Malware Analysis Report

2024-09-11 01:18

Sample ID 230301-rpcgmage43
Target 8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede
SHA256 8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede
Tags
quantum ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede

Threat Level: Known bad

The file 8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede was found to be: Known bad.

Malicious Activity Summary

quantum ransomware

Quantum Ransomware

Modifies extensions of user files

Deletes itself

Drops desktop.ini file(s)

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Views/modifies file attributes

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Hidden Files and Directories
T1158
Privilege Escalation
TA0004
Defense Evasion
TA0005
Hidden Files and Directories
T1158
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040

Analysis: static1

Detonation Overview

Reported

2023-03-01 14:21

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-01 14:21

Reported

2023-03-01 14:22

Platform

win10v2004-20230220-en

Max time kernel

36s

Max time network

37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe"

Signatures

Quantum Ransomware

ransomware quantum

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\WatchCopy.raw => \??\c:\Users\Admin\Pictures\WatchCopy.raw.quantum C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File renamed C:\Users\Admin\Pictures\WatchResolve.png => \??\c:\Users\Admin\Pictures\WatchResolve.png.quantum C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a8813d45-c980-41df-8453-d4ea6ed17144.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230301152218.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum\shell C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum\shell\Open C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum\shell\Open\command C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4160 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe C:\Windows\system32\cmd.exe
PID 4160 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe C:\Windows\system32\cmd.exe
PID 3556 wrote to memory of 4436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3556 wrote to memory of 4436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1636 wrote to memory of 3612 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3612 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 1492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe

"C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E569B0C.bat" "C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe""

C:\Windows\system32\attrib.exe

attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcb2f746f8,0x7ffcb2f74708,0x7ffcb2f74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7ea5f5460,0x7ff7ea5f5470,0x7ff7ea5f5480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1

Network

Country Destination Domain Proto
NL 8.238.21.126:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 250.255.255.239.in-addr.arpa udp
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\3D Objects\README_TO_DECRYPT.html

MD5 b88bbbac194b0267f4a5f1428abc840b
SHA1 bee3553e688e7c4137df57579930d1f42375402f
SHA256 c15b6dc8e4bac27c8d304d4c42c255593e755b6d3f6f1060c49e28a0f64a27e8
SHA512 f0ca555a7b41444fe0d28847fcdcc600b503345fc6f46f776dc3c169df9c9ab3e3093ad4a8bb5c103c6c5839f8211fe2d246213d1a97445c385f8ce460e87afc

C:\Users\Admin\AppData\Local\Temp\0E569B0C.bat

MD5 348cae913e496198548854f5ff2f6d1e
SHA1 a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256 c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0820611471c1bb55fa7be7430c7c6329
SHA1 5ce7a9712722684223aced2522764c1e3a43fbb9
SHA256 f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75
SHA512 77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

memory/3480-365-0x00007FFCD1250000-0x00007FFCD1251000-memory.dmp

\??\pipe\LOCAL\crashpad_1636_IBIUKYFZSYNAEBLF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 425e83cc5a7b1f8edfbec7d986058b01
SHA1 432a90a25e714c618ff30631d9fdbe3606b0d0df
SHA256 060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd
SHA512 4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

MD5 b88bbbac194b0267f4a5f1428abc840b
SHA1 bee3553e688e7c4137df57579930d1f42375402f
SHA256 c15b6dc8e4bac27c8d304d4c42c255593e755b6d3f6f1060c49e28a0f64a27e8
SHA512 f0ca555a7b41444fe0d28847fcdcc600b503345fc6f46f776dc3c169df9c9ab3e3093ad4a8bb5c103c6c5839f8211fe2d246213d1a97445c385f8ce460e87afc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9568eb3b6de45223e15545abb76297b4
SHA1 216d3fb5ec83b580368befa89e7339779eb9e9ef
SHA256 90d54179c6ea11c90dd5b2a879ff5e74a0825747a9ba2a7dfc75ac3e617e18c8
SHA512 31c10a08bb56889fea7a6cfae3745e325a39bd02c2c363c161cd882e900696149d19604a7091cc4c3f9f7c11ebf3a2b024f7347d2546a5334e8eabc4a04e4a6c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d53ac35ab3976e67caeed75c4d44ffc1
SHA1 c139ab66d75dc06f98ada34b5baf4d5693266176
SHA256 647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437
SHA512 391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

MD5 b297e2915e13a755a4c2e0f6ab3c791c
SHA1 53d742ed2140a65452922e583cb6be9932d6b1e7
SHA256 e5036af8b559edd6192a0a5411ad8924b8d82e66f381dc5c88f1ad58a318d3b8
SHA512 c0e6c8e9a865957fd6f5adbd1373442f3ed5f65629bcaadfe737f2a6a3b2e65d639a88a88157723fbfe9de276d5aa10a033f921e904482561a4d793b7eb7a096

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 16675236d232267cda61f6b0e7641f43
SHA1 0d54cd0bec0ca8096e8ece1a6cdc9006e6133171
SHA256 aebf57669695f595be10e968d234483b06a1d9e6b27c66843de42b8d51bac0ac
SHA512 2760ddf0e5e6f191d7146a90ab7c27c85dd92b28cf20f0403d9086e79874c094411270aa90e3e13f5707ed841f4e72c101cb0d35962acd2056f604c49ba40c44

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 510850c7bdb439526e1c26359ed1f793
SHA1 629c78860c532c691d69069b0f878c4640f18c83
SHA256 7b8c9d25c7d876619c25525e261d6e9666255dcefcc094cd20b06dd867cdecc6
SHA512 75953dd3a70c73613d62d10de8c04f534eaf1383a655f4778d2a4659b77ba1333ebd06c5e05ee8673156e7d7d26cc0a247f975189de2f05f9e44f61c9c4d28c9

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-01 14:21

Reported

2023-03-01 14:22

Platform

win7-20230220-en

Max time kernel

47s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe"

Signatures

Quantum Ransomware

ransomware quantum

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\JoinUninstall.png => \??\c:\Users\Admin\Pictures\JoinUninstall.png.quantum C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File renamed C:\Users\Admin\Pictures\LockCompress.raw => \??\c:\Users\Admin\Pictures\LockCompress.raw.quantum C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File renamed C:\Users\Admin\Pictures\ReadConnect.tif => \??\c:\Users\Admin\Pictures\ReadConnect.tif.quantum C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File renamed C:\Users\Admin\Pictures\SuspendMerge.png => \??\c:\Users\Admin\Pictures\SuspendMerge.png.quantum C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CF6E1391-B844-11ED-A0BE-C29C0423A1DF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a077eca5514cd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc458990000000002000000000010660000000100002000000011571c686e5edbefdd17787711d9904120b842c9113dfaad154475453e07c076000000000e8000000002000020000000ab2651c41240d50c22bf1f1b7d4bfe73885ac8f77f738dd5407ff05c1ff46c9120000000a1c4f093f96fd1880cd9edda5e5c472aada2f2f33ba7be24d22024f98a94e60a40000000b899424bee17e447a1cf15bec8ba039f4f788f0b942bed2db4328d5f40ebe106bedc3b3900c8ccb2b868baf840b497280f2fc5b5f9853c434059c2d2a38c61a3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc45899000000000200000000001066000000010000200000000d1edac89f8c947c5773905b3e785586bb5fff7969de44f75a6b5489bff5241f000000000e800000000200002000000089fcafe2c380eddfa77a2a7c9758301052dabae193be548180c8dfffc430874a90000000da155b5d14a579e3b624040ff263e1b68738f677f5020cfa7124d17407ca8487014bcbab0164241e3459b9486e9d25fd1b18869886121894b534add982e8e70eb4801361f239f8779a6a3b9a4173256effc2195e63b8c9c01f73261efd767c7036dc8873d93b0cb0bca24fa3950b86417ff1023fc9b9eb3096fc652357c352d158b9b39a3f648c157b2d5a7f0f068c52400000000447a0ad66aa580adbfce57f2f44014d81a86f30a1b9858065d7b49e0dadaeb42b37a88c1b17852c7a12489712d2fdbdad7a6531f576686b0a8c158513729dd5 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open\command C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1060 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe C:\Windows\system32\cmd.exe
PID 1060 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe C:\Windows\system32\cmd.exe
PID 1060 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1732 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1732 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1376 wrote to memory of 572 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1376 wrote to memory of 572 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1376 wrote to memory of 572 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1376 wrote to memory of 572 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe

"C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C3026.bat" "C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe""

C:\Windows\system32\attrib.exe

attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1376 CREDAT:275457 /prefetch:2

Network

Files

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

MD5 f3dcfa4efb22e2572ba043df7f8b324e
SHA1 6e8a0d7cb7bcfed4252dc19f0940b297038f8feb
SHA256 37eed59e2b19bb813a295ceaf81f44d2d163c9a43846c87d632fa4743ea42d9c
SHA512 be46ee20f2935264fbfed07bb68dca3ac6c39a01c560357297d658f9b1d95f84d0164a0a16514b83a84b2b727dcbbc4bed6563548dc36165fdcc0477c6f7999c

C:\Users\Admin\AppData\Local\Temp\006C3026.bat

MD5 348cae913e496198548854f5ff2f6d1e
SHA1 a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256 c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

C:\Users\Admin\AppData\Local\Temp\006C3026.bat

MD5 348cae913e496198548854f5ff2f6d1e
SHA1 a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256 c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

memory/1376-304-0x0000000002750000-0x0000000002760000-memory.dmp

memory/572-305-0x0000000002AE0000-0x0000000002AE2000-memory.dmp

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

MD5 f3dcfa4efb22e2572ba043df7f8b324e
SHA1 6e8a0d7cb7bcfed4252dc19f0940b297038f8feb
SHA256 37eed59e2b19bb813a295ceaf81f44d2d163c9a43846c87d632fa4743ea42d9c
SHA512 be46ee20f2935264fbfed07bb68dca3ac6c39a01c560357297d658f9b1d95f84d0164a0a16514b83a84b2b727dcbbc4bed6563548dc36165fdcc0477c6f7999c

C:\Users\Admin\AppData\Local\Temp\Cab7534.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\Local\Temp\Tar75D3.tmp

MD5 73b4b714b42fc9a6aaefd0ae59adb009
SHA1 efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
SHA256 c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
SHA512 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\Local\Temp\Tar7655.tmp

MD5 be2bec6e8c5653136d3e72fe53c98aa3
SHA1 a8182d6db17c14671c3d5766c72e58d87c0810de
SHA256 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA512 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a664e185661e0f76f8fa3c11a3c3c8f2
SHA1 167e01fff6097b5b52f8c10450ed822194fb49b1
SHA256 542268efcdd81712487f1d2b687ed287e4f53db4f07bbc365ea2b62245129fcd
SHA512 6ff884b9cc1d08c954c0f8d521d290574b4a698383e854e4514b518822f1d262cc8c24a1e8e2063d49027bf71037610130c9007a88f8577f6a6f65bde69c92ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36af67076ba22c42ce205ce54be372f7
SHA1 5af4e6881e5654b29e4dcc00f5488c6598f31c40
SHA256 450afba24e22679b220254dd3d8759e2e785884b1b12614bc1133cc09e4a5961
SHA512 a1e70f81525081ac157dcce0f8836c4063ef775d2d85b080af7e7fecfc670ee7d81c2bf804201417aad41eb7a59a45efe94812d3c86fb295dd09efa308f981e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1442f9a34c432399831b35918863cf91
SHA1 a4227c9ede8bc10b278b441b88a6c22bafc210db
SHA256 28d1eba81fec81566b6b3f9672b23857a67dc9135ec754a0bfc043731192515b
SHA512 9573d700f0f82b4b5ea50ca3b970f41d61f2597d9ebde9f11118e99e24dcaafa31215ae63a8d7c0cfb508dbcd951cfb4247f57c2accad306e2a77db671520bff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2e54c8b6fb4424c8c29f6a96683bc24
SHA1 f7cad2fed67826c9d54140812fd6b87fe5a8b8f8
SHA256 daa1c009c15da89a5191c4cfea9f503824f24d1d6c1b79f010c4dc4a46423cf5
SHA512 66afbb7e83bae04a55ffe82e87e6197492100660f6d3c31ba72322887054c2a612577e82376696f54fc772c06511cb30139df6a6405f2c638fa17ac9d1ad64dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bedfc1f58ae37da9426e0557e69d7fa4
SHA1 9d0d526a9fc71768eb4263e9f05c607aae08457b
SHA256 5ea81687bf37c135f30def207927f2b9d5ce40daac9491fed029e0d1c4e7b0a4
SHA512 804d44e3db3496e4dfe5951045dc5eb514de7f7c89c0e17db71400f6bfabc3ec4a9f002b7014a80c899d197c8fb5556879b458da3b125411184b91f852fb71f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5fc33f4fe652481d4e22419fe78c0126
SHA1 374c30066328ec845fce3bb87eb83f7f47c3a1e5
SHA256 115aa60bfeda2a0c78a15bb38719abcbdc255568037fd1ff8e62c3dd13bc19fe
SHA512 0898e3bfac08345c8a8ac97870bd103f69975e9896003a3079a475fda26f619926b8d3bed8073b664c732af691ba8f06f9ccf10f6220c4cb755d0c1cc9da5bfb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10e656ad11b7de16bc6b2c77ac7198d7
SHA1 285f61e415420a3cd842cb6b1ae926f9dc932a1f
SHA256 a4ec5ad6d46f5b677942827f8c53e69bcea13e1f58b2832e9159d6f4baaecc1d
SHA512 ce209aee27c8501ce7579ed1e1b60c645196409302673c18b4157050f662b91c9643186f3db4ff4cf390d9ff05b846daad7a0ab36f4b0df470de9f25091d885d