19aaf59dd9863f73f31420c7f41abee2b71ba97a95a9e118fb1905d97d1e7a5a2322ba32d2319f322ff919c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
fc8bd3c71054974a065242a2ec175e69

SHA1
ac65700afdb89189b762cc356db2e3bbe6edfe2d

SHA256
c59af72dfde1197385543adb32bede958409338d482eb9531a3addcba2dc1a5a

SHA512
fc0880bf9f01bed8078a7924863d2c27696c7d6031d6324a511fa6075d923c084f6bc16138294e4ad5f2c645fa079d0cfc03de6a5c295d7e351c9f4b853341fc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
336B

MD5
d4590daea9a9b0cec65c87051af61e8e

SHA1
0274c5f8bcd9f85dec9e55b5cd9c25f914098c14

SHA256
4744fdcaa131b5edd5e172ee5e45dd3dfa047d68781614c92d2ed287b1dcba5f

SHA512
1208f8d302e724e282b85c5565fb148727a914554e134a6e56cf6b2d8e9372e5915cea06adf109c4bf5fb7ac3d685e3e3b8a36ebc73fe3d0424ffcba455b2d1a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
240B

MD5
0539742178965ea4e8f3186d729b718e

SHA1
face76fb6d3d38ba29112861f9eec9a3ed8c5a76

SHA256
854ef4b21d801c4b011e06ca86e8111edb349087ef1a9e0da8c97e21b236ad07

SHA512
9be036abc2de4f92e561ae600599215b378d760c82e72dc14d2fdd7a310f44c482d7123fe3bdb6dd1dc7bc7a6118eef0e0569d89fd52ae9aba70ce44e23e7dc9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
1be58c9efc594464118516318dc7fa2d

SHA1
5055a0b80643934ed5dc9a6c6bdda64ca9ef7a19

SHA256
f53f22c5b0874cf59f764215eeae331f3961776e01a0312c9bb69532d97933ae

SHA512
5c2f3a4d25858af5ee2e3c86dc2203392161fea44746105bc35ee01cef65e0b30b0dc81e3e5dc53c107dfcaa3fe0561369940ab303e90e2f7509ee68223085bb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
816B

MD5
e919b55d790ef3158d69922574e85ea6

SHA1
ce5488f1ae5571e31b47417fb3602053b9ce38de

SHA256
5e2c3645df39805bf5d0bb7d780d6849920eeb14be1cc20f095ed2c0800be25e

SHA512
f5cd0078c77d89efd42a6d700c32c1a78c652bab65daea6f266d1fe14858493557b6cb9efbd019693186ad7a71846bf87d054237b55a0ba4fa03631a9a6df1d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
796d0f6f9fd015fddded14aabb86a206

SHA1
2349e0bb0ba71b28652abad2c0a5d897551ec53c

SHA256
fcc6b20f9f84b11f8c293bda4f337f96b4919c324b2d3531efc9cd5473257c59

SHA512
fddb7348fcfafecfe3e732a38c669996120084a720676e0b3cef7b32ecc0309a408d990f009167e9b5160583dd3065305d860ca603af64aedeebc9f1af2b3e3b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
06ea87f411b11c3c76d943aacb674528

SHA1
b8861dc75fef8dc2218b99567d44696afa7b35f0

SHA256
e560c53d9fe2d077b1816f5aef88071a94cf94d4227b4d6f17344f804ccf3dbb

SHA512
f10bdbecdde271875aa1c91bb8b2a6c71b7aad53469ce1913fa7a3195b8320364901c467c2e927b566a3920af296175f76954350fa9713f868a6459dc0bcf309

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
a198a43713278cdd0435f40688251877

SHA1
070f6a76fe84a83eaa01a0f9e515b2afbeedbdcc

SHA256
76720f88421b4a8f2987b7f3a1e455ec52d3ebcca5c61c6058ed440a063eeeb6

SHA512
76b46cdb0ca0195cfea906a16a270dfaea1e4da7d7b2684f2a4b19f4ec7db56e636c1d76d18a8f8b9aea3963954492cca11fd4bd4b57a72ecf58b1b11ed9a9c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
896B

MD5
e3cc2b1fae154b2f085ed9828cc21d21

SHA1
eae2cf999580f0b100f8bfbdf64aade82ed10114

SHA256
c9afaab135950db1ce22155943214b3ecb7302be3f0c983e0e53d55e5478c4b5

SHA512
8ce01368cbd8b974720f7368c695bfcf4b48af825fca2487baf2d0d8e7411d050a2d163d538088d62a05bf6dddbfd890db6a78a5f6e2161f8415a19b88f63dc6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
864B

MD5
a57fde597519ef55de61d66365b2ba8e

SHA1
1b80fb46074d040f671c65c772a93b9cbba922bb

SHA256
0d0fa9f5567e842cceebc245c290fd1a9b117a56e88a068c28cd76455948010b

SHA512
d1f8ea522f856fe30320b23c8d724322c43e4a98f78a432b1e3a13d2de3bc921b91bea58c8c9f9583b08e5d91390cc626222239d8cb17f252949a00c7b5182b1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif.fantom

Filesize
864B

MD5
e7c23f468d9a2415422af375c24ac420

SHA1
7404a7e10e121c3e4eca96f11ef6595f99c4c1eb

SHA256
4bec28a98619e4c396c5715ac7cd9f22949bd67e83ff4918bc7239afd0afe45e

SHA512
93b051a9e1c5c7f76a563717dfecbd636d60d4fa043ceef02bd46c3981578d668956e0e4d64ffc362f5fd476733c58b08393e93c53b131a56641b53ce42ee428

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
277b1d945a5c13b1190972480965484f

SHA1
6dec3fd87af2f34caa2539ab086852b3edc7edd6

SHA256
958698e548dc8110ff89579dd2504c9bf199cb49c9a9a9e31de56cb58268d34d

SHA512
cbf31804c83adf3fcaed422f20e963ecb69f90397ae24f01d1a856c099ed5119a8f44424c2a27ceb8337affb90d5f2dd6827c3e157d2d5cb4c528884165abd6d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
a4c61fd9e964ab9c567927e4b07da7bd

SHA1
effbf07ae73134915e786deee6938842902ff18d

SHA256
f0e41f530f2a61a9668fb3275b3c79dc7c2651649a9f9c96bdba99845adaa41e

SHA512
a365f4ccb629ac4d423554b74011dc5c8270790318028743aefe47dd678a3b45efb66da5ee7cac37733ce6c9520c97f9954d25df41e429c77b406366e38bce89

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
864B

MD5
ebbae2038bc072af127fbcadc3a0b36a

SHA1
f89de4fab9f71b968214cd15e088d3ac16b0ed54

SHA256
9cc905d02295b1740f76208cb50a164c15bbac0beac4c9397b85dcfb2a28c354

SHA512
226c1f235ad5b26bfd90d186df406c475e257871fb70a932eee8fc0c0352e946d8b31d5a4cb1669999af5d0d6e35079dcb6593239477e1b87b0deb78cb370111

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
848B

MD5
9d4c41a8baa45d0a526247c2f17d5dee

SHA1
a4c7ff25eea95d0d6dd0589cc6dc0dd78949dfc2

SHA256
54fd0c891b00270f0aca4be9d0f85efb8ab59fb2e019b8c1183f5707996de1eb

SHA512
8cf629f6e6df216dbe5c9640a6e42a7cd745fb37f8fbe6d4ff34a2a160a686c954bffffc88f0310d6aba1fe5d2b5ef466db32967ebb1c7a9d00446afe64e6045

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
880B

MD5
bf637aa923766367faea5089928542de

SHA1
d1990417401b2edcb151083d539f2fae45ab4b57

SHA256
b46039ab1d0aa0f5dc33117cd546e0aa5da8871f600241989c6d1de1716b6602

SHA512
e891d62a4b9ed31330a71ce6535fc2312c7211e2a36bf4b34dcaa4df91f729a611fc5ec3f49cdb6470ac6f1f50fa10770ec3c37db3d545ad2d862a61b22d37ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
848B

MD5
04c4d5ee76a70f472f4622d8144a9221

SHA1
4b53913d812d7ad4cc1b5ba7aa39df1da89a1036

SHA256
ec3eef46470039bb39a95a77f878f99921342f252a5b7d44805ffecbc0e96309

SHA512
08584d36af9cf19cf0373b1960201c186eb113ee1046e0f43827d48bb649dc6f6866c0dae57ff213ce800f15e6be99f7e90d63b0e16318630cf222a4b150ff8d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
864B

MD5
ddf0a8221f50d9b57f79750cda974544

SHA1
48973a11969865410c49f085bec44c305bd016bc

SHA256
283217e8886d0694f1b3a938bacfc6e77c15b7c837811cf877db2dd2b236e769

SHA512
a104b5229f9a8ae292327bd46077793fa863131819fb92f57221d3422e55f8f53755f78a76d61969e542936c8fc61dcafad3f67cbeed164cdac3fa02744f25d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
864B

MD5
64b6e6fcbd7ebf32163393a2750e12ea

SHA1
f29696097283b9d488d8b1ba28d3a6aeb7551be7

SHA256
2ee3b56958ed4fb01d79d786363c3dcd4dd4b18e2317c780e5dbe24cfec96b6e

SHA512
70935b2bf7620553f1d16d12c4106aa8c22d3fb39a08b12e60c7dc344534088b7ae6a713a055122d2249adf56680053701eaf23f289b73cae2707a487fc89c70

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
864B

MD5
3187ebe85447676df710ea637a1e2d9b

SHA1
5f2f433279be6ad85009d229023be714fa4f5f18

SHA256
8e77f293b2f7ecab47bdc1e69d0c8842f616ca1d602dc73e33e7682c8e1fd2cb

SHA512
df96935d1b39d611435633b6169cee3bd2824ce4777f0cf244dea36f3cfbb5a9a8d0e89bbdceecbea3fd620728fbf1026713591787435321537772a4fb9e4120

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
896B

MD5
58ded2fb73205e05e613dd46f4197b4e

SHA1
17073b800455c6c5320d3353156d45b264e35108

SHA256
0e484bfb185707f4391af1dee7fa5e3fb6bf73784530a8635f8de37ebea28b3e

SHA512
490b8c7eebb58e7c7e9a5d2b942dae00338ddd1c5dc4743844f6a2e6425ca0d4fcca96a6c8fc070a211af58243b7c5414de6e036a0c6246977b3367288b258b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
29b98e006f5df1c6d3f7f2746079dc39

SHA1
9e467cb7054c6f6196c3f32db63c5332b44d2dd6

SHA256
f518b2b1785770d3bcf08e56b9ecbb69b440efcbbf8925c9b0fb4cba51f66df7

SHA512
1bcf9dab82833e2af9ce96d9e9b56c1e21a66da0fa6a7c202b2d4154945e65f9df71d18da165130dd5c12f3be6d0d0754eb90144eaf27ee42f310ec3e1a2f849

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
efa32cafaa210b68d09705f3e4357fe1

SHA1
0ef1b5a08ba27f51f258b9e6b22a8cca1d2f95d1

SHA256
b040b088ccbd3ba621107de7e30bfb722b9bc4e5a0f78af128b431a2a705a7ac

SHA512
53ec41b7aa31509ea364a7c181b9fd55210c9368567ba0ae6da1bebe031460181ab1567d904d0705009e8a92a1d57d70d4fc64fc1e5ddabbb8031b521a3d6136

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
9e2e48ee0324939bfa1c7e6c55fc2372

SHA1
7660ba8d43b373d5704644d349978f32e8e0fdac

SHA256
a3e73338bc9622a42cffb05b60add9c4e6fe90ea5d4b74895681629407d1778e

SHA512
8dbc9dba6106c16e3991e3a3a507f4b9722626817fc2f33f26bc5b07a998af3c68e19f83d7ac76bb8e5020ea24ad97bdaea448611f17db976f1ac78c79809e41

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
66090dae6b92f304945c52241595c48a

SHA1
c3b70f43452a6f8cd4a2652a4c096ec27ffe031f

SHA256
5bff11964d1fc19c1b043f4a2cedbee125635e9106ba573e6ea33c38e16e01da

SHA512
e60396bc916ee250d38e96832123c51a1dd346291314d1e5908f129c36a7e7c3796775a58243c0ad8ae31b9c48b704829d6de32ca6a69c614d517f5fd10fe71a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
f3b2af0170e81ec1bee34ee228de20bc

SHA1
629dac1ef8314115ae9b59953f0432a44a178a38

SHA256
8eb16fb7125e70fe6ab83ad9d429dac77533ef7fdec3f4b5ec7d2b733f508f0f

SHA512
d153d0b7a81344c39cc1957ed5e76d7f74df5c342d36eed3f6242d74bb5b4c004fa673adb59e6c0bd1bc4dc18724c22943cc5883eb3ad7885f3eb66a93ac2f6d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
415d9d6e13f1d8dd0454027271b80a55

SHA1
c3414f818939eea7d9add56cc902203c9821bee8

SHA256
9045787de245fc23ddd6d902a7dedff8039a4c1558b3aed056d1f90351177629

SHA512
2c7bbcd91fea858e6bda98cfbc040b8f975e01f81e1bbda03f5c283cfdcedcfa502211d9208843223c7377dac26c80cb6d6820e4ec48b0b442feb58f46868123

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.fantom

Filesize
172KB

MD5
b34433b3cbb7b8dbaee66c381374bde8

SHA1
1095a51098b51b585ee0137799bc8c67b23de848

SHA256
dee22819be927298ff5d37eb0f5b29ff1263e541fbdea19b8e6fef1d0fd1a7fa

SHA512
388fe7189da3b68094efa7e8b31c8d0bbe5380dc32e42438d4e4f311faa5ec9f1155eb78b74e4119dfaebe1f7c52e470da71ed972408f26680ff8b520c9b6528

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
16B

MD5
e50c2ecd7289849f4cfb84402323162f

SHA1
1da38c9e613309b44f76e3d4665ea8367a4cf09d

SHA256
3bda48534f4dec22a5b11bac7b315036ede835decb81959e9801168263fb078e

SHA512
bbcf5a2da1d5a930f93bff8b420f3d1bce5bba835158ec995772948250a8882307fbbbddeef8fc02cb67628dc93b081d1eb96996bb736ea024f0c15186300938

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230220_225644811.html

Filesize
1.1MB

MD5
017075f727ab1d1bde9859b2432d52fc

SHA1
65e2d5829ccb9fa7d040f94cc7c494a7eb8ce556

SHA256
f9f74a8e35b3fc20b43bc83168ee49dc2e730f581cfd5819f8b60d89636cc120

SHA512
1559eb1396bd49d3eba6388f21179b480d91726a20cd24ec59c35f805999f711746f51517075c8762c46a9e0d792f8a04837ab45845f214565fce866b149d5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
memory/1608-193-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/1608-191-0x00000000011A0000-0x00000000011AC000-memory.dmp

Filesize
48KB

Download
memory/1608-635-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/1608-194-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/2040-111-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-61-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-121-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-184-0x0000000001FE0000-0x0000000001FEE000-memory.dmp

Filesize
56KB

Download
memory/2040-183-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/2040-182-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2040-56-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-119-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-65-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-69-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-75-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-77-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-115-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-85-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-89-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-101-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-103-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-107-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/2040-108-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/2040-634-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/2040-81-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-192-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/2040-54-0x0000000001F10000-0x0000000001F42000-memory.dmp

Filesize
200KB

Download
memory/2040-117-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-113-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-109-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-105-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-93-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-97-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-99-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-95-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-91-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-87-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-83-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-79-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-73-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-71-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-67-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-63-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-59-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-57-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/2040-55-0x0000000001F40000-0x0000000001F72000-memory.dmp

Filesize
200KB

Download