fantom | 7b8e6ac4d63a4d8515200807fbd3a2bd46ac77df64300e5f19508af0d54d2be6

Resubmissions

26/02/2025, 16:56

250226-vf3t1awqz3 10

23/02/2025, 02:33

250223-c18xmsvket 10

23/02/2025, 02:32

250223-c1kj2svqgl 10

Analysis

max time kernel
296s
max time network
304s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/02/2025, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fantom.exe
Size

261KB
MD5

7d80230df68ccba871815d68f016c282
SHA1

e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256

f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA512

64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
SSDEEP

3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score

10^/10

fantom defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>eWxss82nrgIgPxVU2q4ceYT6pKPdCzhMss/uIeYerQ5bs3pWBjpyrrkzLQ71o+KO1VLN3xSsjIr91DkWIxF9Y2ZarL4sTQUt9wn/YhZ8AZT07CtZppMMlT+O+wL/P/FRaOy3BGNUW4/mSNCJyY2aZBIHR8I80xpyzh99lwydx5WpMo0xAUUAUatZIn6s/Hh2Z+Kv56QmYOPgYrKKjl13CVZjKM5gSCO5/kK+IUUQ9teqkLPdW1D3UoSPcKtpZaSilWha6zVuLH3obbPaA24GVNNBSMM5DxXCyaJN232o4CCTHz24yS3NfCyWzedeHG0gGo69qDRVhCF5ScnuOeOALQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Fantom family
fantom
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (3042) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
defense_evasion

Drops file in Drivers directory 29 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Executes dropped EXE 1 IoCs

pid	Process
1700	WindowsUpdate.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	Fantom.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\it-IT\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnttp.inf_amd64_neutral_18b899bdc8a755fa\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateN\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\UltimateN\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_objects.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_try_catch_finally.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_profiles.help.txt	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-OfflineFiles-DL\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicN\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\GroupPolicy-CSE-SoftwareInstallation-DL.man	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pssessions.help.txt	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\sppui\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj2.inf_amd64_neutral_0cf7696e2236ca4e\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\v_mscdsc.inf_amd64_neutral_8b1e6b55729c3283\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbus.inf_amd64_neutral_fca91999602b0343\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-ActiveDirectory-WebServices-DL\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0816\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Enterprise\license.rtf	Fantom.exe
File created	C:\Windows\SysWOW64\fr\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_WS-Management_Cmdlets.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Return.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremiumN\license.rtf	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_job_details.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\IME\imekr8\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-COM-DTC-Setup-DL\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wstorvsc.inf_amd64_neutral_d7bf942e99bb1d41\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\Temp\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterE\license.rtf	Fantom.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomePremiumE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Professional\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Command_Syntax.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Language_Keywords.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\tcpbidi.xml	Fantom.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mcx2.inf_amd64_neutral_8cf9cade8f7bba56\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\Amd64\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6500at.vdf	Fantom.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer-Migration-DL.man	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx007.inf_amd64_neutral_0b796ee4978458e2\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomeBasicE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\ras\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Parsing.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_output.help.txt	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj5.inf_amd64_neutral_15940559c66fe8d9\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6000at.cfg	Fantom.exe
File created	C:\Windows\SysWOW64\Setup\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpin.inf_amd64_neutral_2415474b9db0a888\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl002.inf_amd64_neutral_e204d4267d752eb7\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\license.rtf	Fantom.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\RasCMAK-DL.man	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_split.help.txt	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\WindowsSearchEngine\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umpass.inf_amd64_neutral_e3be362bfab667d2\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasicE\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png	Fantom.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar	Fantom.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\slideshow_glass_frame.png	Fantom.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\highDpiImageSwap.js	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\clock.css	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html	Fantom.exe
File created	C:\Program Files\DVD Maker\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\settings.css	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_windy.png	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_settings.png	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html	Fantom.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ropertypageprovider_31bf3856ad364e35_6.1.7600.16385_none_82e750d3de5469dc\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..moregames.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cd54bd2dbd5436da\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipsfin.xml	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dskquoui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_64c5085eaf460d33\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\46.png	Fantom.exe
File created	C:\Windows\winsxs\x86_netfx-mscorsecr_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_7a1cc834aad2869b\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\Narrator\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xaml.Hosting\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\PLA\Rules\en-US\Rules.System.Network.xml	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ion-agent.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4fa69b72b4eb0267\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-9.htm	Fantom.exe
File created	C:\Windows\ehome\CreateDisc\Styles\NTSC\Symphony\Symphony.dvd	Fantom.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_9ebebe8614be1470\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.1.7601.17514_none_ff1b74d24817a82b\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sstext3d.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3c7191880d8a4343\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiiTv\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_79b8d8cfc8e56a7e\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4148_none_08e3747fa83e48bc\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_pcmcia.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2704f2b7c177fbfc\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.1.7600.16385_none_74c08aa44dd33c76\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-efs-core-library_31bf3856ad364e35_6.1.7601.17514_none_b4c7e8f4ae2a1921\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..etcapture.resources_31bf3856ad364e35_6.1.7600.16385_de-de_70ec82384c6a6c5a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..lity-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8209e84af0c0893f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00020445_31bf3856ad364e35_6.1.7600.16385_none_958e09ee9648353e\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-v..ure-filter-tvanalog_31bf3856ad364e35_6.1.7601.17514_none_cbbb4f7d8270f34a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.Resources\6.1.0.0_en_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\ehome\wow\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\AspNetMMCExt\v4.0_4.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Language_Keywords.help.txt	Fantom.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Services\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_brmfcmdm.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_628b3dbdafeb4174\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_mdmbr00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6350318f60f895fb\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-pnphotplugui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_319deb101e79659c\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-profsvc_31bf3856ad364e35_6.1.7601.17514_none_59d75cdc494c95ea\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-whea-troubleshooter_31bf3856ad364e35_6.1.7600.16385_none_124dff546524b2a8\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_prompts.help.txt	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..eplacementmanifests_31bf3856ad364e35_6.1.7601.17514_none_fdfbc5f949b9a49e\iis-powershellprovider-rm.man	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-21027_31bf3856ad364e35_6.1.7600.16385_none_ae312e30ffe3b415\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rndis-usb-microport_31bf3856ad364e35_6.1.7600.16385_none_20e1b69f6c5c4250\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_22a34e763adae493\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-v..ption-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c52959c144e62a13\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.scanmanagement.resources_31bf3856ad364e35_6.1.7601.17514_de-de_12b865f7f31eeb72\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-advpack.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_8088b2b69e386963\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cdfd33b21b9a0a10\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0411\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-netwpr.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c518a20a8a2aac75\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_prnnr003.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8407a9ae0c40ec82\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_ricoh.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_51ab611009c79649\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-setx.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c151eea339270e9a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0001043a_31bf3856ad364e35_6.1.7600.16385_none_fb9e6e4362cb039d\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_requires.help.txt	Fantom.exe
File created	C:\Windows\winsxs\amd64_synth3dvsc.inf.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_d89070a25867cdff\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-ehome-ehuihlp_31bf3856ad364e35_6.1.7601.17514_none_a485be43763dc314\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..entsnapin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_76e5c15750993720\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_mdmbr002.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_52822c9cd175a059\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_588756b8b7ec6ba3\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2d42a6783ff36048\currency.js	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_it-it_40de2380e46761c3\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_amdsata.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_caf2228b22a5aa9d\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_faxcn001.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1dffd1cc74e78b9a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dbc7c5d1d33a67b5\clock.html	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\Scene_loop_PAL.wmv	Fantom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2112	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{586052B1-F463-11EF-A701-7E918DD97D05} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2908	Fantom.exe
2908	Fantom.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	Fantom.exe
Token: SeBackupPrivilege	2108	vssvc.exe
Token: SeRestorePrivilege	2108	vssvc.exe
Token: SeAuditPrivilege	2108	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2808	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2808	iexplore.exe
2808	iexplore.exe
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 1700	2908	Fantom.exe	30
PID 2908 wrote to memory of 1700	2908	Fantom.exe	30
PID 2908 wrote to memory of 1700	2908	Fantom.exe	30
PID 2908 wrote to memory of 1700	2908	Fantom.exe	30
PID 2908 wrote to memory of 2228	2908	Fantom.exe	31
PID 2908 wrote to memory of 2228	2908	Fantom.exe	31
PID 2908 wrote to memory of 2228	2908	Fantom.exe	31
PID 2908 wrote to memory of 2228	2908	Fantom.exe	31
PID 2908 wrote to memory of 1580	2908	Fantom.exe	33
PID 2908 wrote to memory of 1580	2908	Fantom.exe	33
PID 2908 wrote to memory of 1580	2908	Fantom.exe	33
PID 2908 wrote to memory of 1580	2908	Fantom.exe	33
PID 2908 wrote to memory of 1580	2908	Fantom.exe	33
PID 2908 wrote to memory of 1580	2908	Fantom.exe	33
PID 2908 wrote to memory of 1580	2908	Fantom.exe	33
PID 2908 wrote to memory of 300	2908	Fantom.exe	35
PID 2908 wrote to memory of 300	2908	Fantom.exe	35
PID 2908 wrote to memory of 300	2908	Fantom.exe	35
PID 2908 wrote to memory of 300	2908	Fantom.exe	35
PID 2908 wrote to memory of 300	2908	Fantom.exe	35
PID 2908 wrote to memory of 300	2908	Fantom.exe	35
PID 2908 wrote to memory of 300	2908	Fantom.exe	35
PID 2228 wrote to memory of 2112	2228	cmd.exe	38
PID 2228 wrote to memory of 2112	2228	cmd.exe	38
PID 2228 wrote to memory of 2112	2228	cmd.exe	38
PID 2228 wrote to memory of 2112	2228	cmd.exe	38
PID 2808 wrote to memory of 2916	2808	iexplore.exe	41
PID 2808 wrote to memory of 2916	2808	iexplore.exe	41
PID 2808 wrote to memory of 2916	2808	iexplore.exe	41
PID 2808 wrote to memory of 2916	2808	iexplore.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\update0.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\DECRYPT_YOUR_FILES.HTML
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
b0076bc8a70395d4d244e0df2fe838ec

SHA1
3e1f8d340b1f0b19e3885056213c0e8f7d7a9894

SHA256
3fbd5f1bad145f878c805bb9208f57cbbd7a3e8e4805da2cef733466957b4323

SHA512
cf52fa56eb67486bffafaa6a354438f3f88c4e2036af79fe645edfa6f319622ccb2b1a93b7011e1a75d7b763a9aa1161b505cfdb930ce5a7e3cdcc40eee4b065

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
352B

MD5
112d57ecc2567af5df5640b468fcff90

SHA1
d313c3d3ef029d70cf18d43f82e6dd29c9185c3b

SHA256
91c7a6f99940eb7b3596da818c5b854718c923cc06798b8c36580e5ed200c3a1

SHA512
affbabfe579a87a63a76c2a7ed6deac7b25dc31bbc14707e35252c1787f9ceb19d8f739bb3c476aa8748cd961a68c44e2cbf9ccf998fd4aa852bffabfd8798a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
224B

MD5
89914a386a1f802b7bb3ab567e6ce24d

SHA1
268508a780101d535a47b4160054f9daa2f20c55

SHA256
7253eb937c0e7e11671a551efa5118c71b8d26106a70e3eb2fdb87eb03b0a280

SHA512
0211a40c89ade007558273bfe90069dc7a709ea5889625656a25a1920fa6e17686f80327f2079e4ee067b76bfb109f9e237ada72e601a2d4f2ff1d35c323e6eb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
e4304547416b02dd865776dbbf09cad1

SHA1
5993aef687b0e0f93cde680d54d78c4e34c0316e

SHA256
edf62ecdf699b313a8eade11727726665f747bb9aedce98b2d030bb94ad22607

SHA512
e8d296264ac1069d8887eee9302844a33cbf3788439b69293b94b46f7c4d52359ff57409b7092562031fcd1202709b45555b05c8c2e841fb22db4bdbf5b30fa9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
9f753225fc2183b36b63cb236139e0d2

SHA1
138adeee3ad9f10887aa33f91897f1425cf7a76f

SHA256
4775192d5006e29c1694b88d98ff486eb476d920f526ed03201cb3c324f986c8

SHA512
b459ce087b336d17e51accfdef781827d456d49f813c9459bd1ff13f1bb2e04f75befb95f85b9074bd4153204252e7ecd1f0763b00421e9668ecff23fe119c29

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
4a690d4e6e1963ecef82f55e386926c5

SHA1
2d7ae201e468b6984a968f7d47fb25c7e5322b21

SHA256
d6a8c5cdd0be4ae98dbcc01b0eca6d9d161dfe48f2cb59af819437596c8b0182

SHA512
c846a7cd25a388a3709931c3a7edb2beb657992a127fc984a989764eadfb4d42d4fc77b28166649572c572422f2e37138856cde5edc59789f5c800fd2e7435f8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
3189130770ed885d2d11c5d206e5df8c

SHA1
cab11111979ef2a55ac8d798faec1a0096545dfe

SHA256
1d5725aec4b942834f4863bd252a83442b9851ce23f6d6ca98f420817126b743

SHA512
10242a6c87e73cc478ced130745c7c96aa4c947d7e580089c8c521b8766993381164cf3ef632fbda86c19ad680b75b28ec0c622617766023ecd8457419fc6322

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
112B

MD5
a01bc22cf07045ca4e02f894b666e229

SHA1
086030899d4b25048bcfe184640b5a2ea6294b6c

SHA256
6e949ec49644352833043d3fd96fd570378b0a7425ab7b7060ac4eee0d76328c

SHA512
d2399dfe43ea713c6be939e0f5dd8bcc144551a6ddf80fa9c28a2333c721a338c91b0ce86da4e49a69bcd78ef23422ea35756ffcb4fff26df3c4a75659a93587

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
56893d5abec159af3f13e6fa27ce4c54

SHA1
62edd3def5f19eb61ba1c2c6d43cd093b9e35d45

SHA256
a9851b4597a6e88afcbd7513416dd60bf9e6b86f4f2d3a12cdc43ad20bfd2c86

SHA512
e95592c256e2a0600327217cd8506c384217c4c23180a9181fcf934cbec7d656e66122d2046a8d06112e4e6dc07162dbd5b7bc475109f6bf824b32859ad29763

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
7cc3c9fda076e8e167095e18cfde26fb

SHA1
222c1017769026a381737b1c7b83c8332f97665f

SHA256
538a6fc7afc32dd02f73674a1f657dca5c58112dbe73ff6c781c48e3fe1a5bd0

SHA512
f2e8d8092b7d69b1982397fbdbccf99eb861f31638999ad18c61c8cd505f394667beff2e01ad5ece0b5214ffee64767e9e4ffff9fc0f72661ed318743b4b76c8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
001794309b81189e9bcfbf5bd7912d49

SHA1
921538ac7c5d8e16f0640da7ba6b90fffe10aab9

SHA256
087af801aa58dce0d7f4601f483821787a5a5654ead63288fd77e901959a78b4

SHA512
4fc30a4e35c13915d5fc40add19b9b924426c705242728652d555ccbae7ca1fab2bf9bb4c64f7aded616984f4e1b4a79b3bba66196e3bbfba295191930975627

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
c17af7c45192ac2c012a47edbb7da9b3

SHA1
9cb74c80c6eeec46684920da0067b71aff280695

SHA256
3e515fd1d48b424870a48c6813dca038d0f4e7a61cb376059bb53250173837f9

SHA512
7d438fb632ceaf159c6902b33dc8a80ce4386946138e2ac358e02d5422b3a575813f2a81bbf483e692f0aada850b985b8c35ffff2eb4b4b3402013b87ae755fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
b17253dcdfe5a1d4690fd4583a170221

SHA1
e01576abccf5483efd47cacbc3452a9b7808ea1b

SHA256
30e4c0c761f883c46935038b1c63628e272a0e353dc6a8445b61c5c105924324

SHA512
bdcb0a7ba5120b911b4bc75ae7765b35e0e745d205b414058e53d957e08483287c98eae7402f13472969f725db943ead6cacf40a7a34334fdcf345dfd6e5b9c0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
a480fad61b0c873f077e7614df136a94

SHA1
04c932c99f34a556b3d11ee5dae2fc1aa37335a2

SHA256
f32ff971c697600b564dc1eef3d18243a4f6baa891dca1ee8cc2858e2f729af7

SHA512
71eb4351424dc63591f534dcb3938518fdd7f063405e8098859284936e6fbf2088c7f4cfcc04a7db5c6e01e44c31c55a4b4b92cafc79d953da928df9ddc9bf1a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
c03cac00667b6115e6f27fd5f7f1127b

SHA1
867fd424532926342ad25f93b7f7ea1b97888e23

SHA256
f9c22cadfa159674c66e85ed230d44e22a35511f3b6922dda86110916c0fe6e2

SHA512
fdbf3fa43dde5d748cb53f824b0d727e1b1d78c7fa7b063089494e7b23a9732c7169d4b9b65c1c6733569a4e1685ed559f13911fc9b04306a506294eaedf7756

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
5eccb3a22db831ec73bdfe805848fd36

SHA1
4cc4775afc22b64e37e6da9748d7f9e17c9c2a73

SHA256
2ffcce3af29b8a3c3b42664bc6927674cf967d877971a6e27f6337e5e07149ce

SHA512
1d903275244c949e8dd0c8ec03950e410b8721d54fae2f82458d12af9b491d2d8340336039a0b704469aaefcf34188a91d75e4eba24f524eb825c5f9f6e73917

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
13940e4267af9a5d6ed6bc82846b94d3

SHA1
29feba619fa9d4a35436aae1072dc5145f0a59be

SHA256
41e87501dadb793b4155253b30a26e803b319910105af602fc9b1305a891953d

SHA512
d560f9530b20782079c54ace880bddcce3d285b9169fbde67d718e12fd62c354f70e19807f6ca4ac4acb5274cde9cf4b2ee712a1a2e3743cbc7d38bcd59640da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
336B

MD5
886823f2d812db0688035fe0b436525e

SHA1
5f05e910886fbb90cd6e3caeb2ef16138f2f19f8

SHA256
85dcc38f66070f119807564c59d0c80f9b27dd6c09d2a1235fcad6dc1fcffc2c

SHA512
e469d37ea14343aec9321a71773b7837fa5b3fa602e33e47e366f702aca93e6320020a7a2c4737ebd6c01314ac9e86db308e95d5722030725ff2f8f38ea4bc02

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
240B

MD5
29130466dbcfc71182434f4457bbe579

SHA1
78e3908e19fefabd3f2c8eeb3ad00236d703854d

SHA256
22a1010fd71e91edfa5d784f17ef1e5bd0596d24433c3d855ad74d6eed4feb2e

SHA512
ab672efdadb28b71e806280e86edd2a0ebc284a286ea3b098654b0d50e8257ea0f1ec96c6b939a4077cabcbc9ca2f908410306e648dc7764c3272e96084cd287

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
bb84df8922346affa19adcb4b4bd445b

SHA1
5d397d2e33be5676bd991f2ffd62cbb8d2e0bfe9

SHA256
8c2bce9a447b678a61ae1aaac64a52a78f8a43ce9ea6b8d29b66c8dc3fdc9d65

SHA512
a8d8c2ecd7355bcc7e322057bd0652bcbfbc55dad36aa96f2ffd07c3122398b6629525a2f4adae3f6f12701a1834e112d1ffda81c5f05baee93ac2a22e2e8340

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
816B

MD5
9eba080ad2d722a84b2deb66875f02b1

SHA1
b78198a01a6e03cd197f65c73ff65dc474becfa5

SHA256
9df0cacb535eca0988a7d9af2b2de8258947dcfe6977af785ce037f1b8b15696

SHA512
bee258535add1a94f203c56b663ca9d2aa7999c70e28c8dc63d58471ce9c9519924549bbfa3515883d74dde199ace4c3262bfd28313f32d13c615815bbdddf2f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
2c7af74fd912f8653bd2dca251ee911a

SHA1
c1b409169ac888d25325e8cab3f0784d16ea1c49

SHA256
073f815e19afe2265cc4dcc0d547e219e3ec04be98d03c374914c1a289aa2630

SHA512
3e1dc7c0ac70adf77c81597a1219799f4c1516507ee4d0e8950b086a407617c5d863ef8d42cf910d1e0aeb5eccd16671c140d4511424d0008a69083af96c495a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
e05822945bec72c10f9e27527f55c5a2

SHA1
cee10641a4cca4751d15bd604f538152cdd04440

SHA256
5423cbfe467cabb605290ec6a506d7b0d591cc5295c57a8b2abdc368354c9274

SHA512
e9c2c49224081ba85da7eae7ee4ce29e017479397e36714d768780cf55bf5ace19a4bf98bfa221d78303db3f7617ca4f28bfa6660c1a3949d646e999d54fc782

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
6b35b7d752c1a2792743d9f00eded184

SHA1
8c3b00739d677d2d635c7cf5e94f673d391caaab

SHA256
1d2257f6459b98ecc973addd30fa904f331b21f28ebc90507372b0a441154e08

SHA512
aac6544e473083957519890ec88aadd17fb01ff5d60a4be470d6151516f9f342244c057a678b2bcc110aff532fe6815e756e21866fb262a4f7de456c6e25a877

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
896B

MD5
ed17ff437c16ab885a9e57b3d02fe7e2

SHA1
431c7e79075d8873aa4cb5aa807d2ff5ce790615

SHA256
028e93eb4da154bcbefc2db5962ac4a62c38faec9007c2ba13ee4a46b6dafa4c

SHA512
232f2f3e347e44c71cb3181b53be45f8e22a27b0dfc99f3b01619e2f202fb7510a9f66b2dbf8b70a794d2cc5496052fc02ad92c52211772ba5adc00621b2962e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
864B

MD5
3a01b42eb93b3d277a91730c66f8ac36

SHA1
cb6cf552dc7c40f4ce67d36cdfdac9991094ea46

SHA256
92dfacb9a347e976773e1b9da0500e820da398ff1ba694a0c4714d27c08ef52f

SHA512
58926f3c0740cd97bf79c1201bdb88abdaf3248654f0692310fe1663131e987e4fc43f0ecca9283d3297b25600f69e30ce0f491259b5c5c8b93214bc6f69004a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
864B

MD5
c7a5428fe3dd6c165f928a9c4283838d

SHA1
10c59522a1ad209a160980aae1ca78b20ed9d51c

SHA256
1f8ee94e7ca6ec9c74855b6ccd493a6eb9c06cae8a56f40ec9c539443ed38150

SHA512
2a42abdb6bf67bf997d8bae547ee3d8f8479829fc683edfd52877bbe3162fe0c9570ea9d79284f40db5f48bffb83d4df5a786cf3d7a483fc7a59f1e90a2da2d0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
53834d7204a8e145586a574ecb78681a

SHA1
ad2a09bc9509a888b52c51345ca25deb811becec

SHA256
e304cd74256f80b76b76673469893ac00d3a72c2060574f72ae85c220466f8fb

SHA512
41459836e82ea94f17d76ef8e37729f6786dab276de0bea681c22d8d712b2165872a21c061c5a6be76fc83f632f2b31ffc97e79b51735fd0a56f7b9023074cec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
e62ecd8656b2a09ec3a7ad990c489485

SHA1
523dd7e917246d3edfd5017d9e09bcdcefef2e06

SHA256
0c2eccd19aa84cd4b2746ed6520556acf3f0a2fe08bc46a782cbb342d9ebe1e3

SHA512
2df95f0e21f583d10c358baa93bdc9b5ae40dd32684d95883ccc471567f4f1abc21df7c5028194b94d2260162eb53d46be2ffd5e5baaaa7f27e33d6e5e4a9545

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
864B

MD5
e8a6748d2a39c26c44218d002f538452

SHA1
8002f12f0f801523236707745f0c827f9c824abe

SHA256
6d2b47ca761ef8b239a21c0a3873322b922eef73fe8c42c21605122ab3ca8497

SHA512
65293c4ebb5599844d7bd4d727c6257b92c14d102fc17bf5faf94548c0eb36744d45044fde32ae04857b4797942b4116d1d46330f7af339a097559072cdb0ec1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
848B

MD5
159338e651f57aff481b73d1e4f25b15

SHA1
65e685f5404f76c8a982c35238ac9491329fc30a

SHA256
e072d6a7bce8faf078ed1c056f41a12174627c51a4c77570c5a014803854054b

SHA512
583baf226b737772c378a299f042ce73b5fd784e6a6e644f341d16be6346194b47b7f79133c777b4b03a8fccb499cd538641f9b43bd1f37e16e107e0f94b88bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
880B

MD5
09863ea6736ea0b74630c2eab315b52c

SHA1
ff8b4d76494f7993528189a28110dbed9c2eaddc

SHA256
0f40cfec3f403c8b8510c7d091af679589f4174382828dc3f7af8dbd027782d1

SHA512
3616203d46eb0a76aebac7f94535b5788d313b36db0899a0162b23ddb3944264b374b0a29630d30712100189ad59de9ff30820f7b630aedfa8521ae3f049213c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
848B

MD5
f5d2bb3fe671fbf46dd5fb9ff29bd3cc

SHA1
49213946a2808cac4d242fdb5f45e95030823b87

SHA256
ce83c6087c6c970efffaee6a7ef7c27c965d5038bc4878e055111b45a0783b57

SHA512
a48e7c2934077df73fc1c7b19865799ac00ac089ab2129977ca8059f07a38f64e6ed56a6af487944d81fafef3e24a9042754335957f99b3bfcb58c94771af7f3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
864B

MD5
1bb597d9c825f5a7833177bf6040c4de

SHA1
64a629ee35aace1dcf065e35614ccd1ffe6b6adb

SHA256
b869dd65f4d947d496e04dd5e0feffe40dd07e8a56dbf3268c803034d0a77225

SHA512
981f9bff44eb9968d5778ffb6c771a363f179ceb6cdaffdcba070b7e76c3bce7376f4447e379c7b84cddf312074f2d71fb8c7e8b39fcc743d3c5eefddb6063ba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
864B

MD5
87929a64a82b2dc82bb60dcbee43b80b

SHA1
0e19919b0e7bfc62bdc6ab80d1ae5427fec58f5a

SHA256
c042153f7963acee9689bbbd3c878711fa14293762886e7d084c690cb99058b3

SHA512
759ad44fecfc56cfcf5c042018afac06ef96aeff079c340a6cd6fde462f5daca8f5edcf9f3a98611006cfcb90d63a7c0db325180cc60883e7e597049814b43f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
864B

MD5
4b80b23b79a3fb8e1df9d1f50eaba972

SHA1
0c2fe08b3a11c8742b6d600d849b30a1c31bf7fa

SHA256
c72cd39f6cb3c3bfa6501bb7516013678a736fb4880915ca1ac81710defe22c6

SHA512
78d6f5bb982be199a325ec05108a89b8d86bde2c4b4465c1ff6921f208c28ec40051e2f4fa81815046986eccaa923252b083111547e271ae3b5ed8fba02233fe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
896B

MD5
d22df3875fa2e2dfd9d45f19aa01358b

SHA1
4e2bb9b7aa1bfee55ff58562f127c198449c923b

SHA256
424027cf052ba96e7a8830789c004d9025b3a1dc4017e1a5322fb8adcebf89f0

SHA512
f4b78f424abe871b7ecc19431450e8ce7ed82c9000fe6f37d18c753ed55c50f533a45d23e935add17fdfcfe34a364496a9f7a3148a2248e16096b2f41b46a190

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
107954e06791abc4701286d2437f4376

SHA1
7b1aadfee252491bee6931fe3a5f35793cc49fae

SHA256
12d2e1111c6e7bb85d8471f51cfc8c3eae43746b2cbf531b7fdbbcb9ce643a18

SHA512
ab358475a1f0d3c61f074dec15ab701f1cc4f42c9eceee5c54e05937a3fab62bceb08dfd02c0beddd50ecb5144746399be01c60ec3f1d60f31cd94588c5e0810

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
cc765120af3a8f784507aaf607a3c6a7

SHA1
e29c1fd691ed82cc6d0a02789c9d80f008046984

SHA256
7693b02a07c12f3c3b3676836e1043ac9a78e172796b078ebe2846001c974121

SHA512
f7f274824747464cdb60227eeb989c7755f9bd95210b196bc0187cf67b5a93b6dc9ba579d7ffea1b3899b57971e15296d9caa230017f48d10bc0eda33a6085de

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
34d640f21e7d53e4ce8169e35ed4f08c

SHA1
d4de8eab85a5a088faacd77fb5827bcbd558d5a4

SHA256
160eeedb91d0197962496e76679b94e6cac643f5c77245e317d3857c24ba20b2

SHA512
dc8573d9fdc3ad62783616f7353eef0024d7e709bb479739280f22a99decc45bcbd019d3b7e37424014365fcb68fa682b239513b105e77a6e2045e2640bbc552

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
d59425054fd3284b42789b1b09892f8c

SHA1
d88a7b7d3c4383427569e5e76726e0df02f53b4d

SHA256
bea5e938dc218685ff205db77d30508861934bd02b0dbfe4d53ffd83a6db8c47

SHA512
3c8d343e8b67fe202e8275715922d4521c245a0de541c6408b1db75ca98545b93f7e6ea366c7779c88245e35d585dc4563db9bf14e1f825c1095262e4c2a306a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
0fdea494707f67727de5096beee43a1b

SHA1
5ddb82782ef8bea6296a385065e49b79c44ac0fb

SHA256
004d3a7eff366614a2dc0eba1b9cc335252868767a838ba0c86a9da32c96b3fd

SHA512
976ee0e0799910dd6e3d12a611aaa21bef0a640e405b463602426c775cb5d0d61dc20af7ca17d530513e2485d7e0119551e6ccbd614c2030db72bf8cf0279957

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt.fantom

Filesize
109KB

MD5
e48231665f48bceff7f4493eba48cbaa

SHA1
ffb7139d75116e1db4a00cd406cbfa400950a971

SHA256
96387166557b627c187c72dc9c3562bad33ab055c9d1e2f8bb3079796851a62a

SHA512
6799bc9adb8c3c38cfacccb81b5f66e7a6fb7fd1020c96e6304f4dbb45116524b42ef651204fc638c83554d8e99fee207ab5ebef7aef335116380123e43ee8cb

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
e102a677be4521fef46e2f0119033cf4

SHA1
fb11b6e38ee57a485f262bbbccdabac66dbc1b2e

SHA256
94b3223b8e6774318d961b05587a507f964955c9459bf9b39fc3af9c7b616302

SHA512
2d4b9a2b79c7a0749cc60421e8510513b1021eaf20cbeaf120f0e31f853636b44e63264a60c17a58c3c5ff112e8078b07c0c0db9734b076c20db1955a5bf7534

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
16B

MD5
ed24d47371e79c0c85543d24b7a1dba7

SHA1
404a134843b0dc10cbe7fd6a8f29bec664e12f96

SHA256
8afc39d7469cded9bcd3917a9ad0640c16108c5ea82ea8fa72680893bb802a33

SHA512
a3bc88332d6171e7fcc55340bfe38510385604f552efe8df5922b66281b858c9caa86cee4e26a3e6dc0f5721b59fcead5f471fa25d196ceaf2d7d17caa9e11ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051533049.html

Filesize
1.1MB

MD5
974d638c682da7361b18973ba768c2e2

SHA1
9c93ac23985d4060136156364047d108b70f9b9f

SHA256
5f15370ca3cd2e052a2595977657ab77bd235e45eb55d6a38357c13fb99c5f72

SHA512
3e5675ff514deb30ab7400e202ce5b2c041b751409864c5a5d8618c09f0a3d6988b610ba4a333e877c4df379ff91d0de19be421b6337fd49565993ea311e8d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
71B

MD5
b132f4472ca04d3aa18bb37aaa230630

SHA1
fe549c6c96c7d9341fd13e12fc24d3551b0c1f67

SHA256
75ffe7befe62da3753a0c83c65e269ad159a6083ae893acf2651557f9f1a3c2c

SHA512
c11ea34e3c696dffd66acf2353cbe12796fef417bccacdeaede500a3222fac4b8efc18747d8c726212623cf8cf99046527978686ebd329e40592837688f54605

Download Submit
C:\Users\Admin\AppData\Local\Temp\update0.bat

Filesize
78B

MD5
397dc7373e23f1980ecf849a29708041

SHA1
6c91608ebe57a3d9375f646ff287e46a9f18c861

SHA256
3ffedf213b18d61561cdbdf3de6946284c7b0541a69a89ebda74add1aff7fd5a

SHA512
9c8cf8355cde0402b71fb4e713d14ed12a1031c3120b4a1af6e10ce02dd5828b8d27345ef28f40c34da329e47b36f4f0da74c7cd4cf3d3964d004a16e72096fb

Download Submit
C:\Users\Admin\AppData\Roaming\delback.bat

Filesize
35B

MD5
d41ac96c53b4fe0dfbe1b080649141c1

SHA1
b4d75213c61646b5bd48eadf723542fa9aef8b00

SHA256
325de85e48afabcc0d53d5f6d9371314d0ed6e46d91c271abceccca58cbbd238

SHA512
a65c10d4face73078643ebc99c022a19a5944cef222c27739bc94456bd7601b5f118d4f2738fbc8374b8ad86c927fa0dcca7177fc936409f3000b7b58a6c1563

Download Submit
C:\Users\Admin\Documents\SwitchWrite.xlsx

Filesize
10KB

MD5
ba1d8532a453c6803c7e3d7e3b8c6b56

SHA1
d573f2cc75f03dc28ff881135d53b3a9722cde63

SHA256
382d309aacce68c8497d02516d1a981a5d7e4b04363d62e48304ad6026801085

SHA512
b9971b7dbe43ef680d00721aa20a3a45ae393a029003b91bc82bec392ad5bbf8332132cacca9385e086d1beeb4c49b4b24486be3d83ed8a7e1c1911dc58fe5f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_sml.gif

Filesize
64B

MD5
c4475ce80baa09c792c09b817fc7492e

SHA1
e4923bd2925e0d62b513b72684236276c393b3ec

SHA256
e0685dea96df1e248f825a8484d704fc27e08f7fbdeb764b390ead98e026d7d8

SHA512
d773170c722e22ebe6eaf69d5cc44f118debc93d957d45ec4714625c191c950768af644a96133287360ac63f4708ac52365f565d062432a95a8e5404c5ac0646

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
80B

MD5
a4ed71d1287e200c3da540b7844dc2f0

SHA1
2d1310fce611c8ead48a74a732b9155d654df2d4

SHA256
f93bee5722c76b3220a9aa770cd63bf482583d49040d9f369b63345b33fecd73

SHA512
356114ecb002023516f31e0a624d089ee1ea604621ed4005761d6c181d3abc4cf087caf445aa9a7587de44a35ee30d7ded5fb92306d5ca37c701e41f43f6e062

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
80B

MD5
89df2f11dd59ac866fe00524d754e538

SHA1
8dece9252f9a94eadbfaac7c4f2a6b023e9564af

SHA256
7ae5b359e834883fe54d35cf5ebf91727cf3ffa49152a42ce09474a3869a5c45

SHA512
9b7dc4629d364867f1ec5450f719c87b0406ed0b87f78d7c63d10e252bb6a581fe652135f892aeb81945408116fd81d0293e8b39b832db4c26cf4eb090bf3d59

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.aspx

Filesize
6KB

MD5
76f672075607164133de80601f93e2d6

SHA1
7d1366e90f606744708da6c44ede5c5ecdffb522

SHA256
37760452638a38d30b8d3853f96907fc8061cd0e96149a11f233e13b0850ea05

SHA512
e7b8c19ab3e3d335d748205febcd4d9c7dbd992cd61194e0603486058054179fba8c612a7ea2e994e3843a6b3e418d849f911b6dd47059764903fc5907b03d84

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx

Filesize
13KB

MD5
9a4f23f75764c470696696e5c5740c16

SHA1
052c79c70be0f2500360b602ea17dd19e4978899

SHA256
a60aca64c44b566afd4d46ff78582a7956c7a9a897a492bec2401ba05b9614af

SHA512
48be1e8d10152b6ffa6da74dfb6d07b5ee003548ddfbd7a85a262053a7688f62110500c5dd353043fdd3598427a6a531c8dc06122d25633138d5b8cef06314cd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx

Filesize
3KB

MD5
16c9771a2ae42746f0a2c0ec992a0af7

SHA1
58f736a30c5d238b252c897139644d5c29eb29b0

SHA256
2b4f28fb0bbfc72495416370779c4ccf19eabefefbfd36e588f1ce736c6936dc

SHA512
0aabe270e38ec38f871bac11a3a220e42fbe2a649048a82a617305ff4831d18578055e52d872074c9d6f0b6f795a7dda31de1e2c26bedca99f34409b25432f74

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx

Filesize
6KB

MD5
3b0affcb57736ae935d3951f968f3c23

SHA1
d721dca61f762b86b752ff6b184687ab982971e1

SHA256
8227d70a3ffdecd52ff51a1f86fe51960975b6e35e98539f2b46a4d23b9ae3a8

SHA512
e4d31240f900267b110a575ae037423d7be4bad013a5db9bce88165d267b1fa6c85688e0a6d8710df15d5fed32f1c72cce9a6ec8bc40aa0e6becd5051e7c60d9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx

Filesize
10KB

MD5
ba56a438469cd2db6705512324486122

SHA1
6cd7e9decbb7f5a6f909900a2d98fa9863c0d7ce

SHA256
2ccad3802c7239dc1650416b9f637a5143e49b38c71331d51e7b8fd348b86f1b

SHA512
6413873ccd3afb6ff75a1ca5d7a19965dc64d0caa75aa098c33613d5589145ec198f9171f33cfe16dae0c243cf665c5d26aa656888a43022d5bcd5158aa092c0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx

Filesize
68KB

MD5
955e260533aba4f9666acbf02d47a914

SHA1
8efeb89207ea007ea7f2be910bea0c651b5c4dc2

SHA256
a86f337c385aff7badb20869a36f7c05cf28512a34e34569ce4d6a53bfd1e6e0

SHA512
80e18b354d768cbd5b3a0e77081d512079c35ec348fac45e097b7725b140080f4e4b535f07b941fc366f2bdd7b562e74161939876627ca3c786500d5bc7793b5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallCommon.sql

Filesize
24KB

MD5
081b048a133cb5b4ce88f63df591c6cd

SHA1
779c15f33173a733af51e065b2b9345d52394e9c

SHA256
a0c60fcc3d75ea0cb44a3b11af679fcc550068eea8f5da62f888a73dca04d78e

SHA512
5c39a0b9ee2ee8a574bb56ab5c0ec7a0965bdb609ecfda88205e610be36d56af12acb4a47c2f6e637acba4f385539c669237256ea8b561445b79fc3a9c7e06b6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql

Filesize
54KB

MD5
01ec3df572b0214dacd12bc392f88c74

SHA1
3d1e05f2613026d477ef8db04762b67445a55a76

SHA256
5d649667e7097ac9233f84b17e559823601ef0784dc0a076ff68a66949f962f9

SHA512
442e32dee172c6bbfa07f248045f2f55806514b822923583f9479d90940b3492cfb5663860952fbc8dcf041d6bc0db65bdec013946b4e69e201f2ec2e6d96e04

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql

Filesize
51KB

MD5
5ae554ed4f334f70d2e9417b52d79090

SHA1
04f03ade614abd3feacb5180d742480d2bbf91e0

SHA256
a71ae1c3b79318990233b0fef65517aa2e3dbf29d828c2bcc70a79f0951d8cd7

SHA512
6f2d0035244864879ecfcbfbfd2366b482934183fa0b28d7ffba428af337b281db2a46d7694851f163f2afe5c2c5434e8ea1a293e8344b57ceb9847d68f61f54

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql.fantom

Filesize
34KB

MD5
4142bea8b92349f537d6a3402afbe0d0

SHA1
96f389be904c8589b93246295c2d47ff71ea8190

SHA256
03d884b34da15d740b0f26a2999ea490049992bfcaf13ff136838d88fd127d8c

SHA512
a870a83eb5e5dee74148492933f829df23b023bdbbb8698db85d7caeb13aade658233d09718b74e97bb9a16732284639c6b31c5c21b2f92db4d84b92083769fa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql

Filesize
33KB

MD5
119d9eb433c1776b453747bfb31e9db2

SHA1
7020538277c3da754348b9786c569545468b856b

SHA256
3574bfcb2a7f1a57356d95896ac2c9ee2ef3e42419dcb1847364477737c15607

SHA512
6d57487c620b53faac0c638e8ac70536d54babe9c18364c5f08eb1a67cd3abf2638f416325e441ac1a6029c84406f8f2407db92148275483e2c599784a79ee95

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql

Filesize
50KB

MD5
35bca8d37639c9e00dc310eb9392dff0

SHA1
94227f86ebdcbecb7c07d6f54a07e39b623df822

SHA256
8fe9c1c28cc6e7ca6972bd1aeedc4473f980463f7646f862fbfc3c72199489c4

SHA512
bdd2ac15f1051a3d7e8edd7ba84e211f47c9ce191866cde0e8c5ae3bd626f67a59ce3ff4393da47bf4947f872dadae776a3586daafafdee4762e0c8d2b334321

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlStateTemplate.sql

Filesize
52KB

MD5
ae26dc46d779fa15caa1b32aef536c14

SHA1
c961912b621c9de78ccd1139785695a1d88a58b6

SHA256
3b3e92b44b60c76aef1508dfe7489957a299b5f1bd0ac2e3ada0a3d35acedbba

SHA512
8eb20ae6c44dcd05a2137b601528f61518eefc08f399e6683eb3959d9a1fe0273bc349aab8d2942c8c4f95c95a514465b3a237a42ffa936dded93728176eb466

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallWebEventSqlProvider.sql

Filesize
6KB

MD5
6c6e747bc645bf3b8cc076fbcc2d5301

SHA1
2cf458c8b1acddafc5cdb0bb7e0d4cbd2be5029a

SHA256
6b0232e79c3f67cee117c1097bc5ef5c89b360b4c5b4a11ae3ef7ecef946a4a5

SHA512
41e05bf8b3b14786577a7bb93bc3a3f0132ca9fbfd00d993602e594b8403b216bba16e1dd9c1748a8d1b305b26dbe461ab8ea18d30c9c5257c5afc2d2e0e038c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallCommon.sql

Filesize
3KB

MD5
45c6961729f2027855923809e4798682

SHA1
c241f6bb1d7973a7a0083957195a318b91ef9da9

SHA256
c116d6517fc0b40097728c09cd6d39f5d297ef77922f65d5a69c96b3fa7db1c9

SHA512
7fafcf7234da2bda3c096c16c4991766bb59106d6a9a8172610fced8402bffd93572dbf57b7bd4bd3712db6ed6e9b4c93633972b1f513df7ede0dfc804b5267c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql

Filesize
6KB

MD5
56ce82db441be8843f449a30a9601e04

SHA1
15efd084ed8e92e467c12c49c26cc3e3a3a24f5c

SHA256
951cc83a67d400ba5ed431c3ec74ca22b9c9c219d681c8ec0d33a0537538dfc1

SHA512
ceed4da2da10605ee4fed7b4b8da293028dcc7e0ceefca0732d0e86a21f6f1098a2b30bab08d4a7d56a26f38d9579bbc7f0a7546dbb044ae3efe41e03f6f395d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql

Filesize
9KB

MD5
d90ccaa2690b9892e883a8681ca2fea3

SHA1
ea95444dfd2011bf3bf8ac9a192997210611bf2d

SHA256
7d3629fee9862ae54618b646b1cd0d3df9db7ef2856ea643509ec209088105fb

SHA512
57787fdf79c988322b516b0bdf6c223cced64432c223fb37c09fd0e0494fd86c0b0af8393b0c17491e38dfb909fad907496b35c3d40f752674f39a052b0cdd84

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql

Filesize
7KB

MD5
1285f8e7c9cd662cc7a36764be44a46d

SHA1
c1c72c4b91f816da6daa0f131423855f5ccb96fc

SHA256
72046c2412192aa64c2c9a6dc31044331eb00764bee14aa8a1ec6b29e6f1099d

SHA512
257b7c82a004fa3f20f45c62b45c4fcdfc117a403d949260d650e6642bb1f9d5870fbabd37bb81068b06ccf56e34dc728c17941c46000f9f4668f7bca0c6b14a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql

Filesize
5KB

MD5
66f7262aa6c97af5ab1dc29896a03e21

SHA1
83e6cff6683264bff74e31c9b171d9ecf5ccd8dd

SHA256
81ee1e7e9320b0f12ab14db59a33cd63ea60dbc14fedd04b5ac35f7bd93a3863

SHA512
f6238ae070bdb8cb663346298258ddf1ccd252f013faa401ad87e642aa868785c385d6e017cfb16b475c8bceba721f2cc50389250db89e1255a840fdd25b53be

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.sql

Filesize
9KB

MD5
f0ebe90618c3a4b6b271315593bca10a

SHA1
dca575471017d9bc7f3afa983f1c0b26614f45e4

SHA256
ad3fd758c5ad71694f08f4c2a1f3bf88d9395b1e5bba1ecb6d6f2c76c26fb958

SHA512
523828658b26bd7c4335ecb21114bbdbe2f10e5256a805bbcfe98b00c4f021cea5693b953f40014a12bd5ce19af2144a30119be6939ca0845b9194d3b63e2e17

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlStateTemplate.sql

Filesize
11KB

MD5
222d12c9b50bd6e9be2d9a3759457e14

SHA1
9e8f77573eee01278ba0b0fc73eef9fa34b25186

SHA256
5c8ccaec534ff3ce5a27dae15958989121771878d7fa137acc89f7a0284aecd5

SHA512
1fb6965d7bf6d6530608a6b90ec565db2eb1533a403e7b111a0a4ed36e4ffc759207361ac66b89a3bbcc3bbaf18429982af266c027fc394060ced01f882b5b49

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.sql

Filesize
2KB

MD5
73ea7ae64b6a81a683bddd6de67d8b35

SHA1
ca6d5f6b7aca2e2984de94c94eaf91be6f2a38b1

SHA256
637cfeacabec538cf3d1680fe6bda53342b48ea6172da2e446040b2c53df04eb

SHA512
d533297396f6fc4aebdcc2c3ad73f77559708baa8080f7a891db1e13eb45ecbec4bff96bf2cec23edf6ddb704d762aec689af053bc159112dd11170705e81419

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx

Filesize
3KB

MD5
8d978daf7ec739a2ab7b5d9b2dd6f824

SHA1
dccb43fefc748ce8f5fdf8b05e972227161c7545

SHA256
43b2e731ab87ce29e69c5ba788ebed5511252e017d32964928c0e2f0ae14ea80

SHA512
d06f4c4acc78e5c8d6d70282f6d8a9426cf781cc91cb3b9b2c8524b00c7d230f096bffe9e4967aee6d008a3b7a8d120cf0f0deebc0026992bbf3ed8a6d5aafaf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx

Filesize
2KB

MD5
1d565eb6c666a61f77fb7f31ee0366dd

SHA1
84c3f2190ada4622dd034f81d2f046c4f6242c11

SHA256
9f457d9207d0f83500ead463ff73d09609d729d5136c647b868d43263dd9e4eb

SHA512
56028438a79058b70eab6cc51758485ab4f1ddf099c2b3d6aeb75ec788d1228b8b7b535ca854750501b4636bf38661c21929447c8666e58bff2006c0188a8797

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx

Filesize
14KB

MD5
1bd30b7501dc8d0f462808bdf02a8961

SHA1
f9285f69603e4f17057d43ef6666ce60d859718f

SHA256
473eef979b82de22044610df29f2e9a4382b6fb93a67ae27fc510cede01405ef

SHA512
f9da4db437e3df4eee87cd688945a2697b91192529b55cbb80ca0ce375520a2e976340ff105f68c87dc0361e699f8daaaace54e43084687900efe656bf656973

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml

Filesize
320B

MD5
8b5f9e27e3da4a582ed1f29ff6d14a14

SHA1
fad679fc61f91c13613c69bbf787e96893245de5

SHA256
be55a97dbcfd5319867470f3b7403353de5f06166923b67a27770776383b7b41

SHA512
233a7259dfa9776ee4251b534621b5d25027a1d153b06506696942f38201c1fbea514385533e0e2af988bed5135935c4a548ae28839af5702fec02bf0817d25f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
c54894543a178ebcbc7025059be16e90

SHA1
d232eb7f85e4f6458dbc1c56a4bc5833c250b8a0

SHA256
bd2dacea92aa7540a176306d0ba1f6e62aac9772b4b4f3c8963995e26d9a6e9c

SHA512
9f2b6532146e757ea94f7433754fb34fcd9055e0680b7f9b652f622f834ba4b1230f356cf910de2517aeb9f0e151c0ab3df4a7fd99e1a85f43ccf26334de049e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
01907cf77f5045d0bf75caec271c0b42

SHA1
635a8fd2dc142350890d6d43797b0fc972509b7a

SHA256
41e969df0e889b9d61099ca3eac8b1211e19d638d176c35a7bb6deebfc770c10

SHA512
043039652bc8d61f55733375def963c61e573d76fb11af86f44d7b33f97d5562d944ecc7d7e1a16aea6b03f3589040975c38437bb2d162b46e1d09dbc6d46424

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
960B

MD5
6fa1ccbdc115d068ff3c5043921ef4e3

SHA1
c8c6bf1d52ed55e82322234caeb90819f3440b54

SHA256
77b28b3debeca2edae2d4fb3069322dd438bf80ffcd4bbc93bfa8da5f1626508

SHA512
477a714fb2433d1ebe318611431daea195273a0d06ffc30c17186ac72e2e0680fa9c8334b746be6851f193fe1d027ae9147ec44e8c13924c7892a745bc619254

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
128B

MD5
80928f9ddfea57113db27721aeccb484

SHA1
5f1c88dba2bc5f2479bb02f6fc2c7da0b12281bf

SHA256
88b36051d80e8472bede8f53eae1bd00d1940c233f385c6af10bcc24129fdf30

SHA512
ff09d8e0483e37e99f80af9fedfa47edddabcba9661df3cb3d0b67bf52a2bf3433d5515974b8c6a6b7dd73ec10b36cda870bd1ce6acdfe47e26a360f4d313d3b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
5566b72c12654af44ef73431801095f6

SHA1
73b53ddea654f584e25fc1cda62daf0b3ad1f93b

SHA256
4665a50c03a40570168308da41c7313a00c72d876d68011b2d5dc8015a953c5a

SHA512
c9b8b05365f2a34ef4bbe074ad42e34fad09179f136fd2dc5acf70bb1628bb5643778ca915c0455106bd7cdf49b012b323baa4d1b19669b334940d8c080c47ab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
a0b13206feb0901d72d447d55ee7cabe

SHA1
3473edbb63292f771c0031579fc9b57f68f37a19

SHA256
8c11826f4225e0b704579279a92f1b727099a8ffd0cd47431407605abb229062

SHA512
7f16227c8c71c6369958be269a159817f39bc1778642f6babccc80fe55d55c890c9419da43ab99ffb3795ea425fecebe2a10bdd1743c6c427834e4225047323d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
64B

MD5
8ffdb8fcbeb409d6a39510f1840a9cd3

SHA1
a36e06a29600fc008142548fcc4d9dc21657a616

SHA256
e0df268e829acbab32b64b404fc4d65552425a391c71f8232e0f65c49133493f

SHA512
7efcd9df1664d42f4e64aa3ec2dda01e5b76c28364f805dc9a9a81145daab38faaa3eaa41690de2fbc53abf5e952a636238a04bab64496d4cbf1b8ac41859fe3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
928B

MD5
dca08b045caf3d38a432a9eb9d026eb0

SHA1
a07442c1867c554f483f404540231f4407c4fdfd

SHA256
f18c0b18767f9995ba41b354d0e1dfa137071bd113963b634e31880936939628

SHA512
4fba6d963238357bd4042267b2bbb2e330570f01b9bb913f8e05623e869b3f54e546d284f31191b1cdeb7384d2d565763b376d1516f10f0650e4b5d417931abb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
96B

MD5
b12d00e25b0f6bb753b6c0784bc4646a

SHA1
0c683045486f34ca9672e525f005ca47b7893878

SHA256
87b4b15fd0bd5c46a3163148e92af57122d5fb48424533eca1aea86ac23eba1c

SHA512
1e826098393d0aaf5a657e3ee77dc4c0283dc92fe4a8328261134ef8d57635d666e7ac5cf44c89fea0ad03dfe4b0ff0611eb5206649e54ded4c12c427ad8002f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
96B

MD5
f6321fea539b95fc79690424bc28e7c7

SHA1
fa57976259c227fc61915a6503c325b70fe2e03e

SHA256
bc445872f24fbfc2886be0762f7c256e3ee5fbfba50ac7187dd32ff7fed3e95a

SHA512
8e2b051b5b7442175a261e0a6b3e677149b0ba210db2a1f8270c9b5cd12f51bd098b0e47359feeacab39709480285518d80f081c0edad9d2f1d58f305b8aa481

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
336B

MD5
14ed63052bf97d1bc6ee9c5c7746c38f

SHA1
2bfcd2212007586fbf2a45ba3c42e51355cdd1e7

SHA256
448b8724de2fa2a51d49e952b59118a2e8d5759c38058ecbac1fd4d3eb8651c4

SHA512
935797e2921786f6ff95867db0cbd6e58a067ce9cbf913694121f650e8f36c1a55a4d96c1d2ef248cd5fb316606e4a58c4a46a09db5d0ec69a49de9263d189ad

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
6f6cd261f9bb331b561d8f42153cd123

SHA1
f8beb9132cb96474e6c51b57007c7f8fa0e2f2c4

SHA256
f4b278567569d5378bbee4166d9d669bcbe71b9860c22cc7c3cdd855110e3533

SHA512
60210f1bba317fe530b517da0de7e9674021ff43fae6be159d1cdd00ff47a927558b70b5d9c640ea2e47d9a115abafa9353d2ee2076a33a780a8136ce4c3ab3c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
176B

MD5
cfd3bf4b8539b83f3549705ce7b1416c

SHA1
00de996bccfe804d21ecba0ae5ece53c9b574252

SHA256
cba535632c4851551042eb7756322b693791debc9891c8ef1c6748efcf861d15

SHA512
cfda2b518ade6f3080baf72c10619b305574ddad8ed61a94eead3d455a71d01dfde8502c03ee8aff22e4897216b30cace808ad49c9bd4351cdbe7f7a99b9d785

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
592B

MD5
8cf783d979f71b3ca47875e2a3603ca8

SHA1
2dcf4701cffaeb7baa2a01b39bde60167847011c

SHA256
1a69f21791878bfa202ddecdcf336e8b24af54a99d151a129d47360b5db99c56

SHA512
b8f4d6eeb166c62bd7eedef40139abcf230d4e56f4dd4d0d46d3c1ef6aa80b9f00369a6df73b0c7799e190edebf22a69aa08b679b8ca0b5d4b42866e84e8eaac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
128B

MD5
d6c7738f683c22eea3f20b99544d9510

SHA1
f96fd65ea63bf69476f17a01e2a64c78eab1751f

SHA256
e25cb222be971268cff44a9daab677a82c568d54e50596eb60c88c60b7bcdf76

SHA512
da200bbb6acd2735bba062eb1c20698ff961069c3dc844f8b6d1a1ac16cd55ba794de7d3e506b110599e00f6ee5255cbea1958f3eea2fe8396bcae6dcea89fcc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
66872379d665c52287d65bc5431340a6

SHA1
839e2a2a9e055608d5d90bc2cd9378aae5ea8250

SHA256
4a15895ac3956a6ce7c64ecfa0a5fe830abcfd2f8f8afe4cb2de77920dd68f16

SHA512
a401f7fc7e97a3cc25ffdd36abedfcaa79ba161640dc9e7a58bdb082dc4d037c1e588f5d164a4b18eeb72bcea9a400871ad6973ccf21e21231a4d14303f7e31e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
896B

MD5
adf1063fe92fa21816fe19f648dc5df8

SHA1
e13e0c405695f0375a21f77a0a481400abaa95d7

SHA256
8402b81a6ecf17066878c917f969a2b3ab87c1fc55c864327e6b3f06c67ad42f

SHA512
1f34633c6c3a36de2079f5cc616d8f0c1d2318e409758696e295fb59ddf8c6580c5ce224e6b5d5f558f2d72a121794e598cce3b5a6fe5cb77fc0dc9075d1f28d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx

Filesize
12KB

MD5
df6a7e38b46fb41804be8108a724de5e

SHA1
5eafcfd719e056a4331977d173276d812ffd25d7

SHA256
78211ac01a5d1c07e83ef073f2cbb0349fddc3dace75f6f8defad8fdb6bdb47c

SHA512
a084311e17d049b3ce153f98a64940ab515d605fcbdaf0197ce17bbd8b26ff7a13da928d78a56b6327c241f5b94f174799ca279a9ede63b67ea816b4a9537866

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx

Filesize
9KB

MD5
7b6bcd0f3c9d3ebdf6aa30fc737eae8c

SHA1
587f6179303f4eb30f54024d812dc090acb0ccd8

SHA256
f265348b069e345e64b65a340e27705026f03999740789adf67fdadcaeb5910b

SHA512
4a9f08af948bb1022837d86a7742034146c30ac674cb4b96c2dc0227674fa27223c9f230ce6ee6622845228edb775ed98bca038a53d51b9a855fbf5f9f344bdc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ProviderList.ascx

Filesize
9KB

MD5
caaf65119d1768de6bbefd5e607b2b99

SHA1
917e77c11b0d805719b0283e0255120fa425645e

SHA256
db9b4e071e3a65278794c05278690eec85a88eed8313130fc1e71d82338a9113

SHA512
f1086fe1e56c8473285b2b1739150580741c97303bb018b5d82af92de96c941e37c5f5364834dd84dbaa0e2fe5638473573b34669995f007cb99e089f5cba392

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx

Filesize
2KB

MD5
a1b1aba625e7f49a600b7927fa103976

SHA1
2da782e40a893137f870ebce68e279de22f125be

SHA256
f6fdb17a6708bbe946641bc2387c3d34e71cc5c72be4e8c8f049da720059c73c

SHA512
dcd07ac608b490bb978517fdc9724b53fa9ab5d69469f935f47dc8ddd8317c471173c0aca0c49328acc93847202495e6e99f1d0c2a00a90db8d718dfbd3884fd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx

Filesize
10KB

MD5
55e6f4093e06c92997c114424f08fc25

SHA1
ff63708b7dabac91868224fe5b425f46ec764291

SHA256
bfd0e1947d4d7eb1d49ca0c19298a0b8a89ce6003340b6f28db7297da886a23c

SHA512
1d59fffc03365aa1ca0ef3da6a31c9004926aae1e673f3d66966f2d19da7b2b8b18d57618fef9c62e9ca214ee917ad681793b2ea869eadcefae57df86a31322b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx

Filesize
21KB

MD5
b5ff5a7e4cf71adc38acb894ccf49ea9

SHA1
d00cc86c9a9b9e49784d8116fc0afe16c11f98c6

SHA256
93368f9a2a98aa6f3afba282d720514d7df459c1406d74795ef03bcb92b5d1db

SHA512
d2ed54d0cb6264f1cd392c2a539fe7b65278e58987aacdde74b53eeb95632df16b22c1162a2d161c264f7b0dd36b461539a65d92d67175f19a80d4982000121f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\editUser.aspx

Filesize
11KB

MD5
cf71f59157b5a27c6dfa8d69ad644192

SHA1
d07c27d28737ef94fd0f167bb49298b760010c04

SHA256
caf85e152a791a8a0216c571097ee203ac9af65f7cd18bec72c50ff207019190

SHA512
a244f91ab2978c922be5311a3bb6861e189200a6363438c2e10e73a4b37555adbb0dcd3d8806a23fe76e6791b0a98ac7766401b3dd2451f83b3391de19890268

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx

Filesize
10KB

MD5
4f56fd36b16d4ff858f704c4c6e36684

SHA1
eee123316c03486023347f33c3c42d44c9dbcfa1

SHA256
2ebd9c438712d0934fbbfdc4533c89483252cc9526f4791231513fe1fdb679f1

SHA512
c11c86a0e37e36d5d8968a2bf3aa95c428b7f37484baf725b64cfe98fb0206b314ac4f5f1474f5c24ee23c0779ec9353976fd9acd32f197c8f072bf04b4e52d4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardAuthentication.ascx

Filesize
2KB

MD5
377ae2c8ee301a4ad9f65ca882903f9c

SHA1
d5f17a6d2e94f167023593d7d55cfbab50170210

SHA256
083f44a036587f0ad3d88903c3b38235f180c6ed934bc1c37460763538a476b5

SHA512
8712b3ba4f9d6353725541bbd4a679bee6661a62be423b10184a6c0ac319734aa01f10fe9334c87855bfbccc478c87ef0124ee35b9890d3cfc2facfcd21b66e0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardCreateRoles.ascx

Filesize
7KB

MD5
a0b176d1649cdfd8c1c9406ffdec48c0

SHA1
ae9775483228419a9dc40058e63cbd658b344289

SHA256
266c46f505ddb71a802490f9502da1331925d295347b4168c6c4fe50c9192e56

SHA512
ef78d5c23261441ace4e04ef5e17e025075264f907077bd589134372583960506da26c04697849fe21ceb35a902a57e299db948cdd56f85965b8a87597a37555

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardFinish.ascx

Filesize
272B

MD5
6f19d33819372b6eb41db61a09d45991

SHA1
1291a6bbef081c511a2eedd0cc5de4a40fb2a71d

SHA256
df101bdf45b00753d80dad680647cca84afc973fcba7837729631f6fedad51ed

SHA512
e437978268cdc5d7d7a772b770104ad8232fc47aab08ba1104c208d2907299383cb945356ac65a809aef87e5b5cfd873df1fcc40d48015575251d1adef743312

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardInit.ascx

Filesize
496B

MD5
49095bb89fdcc40b25112b5a1bb1a4f6

SHA1
7068ab0c50d6c4a5ffc4308ab9386aaf10911204

SHA256
ef17d6519ba4a7ab6d899b659b644886cab7babc22b35fa8715a8c2796131783

SHA512
134e5390faa5251d36ddf01d32aa2938b83ee1e1a0319c5ac7f6644626bd3b912eb7e8e356e5d5e19ef9fdbe4dcbdbfb21bca8a04384673bc528c61268ef4058

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardPermission.ascx

Filesize
24KB

MD5
aeee72cda65c88796c89a293e28f9994

SHA1
839006bed1edf754d33f3c969f272e5ded8d32e3

SHA256
0b6b0be6c9bd9607985b786a85dc8c3336c5ffb89eed48aa6316c66d4ebed617

SHA512
4f09353a7a71f523b1b980f5df3f55a6bc2d9a3ba5d49ddb3e2d33f88e9bfd362f90942632fe6a671c9e633eb944fe445ad904a9edff811321b23914778b8659

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardProviderInfo.ascx

Filesize
1KB

MD5
d491c4adb9095d0f1620bcc7ba754e3f

SHA1
4110d93e46d8ec463738fec52836137dd546683e

SHA256
93162671c9cd67587c79d1f267cb284a369b10421ad10ee643115a63d7d845f1

SHA512
4a227551e43f4d1580540f9bd02df8f67b262c6aeff7643292f117c64304caa131db427a1149e8d0dc1a521a2fc6e71135d6789b28d4494e23d56025f8e5ce66

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx

Filesize
9KB

MD5
dd70fc3e8b69b85b4569c4187e153adb

SHA1
cfa4b0c632c145b701bfb1a57d332acdb1a27161

SHA256
089dd8874957c2e2146472208659bf6ed935c711fa3b1262d03eab0253124874

SHA512
f99ea224c19797a071f7ab846355654a20021563fbaed8a0f61f090df1950285d653394cd2474450583aca7ba5eb54e7038f5092c2be7f0d8dc7cad140a852a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx

Filesize
1KB

MD5
0aba627c97fd722906eec2cef21aa06e

SHA1
12562cd73a4a0deb6f36b15e3d41f14b93c050b8

SHA256
fabbbdebd001ec455136aa5a0ac5a202fcb4f0689eec6d744fd42a46fb1f13b9

SHA512
4dffa7b7c348ff8aa70845d30f588cdfdf2809587101a6e75378d7a4aa5e84afdfcd2defee95055af663992d868ce1289acfbd2e464181c9f83d6cc221438422

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx

Filesize
2KB

MD5
bc98d8d6e717e8a6de82d57b7280dcd7

SHA1
ebf5f94a018f9117b0d75b236ad3e747dcbfa77a

SHA256
4066275301afce0ca131ceb9ce683bc3779176bfe7cb6ee70a381e9c65b9706c

SHA512
2e829147b236b71043488c14ab5b3cb4092ebd49034cb5df11340472dc97b0d091e01d203c7fe3eb4c40548c42379471de933edb62c5704a9e4286363696bf41

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\default.aspx

Filesize
4KB

MD5
4fa7f5a1192caf84f039714ffdbd2628

SHA1
b9c90e3feaf564fdc5a2d75bfd8d639bc9f9bada

SHA256
dc28e8d92ec83b31f40b9a834cf29d48e237be24cce2af6a9d4ed740d23974c1

SHA512
ad9dac44abc78c2dde068fae5f557feb5ffb0c94cf8c06253410e91073c0de126fe8f717a14cf3bbf4c47feeab601c6d7fe175d31ba572bf0d83aaeb74e49da4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\error.aspx

Filesize
6KB

MD5
04110d7971927992be623e9ba2e4ac01

SHA1
4ec1e14209c76d779193baa4fccac240ba87f1ae

SHA256
79cba5c229a7c6d2beed857230955863c948f3a34a7add5ab12b35b90e74da07

SHA512
7d0f84dc1b8dd0f2016084d95f630c076b86410b00690cfd8eb44a5f5a31fd6a169ac7e53ac1675e683605807db3e00e8be1a19157718cba82b9cfaaf4101272

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home0.aspx

Filesize
1KB

MD5
62474545c50dc5807d305e478dbfebcf

SHA1
7a93ed2ae303eaf873bbb3adbd482764e4bff869

SHA256
45603081fb1d6beba750b2ec04c85cb84ca6f8ebb469f64f3c2596a35014e2d4

SHA512
1a30edb455775d56a77b94ba31e9b7e4f6e2e0a27ae8787a7edf2559a69d176412a41a4fa55015e1c3b70137413c4355b87fd35b4bdca3c972fd618e3b57a241

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home1.aspx

Filesize
752B

MD5
8767b09443a314c35496dd3b35835c46

SHA1
eca147377dd5e90a7b701aa54677133afe622f85

SHA256
b20a841ade698d701ec05fb143346727e5fbaa294595e6cb421caa3411d56957

SHA512
f7d32ff7837c35d48abc4a99ad46116bc63945be6f427c313009d8fe7906aa8d8cab39e4466fe953f73d0a8413b6c8be92ea0bab53e638cf6f0065e37f48af53

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx

Filesize
1KB

MD5
8ee72353ebed54cfb5151594ef84a096

SHA1
659583cdde6d6732396b56b9cae3d69f99fa5a42

SHA256
3621e7fe60ac4614055c3323b58b52b2ca1e231072b426a136ef7ee5f00f6332

SHA512
7c39e0f15aec108d0f344dd4239f8225187247da25a6fce5443b620adcb33e072ec3a62fd950a91c3333194a9cead595c1425f6622260ff3e57750f231bbbc68

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\navigationBar.ascx

Filesize
8KB

MD5
750d3ab029ff83bea50bdf309575bd26

SHA1
0de08ad2c816e69e0d35cb5e89e00b1f704b8af8

SHA256
d236aea022008032bf55d5ec8a989632010026683fc1e67d2033365ec5fba20f

SHA512
ec60f246ba572bd7327008f5f8ed734c5205047c1c96c59c95033fc90a8c8c4dae5e0633b16215f053097dbecdc4c6e0dc5fd83c4470d3c3fc0066443b3e5f73

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql

Filesize
23KB

MD5
8b89db538110c941e3dd66b5bfd5c328

SHA1
0a92de28dc9feac48c2e8506491fb07b7bdf6922

SHA256
0f4b2c2d53910f9fecf82e90ad89a57f4fed618f67ddf1b1140a1ead577c5e1d

SHA512
c578de3e4ef98868c68f276515bb9f630633e0bb1ff8a3dc75abce03a877f011d4397589d5fc4903ab44caa99baaa5f9421d5c918424d712f754b28ea5049287

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql

Filesize
4KB

MD5
7bcfbc5606222f2e3e191b9a21e9a7b2

SHA1
78592c2419da2e872645f53cb98667ff85ec3cfe

SHA256
6caa6d1597a73adfc99ecae602a1f76152b387d6d954a87fa50533050d66b35b

SHA512
099a9464525601728fd47a444b8d7b8fbaea4a4752fc18fd57afeba7cad6e1ee4b629c3bb1ba55abbd2efb7c2822fdb87755957efe2d359b9d4ec62e752c5726

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Logic.sql

Filesize
372KB

MD5
c19ec5d31d0e7f9ff11496d0b7eb1bd3

SHA1
49b07bd9bd4184954587f2c4026797512cff6ac0

SHA256
6de072b62182c50999af3884d29cba4838e9bd15c44095107011a8fabec74aa5

SHA512
79e017b0b06687feaa0c7da3585f781ffbe4d0c46e1e9ec9575eb59a761018a867881c2cec9acd9ea74242707c0acb035c4888b3e209755e885a952e741d3967

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Schema.sql

Filesize
49KB

MD5
d36c46f866584e0a93dbdd6dc79a3b29

SHA1
6e4933ad55f91f06e506c7ebe00c990b8ffd429d

SHA256
683c281c2740fd40311fb79096196e97bbdf3b88bffd6ab254a361f8c96945af

SHA512
1d7d8ff63c4af3729c7857950cd668b1b7b618dbb43c764f51eb5c9b03905a40bd0173e489eb5410d310ce3da4a4ef0a86ebb9443bca0809f7fa94a9713bfd5b

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderLogic.sql

Filesize
2KB

MD5
802037cacbfa02384304fb20fbcf0908

SHA1
43abf03bf96a5d29cb1d761d8409f3749bacbb7c

SHA256
a393f96820e1a6256c9ca740f22fe98e3ab23a8fb30462d9790d3a15bd22079a

SHA512
1f052992074c2a91d8a8da86635f60d0b77577bfd715798d1f67ab6b01dfb69d2eeae300698c91b6ff2a3d522c327ab2283b463bf7900754b929092c0ae4cf23

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\SqlPersistenceProviderLogic.sql

Filesize
13KB

MD5
1a5d8418a02b8d7ff2a77ff75c304b50

SHA1
3cc8f3d6d18d1d63cb8ce806613bfd44b92eac1a

SHA256
e63e9ebd8a49341dc93133d34a3c51443eaa78bdf5355f98ceca7f6da7fce133

SHA512
6e591fe83673d865cbfce965ec58ce21f0997fc15482ca2f4fc84dab0adbb4734e93caa94963bc2ab416952958d2c94ae642758b9b3626551f9eed2b41fef1f0

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
memory/1700-144-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/1700-143-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/1700-142-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/1700-141-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/1700-145-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/1700-13858-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2908-31-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-15-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-55-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-53-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-51-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-49-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-47-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-45-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-43-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-41-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-39-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-37-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-35-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-33-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-63-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-29-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/2908-5-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-25-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-23-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-21-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-19-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-17-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-57-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-13-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-11-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-130-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-131-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-132-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/2908-133-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-134-0x00000000020E0000-0x00000000020EE000-memory.dmp

Filesize
56KB

Download
memory/2908-4-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-59-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-61-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-6-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-7-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-9-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-27-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-69-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-67-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-65-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/2908-3-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-2-0x00000000004D0000-0x0000000000502000-memory.dmp

Filesize
200KB

Download
memory/2908-1-0x00000000003A0000-0x00000000003D2000-memory.dmp

Filesize
200KB

Download
memory/2908-13876-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download