fantom | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

Analysis

max time kernel
122s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/09/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fantom.exe
Size

261KB
MD5

7d80230df68ccba871815d68f016c282
SHA1

e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256

f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA512

64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
SSDEEP

3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score

10^/10

fantom discovery evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>n7yRK2vLWQ77LNow5sVpAfU8XaDDrii7O9QCLiBUf6yqmU2JXBe5MqlNNhCrolYSJ2R5IkZUpCSVozpZ2bq3uFq9T6RVvNXzR63g9OFOHd30NjBmkC/OiaBPvD8/khP7f2mM/Ff1Ohd4lPk7qlHWfWUgRmp60F2djjzBXGFfy0Zet+/XZJjMOS3qCQI9uK06MCj59GgK2imjQfWdy/mjuqECuEbBgWQpUHNDCF8Le+hggly8KmAMLLPYqEy/68KM1/Yue0QFBwFROQBjZEdmt6UADqY8MvL0vjGgO9JYolc0XQvRNj+V9LHnVDWjxVlKlqJpEpngT3NyH211KsZjeg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Renames multiple (1029) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Fantom.exe

Executes dropped EXE 1 IoCs

pid	Process
744	WindowsUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Spider.Large.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-100_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-150_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-black_scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png	Fantom.exe
File created	C:\Program Files\Windows Security\BrowserCore\manifest.json	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-200.png	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-high.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_scale-100.png	Fantom.exe
File created	C:\Program Files\Java\jdk-1.8\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare71x71Logo.scale-100_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Cliffhouse.jpg	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunch.css	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\WideTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-150.png	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Office Word 2003 Look.dotx	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-32.png	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square71x71Logo.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\lpcstrings.json	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	Fantom.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_SplashScreen.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated_contrast-white.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\az-Latn-AZ\View3d\3DViewerProductDescription-universal.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-96.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-80.png	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Windows Multimedia Platform\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\5.jpg	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-32_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-125.png	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-125_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MediumTile.scale-100_contrast-black.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionWideTile.scale-400.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md	Fantom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3016	Fantom.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	Fantom.exe
Token: SeDebugPrivilege	1640	firefox.exe
Token: SeDebugPrivilege	1640	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1640	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1640	2824	firefox.exe	101
PID 2824 wrote to memory of 1640	2824	firefox.exe	101
PID 2824 wrote to memory of 1640	2824	firefox.exe	101
PID 2824 wrote to memory of 1640	2824	firefox.exe	101
PID 2824 wrote to memory of 1640	2824	firefox.exe	101
PID 2824 wrote to memory of 1640	2824	firefox.exe	101
PID 2824 wrote to memory of 1640	2824	firefox.exe	101
PID 2824 wrote to memory of 1640	2824	firefox.exe	101
PID 2824 wrote to memory of 1640	2824	firefox.exe	101
PID 2824 wrote to memory of 1640	2824	firefox.exe	101
PID 2824 wrote to memory of 1640	2824	firefox.exe	101
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3752	1640	firefox.exe	102
PID 1640 wrote to memory of 3476	1640	firefox.exe	103
PID 1640 wrote to memory of 3476	1640	firefox.exe	103
PID 1640 wrote to memory of 3476	1640	firefox.exe	103
PID 1640 wrote to memory of 3476	1640	firefox.exe	103
PID 1640 wrote to memory of 3476	1640	firefox.exe	103
PID 1640 wrote to memory of 3476	1640	firefox.exe	103
PID 1640 wrote to memory of 3476	1640	firefox.exe	103
PID 1640 wrote to memory of 3476	1640	firefox.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4a01f70-2fb4-4828-adba-615fb6f48975} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" gpu
    3⤵
    PID:3752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2356 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {308eafc5-ef8b-4499-a36d-d7a2c552cb52} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" socket
    3⤵
    - Checks processor information in registry
    PID:3476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2752 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 2680 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e81cb3c6-3120-414b-baad-97866fa88e79} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:3040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3624 -childID 2 -isForBrowser -prefsHandle 3940 -prefMapHandle 3936 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a467b91-90b1-4bbd-af81-c6f3fd67d565} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:1152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4728 -prefMapHandle 4748 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03987dd8-571d-4234-b4f3-3005f43cc48b} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" utility
    3⤵
    - Checks processor information in registry
    PID:5216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 3 -isForBrowser -prefsHandle 5424 -prefMapHandle 5280 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3db33b7-b4eb-46ce-b5c7-9ca18d85627b} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:5624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {642fb1cc-81d1-46cd-af9f-f18e29cdaf26} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:5636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 5 -isForBrowser -prefsHandle 5864 -prefMapHandle 5860 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81d7bf2e-d7c9-442e-b86d-0edac3d73de3} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:5648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
72a84ff2305ca57a8f3875bbccd68a1d

SHA1
b4b0339d0b59a87917e7d6bed141f57f832905ea

SHA256
d206e8b925661519f6de09f769eab5b3195852c477308616c0d17831f238180e

SHA512
e815ddc5e664a39c9bea2e0ba4985ff1933020bdfad7fca37b12a4458d7569b202f1b8a523fc411caaf02fa391c033771656344f7e2aabb5f1df24340a951672

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
00e23757352e760183d988e3c88d7226

SHA1
61ca7bdaf703b976f36b0645a94d947d46e1f702

SHA256
18fe6be68fc5209e5d5260a8b7c25da55bf8553c4c49b6f0b90ce01bd00c8d46

SHA512
57fa17cd6f656d4b3547ae1f6553b167dcc73366526d0d7679cad3d2373e118e07459bfb20576bd200a103b76365e330892ae36ae0c92a4d0f7be0debdf7c132

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
192B

MD5
8c1b5e9fc81ecfddc39d53815be18535

SHA1
172c430b0fd8c3077d912aedf970c37987fe6cfd

SHA256
985dbacb74fb114724d4a368ae98ef404dd1efc361df1e6ddd41f54943daf950

SHA512
f6ddb9d2a3fb47211305c23afbd4581d725e82d8c3fa8920630bc774a5ebfdd4d7d656c14bd6c291fd69bdc3cd3c89a8027df123d7b0c7bb12d494997a4e6db3

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
192B

MD5
9b1aaee1642afe844e88a57e98684722

SHA1
96a8253d4daf401530d8f59f5307b7d02eaaf10c

SHA256
4664082ed3abddebb3b2e0778f3b432a0b76bda20d212715b35063cdf77c4bf8

SHA512
8a41377e3ea90ad9a53c694fd77b44cd65bc8f36ea3052b63d4f6f8a1637f005a49627b1e3be17621ef15cb78919848815dd044c98b4cd8514b53313f39b1c80

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

Filesize
1KB

MD5
ff524d72440d5d3f46421e416727ea9d

SHA1
93e58227b0f43a413add9c6981f350c6e4c6eed3

SHA256
cf65a855e945b365ab6b37344bd3c339dc897f027afad48a697e98e193586814

SHA512
e7baa351097c8ad609aaac93c190372d1ad5255527d8600e12e7ca453cce0ba1efb3f6907c2fc88985633027254b3abf1e08512e623649ffd498fb0130290949

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

Filesize
31KB

MD5
204e6717db3e3a90ea2c7a01e9cb0919

SHA1
3e9c65cfe6406389847282a2fcebd3d4e811d01d

SHA256
cfc58d0850c79ba336e5725c79e7fc73894a82f389f2ba0648688031e6932840

SHA512
989f8734922144ab66aa8986b601e952533b9fb671643631eb9fa7c99c095e4e6c483dbffe2a7d6c839beabb56b2ab8877369d8bc636e070961d57eedfef7253

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

Filesize
34KB

MD5
fa9ca8b8e878884d54f30aa2aa02f051

SHA1
bb14f0b4055c87fc7c2a4eac0ce7c679ea673dfe

SHA256
f24958471ab3821a9d651593cc6356a1d4b762f01e3b19c13be5aaf1d1fa9cec

SHA512
0a6cd658bd6a1d093f447acef98d15792bcb4198d2cd715d71c0202542932ba9f314d4beac8df2f04cff75a64bc13ca23af4bd1235328b4194bbe8a2dc38088e

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

Filesize
23KB

MD5
ba73ab73e643bc5a7b073d1053783505

SHA1
edbfe4de1552b8e4ed0c168dc7a6fb843d6f81d3

SHA256
9c463633aa9b087348fc8d5ed06a868d883361d4736cce132eab74f6ba76fdd0

SHA512
fafdcfa5f3719099b51522758dc75232c64f25493fb848af8b43be1a88a29c482cfc5233d6fdabd132ec4f859bac6e939ec7e8daf787ea2470319d5843861a32

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

Filesize
2KB

MD5
00e04601f12ae142ed3f9521374b5c70

SHA1
fa31f9cc164d1b6cb8bbccea7e3a2487e477f978

SHA256
e0007b8fd39f36555fe1811ebd5cf47044262e223aeabe3a72d5c2d9435c0164

SHA512
726337d70f747d7269021f1dc51b8c3d840328358cb137274b75507b1804637389f90759777e577779d31ce28686a16ac97456c8b7c6e960278b3bcf9e52a93a

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

Filesize
1KB

MD5
eb252375665e56cb3ab9010fd2aae1fa

SHA1
fb5068ee33a437ecf78e557d9a369dbbb0ede9a0

SHA256
8d01f999bf366e342253a1d9a2f1ca2a4955208be912e76de57da8ce577e325c

SHA512
32c88b5b31def45635c003c914a95978410e173e791eed4250f471654731d06a9632df42dd77487a40a713d90d859cdc8799e0766d321b2a584cc629a3f5d966

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

Filesize
3KB

MD5
d20353acf30db2de011000899d0af5e7

SHA1
0dd1d7bdd140a8f35fbe02c1649479ac3c933f3f

SHA256
e1acc823fe0c84248e49fdf3addb2d5acd153d854c7012979699c16b1bbc7e1f

SHA512
c32d9c317a0acdf55f3c02b82f2dcf08eb16fd3a15bedcac6a264b8c33bfdc2d45a55fa77a168cfaece587b5abd5a01faf6e490a186afc0875c5a8d96502c04b

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

Filesize
2KB

MD5
f5f426a8113a2aac9db70d694f6816d7

SHA1
43358dcea135a956e22afbd8366f5898941f927c

SHA256
f27b9de232d775db6ffaa68468e568d1090e22df9f0e256c897baa57e3ab5f09

SHA512
9f30e9e970854cace8bd5fb886950aa7b51f01dd74f349ac7e9a3542645e9e1797ed971bd3eacd2f349537be0e71c6298aa3ce8fbe4dd0528d5c817e7999117d

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

Filesize
5KB

MD5
fab0b8f968028685cf55842473f0dba3

SHA1
7bf156c4d3a275f0efdcbaf0ecde266e93ededac

SHA256
29771fc8f937fb9cd50e90cb421a91348000e7c63873e11a6c4d692ec7bbda1e

SHA512
90a11a1206133232b5900d2fca99e4644d0a60c4b5871fe0a1f45eae75e1f1e1a5e4d321f3a27c5154ef6a0d665df3335ef97e3c877552da17f62cbc2d488848

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

Filesize
17KB

MD5
a87da1cabf9a1d06bec69d34198790be

SHA1
d1aacc03d5fc388be24840b1593b51ed4b1caffa

SHA256
16ddcbf420cdfdb61b80507666b80fc1b04a89c2adb4d94ee2e067e38031982e

SHA512
d22f53a1e7884a3ee9c7f315ff17e0766bad50516d53eac5637b640f9b5795a3ae6b09f849827cb75c2fefb4dc4a8ba333acb499ed203ec81fb57d43d8f797d1

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

Filesize
320KB

MD5
0640e3dee45648d6a59bc9d7b1da76cd

SHA1
413fa203108e1f53d288345e894493d828f552e4

SHA256
e81e35b8b1bb44b42b2e896292b0867a7cd0ecdbf1af31050cfaf6d0df9f72d8

SHA512
676abbaa28645146e007411251549f1c6725ed9bd44b78b68fc1663e3959b9c07da1a077be850c816824152739964abdb77e9f03daa35b091c5f1f98e3eea435

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

Filesize
1KB

MD5
3a1525988fe0e859e5d162fce68acbd6

SHA1
be5ca28ba5e827c8d46df8c24ccc5d698cb440a9

SHA256
c3024642e631520b7dcd429d86b9f37528b65167b82de3173c4eefc16020bc0d

SHA512
08fbb7b356c37e5e36736002dfe18c1cc48988a5469915fd6f473260961c3befe5034cb5defb1c12f01aceb378a05d58d8cece8ffea29d6381e8b9074ae30300

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

Filesize
10KB

MD5
7a50a4248faf0475fedd2a25d92d0cad

SHA1
ee84729a1a1007f3a021fbb355e034d4f876bbf9

SHA256
44718c32644652d9c1c04cf775e7299375bb8c96b0a2f03b40decb94781a3a14

SHA512
7b71351d93190bab853aa9b0d0e02f6934409bdac0ed7e7604c53f9492e77aee34a4495a31a5a5b6733755cf30bce8eb012552f3144f84da1bcb6ba9063cb6e5

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

Filesize
3KB

MD5
f2032a93aa1362950ba7f46e5c5f2252

SHA1
b7902cdbfb003c028b04542f0ea5046a188fa08a

SHA256
64f12ebed761f2b2b8802ec9aec5b07cb9e04463e73b79440780c31bd500b206

SHA512
10dd983c2b9088fcc0193a8df69832e52f83623cbc0cca5b0a32fac8b8ec240d7763571915aacbc6cd1d540aafc144a340707a69c5e0ae135472bd6ee4b2ba99

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

Filesize
176B

MD5
1b17262b31cc96b60a2387fc5c9eb45e

SHA1
325a3814abf843053b5182ef6d4c117227e29fd2

SHA256
dae90fe64ac0bd2f3d41548b6fd73b0430bb9877d8127819c378b31478649e6d

SHA512
83bc121df8d0b0113fc28fedd0250210985b42bd8f0a65fb3b7ec5de8307eef81b3576129154bd6764e302a25f7ba23d45d87608ebdde2dd3a00f57364b34256

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

Filesize
1KB

MD5
f7ae54fb6f314855aed62a47dee27190

SHA1
d536f9d1aa24bbcd88aa0d83569466ecf1204005

SHA256
80fe4bc76b90012ea130868f8a35844166a25bab82247502cd3c1ae39ff8d22f

SHA512
2b1b336eb5b263dcd57cba39503c02d2e5e73243383abacc8b80adfe094aec4cb8a59ff0924ae0aa55efb8f9c3a539ef2083d731d842b0b0eb6e74d17451d140

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

Filesize
3KB

MD5
eb519f0ea7dd285246825772724a960a

SHA1
148e1bfb9e861f308b06482af03ecb805d2455a5

SHA256
e8516c44cae1d5a98fee52f8a3c036c99a72317886695664c0f4fad4c4a6fcb6

SHA512
9562ed3679a3705613ae8319759fe0be72d4728048267129ff45f9e2926ac1e74d73985bfac5f064faddc396a0c11c240a4828c412b2d3cd00cd6faa199cd208

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

Filesize
1KB

MD5
2b2fa0623f54702b9d2937f6a3e10480

SHA1
1c6ec51d3ff4649b0f8f905fc2dd46650d5831e4

SHA256
d4ef273a2bcc7f0ca535456201395be065b665171d110ff7cae858324b0260b6

SHA512
c93f407e5a3a2a7b4adfcbb2e7e4600e61d9e7ae9fb68bef779d7d7c76a6e009c9fa3d0d93ca76c4301d6ea65173b9a9278129b7cf13f67cf97c9280c508bed5

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

Filesize
28KB

MD5
bfd6bcd07042d57e1730ab035abe8790

SHA1
2bf8a4caa56f1ef6e2ae442223fbfd529f681ba5

SHA256
0b67f2d67183e882506cbb709c0a6820ca8e71378506fa1b79592a1ada81f3b7

SHA512
f7695fc7e83d0b576664a37ab8d1fc2289af850569c2b62dd2d22ad58a30ec66edcd5424ed7037653e74f4dd0a3a341ce432cb1a1f9e1d13f85643f81335c268

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

Filesize
2KB

MD5
7ef1edd884890983a769357ab762ba08

SHA1
a5407c48bb96f2830c7f86603edc0466a001e6c5

SHA256
66184e469c49bd0d346016ddf708467dab4c17caaf2a188b55813edee3a83dd0

SHA512
a19459ce5618189b94f7e7fcd146f7cdee960369c6c6eacf3347c6d5935ca7143ec05c2fbdb82692cd97d5e5a4e0a05a57fca6862c14d645ee471c3db0f5bfbd

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

Filesize
1KB

MD5
3eda2cc60e483e235aadd7fb87b9b5d3

SHA1
94591e82429cf63e5a6770bd326a7aac334668eb

SHA256
a53785cae8fe3475bdda7c740bd932a7e0a7a0d6c54d9b1043cd2e41cbfd62f7

SHA512
f50a112601af14e209eed516271fb46b17030a1a9d103ce4ff0eb4f8599476c497aed382a707a1eefb1e51927187d46cc0580383fd76d7383c9034fafc083582

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

Filesize
2KB

MD5
0d20b2cd2de9704533ac837a40d6afc0

SHA1
023fc5bf0cd86e942884666e8820b6a3f804d649

SHA256
4d0434a25a811aeedeefb3b5320852c3c4674a01d540e19961da89daf5855b6f

SHA512
3ee583dd95989ed6ebbe9cf50db42c589f1182cbe76ff7acc26b9fdafd1c6b52b64718d9e85e2226deb9f3f6e07ea59b8dc170282803993b01e740f1f74133b4

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

Filesize
1KB

MD5
7dca0ba60b72635bb28f3f79229b1b6d

SHA1
a6626e652322572d04c345c028334447d3844e61

SHA256
e9bb2ee03e572ce68e1551d6cfc4635e3d5d1c0fec5ab60a9b70ea6088f4e2da

SHA512
ce1730634995cca10df463294f48732706b18ff39d80e872bbfdab1fa9190848411dc9b1f1ba185f261e5e0bfe55047290bdd54c904e78ad2ed15169a0095792

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

Filesize
1KB

MD5
e49bd529af3682d81a40dcee08f2e9c5

SHA1
c637760976d77fc05c549c399d20847d78473303

SHA256
b1240a7446164835acda5d5e613875b591575b6f5f50aff07b3ea99dc05d586b

SHA512
6cf547cbda6a650681bf5a13831051e4649d87d6ff895d52ac75099742abdb71253b6da02bcf8b7a946cec7e6184f7e95c59c5ab12181be56ea33d3dab4f595d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

Filesize
1KB

MD5
ded72ed670fedb5485b798dac5e482cc

SHA1
8bc714c115ff7a8fc6ba1b6c329016f54cc38688

SHA256
cec77e549bbb802788d111c045131ba98b012832c6d11d72b9af12a8464839d1

SHA512
b18fe888c4b6fd18f608b9807d4ce3f54f86891ce3a313d4278d3237c773f71713aec945fc3d7c59250946efe66fb2f4062a679592342efd16f847efc94e2980

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

Filesize
3KB

MD5
6dd4e3a06511b2936040bb3740a6501e

SHA1
9d1d47aefc8e0f117b37d40893528bd93b65cbe1

SHA256
9544f4c27fa7159cc17cc558f476f403b9f900c476e5adf840abfdba714cfd62

SHA512
0ff3ca50a03b9d75a485be0c49a3a9817d6b59659a7e9d543e19e3478bb8e73eef5976d068fe34ccefc56fd11ad2f4342a166aaac7aa8a524c4b6d77f7c02322

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

Filesize
2KB

MD5
898d0c5c4275f6df739aedfd55c565be

SHA1
2f671dc993ec5b326d706dadc11914d6592823f6

SHA256
9f338351b230de569a87d881df6b7187d617bdfd0edfc1df568f9ce60f1bafe6

SHA512
2026b2b2859d87cbfac997a7457cf63eb88ec3cce095fb13d7de63be25f2bf0290340114d82b2df7a4aa355d7a96748d3411d81f9c354d9aa621f5ec43ed99eb

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

Filesize
6KB

MD5
b76e79a0a643bad20b285ebbcbd68f2d

SHA1
a6b48275c43e1fa52f905028ab67b02757892cfb

SHA256
ce8e47e2e367231d63664a14bf3b7626b616b058c06049d72f9ab25579645f48

SHA512
33e48a5c3564050625e24d09fe057739d0ef7286d929ed12eef671032c68704b99424c7dfbbd184a0aa6ad331d381d91ede49a79108ac93d86e4168aefa3ed9d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

Filesize
5KB

MD5
472874f127f4e672bfa4edbe0bbc67b7

SHA1
8939ed4564aecdf19913aa1ddfe709dcd5804add

SHA256
f62f7f0f9ffa5621bb7b3571a8ca539ff3aea539a7d2f32c165da75967d40cb7

SHA512
36a854d14a93952ba7027a30b8aeb0ec8779e0dc68653dbfb10f0b14f3c7d9ee235d1f359e6ad3b8f4f17b161c2448bcfde52b00dabb6cede368d33addb7bcf1

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

Filesize
3KB

MD5
20eac7e0ed3a97eba683fa61e2c89467

SHA1
5ec862c45bbcf408d0c8c44d5675c741eb78a740

SHA256
302c1191f98f80bdb92eaf7cd45e43a21bdba6b7fd01922bb2e79836834e1483

SHA512
b31a6f0713617ebc5584154fc5fbc0f8d281b7e25369ade63616a02a982325c8e5c08b00eced4dd9a8970a0e75396c27a21651d15cb12e59a09bddcfa8ce0dad

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
a5287ce65ab6aa0a25d57dbe141be7ea

SHA1
188fffec7e307db4e5ed9e7fcbf3620b46d26977

SHA256
2de3b9c915c2a1fff576e69f4151728ce095cee4d3941ff910c9510d75207c5f

SHA512
245e47588a8389cf406021f730182bde0888ac165eebbc6d3c1ac22fe5a2ccde3271a5d636d128150f74ac4ccb1e7dc35c373fff06a8604b67abc2412d22a3ea

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

Filesize
2KB

MD5
11765a22ba45881087cfe17b568bff4d

SHA1
afaeae6cf8bb1c608a619ec322addbe43bd7e999

SHA256
5017516a8c5fa5a05568474433f0fcddc10bb930e66c4fa631ec073cc5428551

SHA512
91fae40e7bad0f05fff37b4c77d385bce8d913dc92da734428337781f078333da7f87bf34a8c5b8651b228388bb8c1a67921d947b064f2011ec75eb672e75d0d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

Filesize
1KB

MD5
a1ba818596b916c2885d6173048f7999

SHA1
0b7f17100c9179bd22eff29a7e084856e3e7b62d

SHA256
1af6ce7710725af9c0fae20a4bbceb31aaafd9d2deec7ce6f2a151ad9889cbe7

SHA512
92b4c3cc3473d6c5241959059c3bc198f011a2963358b1be2435aeadc5270e4b2187ae6750c79ce1a6c122619bd3e504123f21c6b4ad8c0ebb2c091a401ba9f7

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

Filesize
1KB

MD5
9eedec1012b1f6b1d5ec5032a38fade2

SHA1
375a60fedadeafdf17777b3d6b6f3f63834700e5

SHA256
27ed62627b42884a8b1c371c231639e54a301e11fe7df7af3a695f8477a25b6d

SHA512
de6d41791d56cc097868256b33a32e3321e27d46ab309b264b82ebb32fdfbac6178f93b2247a8fbf1231977feb2a31697655714ff05814be6cdf7ea7ce7e4a3d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

Filesize
11KB

MD5
dc6654dab8b4129ddce9c8628e151974

SHA1
a8acc7d551d960cfc88e541506698b6a20fa46b7

SHA256
f11568d052d178c7022a74209a1ade6fdcad21704cad908d3dc015dae13a5ee4

SHA512
931f14fc42727188d46c6c20a80b7e5746fea1063d7a4c21baec70fe213057cab63cc05e2b53290b9487ed39979eb0bd169cdeb02d89f6df477e365c2066c69e

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

Filesize
1KB

MD5
fb7909b7b83ec19bb2a474523b1f25fa

SHA1
7e58a0e0f7f9272c231337971d2c311b66f39ebb

SHA256
8f43faf89bf2a6b938921c362bed33ace59ab58b7fbd9d25d3f2415f41f47b4a

SHA512
e4aed577d5d8dca80108c930ef1cd63162d8bdba8162978e4a5718b6103a25a639d31a7c61003f43b15cc414f8083d7360979fd4fb8cec9cd4f5bb37f7ed4751

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

Filesize
2KB

MD5
addc950af1863a635e6d80bce758bc71

SHA1
ece54f995172e587ade2e9351d31cb4a9e731fe0

SHA256
b624be532919b31058612383346a9e77f14664616e4cf4c05fae5732cc2ec18e

SHA512
2ac1a62a956f27d1b84c66581dd6d816cb4bb77bfe637fa0600e7a0e6e9cfef17ef056e4b46841538b104a67e7ddfd5b6070d27f22cf93208db4a5cf19689ffa

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

Filesize
11KB

MD5
2027ebcdfa80c9b7a3d62adeffb27231

SHA1
7c64ccacf704509e3f13eaccb3a3b69d88d3bcc5

SHA256
bda634a4d5d456f54476c8927ea1a5628967ac2c5684363d2ad4e7ea35641a77

SHA512
82b3abc28f9ecd59aa11f007bc0ead58a972c8eaf295cd495a5c07d0901ff45217651b7430460915df4a2d626d81cbe21d070c5ac9dab624d4fdcdfc08d06eb9

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

Filesize
11KB

MD5
e11555c0ce754084160855f75c8a1b09

SHA1
a6ed4612677d31cc0c5294d97d5140b781e9d3d7

SHA256
7c0c7486ddd2082dc44fd5d6561cbc3706182745d19b7a50a8e83a94f68d061c

SHA512
994fda01c0a0c288aa6ae71258bfc726716ab41e472d3810235cb6a76a8b8ee694565cae1f05c236ec964dab96a9b34c38c18818d4fae4796dd104f65e864885

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

Filesize
11KB

MD5
2f17eb7214747d8dfa8ed2703c134470

SHA1
5e2429b91bbed00d76fda2747dfd2d34e6853112

SHA256
e07b416a6c4b93beecbefcb7469d41567e603193aa45fa9c005ab03cd5e3da46

SHA512
22b0efc0f0fe846429de9d12af59c815f088ee6ad832678cf12adce7e4fcf3cb83ed464c747b73748dc5b69c443a4f6186a3de28b02dfe65970340d299615c14

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

Filesize
1024B

MD5
4992d75ec0a36b18858c4a119ae234f2

SHA1
b8c312f923139c277d7d1f870ad61328917dbb91

SHA256
e06bdd9abe439ae5530836324ddfc6ae01cc0bf5204e36b406b7d0b74099c3ff

SHA512
dc6671e17784f00fbf07ce6ca7ba8bd91d0671d2ce17631a17fce7c354fe0cc1cdee6f190a328842b4efb9f839f109bd69b5384a2dfe0aac78ea61aa71b0b636

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
48B

MD5
90471f2c462abac26a053adc8bbfadc4

SHA1
56bfb8295d8044fa1a804965f77ac6fc42a99f42

SHA256
1ae2586c00d002d1c4ab32addedb18e403fa0d36ec97927e439ad4ad99624ca8

SHA512
6f64fa3922fffa4c50ba48c998bd37332807a447adaeadabb8282e7b44d99a8557ba0af35c9e19cf8ba7c8451fe8171641ed7db111ea55c341d1e50b1171e83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
214062821c59f36ac6ed82f161d244fc

SHA1
ddecee49d78dba43a090f3174a1361e44be4f0aa

SHA256
4573b206ca2a1719b2b3939dd9298acfde158b04cf944fa1c75780ce39b668e6

SHA512
01aa91386a034459a2cb9554ef27f73d67cb529ef89e6dfdabdbc339d5f7a15e1aeecc526012b6d9e6628f9d3f09dcc2060d5a4f866400638dfe73c6b3d27db5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\2e77708c-f0b0-41b7-bb62-0f1faa0a86d1

Filesize
982B

MD5
6a813166c6fa33a62ec7f173788c4d0a

SHA1
1230974b5984a99cd8a8470b8137171cd1d71abe

SHA256
26ff2c187ff745c60a743d46b766ca2c9e45d9a35e29912fdc8e97670f0227ff

SHA512
eecd7c53ad94d580260eed991e977bb4be45ec1d4bb04c6ba3b43c92f81d8aa2c07228ae08e65e32b3d930d1f5b331497e4bbe4bb565428e1832555c157f7ae6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\742cf04e-df65-42d9-9057-734ceb3a05a4

Filesize
27KB

MD5
094a440e705fb0aba368721e2f6548b4

SHA1
23ba3b603bc3effe65f5f3b0eb7b72bbc155ee9c

SHA256
9b00a1bf026eae91212f14f0675a43c20c2576e3c15677dad2a6b736785d9252

SHA512
8990694bafab21d6ea7e45b70632df162bd81063b330e192dcea8a1768e68e07cfdb6c05f7f5a156ed207f027f3811f4660ac10f004fd33316ee391372ae3097

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\c0346a7d-7e15-428b-9534-3ee270d67ffc

Filesize
671B

MD5
0e67c44bab17634facfdb584addfc66f

SHA1
f301a0e1656c1856340da1b583c348f8afb0ce05

SHA256
d16f29cdc3099b71e7e391f614a239b0d91abb66de37df6ee466ed82bcc4d072

SHA512
a5c6923494033f9aae6feeccc3991e6b81090ce7071ac71ebd47e95e323853354f53dec399bf50cefaa8f5a6042fc0af4c341b7c8263ca30d4745630c558e81f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

Filesize
10KB

MD5
3f6ce88d97b51053da82e754306ccf00

SHA1
a1849f8bab3e7e98ed2bc95a6f6dcd72d0f98795

SHA256
ca3f7596ca30ff5def29fdafe3aa7250bab7167c2c2e9d60b0c93de884778ac2

SHA512
4688d9cc4cd7607f06ff6b1fdebe8c33f4346c1b17929203077fa51a14ccc09ae12ef155d6bed4bc235b388cc360d26c979e532da65a14387a4572459e788622

Download Submit
memory/744-997-0x00007FFCB92B0000-0x00007FFCB9D71000-memory.dmp

Filesize
10.8MB

Download
memory/744-507-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/744-508-0x00007FFCB92B0000-0x00007FFCB9D71000-memory.dmp

Filesize
10.8MB

Download
memory/744-506-0x00007FFCB92B3000-0x00007FFCB92B5000-memory.dmp

Filesize
8KB

Download
memory/744-996-0x00007FFCB92B3000-0x00007FFCB92B5000-memory.dmp

Filesize
8KB

Download
memory/3016-48-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-34-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-135-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3016-134-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/3016-133-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/3016-5-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-6-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-8-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-10-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-14-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-18-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-20-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-22-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-24-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-28-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-30-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-36-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-42-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-46-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-494-0x0000000005770000-0x000000000577E000-memory.dmp

Filesize
56KB

Download
memory/3016-12-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-16-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-0-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/3016-27-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-130-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/3016-38-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-40-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-44-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-50-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-54-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-132-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/3016-56-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-58-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-60-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-62-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-64-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-129-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3016-131-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3016-32-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-66-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-68-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-52-0x0000000002670000-0x000000000269B000-memory.dmp

Filesize
172KB

Download
memory/3016-4-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3016-3-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3016-2-0x0000000002670000-0x00000000026A2000-memory.dmp

Filesize
200KB

Download
memory/3016-1-0x00000000022A0000-0x00000000022D2000-memory.dmp

Filesize
200KB

Download