fantom | hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
153s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

fantom discovery evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>JJ8O9EmfTIyKg5x3k2zO/boCZNm+CrFk0BhWVPQR1GRegGs5Lg3FIorQAT5v0UY/oKr2pNDSUTBEaVT6ut2ySrYFLWX09A6YOeVXmFsj20UcladwqJ02ELHupBNayAM31i9naDjlwKI+ancjheNRYt76t1yAtTWydFvBjC/NR4TsV/s0fFfFhshpnnkabEhcD7BbYZwnkM57ev5U2GHEgVIWqnXcu6dqBjvjn9Nm8GZlcFMnbjZXTH4Rs7QUbDIaIUdhxGAdqY4lXycka0y2ry6U49CDmd/vlFTxFvTHzFiWffnP15H4Um3lFgmje1Ny+7+1iBpJII0rLaiDrpXaeQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>a4fP76PQVhrkJW9Asba5iPItRdh1FwiirJtplX4Uith899OR09tzdFslCWfaochz7IM5ft8SkqmdS6u434pcvZ6TBBP0PuiSRFe89R3RyYegzxeMjcsK42Ni+JRal2EmpnB+7FCeoYR5rp4pmVWyMjTPV7x4UnHDBW9HR4qLXY0L3uO9bi+NXik9TGcK45FGr04/wd1KhTGXxslDi/OyKnBL9188lVWZQHzbz7LJio2zmuxPxSymRsTfb4bPfHgm2+6OkLYFLClwkKi3SsQY3deq37uERG6M+S9QKB//PfrkOE2EibuvzNMyRNKtbWZJeEdKfdVhc/nDCYz1+ysx/g==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>hWuFuauorU5qJOeFfAxcaC6nhV7Mrml9D9mUTb2TlI/rSoMNdPZ06nb8pnyjbpHnzYSk46gX4PgzhaoPD7fguvx9jq9oVzXpMRWom9dxD3bNtQoFiiarSkGWxn+YWHSc2JFXIbUM8+haoSlJG/ONShgSf7ndXo3wIp9wWFqnh47xy2zNkt7vGIBXbzCK80MetKeemgSAPjbW4dwhhwgL18To2H+fRhBCIP3014NZ/Kkgj43rDrG1aeOZlU5qRsqcVGixGb9pfGr/m8D+XHFm2LSmC6HBKDLRoNc204BF686v7a6gpzRjh9g7QFLMNhLbwJaJwNADfEPMpdBFXdDomA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>eCWKujY97mTpsDSDctPoBzfSb1qknA/HKAxzlmSLP2bOOOstlObnxpO9SK7ufM/aUyMlunNuzCd7n/6vMFHVFl+ayzuymVaABuKWt+l4rXYEOm0Ko8KZSfK24Kw5RC+NKd9vW/bBEsmB+gSK7EANt9IquxzqXMBkW/UTdnNjeqwnrwKJoSOqgtfO7o/3HV3UQ7oYFhMFL8LIaML2HD+f9pcb5QRHb4Fufei2HnZRUYaQe2oKpNTz7oeYkdI5MibTSX88kEOu6T0I2rxWxvvPBeble36tUSDgOcdotSt6gSR/bT8GCdd9zp/2FG8NQfCG1FkyDxh5tvdvN5DrHuOTDg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Renames multiple (1028) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
5460	WindowsUpdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
71	raw.githubusercontent.com
72	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-400.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Star.png	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-125_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-125_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-16_altform-lightunplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\en-gb\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-256.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\wordEtw.man	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\SmallTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoutilstat.etw.man	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Studio.png	Fantom.exe
File created	C:\Program Files\ModifiableWindowsApps\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Windows Sidebar\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\BloodPressureTracker.xltx	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es_MX\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-white.png	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\203.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxManifest.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunch.html	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\VideoThumbnail.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteLargeTile.scale-100.png	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-24.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileSmallSquare.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireWideTile.scale-100.jpg	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125.png	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-125.png	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\46.jpg	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\SmallTile.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Gravel.jpg	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\FeedbackThumbnail.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ca-ES\View3d\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	Fantom.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5224	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
2356	msedge.exe
2356	msedge.exe
4724	identity_helper.exe
4724	identity_helper.exe
4780	msedge.exe
4780	msedge.exe
5256	msedge.exe
5256	msedge.exe
3576	Fantom.exe
3576	Fantom.exe
6056	Fantom.exe
6056	Fantom.exe
5588	Fantom.exe
5588	Fantom.exe
5892	Fantom.exe
5892	Fantom.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3576	Fantom.exe
Token: SeDebugPrivilege	6056	Fantom.exe
Token: SeDebugPrivilege	5588	Fantom.exe
Token: SeDebugPrivilege	5892	Fantom.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5224	EXCEL.EXE
5224	EXCEL.EXE
5224	EXCEL.EXE
5224	EXCEL.EXE
5224	EXCEL.EXE
5224	EXCEL.EXE
5224	EXCEL.EXE
5224	EXCEL.EXE
5224	EXCEL.EXE
5224	EXCEL.EXE
5224	EXCEL.EXE
5224	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 5032	2356	msedge.exe	85
PID 2356 wrote to memory of 5032	2356	msedge.exe	85
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 3776	2356	msedge.exe	86
PID 2356 wrote to memory of 2604	2356	msedge.exe	87
PID 2356 wrote to memory of 2604	2356	msedge.exe	87
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88
PID 2356 wrote to memory of 3008	2356	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90de746f8,0x7ff90de74708,0x7ff90de74718
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3526599485546611508,15185405681012076370,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5776 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\Temp1_Fantom.zip\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Fantom.zip\Fantom.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3576
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:5460

C:\Users\Admin\Downloads\Fantom\Fantom.exe
"C:\Users\Admin\Downloads\Fantom\Fantom.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6056

C:\Users\Admin\Downloads\Fantom\Fantom.exe
"C:\Users\Admin\Downloads\Fantom\Fantom.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5588

C:\Users\Admin\Downloads\Fantom\Fantom.exe
"C:\Users\Admin\Downloads\Fantom\Fantom.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5892

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UnpublishPop.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
159bfa625e418cf49818214ac14eb8c7

SHA1
4e262a847d5206744c17b2129a152696fe271a6d

SHA256
db85e17d07a368d3065296387be08904a0b55d278cde757b2109a393833799aa

SHA512
79386ccf793d4ab89a8a15a89c8cb82964ac1e7e628212659746272ef7166332182a42911c545e17cd7df282dbd79f85aef44e397acfd84a603dc9f5bf83bccf

Download Submit
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
0e695c31c751b061fe6fca793ecad016

SHA1
18eb6774aad418ab8a8995d3a897639cffa03679

SHA256
b5d9c84f2a30d9982d3c017beac979e642f2badb3e4600ab4a85cd16f018d26e

SHA512
8df96e33d14e50ca44371e6c154cf044fa12ef845be19a52590f2810bb35b6d4a3266dc2a4a176e20b96183d1c1f45fed4adf0bc1b12de754355762c30e5d615

Download Submit
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
bd0c795867de21efe97097f5bda27f54

SHA1
a22eeb20774e60529e3d578eea597f9255e48c6b

SHA256
3b7f3570dc69d0e09eb1f36f35b0f5c567913ee08e392f95005ec16d0babdbfc

SHA512
8e202bd512d720cc8895fadc6f4a93669f1857a3d6c5fabef77d49f712d2dc3aa02524cf89337359e641c2c85bbcf8adf4dd3e9e7b2ed6629051f44f0fef410c

Download Submit
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
40621a25033e96dc6bd626470a58b0ca

SHA1
7992de70e149bad58a2c8087c1a010e6361e58e3

SHA256
800bfcbf7074a6a0315b28fa4c11f428b4a91d044a9912e249fe2dc5b406b8e9

SHA512
f6baa8f5097efcce42782f99d815028f8a0f52254583bdc9d8bf534587e858084c942f300073d427ae403160060dc00d5b067df649df5657aecf045af61aca23

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
ba8d9bb882e24074f74546f2933e77f3

SHA1
7ea542f7c5019232699ee1f38931bbfdff390f51

SHA256
650c5c4e6c2ce282cad2af96536afe321dc344a05d0ed8afcf038c0805a3146e

SHA512
f7e90aa77cd78e7bf09970a56c7e13cc34e093637183cb2f4145698a4f822e3f6e9e51fd490baff28c24eb8ed843db71b34da5d5f4d870460315e4f47bedab57

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
192B

MD5
f0aca86190924815797fc7a6acec1f40

SHA1
5bb6a43592706b88655a0f0c554f93c43a941f34

SHA256
32a5f69a21b705f17a4d034376ca82052b36a19723000b3aac0fb4327bd4c173

SHA512
e30ec648ef81bba2acd195a05df6749a6cc4bb3804572e44d078714439d8d36dc8420002df17706412fe43a74accdd33899c7fcb548d4e3df0003a5fb838e9ae

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
192B

MD5
5e8649380502490b28a57f7c49d8a0cb

SHA1
2de992af5092ac472baf06042d6daa01fd6c935b

SHA256
220ca3da8882516d40556dd898dbe60378398b857c289ef4a730d5cff9d4e4a7

SHA512
4104f3db06d81f091172560522b505ffe42d54bbe4e36637a24f5ff9ffae08dd478c07121b641e464037aa3ea9e10b39ad128f3e4197b325fcaf2a4ad4d8e125

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

Filesize
1KB

MD5
8f88b94028ad62cb6b02d03703cc0fad

SHA1
c319debda8aef49f309ccc4cbc3f190ae37553d9

SHA256
bcaf254556086093a7524cbae662eec7a79a9b7ababf9b897b01963c58dfb342

SHA512
c987b54d9d3b1a4a5c76573d4829f8f4c10f9e5f6082c8287ca359ab2d1d01085bb92c364319d8055e310a209e8c542d400c11bb463a89dc50859d0f75d57f85

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

Filesize
31KB

MD5
8fbfeb47a2fe83831fa6d242c97f83d8

SHA1
3b4be2e1dbe2305bb03d0931b0b9f0253a1afafd

SHA256
b286c2307333f933d246777d962d7a7008a79d60b572f6ba4991219743388304

SHA512
ed30b5ed382ffcfa99442f71f6f4b3c03ed47727437b84a41aede9270878fef454bab44e3b9bf58d9eda4837f5de86c13110df6eb6d6fa2e5b4060c0e99639c5

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

Filesize
34KB

MD5
8325d823e1cc0a352161360ed2971f19

SHA1
55de05e4da0ffa46d0dd234adc62311f261bc159

SHA256
67cd165a7b243a295e8b9d0bc95d38246bc31d79a9f00fea5dfbaf4d0d403166

SHA512
fadbd18510fdae588a717418d1aa76facbdfeca99919ad5c2fd2e951edc7599f22f0e3059cdf2b83ec544ac8fd39ef580621aee48dfcc23417485ee8d6bc4906

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

Filesize
23KB

MD5
f628b2bb07e101554600c34a626081f0

SHA1
e43265f18288ca8f11ee49c882d2edaa6c98e18f

SHA256
2fbe3afcff16b818070bbc396de4562941976d0ea5dc4fdd79ebd9cd045f8d36

SHA512
b6b7928ef1864c4b474975c792078f2e12e40e1aad7895465bc214bd7b4f31ad53975abb4bc090ce94954013921e1141aa7ebe5769a2df176325e72afaad2112

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

Filesize
2KB

MD5
fccc61c43e01fee4c02472fc3053fdbc

SHA1
b04a7d9f86c912f0d215625153ea048a469fbb6f

SHA256
90885bd52ee982c8d9f9287b6b3d086d8711ab791ce31cb01bbf679271eeecb6

SHA512
b2fdc37b0b080de991ceb0d8401ff4a269417a75a7f99cdacf25271b825d40e72b9d8d583c366efe3ce951ec66fe716fb132fbc72357280606c54ff987539fda

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

Filesize
1KB

MD5
9e152eaef01bb13d174bef76de7c25f2

SHA1
6ba11e0af1c097000f4de482fe9112f69a6c7fae

SHA256
c251e1602614699f91310b6c29d437890603afe57bbd10720dd5e37f159899bc

SHA512
e188eb9867458851c92c7c5b44e0de7ba2991a8f96f7d69a7f4f7bf5157b7f2c3b1b301863aab203c98171ab285d6b76e04b3a025f71ff660071306e16748b9f

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

Filesize
3KB

MD5
08b05582b30aaeb54aa3957f03561c85

SHA1
4069ccf7f88626f857902444c332eaeff25634a0

SHA256
487bb0a51bc6bf9cbce5c0aa70a3f59f3d150ea7705db9d6cdcb32effb304916

SHA512
796131f196ee3a01d36f57fa4dc84db1410a0555f4dc0ccba46421fe9e516e997bac56a69c5fbaffe298ecc050a79e1592a075f95583f6462dce9b499ced14a7

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

Filesize
2KB

MD5
4eb6374709a5cd1ff30681566d272519

SHA1
c38499d69b228bcc3212a22233e35f301f38fa7a

SHA256
0260dc666a2fa061469057360d2782bbf5bdb36fdbd4e46e55feaec719776f59

SHA512
81826758c922f4f5b743138a03d28db3f5020581c0e79c6d2366d6ebd17d5c8317f9f9b2117911cf9055b65bb4f0a3b27539aacc663d26f9404636797484b358

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

Filesize
5KB

MD5
bffe1f49f2eaf87d0d1f810408cf3540

SHA1
34c92f3cc304f7a7b34135c5f23b5f6bde0d06fe

SHA256
c9090d058c27223d1917a0dec87185c07377ee5f508a51fcc5bdee05bb626d4f

SHA512
595ba3e24a62c9384af14ac3dcbcd3e5d177a2ed57cc359a86690b815e78bebad470d93a47d2464b2fa8d86bbc42993e9575a4bdf82c5b557dbcfc5f1a5074dc

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

Filesize
17KB

MD5
f00cef3f537fee3d6ac8d9a1df2f177f

SHA1
fee9cd8f991d1c1bedcae2229e6e90eced21c7de

SHA256
e4b63893b1bf4a1c56c95f3e434cc2ad18b3e3fad2f509ac1cb50d3b9c0f9a87

SHA512
370709b46a9578e4ff9450127bb652d35ffa10985a4889b8f0349622f41fe84aefeb3da5fff95b5aa811785f8f58a3636cd19343b376300f6428a3b438932009

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

Filesize
320KB

MD5
246045822499dd9469e3b7c5cf74ac68

SHA1
0792155a2eae329d2e43f4015409aacf9e581bce

SHA256
c7611a7914c8c6da53f937de6677c6ede56e6b0dd44971163112d1eaef45fb84

SHA512
e73bdf24cd596591357acc8259fb41b8429aa4fd1de054a680ccb34650aa346cf32bdfac9e3de734c1d4f812491afef9534c30f704782f4f11f3dd675d7e1ee4

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

Filesize
1KB

MD5
9880b94c12ac1612c62f2733462a232f

SHA1
5aee833b20cf5ba776f22e0cd2838f4de10bcd84

SHA256
cd6e7cfee83dd4aaddc4877f0fbab8e91dfa59d0d7f28bd92ae15d4e8376d4a1

SHA512
6d3880a2378da644809f363637b224c6f158b320c81e7312e317f57382ef99898537ecdaa621137208a5fe7693853a9d3d66f7a5439f5a05f3338cc5d46f2f42

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

Filesize
10KB

MD5
c4d0382ad678691b26abc94481a739c7

SHA1
c1810c471875dccc1a8fde36665afc600798fbfb

SHA256
cde43ae59e6f8a12abd64eef772d5e16cd7eb5179b484f12e8f5a10ee7038dde

SHA512
73093408f65e4f1d59b82b3f76587b8672e8122f270458c4d0ab47ab8858ddd9849a2b16aeffc519ddfcc6bf7feab237cc64691fcc590c2bb99d86d47126ee51

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

Filesize
3KB

MD5
99219b37304f92060297bfe1658aa4bd

SHA1
329af6a86d3d53539bc65997b093a978648e89e5

SHA256
b159eb10184cec7ce92cc92bd405e045bf0696644f60fe478476b8704252ae9b

SHA512
441b87d4950e34deb86bd9d6f745d52a8b3b503f786d388fefbb5c2a89c510e4b522dff7810064da104e9397d20097deb8850482ee0d9e07474a293a15ed4a33

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

Filesize
176B

MD5
83c4fa9e33cd0f69ba2c89ec7cdb69a9

SHA1
a422f273c41f4c521963219fe16b4645011f5487

SHA256
b6940c87f75d65c1b94d5fd01f773ee67427d9b2306e2ef427ad3a629756a876

SHA512
53f3c9d044cbcd937403e73d4016af2f8e956a1bbb7d6fa4b626f16ff4ead6ee1a9dbf86551e2cb054299d9a6e88dbebaa368d4e0c2683ce570c30829db9eb87

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

Filesize
1KB

MD5
da4e651f321abb285bad495c6835ed5d

SHA1
fdfa6ec685e68dae9c50e24cffe1c019891da080

SHA256
b71ade9c6337741a82a9b38a1b7053224de298eaa659e52a30fd2e11408a405b

SHA512
e5adaa874021a49e189770c2db7728c3ffcaaabba945739111d3fad2fc1375aa9e525e14c6a87bfc67cfac52b9698995be5da18c1971a6b77568f98adf94bbdf

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

Filesize
3KB

MD5
27c6266fdf12a067caa342ff46032215

SHA1
cb20acd60c2ca32d17f680de8f6c784ef94fbf8c

SHA256
f962b4c924e5370d49b875419a24e40f18d6bbb62f5ce8d5072e57230a42d670

SHA512
3dae0092fc89e53d8016b6bc730e201123d5d14c890a61590c456f29ea9b019c6b5b00f5a63d1ae7234262f7c4934bd978eb18f69bc880a3dc0d99b2483a95e1

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

Filesize
1KB

MD5
3da5ca94582e3209a6ad2c92499cf6be

SHA1
355bd7b13ad08dc7f7c876da835b037ca9d41499

SHA256
cef8a3ca7ddb2fff3df1c232d19169f8e44d13c8689721765c5778249ef41993

SHA512
286b2771ab762792f58739fef4531a6a21b145ab361c8096a24bedd48ffce763bec5aedffb879046a350ef252277042d76bb2ec5c5e619297f34a74f8ae61831

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

Filesize
28KB

MD5
4a1bcbf5c5cb58caa24743bd69f89585

SHA1
dc68d80c80bee4b09bf4ae23f44801698d2d97cf

SHA256
072b9ff39fce602ff0b1ac2cdf622f06e35248a40d9b0eb087f4df259bf31030

SHA512
aa11c853b098dcb8d937b943dbe6ed5df3254760df6197204e898d8bef2d9acf122f4139ec6013a00ca9218159948285ea928644ac57627937cf0a2459e12282

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

Filesize
2KB

MD5
e2627bcd938fd44e78d4695843ad0800

SHA1
5241615206d4f460a63f271dcfeac42a7499eb9b

SHA256
e679b039efab746e48cd85790cc2149bc8d3c4220521524c2c222648e480e88a

SHA512
591643079c23db3d53bc535e9fd3ff89c480254c5c474ff14ab2ba464d0bb64ff7a48f37cf5983ba6894da2a38e5a1f52f8b247ed4cbdb51badfba8a08299b4d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

Filesize
1KB

MD5
38c86352bccfab408f37d2bb5697f414

SHA1
05d70fdc226991b09f4cd50ebcb0ad41446daba4

SHA256
814ef20250e91f83194ebae86a63ff683d2ebccd86acdd7483fb46b716851d32

SHA512
bd6acd681a1ead11443e354075aceefc5344f7b3117a12c7b7962d3183ec12ca9b4f3fe18780598cf538bef74e110f51770300f90e253865597f043c2bf2cdf9

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

Filesize
2KB

MD5
f57893a9d2793e728b9b97f1076fa013

SHA1
9837a448a34c77b027d520414358f5e78368e60c

SHA256
2d174c69151887c326d01274dbeb2096385aaec7cef8aa860df4e90a77cf9575

SHA512
acfaea44d513872fc11bcdd2edb8404d3788c39d2f8b83280f519b18d49e5b87449badfe91129b237cd333b1db764583251e5a1d77d1e094088d408cc59cdb79

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

Filesize
1KB

MD5
b25090791327e0ddad0d84afa11cf996

SHA1
fb36b7a72e20dce744ff635662283289716b580f

SHA256
23e04bdfd9ae7e72a0cd64ca116676bdce31339a2c04ff7f51d93e9698659bb7

SHA512
3e7e5a3d9886b9f3d2d0de778d0bbaab6dc781ad27d110630743297dcc3f96372fb45f76581b660ab4daa0ef1e08f6a124622a91ba2bbf0fb0cb3902d770efb3

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

Filesize
1KB

MD5
d6c96500c9ba7992dd21c3af1ef693f7

SHA1
8c87cdc1924d108be4112fdfdf84cde590b0a171

SHA256
72ef730ed19ebc2adb641f1f4ae3936b2b6a3cfbcbcb0c87d3b0b17b2c4db285

SHA512
83b3396670f7aa74433fa51763a0ccb9482de1573a18d7d2f20affeaa7753aaa5c8e266fa56db6c44211704df64a1b23d5c8bf8497a5a85102c982b5ac2a0103

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

Filesize
1KB

MD5
2d0ba42b82a3b928ed02ae4468827503

SHA1
0666394a17c8856107b1576ad8ea7561686e0e61

SHA256
03b666474093be65a969d9d19d8b807874782cb7771608dd55126edae2701ebf

SHA512
d9debbef3094ac7ac16c428b9adeceabcb3a22879d7c496f6a32d2698441de7e501ce2099c91ec0d84e2af413966eef912b1a0f8fa73e4c0e3c7be76da31976a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

Filesize
3KB

MD5
c379ada3ce30ee82cad5142ae4a2f28d

SHA1
e50f95a537c6c39d3878443c116586224395d926

SHA256
f670f3d09139b331ef0354ba3d7b7558aac45adbd95ba1bad01317db0a9093b7

SHA512
c1f9aebc907335bb4597ff2a10bc4dab5f5af8aa967f6dbb17a5ca6fea6ce5afc5f615b9effb903a27f52d3610e6adcef4c6a0a7079a02a15c46016a6e2a74bf

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

Filesize
2KB

MD5
41367e80bda6e1aa88af6070b28c1b00

SHA1
9f4166022ae853a613d53d681454415ec8b708e4

SHA256
600354edc5ac518e59c45a3ca2995cd5a14f75b86c693249f637f877946507c9

SHA512
decf31e84a8b3f3a49e58f1577a57db38a3002a05afbcb29be6ae957ba5b8a893dc0313ebdad8e573ba444ec1a083eeba0c6de9e210bf0514bbe1c794559312c

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

Filesize
6KB

MD5
fdb1a75c40b4a7d61c88a7b5a7e59f31

SHA1
0862376c0a1f241c1e5c2b588efdcd926597d96e

SHA256
3da386f4cfcbb311660d0802ef8b6f2ce8a956607da58131de564fa21bfdc568

SHA512
824c7be647894e8957655fcea308750ea0c4e07145940d8041e613a07e47931597ae3089cbcf1cf222a5c1311d770028e9d530ba0561f3e910f405e1f958bf74

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

Filesize
5KB

MD5
71e00beb6607902cd6cf3432a606800a

SHA1
a08359df064cea10edbc5809b14d5fb8fe8e6307

SHA256
f12739ae6d156dbd1c4ae7ca367b39de97bcdfc481a4ff28c6fe34e8d88344f4

SHA512
38250fbb0198fe23cd89be1becab548d9cd86c22b3d0c80e149d8b0feb8981a7649738c9d651eacc34e0949ef6bc1ebeb263f6339afb59dffd39f476f857c5d6

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

Filesize
3KB

MD5
82c7e629cee8bfc1b45747da370d9b50

SHA1
8370b254bad7541ef25bf6c1fbbe36a94c0e5467

SHA256
dcfbac570f4c13ee2e433446ed921f4c6e4d1c201ffdb3232bdf0099e3e8f695

SHA512
a6462a2c3fa7298f472d7f271261a2dbfd93df2494857180d40cb8e96dfc1db53eed1e6687c43fbe8948afb245c872d2c2c4c75f501598f0f4d317e9532d0fbf

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
a1fecbe1d99c6afa127d369b6111d75c

SHA1
37afac10db7744be5b8feef69ffad8568dee6f62

SHA256
c89f0ca55954450330aa437d554147294909a21a462ca552c352b411c319adc9

SHA512
2e950e08f6ac3f4a7558e4f35d7f586694b1b3404f530999e55edb3e5b2fbbe888ff490dd552db89a86dd5e9e64627e40669af5d98b4ec110931ae6aafcff6ec

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

Filesize
2KB

MD5
587f234edcaf0a7d6ef62e1a2a058d60

SHA1
002761a8f7091e52dd0d7f6318faddf9b0e7bf71

SHA256
d93c491985829ca77139f68d379772600f5756776dd2f2a2094e1c5f9951ddca

SHA512
f77d0ff034c953b7604fa2350f88b852df9985fbb86287be486c1e82ade463b26c5cc9e5986081f9b6b497c0e8e92df1504a5f216b13ebb418c125d653ea4010

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

Filesize
1KB

MD5
afa609ae91bb9c03aa068aab9faf7c3b

SHA1
137a173d91d9f8db4e6ab99cccc036a4f8bac38f

SHA256
d31a40f5c562959db8ccdbefb35ed2a0d383339dbb3a9f1d667a19aaed079104

SHA512
0d15b79a9c36d81faec42a60be42c29715952c4ce9964c322f30a33f4dd6d50489dda40f1ddfc3af7bae6d2c5d5dabfe8edb5b5247ab1cce890bd57ade845fd9

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

Filesize
1KB

MD5
8b18b36e8743f5a1b2c84221452746d6

SHA1
af221362b83f5cceb7e62b613d4a3d8d6b01525a

SHA256
4aef222e071b4a681f29f82fe143c1f3a3259aff81b0df70133eec22ca2ae981

SHA512
f9820e61dfc3cc40f509164c2d14361724e89e23d25c3996376891ffe1003ae49f0fc1b11ea2e6b512fe9baa28d174ded3841954474f9bc350715837b4557550

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

Filesize
11KB

MD5
395b599de21312d1b5aada55e9e127b8

SHA1
2e227c915a0e5343d1c2f2eb0b90be53a0f04852

SHA256
e539f0e7c028f256ab02edce6668d9142a796fd7aaf552f0ad7008ef9a1fb15d

SHA512
f8b6a5c71a3bff07dcbee79cff34984f5d475580f6c02bbf376d575ac6729a27a00f3cec79047960ecf76bb2e405f276628461b814126eb6f1156cc3532f5036

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

Filesize
1KB

MD5
f4620cc7a705fea2f4ffa0eeb3a3d225

SHA1
60ab8e4b15294744c2570445e2d2aa01c6b8f951

SHA256
206058580a3164cc9f46b403b1d0477591dc8acc471a0132de619cf357756cb6

SHA512
1a5d529cc2546d8b315084df609dd7ab4f519b22b4d8d8446e35216b82afa42759360f8ce82434282fc2de801c2231b19012e41ea368b3d7fed7abf759d3b338

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

Filesize
2KB

MD5
ad54a167e955674f3ede4460abd0d322

SHA1
35d1456a6f08aeac3ac832bb75bfef34b0911136

SHA256
c1f630c12ecc0e1efaa1773da1d48905d7f14a1ad5bf1162e7584b182f7a4e16

SHA512
abbd414d9fff38e50c2f83ed23872ad8f3876a3d739b7bc7d6b754589dfdfde7de4605ce4c9c4c75cd4c61c6ae47a9f12e0773baab699d8a8a69101a97a5b42d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

Filesize
11KB

MD5
40d319b379f9c7be7cd1788cfcca8376

SHA1
5b3c0207eea386fed2935212ae92c37ccfa5f419

SHA256
f20197d27c73c20592f4a5d7fa6c7233a96c6c1a3d4fa63a86aa201fdde1ddff

SHA512
b9b964a7fbb40cc4d3776acb52c6ba15d6889be9a4085a85e8993795ce2d7c25ed5cd85dd5fb197eaa4c3b2d4df415d3e65a87099d9e40bc4fcc69e2805bd22f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

Filesize
11KB

MD5
03e739263facf99df9a9f7b7b6540e65

SHA1
c4de755a8ee5e4386e558c79a52de5da9acb4920

SHA256
8f45434ee20b5e20bd2eaf0d7705c6e9d85027a3f848a4ef5901bee7b1b8129c

SHA512
2e14d77c07d74847c80ba6cee7d56b9dd62a6193932d2d11ebd54ccf54e2801ec20691c2ea3df241cb7c4b9bac90e10a1ad712b1d0b2bbd0d7d73431e2d9b0cb

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

Filesize
11KB

MD5
b5c9963350a88a76e5dde3ccab664bce

SHA1
e7b4a16eb0a7d011ac2a42f1646359df67c1d80d

SHA256
3e661b9067be6f39bacfe96cb68e314f53f6f2db181fd781cab215440fe328b1

SHA512
adbb2b6c14a84f6b4b877eb48ff0427bffe454437a7eac2b8f78b788243c8e6536eb7f6ea0a206497e88befd9da953150b31a5cea4d823fa623086228477232e

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

Filesize
1024B

MD5
6d92218cf3f86da38f5dae1ea647b064

SHA1
be5794533d4cc404e9d76f334eae42558c807514

SHA256
d8135afc379e1a68f76323b147d214d21d83123a530081d6e99f667d300739b4

SHA512
a3ef6ee0c26ca60853a5f9cf7c0048bfa2c4dfa9208a5b1ff8c3117306a0c713226b269677b917a4a5088bcb80b832a2863e06aaa3839e641177b3cddcffb2bc

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
48B

MD5
6853f97c5c094ec07770c1ee83e57b08

SHA1
0507826623816c069ff28b85b4ce77ab5495ced2

SHA256
ce915a111d46ef3f0f379724ba20640c4a039837744ded170399c211c0788404

SHA512
a5ade89ad45a383487359b438126f6dc9b7605f5e163807eb5f5fe4fef3bb02610da61f10829afa44d6709d49bb56831d8ed04834d466f3dc2f8f5b1fe4b7f67

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt

Filesize
48B

MD5
d286dcce81dab6a2083efcd326236472

SHA1
baa73c6423c3ecad7f2b923a8fcdd91f91da02eb

SHA256
f02665c4652b8459e2a42fa9606cc59337bfcd4d2bb732e4251a5a06084000c1

SHA512
8bec7d2dff1b7e9a87f6b607ac6821d7ff5760fb54eb72bd6b8954046bcba4b315ec0ab022f24f2c1a105447e74201e5b278a8066934a6b7e4c3de1ce3f0109a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\19abb3c2-594b-424e-b83c-baa20bfd1681.tmp

Filesize
579B

MD5
46fa4f5f7344089589d117bd7599b3a9

SHA1
b6cc1fe19e527d4a372c97e4d195ed94eee40030

SHA256
223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

SHA512
6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bd904c5de425b3fbcf3fd685aac071b8

SHA1
733ac616a416829c052908d94f95ff609d5771e6

SHA256
5aafd32d7e36aa9fe193d94378e1474fc794bec33b4fe705b2c9630094ee4496

SHA512
5ea431a1c54f12cc509d46c83fb5047c36b0bea92d0c11b3e57f4e38840b01170db8c0a19542b64ef71b5ae3274c12549cec269aa44045541f7fd09322f5e028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1d00ebeea5019078bcef5426a4093da6

SHA1
6c40287394ca63284a4233d98fe3013e62075b07

SHA256
da1761a88817f0f6e31c444fad31ebf9920c7a9f905823b89f9d01f660c03a6b

SHA512
f1ec2055099d0fc6fd4e256333d261a629daddb2ad7b6f96b323e719f9352a489f97dc61c52d10c95a8e08caf397c40af262c7d74dc5afbdb8c257cff0421bad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
500d5ee2e3916ec9916c4230514d69bb

SHA1
c3303fa473459565c5ed5daf54fc720a19c22383

SHA256
2a9e31c5b519e5ad96ab05c49f5f9449da46834dfe082a1e3038fc5eaf9ae0d9

SHA512
2feb4e61a25bcf730b95d110c479559542972dbaace1158e78c6121e2418cb6845c242531d815428d28a1dcb6a1eecd9b9114d1bfaef9d8709f4ad1cd8d289ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
871e80a6ecd8dcbc413578f19c74f2a3

SHA1
9256187a30938a69eaf66ebd5009eb8329305fbf

SHA256
a5430d572f8cece8adfe39598c13ee1e6372f4955556422b60349dedef00a309

SHA512
69875a2199c9e8ab61a3cd782983d14d0d5bcecc6d9f8846e2a1477639e2dc825707bebd57acfc5d66eec13aa9bdddd56b436e58c2d698c694dd6da463398eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fbb93da40f3493952fdb255ed7a6e80a

SHA1
85c4ca66749c9e891474ad4665c3f9d21e4ba035

SHA256
e037753dd17123f76b835292e47eef9241b45aef618d9906c0179e6899659631

SHA512
928230cb2ee8c1bc5eeed2744f7141b5fa2afd85f5d244454b9a97735ca298d4434f61a29ee53fb4008d6cc6538385c1f1ec034963a64c10508e7d5efacebcea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
186623cf7de5e9e2798cee16fe1a84e7

SHA1
eefbde00044a1c51bbac4339462be3f8369a0a5c

SHA256
e7580c1c454ac659aa98d3068de10e8d4f33238fa664835232137afc2570b8db

SHA512
26b5cb30454ecdd056af655ffed33c7e36e7af23d8bbc72605dc6d9f7ac8242c6b1b0aefafd331ff93e542e6f1b1e0309459b163c49881478eb1bbe3f64889cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5e7b6c3fdca20a4963554c3b05ee962e

SHA1
637d541740df82223947f2ea95daac8e0e5af314

SHA256
a4dfa450111202de06c331f0a92aa4e3eae0d0920cfc018b6bf15918e5b4551f

SHA512
f1714896018080c5e48020d392bc2a31ec66cd2d7745237903bc46e5c61793636b5d51ce1640ba3f5046d15f02ce8fcd1d03871071817fff78c518970d101a64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0ea8e5e1009dbe336d007e3d97b941d1

SHA1
930a9a292e9d200bce0fc1ff4ec61bc79c189a41

SHA256
b45ee551ac2cb569499bc869aee9c18017c9c89f0e3244ff79a1dc44cb2d2227

SHA512
857ddd5effdc0e59061fa16af1211fd11f0f6aa25ac07f4fbec2d0f767f57454cb81eef28de3dda7531d5b5b5426dc5e2c984e3c06ac4f380850d378636d461b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dea8.TMP

Filesize
1KB

MD5
001b02186fd11aeb10a24d6eb6ec9942

SHA1
5285998bab40943be1a60be2f4d617631d627042

SHA256
978142fa2983388400572e5d611884087559a7c6b943d749dcf5843a92ddae30

SHA512
fbf16e4e9f08850494dd94ccea65311c5c2e26ef224494dc68e57e30a60b5abde0b72f1e767557126b2852779e1a7fd0d600249d8f3ca5c364eb1c14b5d2c8a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3354adf0900b3816b2045272599c63c6

SHA1
623176a2c86421b4dd39fff7024d332318aae6d5

SHA256
99139666cfc49c338996c81d3f6beffbd01b744ab62e5e9521c11db9c43562b2

SHA512
80d0e4a4c17633e531e614be3b7513cfd1cfa40f4090e335b039122be8dda9046afdad07eede7f98a33c862f4313a1976ee12e373fb1928e415a14505298623b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e955ffe1c739d908f994114e1a6d5e24

SHA1
6ebd0a9f6d412e33e0f130a26b933cc637caccf6

SHA256
f6c3a1c7a512d4240faf39df6957f5929e9efce8575ed9632716512fc4d8c0d6

SHA512
54cabb6a16c85ff1945e43aa45d4d6004b9a40f4bc44634cdf01892001698716e8e3426b39ffd059c714d0bce95533ba51aa2069e4cd91c0dde1fbf60b9548cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0ef6b2a61ff4e8657c449c10ef39319c

SHA1
0650f05f1a42336b27d66ea9f1ff791a9b550166

SHA256
47628162b8dd09ab7b995f6087ac6f8b35ac3fe0ef1274bfc9c357fc76412aec

SHA512
6dd7b470d9e1c8f61f95c5c65122b64b78fc7f729771248e5361dd52c8f54f09e89c773cb53fb29bdef905def84750bf46b0c5a069900041f65c5da54550a94f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
2532fd4c195e22ddb22e811278f634bb

SHA1
4e52bbefb98bc950f2dcf857a55c0fe96f13f9d1

SHA256
6e11fdf5cec5cf07b9b2e8c69c1e6919a4f8757f5a60c82c0da11733d9d7ff21

SHA512
5ccfd04f1a8f3da09abfaa16e6a3b7be38f9f132cfdfe221fb3a3ed43829d44ae93478c5008b20043e10c0842156164b23425db383acbd69ce828042d2470865

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
319B

MD5
513859cdcfd1d5c5ae988e31671e3dca

SHA1
03b53f9ca9e693cebf3dfa0e6fc2291b0303217d

SHA256
136121f506cc8e84e8b95292409d324f4f99390c57495a557ec9b3a6196d2743

SHA512
9ef5672c7787a5ec27477f1185f45ae88ddd470b27d9ccd292b8f713e9f7f6806ae850b3564ab098a40b9a78b3e4a603a562c4b18ca7d47d4dd1b1f6ac4d28ce

Download Submit
C:\Users\Admin\Downloads\Fantom.zip

Filesize
198KB

MD5
3500896b86e96031cf27527cb2bbce40

SHA1
77ad023a9ea211fa01413ecd3033773698168a9c

SHA256
7b8e6ac4d63a4d8515200807fbd3a2bd46ac77df64300e5f19508af0d54d2be6

SHA512
3aaeeb40471a639619a6022d8cfc308ee5898e7ce0646b36dd21c3946feb3476b51ed8dfdf92e836d77c8e8f7214129c3283ad05c3d868e1027cb8ce8aa01884

Download Submit
C:\Users\Admin\Downloads\ViraLock.zip

Filesize
132KB

MD5
6a47990541c573d44444f9ad5aa61774

SHA1
f230fff199a57a07a972e2ee7169bc074d9e0cd5

SHA256
b161c762c5894d820cc10d9027f2404a6fec3bc9f8fd84d23ff1daef98493115

SHA512
fe8a4fd268106817efc0222c94cb26ad4ae0a39f99aacaa86880b8a2caa83767ffe8a3dd5b0cdcc38b61f1b4d0196064856bd0191b9c2d7a8d8297c864a7716d

Download Submit
memory/3576-280-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-283-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-243-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-251-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-271-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-253-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-255-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-257-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-259-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-261-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-263-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-266-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-267-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-269-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-274-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-275-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-277-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-883-0x00000000060D0000-0x00000000060DE000-memory.dmp

Filesize
56KB

Download
memory/3576-281-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-242-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-285-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-287-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-291-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-293-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-295-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-297-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-366-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/3576-367-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/3576-299-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-301-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-303-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-305-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-289-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-247-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-249-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-245-0x0000000004AA0000-0x0000000004ACB000-memory.dmp

Filesize
172KB

Download
memory/3576-241-0x0000000004AA0000-0x0000000004AD2000-memory.dmp

Filesize
200KB

Download
memory/3576-240-0x00000000025A0000-0x00000000025D2000-memory.dmp

Filesize
200KB

Download
memory/3576-368-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/5460-904-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download