fantom | hxxps://github[.]com/enginestein/Virus-Collection/tree/main/Windows/Source

Analysis

max time kernel
199s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection/tree/main/Windows/Source

Score

10^/10

fantom troldesh discovery evasion persistence ransomware trojan

Malware Config

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>CDM/tqDYHN+HOccMPvrvXK4PP93RRvFwWfMMJmMO0UAr+Ej9UY7BXW/9EbwS3DSt1slnz5yGE7JuurpdqkQ927QZOEIIpLeyIcgXDvodEF6EjrqF4xdKWABqskYrCsjuZ5t0jpm/0BcUrCeKypvdpntWQbMFX3iAfJ9nzck3CbFHWaurd6/o2M+R7+hxnLB02ZrL3I4a+RhbfoNzfuEEdOqnn+pPfqjnqbmrjSYAzJBz6s6r+/PmAEyFnoEtoX3nUZ4TvOkB6spLndOVnYBiqp0U29DdZDFpDKVIQmizskUdMYQ/9vEqb4cuWVrLOVgGpbEZH3BSlr0zco3VkQ6QeA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\PerfLogs\DECRYPT_YOUR_FILES.HTML

Ransom Note

Attention ! All your files have been encrypted. Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets. That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us. Getting a decryption of your files is - SIMPLY task. That all what you need: 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] 2. For test, decrypt 2 small files, to be sure that we can decrypt you files. 3. Pay our services. 4. GET software with passwords for decrypt you files. 5. Make measures to prevent this type situations again. IMPORTANT(1) Do not try restore files without our help, this is useless, and can destroy you data permanetly. IMPORTANT(2) We Cant hold you decryption passwords forever. ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. Your ID_KEY: NrbzjR/mVU8GUTG2qQTcR7mXmXmjWmsJbYLqa7ZXmk5MXZs5EuZE7welc3vv809+yxqVwebHcVRXrj0amktqt+SYiMueHOA3d5ygXxHQea5aNwSEccu+ZNzhPJe7VxiFbff8Q3uDig/UTtOxjxEpZ+5/tfeikfBSTg06QzkCcVRFUqdBR+UIhZUin6jClNzI+tK7wNANi4wLB/NzRRWXTXBzaMjEPttfTVMDfWJWMNmcp11qFPxBkcwLFtRJkXt7dQTXGZZz3tTFItXtZx6X1YWP2vlKBOlBFf8KRlc5CfdIIJGiUVUTe2ABGIP9g2TD+SRPNEm1yribk4+1LvsP7g==ZW4tVVM=

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>gHBlMePrpUEpYIePBCy3zXzJCbAKyJddbZkv2OiRBbWSsrAIfC1jqVrqil/o/7kuGXmaQDCAoPlUpGJbLvqa/o8eBaCFb3Y7uPGdpdq27t4BTIsAyfL/TUzx+3YjXB06BrQ/BambpejP7fNOwWO9XxIzOeHiJFgNSKPy/w/Sp04+v9XLmCALItqeZ0uXLTOtmICyoCiZBQTmdyh7SfK8RCQ4yuCdMZ9dh5FfZ59gMPhzKjZQW/R/fvSOFgKqmoPsyzHP9UA5G4iD84bPzZPpVq0WdHAGg6oYaFIRVtuVpgtUlScZiNCViCoUGobGYp6YLbkKxMTNsjKXu3zfgASBHg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Fantom family
fantom
Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Renames multiple (1029) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Fantom.exe

Executes dropped EXE 9 IoCs

pid	Process
736	Fantom.exe
952	Fantom.exe
4152	Fantom.exe
5168	NoMoreRansom.exe
5284	NoMoreRansom.exe
5216	NoMoreRansom.exe
5368	NoMoreRansom.exe
5404	NoMoreRansom.exe
3600	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
135	raw.githubusercontent.com
136	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_02.jpg	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Lighting.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\12.jpg	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\styles.css	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\View3d\3DViewerProductDescription-universal.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-48.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-96_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\progress.gif	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\CottonCandy.png	Fantom.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office15\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\15.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-36_altform-unplated_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\View3d\3DViewerProductDescription-universal.xml	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\ModifiableWindowsApps\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-180.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-20.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-lightunplated.png	Fantom.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-200.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-48.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Retail\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-40_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_OwlEye.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TinyTile.scale-100_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-100.png	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\external_extensions.json	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\202.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 902786.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 197056.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1640	msedge.exe
1640	msedge.exe
4076	msedge.exe
4076	msedge.exe
932	identity_helper.exe
932	identity_helper.exe
1396	msedge.exe
1396	msedge.exe
4000	chrome.exe
4000	chrome.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
6116	msedge.exe
6116	msedge.exe
5168	NoMoreRansom.exe
5168	NoMoreRansom.exe
5168	NoMoreRansom.exe
5168	NoMoreRansom.exe
5284	NoMoreRansom.exe
5284	NoMoreRansom.exe
5216	NoMoreRansom.exe
5216	NoMoreRansom.exe
5284	NoMoreRansom.exe
5284	NoMoreRansom.exe
5216	NoMoreRansom.exe
5216	NoMoreRansom.exe
5368	NoMoreRansom.exe
5404	NoMoreRansom.exe
5368	NoMoreRansom.exe
5404	NoMoreRansom.exe
5368	NoMoreRansom.exe
5404	NoMoreRansom.exe
5368	NoMoreRansom.exe
5404	NoMoreRansom.exe
736	Fantom.exe
736	Fantom.exe
952	Fantom.exe
952	Fantom.exe
4152	Fantom.exe
4152	Fantom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4076	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	736	Fantom.exe
Token: SeDebugPrivilege	952	Fantom.exe
Token: SeDebugPrivilege	4152	Fantom.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 3692	4076	msedge.exe	84
PID 4076 wrote to memory of 3692	4076	msedge.exe	84
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 2192	4076	msedge.exe	85
PID 4076 wrote to memory of 1640	4076	msedge.exe	86
PID 4076 wrote to memory of 1640	4076	msedge.exe	86
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87
PID 4076 wrote to memory of 3820	4076	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/enginestein/Virus-Collection/tree/main/Windows/Source
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff697146f8,0x7fff69714708,0x7fff69714718
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2140 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3456 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:736
- - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
    3⤵
    - Executes dropped EXE
    PID:3600
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4944 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,13949792619944457841,16103195121258830426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6116
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5168
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5284
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5216
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5368
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4584

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff583bcc40,0x7fff583bcc4c,0x7fff583bcc58
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,17191240144367140359,17303660632868301253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,17191240144367140359,17303660632868301253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,17191240144367140359,17303660632868301253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,17191240144367140359,17303660632868301253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,17191240144367140359,17303660632868301253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,17191240144367140359,17303660632868301253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3800,i,17191240144367140359,17303660632868301253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4416,i,17191240144367140359,17303660632868301253,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:5216

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
f32aa15db031f193e1e02ac7e27a1d7a

SHA1
7efcc17eb8f20a9f7c0f17c34911bd3346654f72

SHA256
02b6afc15c62158984d5ea2006971d26cff6df212f0025071aa2a64d619d892f

SHA512
08685d3587060ee45415fef8007e3d5f7e01303b41179b9d9152658e5f42902910cfaf73abe50df487de767098fdfd50b0072357dbf83f54f31addcf65c8e0a5

Download Submit
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
d0dfe182bb2ecf3fcfeeb97ae9633004

SHA1
a21818d2e56d5be21c1bb409894a1e2432cb6e83

SHA256
83078ff00197b6204e0d43a0aa6b7e2eee554089d35ba05979b6ba9a3391ced3

SHA512
a8603861f37fb0bf65102dcf46f12a22f148be0cca46a70e7f2487231824c49c7d3b9f82b2b9791af05c1be4d4f5f7a0a2cddb2d30069d69cc4148e140a5db5b

Download Submit
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
dccb53a2387ea4b4a7ff6a315056aad3

SHA1
a3d3e666a73bc88dee7577d7c9af49f0fee2320e

SHA256
dbe582da4e913c763c7cdef743644fff58841badfebed59570bc183c02019f87

SHA512
b071ce3f0e205f61db2ba57d71aeaf1ec30ecf031578edcd30b16a9ffd0af9afb30a84e3b548c8d04b4d0dac670efd39a1e4eb9c08087497ddb553076dacd9b8

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
15209fbdeaba1f6ab536ad0697b5c76b

SHA1
b392e3331745aa35dcf87cbbcb525897e9f7dc30

SHA256
8e94f1ec29a4ce31aedcc30a0b2d87fe5bf30538b9c8c25604dde80dd036e857

SHA512
af60b4c8a0a69c876b7ce973d9f2e4fa644e36ff18a348f6e10de97586e78553150f63c055604f071895355117af461efae406ce8dcd061c7cbf5a5caa4bf5be

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
41698f941cbaed17752e716c5b9d9b44

SHA1
b639bfa335e78cbaa03307dc3ca44ce81529bbdf

SHA256
9812bc7fd8c176ebc63968e9ac75c5d6f541e9958ef0020333274e4e3916315e

SHA512
a9e2272119b9eddff19708f4714b68ca90db93bda32d4d4a65a845f77a40429942bfa51be37b0dfbdc307193d50d859c2e6ae95ee8134c4757e52f73f49b392a

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
176B

MD5
aa9e316e06d8f9ff5e8a2d6acd1266ab

SHA1
c21424c7d0632018856f3c5fd3fad03cda424352

SHA256
ee2055b36e97ab3dd56562f9f246b583afc4ff249b0fe20268639d5191e0ee99

SHA512
f10549736d68bd785471ee6cd3cc6c8ad02a1248a999db1e4471487b8039b6e9cc33e6a9a5b93dad51f7bc61f04753434161c61e25369571fb85f71ba0d1f8a3

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
192B

MD5
2715ef6a5716b933aeffaeb70df1f8d6

SHA1
a8eacd9178b04236f8bb8794932d98f25990b1d3

SHA256
4b03013a28a6d32df7cabb33d5de9d7025e824dfa455943fb90b0f837d4a8165

SHA512
1c5d36bc673160b5174b2793c5127886bdd0e59f959fc194dc297d65ef945765264c0b8cf57f40e931ece11961de8b31ac1d0822a68197cfabcfc0148777e65b

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
192B

MD5
3a7222a4d2ba26aa2f6ac87a83f742ee

SHA1
ce068581a1a3db7d83236a87fb79c547f7e06ec7

SHA256
52a2c5911956b0fe6e1bf55f0ff26e48438766dacd2ec29c5eccf86d9e256a39

SHA512
5675abcf9a188443a85683255ab106123d780fb96f53f67fff7b831b019ddba968602378ca08a527fcae69d833088c021dd32cfbaf8f31d2538323fe56221188

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
192B

MD5
a227bd418afe8cd3b89b1a9e325adf7c

SHA1
16e5cfe4925c6cf79f10e14d9cec9df18190fde7

SHA256
4b9b9021aa5525c00aaa43d4149e5a134a1b2bab5d98de595fe9c3ef22337260

SHA512
6ef9028556f85d13d45d4ce24199f8fd4b5c9fb55331d91c98be280bdc57743c47c3f40668930e3d83192070f150e9815fbb31c63db713a549335d8813621756

Download Submit
C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt.fantom

Filesize
1KB

MD5
7ac11b3d55f4b8cb5df27e0e06636429

SHA1
ec5ec34ea6f6326ad6c491049ce9cbbf99d7a9e0

SHA256
cd8fbc8702cfb78aa15cb9e8a441b6e86407ac493e8c6b3a1dbfb9817840621d

SHA512
700695b043371d5c1cf19006c5c06930e296df9ef50e3ce07ab5bf01c49f600cc6dbfd71e083e8e8a1f2a3ffe17e05a7d56949d8ad1284861618dd2cd1e0b991

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

Filesize
1KB

MD5
254473adfafed97a21dcdbddfbfd83b7

SHA1
4572f6d0fdf0017fafda379a12a97b47edcb975f

SHA256
d46f503aa95d50449c2d3cf248c996ecc595ac4d5c8818a18114abe6f464cb49

SHA512
5c5b946170ba9d9c3579a75523bbf954a4f8ab0d4c3735659736b7ee03cc8caac7e6d023dd66980efa38da741a7666db46866f35c778324e94763b9c2697a49c

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

Filesize
2KB

MD5
9643370755362681d8831ceb284a3bd7

SHA1
79eaf67ac1e8639a19dedc0530b163bbb20797f6

SHA256
db01a766d317f9550b5dc47fe5ff7a437c38f03e57c36c46f24ad0ae6f9a80a6

SHA512
70b6102c5043ce7566bbe616205fd7f5c97b0b80855004a2ba08c738420f195eaec6943d7ebf61c59cc7a70274939a173571abdc403f124c876d2725f4ce32bd

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

Filesize
2KB

MD5
fd24a2631b94aaf792ce2ebd8fed1705

SHA1
2cd2523bc59479614ba844555f5902d961035ff6

SHA256
02c441696058405c0b817d2659bb1f5258d51ccbd2c729da9ce53e0cf319a168

SHA512
13069ce8cb9de5ae43065ce32da5e9a323dc30bde803e471d9e1fa944a908d818aae6f32e9eb85c463b36611266f86f6b44ff83cbe385f3933d1b64839383656

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

Filesize
1KB

MD5
ce061198802a9293827c97f7b4b3541d

SHA1
21727aa649ec1e618a806c8f785e9e23c24d39af

SHA256
5689c0c79381697b2f44e8eb0863d119608ab52f581aeea62640790e5e24fb80

SHA512
494d3b192188a98d533ec8f431647c7adbde7278054f420d6470f578e21d96af1221720bb714da98030400c00a07a836c76c1856e5ad8cedda1543e8aaf8cf33

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

Filesize
1KB

MD5
cd1884e0aec6b9cccf8fb493cb2bda08

SHA1
92cea6f8611a0509b368f59c88e080fa3888bf10

SHA256
28a87facd1919be842efe17eab12276dd856de492c9da73fd8c9580cc78c38c6

SHA512
108a82c664a698bc7af645fbc46449874c1dfb64c134a09f2e7f639bab71236d4850b36efdf4e73a77b69c99dfd4f066682b8177d4284760aac50029d294ebd7

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

Filesize
3KB

MD5
4c302146b439dfff1d5491e47bdea35c

SHA1
3008a332de166018df3602a702878f871f8e04eb

SHA256
7c063397f4c13a05f251adbd4076d1039a43e7b47a1ca5f85752a163899a385e

SHA512
a9615e145cd72d657b68c367f488de04164ec3489bd2c8852d391deec7ea657ccf45093497ab8205d3c6fc8d4ff300b9affa7b851076a6da8ed46d7b136901c8

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

Filesize
2KB

MD5
0e424e662d0e148568cce6b91a2636b7

SHA1
51250dd5851ab73956a653e4cb3ef8ecc4fa393d

SHA256
63f0f9b0ded39107e4cde380b04335504e11e9df6e4027e8423e779d8c09aab5

SHA512
ee8efb5a622883f9ae186bb6a96136bd8729205f230ae20f9806b13a66bc9ec2bc817b554e428a9a39311e60ae16b9dd508154cf478517acf59a881758a2a0f9

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

Filesize
2KB

MD5
51df0f82bfabbbf88bb9ba0fe4f969b5

SHA1
9bc8c4d0fe95c7a745ce0c897657d6e73a010326

SHA256
c064dbf25f87c09ad4caf376bed1c5626bab108e6b0c97fe16beac5612bb0c45

SHA512
68921bbf31465825ed11723f7f20570b7756f23b307f52fa13312cabc98bec6a041382d80a0ab8f69e82cc7a3608113f5e1b207e816b80b3d2940f33fa40161f

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

Filesize
2KB

MD5
d1a27b54b5409c46d3226bcb0a1447be

SHA1
7a6b1cc24bd61c3c075d4ba3f3e22de95127aa66

SHA256
dcc62c7340a5a7af149b5e312b8cf093ab27a6370c7d96c979862b3ab5f4830f

SHA512
3e04541db18966f7ab71e3186570ce73d3405f1d33954aa4d741ebe46f0b3931f3006493d83b55ffc0fc53b7b2f9e8ec09120b7e82fb943eed73e0470be1be84

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

Filesize
5KB

MD5
76d94807dbceae5357c0d017421b38c2

SHA1
60a49476bd0f5df486c28d9b8a2f2d13f0a3c980

SHA256
82e4c5156e39e2748d5fbfd23b05382b587952cdd3109bd8adb41a43b39a6a67

SHA512
ff0dfb1d09a1e794aaf93fd5899c32b57a561dbd056d4905814b727f9aeb1b935529b73f1e7e81a3c89ed8e22bb4fdf1c2a36bf2822a8775b64789057c57ad61

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

Filesize
17KB

MD5
4827909d77a1337009c00df840888762

SHA1
ae553ba03be2d66b6c03489084666788a9815787

SHA256
0ffeb24b3859718a71a270577e348d5ce834786c67648f7abedbf4a53e5d2f84

SHA512
8f1d1bd38b3ebfd4cdc926e12628acc87946b6dbc1d2bbf1ab8e27985a01076b5b78026c838b07373287690364a786661b1722c9299fd543a56163c164290671

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

Filesize
320KB

MD5
a3f166d6f1e59a864e3e06c8c5cf95dc

SHA1
6a9698f74868b4719ca71c6eb33991330dc1fc93

SHA256
019c339603f0b22ffe9fe532a8af28f1dda0e1ec472940c783581ffcca0c6afd

SHA512
6d07c9dd33a5f85f61274d8ce9e8309cf28034caad5d8201c6cdb02efc1bd49f57ad6f87c59d955ac59d80844d8993b70f49936df25751e2e4511a1a66c962f1

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

Filesize
320KB

MD5
f4c1ccb2c776a672abf931459d67ee01

SHA1
3ad17f6048858394c6bb0626491abc13f61c2a61

SHA256
a319ac3b308fe655f928f0faf5e8edfa9c52dcb8fcc8cb812018b35956be344c

SHA512
163b717e1104e637e498b0f51ce036f281c77133e6d0e44bf82074bb7223a8d138e7dc75558e5464426e82c000c2481873720d0e12af764cbfc14732d8946262

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

Filesize
320KB

MD5
4541cd081c336c7303a56fc155eeac22

SHA1
64546d2a5a500152096f7ad205035db4a9f981bf

SHA256
91f9f2d39178a637bf80bfe7f8a0284ccb837ebf751a883ea9739b63eb0979f1

SHA512
3a62734a54bbf778713464ca68b1f9631b505134cea510ae5085abc5084e06a653731edcde7e9e12ef80cfa97f42a43741dc2cdb1eb9c45596d81685f57db5c9

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

Filesize
1KB

MD5
361fe800bfef0649d34a1d3d79a9c7d2

SHA1
86b0be54a9a0414ffa6b5876280b54d19aed1553

SHA256
4f94bc54f2beedc788dc228625ecdb9dda4936c6537f1075abd6b9a0a7868685

SHA512
247b8bd2fb00c7b55c75c154cebb1fd8caa1aaa15f909cc2ca198582d3a0a543c5b9182e060ce4d5bdf4e23e3f8521e261ec3f4cf8b938d831998081463063a2

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

Filesize
10KB

MD5
7a05a99d287eb52352ff5602916eef20

SHA1
c0b98874fe9be4b5988233a80fe08d868c49921a

SHA256
59f088e3a14300e0047bbe7c3be529831f2385dc13479ae515f588a51f00dfb1

SHA512
f4bd2fa851a14d8063c4697adefedcb710f77ab0798b8c4784518d16d657cfee8d8648873775018e93e3295718999ac5543b31167ff48e9f1879b32af76f5ee2

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

Filesize
10KB

MD5
1d53600d11af82837b900e666cc41c35

SHA1
956d40081508942c86231936fca52672db6817b1

SHA256
cfe6dfe7360a24d8c38020c45efb5eca09a1078f2a3b94c6356a60019a613d27

SHA512
8ddff48413aaef5fb5d186fa57fb7e6e84bdc16d220f591d6808d7a9a184d1c07959ea70b28cf04f51bc66d7685198402de37ff3f4bfda8f21885283fffddce0

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

Filesize
3KB

MD5
08428a2a1694078e1c88664520989e4a

SHA1
d19fd0ca6e6c8e21c4287888fbdf4c7827429695

SHA256
aef3e7965df2f621e5c398786eb656281ca44f1e7df32c590df339a85675e957

SHA512
c082c059fcb9da1bb13dec4c56d8d7f56ffab87ade8f90bb76e40f97b82a77f4a9352f2d3482138d0bec635fd5b20b94a27843b3e1dcccc390fc1b4cb60b32cb

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

Filesize
1KB

MD5
3c6fa4d8d8aabfe06bec1bf8feec7fab

SHA1
bd8e04520cf65769ef118a2ee2deb4d629290359

SHA256
317ca4453f0a4477f8448bace3570cc65f99a79466d04de840c7cacaa5937b20

SHA512
fbe780417f3c0b09e4acc6e9e764e70352f3c09eb250fb5ebb5cf2ebed442bd6c6807875cb19aabc03c83ac81e7eb2c71265f39ac8022094279d36a5da17db19

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

Filesize
3KB

MD5
d13b6ae50b7cdf90f3102f086e2f1bf3

SHA1
98866b64638f51ac0750b9e115e2d4a054bb74b4

SHA256
95aeb64b2bd594f3cee7c4622e9509d5dc127ece50a0760296dfb38457b640e1

SHA512
da39d08ae93789ce4dad7ad93fb3e1a103b073cef5ecc84cb25bcc7807c5f196cd2322a26af081165641e86c4de91256eb87c3d0b4e8944b994d86b53adf5f95

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

Filesize
1KB

MD5
c7286198efc233a6ccd38e7cfd82caae

SHA1
8cc8e277fa5fa62c01fd8e74faf3f90f89e4d460

SHA256
3e00fd9cc5dbf77ec2480933c57ef9376e27af4a06de7b6738f62ce9675a2c2d

SHA512
9f9874994faecdee0f8e467356f68757de2a49733c6c9f9cabc0acc6affade224df2e975b849f07ef2a2ccd0fec5b57c063b42d98575d06ea377620ee7f4805c

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

Filesize
28KB

MD5
a571153c8be95f742c58b20907ab68c2

SHA1
23d8a158257fcdb45f61d84d02dd3c813e25a4c0

SHA256
e86525fc203b204fdd488d9bac5b7ecf99f41870177782356e32da965a17836f

SHA512
a34974d5269e743a1201db6cb48e45c06688d4e45dee46244e78326916a169dab2ca524ec5881c0cb6a49cef4228babb9f208ae8f6af9f94c6e761955b380d90

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md.fantom

Filesize
28KB

MD5
838c58d80f856d2281fcba0791c08ffb

SHA1
c75ee2f99f5a97f1860e5ac4573a05ec34a74cd1

SHA256
6e6347d7cf746e4aaaa4931097d8f5830144c47b05f62dc64c13560477e6b592

SHA512
fa63a3fffe3f9a9ff5a370eabd98e664b79e8aeb64bc9203762308ca14d899497b465ad8ec6a18495824840f0864f1aa4beba1894abb4aa0dbe19925fd11c531

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md.fantom

Filesize
2KB

MD5
be0381d43a00930be2e089c0403d0a30

SHA1
23cb5c02e596fa3df44b499a41fd0dcd5cccf379

SHA256
3762e62762f0eb065af9755e0a9a96c7c95559bb0f2fd6e6946807e8eb7c0dc7

SHA512
db727c2d68c44deca8ca5f81544947a15802cf6d1bb3411ce960bbed20783d3c8eb0986e4b4949cea40923bfb1c3e4d1a487f40a6c2fc904bc561aa72bf75066

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

Filesize
1KB

MD5
bafb1a6f247659bc8e9f876963dd3028

SHA1
cdc3150819c771b8f1d866ce60beb1527c90468a

SHA256
9bdbba20409fa9c4f2053f54af27793d92d3c8ffec8642aba753adc69560a619

SHA512
a88eacf0916883ae749bd309fe4812de8534f7f172d85ee001940fca2f5bc0ca27f4a4c5eb41bdf3478fac4d916bff8d88f43ecaad745f381abf60ff51431893

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

Filesize
2KB

MD5
105f0b7ae08df9e3098c80f390c82bb3

SHA1
7a312830b73e543b7e2e58e925e3fb21a5706ff1

SHA256
da2beaf1beaea426b596b859875e87347be6ca94e40504eef06c8fe76f6aa550

SHA512
7ae737650c35b4f4f6de42913b79de661f0ff03ef0990dbeb72021ea45dd11c40243f48b27887b1ea3f59805f2095917ea6430424d852e0a7ec37e0280f82d32

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

Filesize
1KB

MD5
16cb38e88d9d480462907f0efd7ab7dc

SHA1
abee1e9ab9f8130708faaa46af194151e47fff43

SHA256
55c891f2ba96e5e09ecd38f319a80b113e68b97502499a046c85d602f302a7b0

SHA512
f5a69bfbbeb28ad1eba10eb037fb9d355b161a89583b542dfd4c65edc10a09f27d14f4066d9b5d6e6f110821c8f39f21db4d4deed2a531c4b10c1e4b89973c7c

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

Filesize
1KB

MD5
56c92b9c07e85bec397578a53e31c5bb

SHA1
46053b1725d85145c2d21f2b9d6a642ca216b256

SHA256
48187efd1d449032dc4eb34b77e52a32aa400c45becf6b47b92f6692481530b7

SHA512
ac670fbaa247f2be1b2c310abf4a6282a100ccc75d2239ae9f564605b76a29b201e664968fc47c6749b5df3395a3fdb8b97e9aa3bb7dc483ac7f6e451a6295ad

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

Filesize
1KB

MD5
eab1e1888d848a1a075a1a399fdb12da

SHA1
bcefe7129d62eea4dd69d867be9cd2092a4be2a2

SHA256
ca780f7e1d9d689cd547c844e93d8ffb58aee37d0e31035a605153f0487cb04d

SHA512
c2296a412dcf002316cdad6fb33c739673b261a06d425ed8bce584c8f05ebf126445c4c262225786f22bd15fb836c316554d6453bf153eb2176608c1b1728df3

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

Filesize
1KB

MD5
763e0b7647b465d847abb923f458e3ad

SHA1
e488b52df74c72b6f03c5126ee789bc3486836d9

SHA256
427507526619f4d82608c2b259a8255b40b16d8e44d0907c6a8fcc736a58cf96

SHA512
6c37d65891552b6c352d5d9b51ac9c9363a4e0c35861f1766abe694be59d4a204eaa0ebceb3da743e28c80cdd895ec3a745b9988377c0a7ac16ed9fb2fe1cf01

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

Filesize
1KB

MD5
51b3f9838c10552257d77934853974ff

SHA1
c0cfb52b49bfd046c5fee99910fadb4eae7a752b

SHA256
8c0b3be8ee35f5d063187730145fdea54a426478207bb50d6c838876d900fd16

SHA512
62b89a1ba58693ed43960f39a79ec097a97db9e387f90e0dc1de5f5edfcce69877590abeb6336d608b3d0af423a62c1ebe021e92c7a0ffa75c79e3b6acb8b586

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

Filesize
3KB

MD5
f7eda1dd14fb8bea43d52141507ce095

SHA1
0f32c5c86556e5258685a82a02fe7a6c204a08a1

SHA256
fcd1bfcc23dc472ebdfcdf6e5f93a18723de9969de50186f2388c21f0ef683f1

SHA512
272406775c7123f1b72bb7c3b60e127cb01edf2b820cb8e9927b30ee6cfbbf79a9855ef7d8d948a74ac009e334d3ae2f3ead19e1bae542b76c9c1cc6ac802a7a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

Filesize
3KB

MD5
ea1e46f9515250cce5195f03dea23843

SHA1
ebcc3f6b99e464ecc7cdf7b16ff45abe3dab60e2

SHA256
74de0aebcdcf049963ebe29c6a0f0d23423989395ef257f81c499c8e7a3e4a30

SHA512
bdc827e6eb002e394a55a3c9561304453e4761102bfd289a9221cbed7b1c8ac03e2ef5485229e65051d3e3fa826e37d3cf88d6fd3c1506dcbeb682a9940e764e

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

Filesize
2KB

MD5
827e4a5c80b624ef46fb25c0d1bdd41a

SHA1
cda277e9a6ca74405093ae710d4acd3098c7a940

SHA256
6410be7460f3ec42319378df62e65c2996a66612a422a731ad322a1e8429d9f9

SHA512
2fae9a890aafd34ed5559837191103e5ec07311f6ce5ff66ef909209f421487995f3bdf8cd1bb39eae0daba9e1ee6dca5990f20d0a569d81a42c5396644327e7

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

Filesize
6KB

MD5
fe5ababa68fcf51eb4452e5376eed03f

SHA1
939dea4a20f9e471aed2958e199f1c9fd955bb63

SHA256
644386439c4abc0ef9715edfa9424c9a3ab0dcd6aadaaa69a2f51c20e6e61ab6

SHA512
703d5a9727a38c0f3211c87c42fdcdaac4c6dab8f5b0d0e61be2acb033ef0e16f469064a405b4d67a656e535bb671e55f6256103f056387643d3fb35438c3c82

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

Filesize
6KB

MD5
a51fef962268d3244e907d5a2b48dff6

SHA1
88017411167e4db8663c8894a7c55109c35ef732

SHA256
a2ef95a55fc6bda9f1d06d49880b8fe7a00d4ca0206c54b7f5bb7d7c9ec81c21

SHA512
603ea39d084a485e9ab16e5dff5d99ff3be9fcf86d1c547794284986b48ad669022c6588756d2e4161727fc64317f5bebc99c0238eec7600d430ba8d6f59ba7c

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

Filesize
5KB

MD5
53868251b154093a667684b02ca42560

SHA1
1b006e8d2c9f21a4aa8405ad948fedbbdd78f8ba

SHA256
d9ec1453c9aecb629c9c11906dbb39d8c57eab95b353250cf7b10dea444cacd9

SHA512
ee0e69f5e1a0dd0b9caa7db0040d75c1467620a6df4a92b93ff91f8686d0769c26270dac5a0d19056f2e8a7b1498614fda29b50477dbbd7052c8d28747022983

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

Filesize
3KB

MD5
a052e3e92bda3c382adb80d36fe20464

SHA1
e5e810556fbd11267a492e6e809a3b08332e0876

SHA256
03b084835ebde83021bf1423e6c03bd83e9b1ed4a5c0d972619c6cda70e1081c

SHA512
d9f38381b855c44ffbe01ca40ea91bc8bc11845cf0471a38f6aadda09de37357e3eb16a2ecb4fda2543adb78869d837d370d50d12570516a4c40cc046e617b04

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

Filesize
2KB

MD5
86aba55c1b749d59198c209e3b0d9b43

SHA1
11009ee99b0b096b3c7bc3a783aff1935f33f530

SHA256
a9d49796c04d8892b0e7283f3cad1a63ddfe9aaa3236eb35e063c5070a1e5a5c

SHA512
2407e104cd9d8b694ea188e21736d154e14e9f280a8154079ee5813ceff88c35d4eab3dde917cadfe33318603f2a1b373f2e7c32609a8e8cf9ddd8659fc78e05

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

Filesize
2KB

MD5
003485104b470fe52f2d9ca06160947a

SHA1
4eed1624db85dac608e73b68b0b4f3c332ead052

SHA256
58a5a830244ab25b3763aa649c4803c418eb419cbafb09d33ab81662520d750f

SHA512
de593d6949c627b21123b8afda86469f8b2d4078dc702bab478a5b13625f8fb8439260e0c7ded46b15fe14cbd34529c755934a5bd94625d650d60d2bd8cc67bf

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

Filesize
2KB

MD5
43b5c4fef18658ecd8cb9240ad58a1e6

SHA1
69fb951835a6719101102cf3c9491e3444436736

SHA256
25b1b574c4c4e17b2e8ba960098b27dca2076a7aa81764aa19db8aba99a08caf

SHA512
a2c75b766818367f016168d8a4c266e2bbcb94af2396405e857ed8ccddd6e539d9890ae1bb0705c6dd4e1c7e2810e54f2740f973dfebf115b2142293c1aeb90f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

Filesize
1KB

MD5
b161f2eb7dfec01f42f3c30cd632972e

SHA1
2a65e61a1ea54dbc957bc527402b8549c09fb0e6

SHA256
c9e6877c791b7a9f53c21b61062e88c2e3f44a4c6f0b08d5b170451a1557499f

SHA512
b6991b0de47afb8fb5287059a4be0bf100f849ad2a24ffb6b7fd9f758fb67632502d401c9389689d21ad4fef674ecefc8a18c9fcb5f49084bfbf60dcaa048de2

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

Filesize
1KB

MD5
2af865757651dda49c36bbbda15891dc

SHA1
cc2ac447c2b9a13e9f7ebb915b3e00116ab47337

SHA256
5d7772f2d9af77726ae36b021a13accef61f5a3aded6f0c276cd7f62b82bf229

SHA512
8c4fc3c5703394b8adf0ab8597909b350c685164fd840616440e4e2e11c6202460c01e7a09c460dfd95a4d88c9d29c865fc323566f8f66c4cbe459ab0496eea6

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

Filesize
11KB

MD5
27023666caf4618e762abe0ecc5bdbaf

SHA1
58fc280d03439c733dac5caa608a33dfc1af28ec

SHA256
50882678eb82c04c2eeb72e4d1f80faea382618c6939cb54823f17037eb6267c

SHA512
2e69a76bb1f4e53e7531691aea941f1b68317e3897f1d522d423d6dc3dc50a2c8c427850b4b35b43187e8da84a89723dc387480b3856418a7cc83e07de12d496

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

Filesize
1KB

MD5
f791344d4bc75996b64eeac39ea9bb45

SHA1
c29f0c282a6e5b0599cb617d0a417c9933042693

SHA256
0f20c13a37890a47140ffe0e083b3d63ed2eab7013a632966812280a6527b012

SHA512
5f944480a4faaaf837936793b01fe4fb1fd2e7bb32a5236dcd0732993b15abddecd3374575a05d7923c2fa1716149d56107e925a042ef6a6e7b54a38a9a3a34b

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

Filesize
1KB

MD5
67bdf7fcd870c0f418ac1086d8b6054b

SHA1
b3739e890eaebd2bdf5f0347efbc9608812322ae

SHA256
a0d5c7a53ec9d4bb862e3458d7ed29b5125162c891733c179e81a73be9270ded

SHA512
f3b429a85a41e74c862199a578cbd987576e76a6402d8906a0ab673a1bfa2a044d11b376eb9a328a4a53b2e0e6bc69ceed94d9be1cbe54157eb219b1a5402828

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

Filesize
2KB

MD5
1ac264cc5534a138a1fcfad4e7f90cb9

SHA1
1cd91bc78c4903c3129fa3581508d6a6a6c1cd65

SHA256
7331e0703bb08f853c46d5de6f53309e6ffa753580228106ce409df2ade66d3e

SHA512
c54079efca48666ecc64935b4f6a015495cb20d216dab5704d1e54a36a15505a339b816859a629f69e021ffc89192152aff9fc8fd35525c419af501a66c5780b

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

Filesize
11KB

MD5
956a77364dfc096d4d722bf49f7eb0df

SHA1
c2468aeed93da24c9052e111222df535bfcd2e5d

SHA256
a20b5a32d0e5f91deec3c931b569ff9db95732a709caa144c09492854912d4f7

SHA512
3b9a6c5288b013defcf8235decc4b2f6683eeb94cf6bfc80bd6797ccf53f90ded9148e87d9d0bb5cb967fb548a7f9ca8d1e4da88df3b5faa44d45694270da506

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

Filesize
11KB

MD5
cc8fa6c639cc25feb5e74abae37c07be

SHA1
99454ba51c66604b13ab1d1488f4333c232c4c9f

SHA256
f9136d4890b728ac223e8a20cdd230ce0721240030ae5a3ff33c511d3dda3e4d

SHA512
d99e5d0a65dbc5fbf562a014c49a2ee944a8a50f2132c2f36b04cc68820e272763958b02ee05a9468f4908db5f55d41c538f7c784672bf10324535209d20ea1e

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

Filesize
11KB

MD5
0205e26d56df17a96d53f39a2b168888

SHA1
fea161de3c3edd1a18d3e6eaa7f7827deef461c8

SHA256
151f580281d1c4bc6a058a3acf83c037aa7d51a3842c6ba3debc185b72ed2841

SHA512
189b0e4bc0bb628513ea658bf9fbaeb4b59347bdf570418b05c44a119cfa7720d4c25d776e31fb231257dd63f5ce2fb29242f4db1ede2698d8947ad63d72fd25

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

Filesize
11KB

MD5
3827c861bcd553c98044f54abe3f632c

SHA1
228c19df67b2c5323141323b9058f7a20a1ad29d

SHA256
dcf940b471c250d459d465386d3a51bc30aefb756a63ab558313abeb22d50c9c

SHA512
8b9388bfb4325a2f53e0b79c23555d9a8d1f1bf27c67d0b371db75e4ac5dfe91cad1d644a45ab6b1f582fb60d85edf8ebc8cec8c8e918319438edea4af5a8859

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

Filesize
1024B

MD5
21465252728d40e8bfbc1b5aa07f4512

SHA1
0c2726fc08c15ca32537752fff176f16f9ea0e48

SHA256
1fab81e532644df4572d2b14972059fbbeec2419c1fd70ad1da8ba02bd25dd7c

SHA512
22af3097dd602d98ea13b896e2d9185cb4f894f6f101c36dce91406c72dd05a7b2b81b668007d9fac22366a394e7d9fd65ae7c5a9f8da3b0e0acb0411addf533

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
48B

MD5
3e93aab8974841def79300b5f53ef3c0

SHA1
cec057ae99b74b935883cebfae7a9f3ef0817d7f

SHA256
38ccb12c0842d550425761370f1e361f7a14a7b66eb7ced150ad6c51bf268b9b

SHA512
677372bab5036155aacf3bcf1ed430601570809d0b30616f7b557c69fb0e1182a6945336eebce188aba6e224cf5c0d1546e82efbf04a922fb1c43507fea45508

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt

Filesize
48B

MD5
78e03f8de8ce01fc7ad98923afa953ff

SHA1
c2fddef91776980d156afca2335582fc17884c9c

SHA256
74c0dce75b8b50b5914ef2cb39aaadc13daab3ba1458197ef7f72b2d1a840bb9

SHA512
0bb138acfbeedd8b4219df735810599b4705f941abcc95799eeae907dfcd7a4fdc42a599b61f2a4331f34c1bcbe7859e450811d2fd9873581a3a1a4f5cd80c14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9d2703153566d0b3dee907a12883e448

SHA1
b101b1257d3d5fa3d7c77c1f2fa4229d4a052fbe

SHA256
e21c057aea5bfcbf93e857882f8e45636fa05f362122945c243e0b6ce7dc46ab

SHA512
92b82527524c5fbe1cbf6c6372abcc395a43a1290b93772fd00086ed544a84f275c67c4c64c4261271d19eee90f8dc7da526c065cc5e66421957640171ba4669

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b218f19b55ef36572227e83ea5bc6511

SHA1
0f81a57f2e4c54ab13596206feb0bd145da0e9ae

SHA256
eec7436d0b56430027c4b148260945e4d1a1f46dc07399747f4ebb4324a233ab

SHA512
a6620eee4a46729a14f8e7e5e04fd0b1332a3defea7d6bde6b7ee810e6fb4946ab346f621cbb8ec44ae6c44e3be9fcbbf086bb1fe78bba9329452f4bc8e33cce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6e8712cbc76486e24a5acfefa8ac659f

SHA1
6fff61529a1e32ef09fb60c37996cb000f554fca

SHA256
0badc0d65567e7df9494e453d8bdc65a4729a8675a9a8f065b282f3c17997c5a

SHA512
e987e3112f243de96c4b4ae76b1357f64a9607fea56868ba4bd041ad25daf4822cbda9cf1e5ee1023679ed2889f37559e0f2931a5e05d091664cdfc968105b71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
af444a1e14b94c3971b77926c3b214fd

SHA1
5915e020c088a7672b4fa5580fe75bb65c8307ab

SHA256
b4c7eff124322301c25cccc947d9239ab45a40f7f42de44df2673382830d7cad

SHA512
7a886dd74f251d7f70ab5e41c63d92d33e3a5ea290299188e155e9592c99de50276381b4094a0567f163a7c1e763d907dcdad5030ae360c1231fad9af5e06e81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f566bd5117a022c43038fea24a1060ae

SHA1
3f05f8d8ef6fd66e8eb0009e10f43e49c010bcff

SHA256
ba92da07b46cdaba2167222bb9af1f362bb299490880356b94e73ee0e35c7205

SHA512
56b4c37adfb9272b8182529f3a10c96bd937bd56a42d4e3eb86e3bc67289bc5a69852e6dd2618c8bec7c0f20449c7db88c492f4389b4f17bc8537e0ae52c35da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b74911bbf567ae69a746f58fe858f87e

SHA1
e4e67e27cd3f2bc7c0861abfe1e54d68edd56e1a

SHA256
927a1090922dff9ff4be5d0b7ff7748ef3acf37b4a620bc497a29e367303fc9f

SHA512
ef167c1f8cedc1e55ff0c1fd902dead82e4d58ef225281b12324fd0dc8df32b56e9ac4d7d150f730b043906a027be52af84d0dac9a2cead67019c87cf6a9c1b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1011B

MD5
3045d62fda288a5e2ecb98c9639db224

SHA1
99ff9a0a891f9baf64510d4aaff69233711a804a

SHA256
c32d086e789f63135f1410203529068e652345be3a0909427869930a9259ca6e

SHA512
93a29ad5b8fcaca18d5939539b4396c870600d2c72e17a9ed8d8449927d236a5b9ac542873f698519613e0caf98de686f0214c418655163945d41387caf9a13e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
772B

MD5
57602b3fc8032307d6ff3b2d938c2f37

SHA1
c0eea8bdc1dba42405c59640dfb0c944865500ca

SHA256
940cada075915193cb30020debfe53bf9fc3100c1ac12a7b858b9e9a8981290e

SHA512
9e3d3bea350032f0c00cd091b3a5432667b2a569398fac2c9e1cfcaaa8c8b4af1f4d215a8d26197a7e2b98fccdd2bd2db35cadf744980e4cbc2c7f7deafe79c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
984eb5419cc451981049232a65c3cd32

SHA1
91ad9c299674c8babda83922b35da8b73ccb628c

SHA256
d236c1b08426d95a43957f04ebd82593a44fdf260c7c02f1275608a8ca40b05b

SHA512
832b7e5d883bd49ce34052d1f8135b78358f0f1a6da3b5d6f64736535ad68dc956d5ab2b83138ade4c0182c317d70a427da6a006723ffa03a7a3dba17c41b1e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
858998b056b9fe3ffe111403adf00416

SHA1
4e7251c54e83b0d0d6d15474d096ff26bea5dac0

SHA256
44e0b0e2cc65cffb1893e0932b7f381e692d5c854bdc8be0acfd0678b1b481f7

SHA512
7af6fcaa829632683fb88804edbfc47c2a9e455a59475c9b6e0b5075a1c84d5b84c8ea97f93d952ebf52ade02712772e7f70774fe09f930e4c4465afd94f1324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
85de78a39c1b9e2d508a6eaf192e9c6a

SHA1
f3d07307976f260d04554b98d740c5ae90d9bfc6

SHA256
216d8d6bee239ce345c288b10e08024627f1b69143b0eca96a90880b145b2607

SHA512
91d7a256f30abefd8f75f4a6b38af8b962471ed8f82cde7d016e47a44f333409a0ed48c7939def8f581aba7d22792d0f6a5f9c8ff4e9dededdfdb1ad5cfd4bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
321697b6b5b1f22f101af115a506b41d

SHA1
2efa608fd84359241fdbf71aae754633f4090e77

SHA256
53ef21afbb10c3921f620777c1af13a69808a9effc73da6d9d68b293aad9fedd

SHA512
dadfe8628c4ac21a021560e5a98d874fee3993cad80ab451ae326003c3fc6415e5312a62923b0afd38deb8f00bdb2cdb827a7aeda04e387b87fa281afe223850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e7d07bf518b7156b4a1f07ef8d0b91fe

SHA1
a0afdaa00587803980b020c96b037c5709e60581

SHA256
da81419711f59dce780d165c108ca21b261240b98544c4fdd765ee70f7a05f61

SHA512
a57c402e77033a3b82fae689f00363ab5cc04614f9af68f341c520443331b58aee080794ed7dd8ed7f25b58f66a0200918c5c64fdf4090b442bcb013215e0c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f02b0f754241003c185bd7f53a8b1084

SHA1
e7e8731d291ad4862bb3c2b97231cc10f2048a69

SHA256
b834927008574bc92813fa62c6f7d873f8b06ecc8eeb900fc7841c0644d246ce

SHA512
5e2f4d084e20dcb56fce43d01321fbc4389880313bb5b7800aa343097dd457e182d1de41feaef1e0971a1bbc74380a7a315cb54b7641067cf3e1b051e6a30e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
451b6f9358e38b4b5d9c877457622c4a

SHA1
522ab5c989022af7288d42cdedcf476ec848d64e

SHA256
96de30ddcccfdab0d84afe9c32606e036fa4119c8f3879935b80fc67c6844b07

SHA512
dddbfe1d200cddb8b9392403d998b6422e1490af11ed0fb702df9824b05ff1351e78cd7e89b21de31d44cc970a8b889968512ef05c122ad8ee32a4a846b7b9d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bc395f59a9d1734ef48d5ebcafc78d4f

SHA1
1036f6411cc85d1fec7a3f21248b1368ee944f06

SHA256
ac6246ae3ae8e281b1119f3b562965419dabc75c9d1f131c2dfa6955811baf65

SHA512
1079227569ca827fff12c031beca29f859cb74f61787b2f7bc6c60684632759df56f4be9933c4579d87a031318ce50c7983a72bc3c195a8837e4f43193aa5e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4afe918eb651c3b35b9932c04dfbfa8f

SHA1
5d742c06bf7fb959f2ebe99fb4a3e9eb94754b19

SHA256
017b758152093215428dc339804d58527fd77dd063898f2b80e5575aee62186a

SHA512
d80a928cded7f49e8a6aee72055eb08945ad0327449875b2b2204c90ebd146f2702066861cc97c599107b09765f1e26a956e9604deb67ff1b7a52bfa773db838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
79ff9fe49c0e3b63a51e39625fafafca

SHA1
f7721c96348c039cec9fc37e671f23dd6c972f4c

SHA256
de3e48315ad7dbefe2f386a95f513eebf56c78f0103f6c230ffc367a85e05455

SHA512
1253b91fa2b01225719174838f2a298addf3aa8a4b29401f2afeb6259404ece8f4ee441d6a1d8443174e6ce6b557c98d18a4b6aa5c10e11699fb15f9353e92c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
566e0a14e7016770a7323dc5ef450cf6

SHA1
a0a003daf72d4cf742d8f4ae53bccb5732d8892e

SHA256
76d9889066b5449699d757ff191a9f2797ae3b5ed4a0c7d9299cf1b8a9dd67a5

SHA512
5478132a2f51c54916524962c86f7244f22832fbc822351de626336d2a0314e450ba006e84c3051cbfccddce0b9b4100046b99a04917a41260ce4dd0413c5ed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bd079984862a57d6d22cfbd1b10c502a

SHA1
b1dbbf64b810f2942da649e373726ed22c7e2f9d

SHA256
ff44710c5d8894bcb8cecc77ed1f79e9a87c299e3bf544baaae6688ccd64e175

SHA512
c2c7827e89a722670f4e394f4a0a8717b02ecac1d1ad246fa1503a0de9b2a44e74b99d9600bdafc6188f0e2c6003c70c9a4d0cef456f2423f79078521baeb919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
67d59060033133806abd287bd2929fcd

SHA1
3f642ca4603b45136a609779403117120ef5430c

SHA256
835b1542f270fdd35049d83d552a48061a8be51d0ab1c6494f86c41f902103d0

SHA512
c9b799d8c3b8446dd0228bd4cad00fbc6d3d1c4794b87e5de0ea230bddb0d458166cf2630aa38acc09c2565198353bfe54d2e4b83d46f332ad89df7017dca522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580bd2.TMP

Filesize
874B

MD5
5b5fe4fc087d29b543b91d2a956e05df

SHA1
93f3412d88d3d6b6a8f894f9af991d819b4222c5

SHA256
61da890faa4515792419c472c933c5f7a465887982487d7044a73994646006cd

SHA512
43a627b69db0cc6c78291cf12e94a95f52a3edca52bc48c2e8e04e5f33b10a2ef9b5f9af9d7e5265a3dd2831b81d3839cd63c02aed7302c99145ccd451afa00c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fc461c3f572412dd86eee8a79495e407

SHA1
9290eb47a665cb642d39fefa2a3c37337bda5d09

SHA256
63a9f030e5374fd108615491115f49778c27dc6853b594e93bf82a618afae527

SHA512
e875d53b22cb2b20888d447645ed98a3db7b2992f68e71ac5fa145880843d79920ddac0e57fc9cd6d37cc6d9f2fecea5be02e001c3f35d98c92c8088467063d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a8ec9e2e2a6c6644ef92276c65bbd723

SHA1
cf5cde2b654fd07d29d012788d3679e335fb0d50

SHA256
276d223d2e1725784a674f04d3348ad03dfb3705b442b4ec9b97704139119392

SHA512
a5804ed5106106b7da0ad9c0880aef8cda32d35b872b14ad598e44eb0211a0e3b8eba69a0755aa5c4fcdec5b567713eded83f6a66fcf4ce063c21a029ecc7827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c2216522fddb59e9191069058ba75408

SHA1
6fcbe73bef0c5d40a03817229045cccfe075daec

SHA256
5657357cda026c7f504a4ddefb6a40a57022f20be8bb72ac3530e1d1262b5017

SHA512
2a27f0fddab959048ed912c0effa7379fc07cd5d8a5be00485429fd4f36e5b9d5a936e128a4b95414d7abe8b2411c78ab143dc500a445722e91128caaa1c505e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
34733ab23b157584ca327b19549f0587

SHA1
ba840472e87ced48fbde419d73efc45b68c837e3

SHA256
57274e494c2c5b71f13270c1ac92fff5d33dba16dbeafd9089db9c8542f6d401

SHA512
5afdc3abf88256b16f8cf38c92e8c8df2c764a569d5933080c6f5174a732af9e501fad6dd7fc20d3866888948cff0cdf4db249a8ce176752ae8b52d4b7c94ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 197056.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 902786.crdownload

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
memory/736-378-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-352-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-344-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-380-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-386-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-384-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-350-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-382-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-354-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-356-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-358-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-360-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-362-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-364-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-366-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-368-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-370-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-372-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-377-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-996-0x0000000006020000-0x000000000602E000-memory.dmp

Filesize
56KB

Download
memory/736-374-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-343-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-348-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-388-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-390-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-392-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-394-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-396-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-469-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/736-398-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-467-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/736-468-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/736-400-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-404-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-406-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-402-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-346-0x0000000004AB0000-0x0000000004ADB000-memory.dmp

Filesize
172KB

Download
memory/736-342-0x0000000004AB0000-0x0000000004AE2000-memory.dmp

Filesize
200KB

Download
memory/736-341-0x00000000025B0000-0x00000000025E2000-memory.dmp

Filesize
200KB

Download
memory/952-489-0x00000000048F0000-0x0000000004922000-memory.dmp

Filesize
200KB

Download
memory/3600-1008-0x0000000000140000-0x000000000014C000-memory.dmp

Filesize
48KB

Download