Analysis Overview
SHA256: 204ad9cc8149d5f6f24e76ac18883c4843081878397ad9cf2dc29842fc28f277
Threat Level: Known bad
The file sample.zip was found to be: Known bad.
Malicious Activity Summary
Quantum Ransomware
Modifies extensions of user files
Drops desktop.ini file(s)
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported: 2023-02-24 00:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-02-24 00:33
Reported: 2023-02-24 00:35
Platform: win10-20230220-en
Max time kernel: 112s
Max time network: 117s
Command Line
Signatures
Quantum Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\CheckpointNew.tiff => \??\c:\Users\Admin\Pictures\CheckpointNew.tiff.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResolveReset.raw => \??\c:\Users\Admin\Pictures\ResolveReset.raw.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ShowSubmit.png => \??\c:\Users\Admin\Pictures\ShowSubmit.png.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\CheckpointNew.tiff | C:\Windows\system32\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.quantum\shell\Open\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.quantum | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.quantum\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.quantum\shell\Open | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3304 wrote to memory of 4416 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3304 wrote to memory of 4416 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 4416 wrote to memory of 4672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 4416 wrote to memory of 4672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 4672 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 4672 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\sample.zip
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\rundll32.exe
rundll32.exe quantumlocker64_faf496.dll,RunW
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E58678F.bat" """
C:\Windows\system32\attrib.exe
attrib -s -r -h ""
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4416 -s 392
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.4.107.13.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2023-02-24 00:33
Reported: 2023-02-24 00:43
Platform: win7-20230220-en
Max time kernel: 461s
Max time network: 412s
Command Line
Signatures
Quantum Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Pictures\HideGroup.tiff | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\HideGroup.tiff => \??\c:\Users\Admin\Pictures\HideGroup.tiff.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PublishGrant.tif => \??\c:\Users\Admin\Pictures\PublishGrant.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResumeUnregister.tif => \??\c:\Users\Admin\Pictures\ResumeUnregister.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SubmitUnpublish.raw => \??\c:\Users\Admin\Pictures\SubmitUnpublish.raw.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnblockClose.raw => \??\c:\Users\Admin\Pictures\UnblockClose.raw.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnregisterOpen.raw => \??\c:\Users\Admin\Pictures\UnregisterOpen.raw.quantum | C:\Windows\system32\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\Sample Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.quantum\shell\Open\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.quantum | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.quantum\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.quantum\shell\Open | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1704 wrote to memory of 300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1704 wrote to memory of 300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1704 wrote to memory of 300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 300 wrote to memory of 1848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 300 wrote to memory of 1848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 300 wrote to memory of 1848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 1848 wrote to memory of 1584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 1848 wrote to memory of 1584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 1848 wrote to memory of 1584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\sample.zip
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1fc
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Options_RunDLL 7
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\rundll32.exe
rundll32.exe quantumlocker64_faf496.dll,runW
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006FA7A6.bat" """
C:\Windows\system32\attrib.exe
attrib -s -r -h ""
Network
Files
C:\Users\Admin\Desktop\RestoreSuspend.TS.quantum
| MD5 | 4c07b25a3591ea03723b217a04fbb662 |
| SHA1 | 4aeb0bab8b2ad45c33b0d3dc5fc0d667341c3288 |
| SHA256 | a5c857c80014eec963690d798793ce091101a41fd12a0d7d21dcb5a68f96e007 |
| SHA512 | 331c7c431b470cc890bff5626794e0ba7769192b965f0377a8e47b2822da9452506ece6dfd48a4e77c899f18f7b82cbea60567004844388dba7b80d83a3239a0 |
C:\Users\Admin\Desktop\RestoreShow.mhtml.quantum
| MD5 | bcb42258446c1094563a0e1cbb264e5a |
| SHA1 | 87a00d217fa03c4404899df85eea3885458c4e44 |
| SHA256 | 08fcbf5fbcdf280bd79ad76a391ea995184f27d72fb70c34e5f471a0bdb701f0 |
| SHA512 | ef326b055b8a67e4f54da3c411f6cb7a9cabc247b32785a8b02cb3b829d543edfddd0d7f8adb0a159bdf1a34b8169a77319ca1b6ae4ea95e09f5c1081b735ba6 |
C:\Users\Admin\Desktop\RepairRegister.scf.quantum
| MD5 | a659d2c4825944f5436324e8619a81c1 |
| SHA1 | e802e06053861fdc47aff73637e1f25c9901dff1 |
| SHA256 | 7d31641b5f026864d10e500ac812ad6a251ef6aec4eee47f118f7b6a0cb21038 |
| SHA512 | 67a8efbca4b362bb2014d310d43ad0ebfb4dbcd5dac4bd40c41aa6ca0216c24ff663b1574dd6d66601b6ce3119ad90366323848c7ad736c290163bcb18afcd91 |
C:\Users\Admin\Desktop\RemoveUnregister.jpg.quantum
| MD5 | ef29a621098a735a3a40b57f8eb2659c |
| SHA1 | 5b61fc2c68152e702d7d542607e2efbebbf7daee |
| SHA256 | 2070c4ce587f637b29c7b623631cc9ccbf6f0f131cc8d52e7881f0af4e032fe7 |
| SHA512 | 9948aa85b574bb933d2730690c11446f4d6fb632df384b2f67e19b83dc9a7208d4fae8faa606eed513cd88326ec0409e3919f17b1833db25c2d365fafaa10295 |
C:\Users\Admin\Desktop\RemoveEnable.mpeg2.quantum
| MD5 | f239e15a660f1d7f94e615d7e3b3f9b8 |
| SHA1 | 0dfee4cfcc905692670f2ffad52ab89035252eef |
| SHA256 | 8bd234dbfc03037fddd6b3fbd141fed9bd6b4a46f3a2f25a841d077e1cec72bf |
| SHA512 | 2b10dcf32704a79bd24382fd84a31f30ed76c3a1a7a27cf5f0d5257e37cf75d1bd28a1c5c4c742b9a6dea5e8deff8b865e13f6a2bbcfca7e7a7bd4e2758a3b2b |
C:\Users\Admin\Desktop\RegisterUninstall.dwfx.quantum
| MD5 | 949be288c3ab464a6e7a24b10159357b |
| SHA1 | 96c098f6cabbda6b64583a2ac77e51b8dadbc44e |
| SHA256 | 747c3c5c369d8230c9634da6bde0f182f0a7c62f4f283899049cc2b881391b91 |
| SHA512 | 439db582ec85fad40166e5660251145b0a2e1d2a84a94537ae751d9e62eed40b573cf45d29961c89e69a20bd6f3642a9e3cc41d89e955a39a9c2f05ad4b5d11b |
C:\Users\Admin\Desktop\ReceiveUninstall.pcx.quantum
| MD5 | ca249db96c47b84a201e80996ceecba8 |
| SHA1 | cccd153fad5c8f6a009e71ca39caa06a0d717d43 |
| SHA256 | f9c269f4acbcb916c1f2f8c1ea7de7c57a468eaab4f5bdd7e455ce8305e95dd4 |
| SHA512 | 46ffe212b12ee526e99c27c9e0ecc35c8fd926ec916e7f13353a9d9ab1ec6ef41a550b0e89164dcd7b4dd5a9fb6310ec17baf3825ae0a5f35bc00387600c91ec |
C:\Users\Admin\Desktop\ReadRepair.aif.quantum
| MD5 | ea9f48d0c266b509a186ea33990b2d3e |
| SHA1 | 72cdb9fb3bf19d31c520ec7d7d69361d720683c1 |
| SHA256 | a46eb50baebedd03298c9748fe90fee90e79667718cd200844d85777d5ee4d0d |
| SHA512 | 70925f2ce917b6927c05a1c7602371b53a56639be3d8f2fa6344bba503f23489eb3f9d5f3ef251d231bd124936159e25d61648a5af135ca3f527171ba42dc43e |
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
| MD5 | 4c61454476bd2d8e0e6e18415d7807ad |
| SHA1 | d00f49c39216b5e0e152c7457c2f89a67df2b12c |
| SHA256 | 4995d5702633c794a9ad903bba9c5eb9ca3fa8b5308f4019e89949fa07f93000 |
| SHA512 | e409c8bb4e55631c64400a30fd787c50d09c382423222d54a446ba6318028aa0d41e219503caee3878c304699b04dad84880b3b9cfe92684a2bb28f9e647fd20 |
C:\Users\Admin\Desktop\PublishEnter.ps1xml.quantum
| MD5 | 56a71f0f147795e8755288e8ffc1ff9b |
| SHA1 | 8f91f9460d943a6bbb0ab8764f4d87d631cd18d5 |
| SHA256 | a6b5033d2cb60d060debcc812d7595913660883bfaf7614b3ffd7585dbbb3e13 |
| SHA512 | 6d8623dab252a27595829ae5fbe207253afabfba87278d45de1539c3de00eb85c4d114e6996415bf546275db509ccdb540fd813988a6ad8153c91eac42d4f055 |
C:\Users\Admin\Desktop\ProtectUpdate.odt.quantum
| MD5 | 76513e6201951e65f6b37265516791a5 |
| SHA1 | 45b84538f3719db7e18959ae37fb2d2a1eba5278 |
| SHA256 | 57c5a7161d3b878a5fcc1a9e60792ec3133fbac26c6f028755f4a45c68bf3574 |
| SHA512 | 728148267a55585c9cc45faf319618130144b4c8f938bd7d7a4d448020b2ed0af6d52cd74cc38baccb2f5792013d1cf0755a8949dec2bda3793fd75a4c56769f |
C:\Users\Admin\Desktop\PingRename.xltm.quantum
| MD5 | b774c43c1bee7234e8f3759566d8db1b |
| SHA1 | 6c778715fc647029226ef3dc2fce08a27a157608 |
| SHA256 | 1668a3eab4a7c16156eee7d179a10408fa56026e6f79ff24454876d0257eebbd |
| SHA512 | f362131c2f0bac8c18da7fc26df4a264505936a499f93a2490be66818436b733ded75a991f6ef91d1d261334cbc9b34db820facc2ee2a6a59fbe2a17b83a224c |
C:\Users\Admin\Desktop\MergeRevoke.tif.quantum
| MD5 | a2323c1c4a8259efcd95e0eed058c8f6 |
| SHA1 | dfd00b7a45cbaded66c8fd160bf11589266f122c |
| SHA256 | 7995933239ac05288d75adf02146678c1de436596f67052b783d53738eeb7ff8 |
| SHA512 | 18819472f75fb8612addfde0b590f1a010b25d26be073423fd0b11a6a0f62f80daa4da972f4088fdbd35f21992292b269292ceb3eb299dfbb365307eac1b2687 |
C:\Users\Admin\Desktop\ExpandReset.rtf.quantum
| MD5 | 24ada1d3fd47cfa0effe6603c88acccd |
| SHA1 | de49adaf8c51acead9dd019c06a1f91210e576a6 |
| SHA256 | f92f953cedb3de04bcf885635378f49204adf86a34997eff9d96ef27c50ef2cc |
| SHA512 | d3f155358687ea50f2b025ebcb3a63add07bcdf463f1930c438b55569521f6f032b827c4401da2a7c29bf028294ccf5cda7c7a17244a6d3db387f5fbd1fea9aa |
C:\Users\Admin\Desktop\EditOpen.xlsm.quantum
| MD5 | 3a5dcf5b15d9f2cc1157e9b115bf89ca |
| SHA1 | 44e842807d2861bab79b445081d45172f4cdbbb6 |
| SHA256 | 9c7e8b68fe222a8de1c59b6924f30ae5f97889463ed052d30c77b002f930582c |
| SHA512 | 779228e0d3d67d9aa39882526626c0cf104df868370d63295532a4131a7d5fae1883fc2fd2bd263624290e5bc28fd965b5a665ea8a31d9b631326306d42b4b05 |
C:\Users\Admin\Desktop\CompleteUnpublish.ini.quantum
| MD5 | c333535ebf20fdc3a33cae08889d5a36 |
| SHA1 | d41ac4b1fdde9529bbe2d6fe9b7db3f285ecffd2 |
| SHA256 | 3f965f2b6c19046f6e7824d68b10bd58dc6ef1b2d1ad3b59a918b296dcacd86c |
| SHA512 | 1379334233420ce7700a5333df6d0174a811ec88445c82a1d02871796b64737e8585f2954793c6bb3cf574b21462ebe8ab03fdd1200a0e5d62424228c54abc13 |