Malware Analysis Report

2024-09-11 01:18

Sample ID 230301-vq136ahc27
Target d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad
SHA256 d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad
Tags
quantum ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad

Threat Level: Known bad

The file d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad was found to be: Known bad.

Malicious Activity Summary

quantum ransomware

Quantum Ransomware

Modifies extensions of user files

Deletes itself

Drops desktop.ini file(s)

Drops file in Program Files directory

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Views/modifies file attributes

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported: 2023-03-01 17:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-03-01 17:12
Reported: 2023-03-01 17:13
Platform: win7-20230220-en
Max time kernel: 30s
Max time network: 33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe"

Signatures

Quantum Ransomware

ransomware quantum

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ShowGrant.tiff => \??\c:\Users\Admin\Pictures\ShowGrant.tiff.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Pictures\StopSet.tiff | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\StopSet.tiff => \??\c:\Users\Admin\Pictures\StopSet.tiff.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Pictures\UpdateGet.tiff | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\ExpandGet.png => \??\c:\Users\Admin\Pictures\ExpandGet.png.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\MountGrant.raw => \??\c:\Users\Admin\Pictures\MountGrant.raw.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\PushUnregister.raw => \??\c:\Users\Admin\Pictures\PushUnregister.raw.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Pictures\ShowGrant.tiff | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnblockExit.tif => \??\c:\Users\Admin\Pictures\UnblockExit.tif.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\UpdateGet.tiff => \??\c:\Users\Admin\Pictures\UpdateGet.tiff.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A

This cmd.exe is the instance the sample launched with 006C6A96.bat and its own path as arguments (see Processes); the attrib.exe child clears the system, read-only and hidden attributes on the sample before it is removed.

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A

Modifies Internet Explorer settings

adware spyware
Every row in this table is attributed to iexplore.exe, which the sample started to display README_TO_DECRYPT.html (see Processes). These are ordinary browser-startup writes under the user's Internet Explorer key, not changes made by the sample itself.

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4646D421-B854-11ED-80B1-DEF2FB1055A6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A

These keys live under the per-user HKCU\Software\Classes hive (the _CLASSES suffix), so no elevation is needed: the sample registers .quantum as a file type whose Open verb launches explorer.exe on README_TO_DECRYPT.html, so double-clicking any encrypted file shows the ransom note.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe

"C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C6A96.bat" "C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe""

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html

C:\Windows\system32\attrib.exe

attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275457 /prefetch:2
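The three sample-attributed signatures above (mass rename to .quantum, the per-user .quantum shell\Open\command handler, and the cmd.exe / attrib.exe self-delete chain) are the behaviours worth turning into detection logic. The block below is an added example written for this page, not code from the sandbox or from the Quantum sample: it runs three rules over an event stream transcribed from the behavioral1 tables and process list. The event schema, field names and PIDs 1000-1002 are assumptions made for the example; the paths, command lines and registry value are the report's own.

```python
"""Behavioural rules for the Quantum signatures in this report (added example)."""
import re
from collections import Counter

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe")
CMD_EXE = r"C:\Windows\system32\cmd.exe"
ATTRIB_EXE = r"C:\Windows\system32\attrib.exe"
BAT_FILE = r"C:\Users\Admin\AppData\Local\Temp\006C6A96.bat"
CLASSES_KEY = (r"\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES"
               r"\.quantum\shell\Open\command")


def _rename(name):
    src = "C:\\Users\\Admin\\Pictures\\" + name
    return {"type": "file_rename", "pid": 1000, "image": SAMPLE_EXE,
            "src": src, "dst": src + ".quantum"}


# Constructed event stream: the seven "File renamed" rows, the .quantum handler
# value and the cmd.exe / attrib.exe command lines of behavioral1.
# PIDs 1000-1002 and the schema are invented for this example.
EVENTS = [
    {"type": "process", "pid": 1000, "ppid": 1, "image": SAMPLE_EXE,
     "cmdline": '"' + SAMPLE_EXE + '"'},
    *[_rename(n) for n in ("ShowGrant.tiff", "StopSet.tiff", "ExpandGet.png",
                           "MountGrant.raw", "PushUnregister.raw",
                           "UnblockExit.tif", "UpdateGet.tiff")],
    {"type": "reg_set", "pid": 1000, "image": SAMPLE_EXE, "key": CLASSES_KEY,
     "value": "explorer.exe README_TO_DECRYPT.html"},
    {"type": "process", "pid": 1001, "ppid": 1000, "image": CMD_EXE,
     "cmdline": 'cmd /c ""' + BAT_FILE + '" "' + SAMPLE_EXE + '""'},
    {"type": "process", "pid": 1002, "ppid": 1001, "image": ATTRIB_EXE,
     "cmdline": 'attrib -s -r -h "' + SAMPLE_EXE + '"'},
]


def mass_rename(events, threshold=5):
    """Rule 1: one process appends the same new extension to >= threshold files.
    Returns {(image, ext): count} for the offenders."""
    counts = Counter()
    for e in events:
        if e["type"] != "file_rename":
            continue
        src, dst = e["src"].lower(), e["dst"].lower()
        tail = dst[len(src):]
        if dst.startswith(src + ".") and "." not in tail[1:]:  # exactly one new suffix
            counts[(e["image"].lower(), tail)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


SHELL_OPEN_RE = re.compile(r"_classes\\(\.[^\\]+)\\shell\\open\\command\\?$", re.I)


def shell_open_handlers(events):
    """Rule 2: a per-user file-type Open handler is written under HKCU ..._Classes,
    the unprivileged path the sample uses to bind .quantum to its note.
    Returns [(ext, command)]."""
    hits = []
    for e in events:
        if e["type"] == "reg_set":
            m = SHELL_OPEN_RE.search(e["key"])
            if m:
                hits.append((m.group(1).lower(), e["value"]))
    return hits


QUOTED_RE = re.compile(r'"([^"]+)"')


def self_delete_chains(events):
    """Rule 3: parent -> cmd /c "<x>.bat" "<parent>" -> attrib -s -r -h "<parent>".
    The report attributes "Deletes itself" to that cmd.exe but does not show the
    batch file, so the rule keys on attrib clearing S/R/H on the caller's own
    image, the usual prelude to deleting it from a batch. Returns those images."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    found = []
    for cmd in procs.values():
        parent = procs.get(cmd["ppid"])
        if parent is None or not cmd["image"].lower().endswith("\\cmd.exe"):
            continue
        args = [a.lower() for a in QUOTED_RE.findall(cmd["cmdline"])]
        if not any(a.endswith(".bat") for a in args) or parent["image"].lower() not in args:
            continue
        for child in procs.values():
            if child["ppid"] != cmd["pid"] or not child["image"].lower().endswith("\\attrib.exe"):
                continue
            targets = [a.lower() for a in QUOTED_RE.findall(child["cmdline"])]
            if (re.search(r"\s-s\b.*\s-r\b.*\s-h\b", child["cmdline"], re.I)
                    and parent["image"].lower() in targets):
                found.append(parent["image"])
    return found


def triage(events):
    """Run all three rules and collect their findings."""
    return {"mass_rename": mass_rename(events),
            "shell_open_handlers": shell_open_handlers(events),
            "self_delete_chains": self_delete_chains(events)}


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(rule, hits)
```

Rule 1 is the one that matters for early containment: seven renames in the Pictures folder alone trip it here, and in a real EDR feed the threshold should be tuned per process rather than per host, since a backup agent renaming files legitimately does so under its own image. Rules 2 and 3 are low-volume, high-confidence and are cheap to keep enabled.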

Network

Files

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

MD5 b036e33fabf6e1300c6874867d9b0f8e
SHA1 09c57c33a616cc7fa7d6f2453ca6916e7b4ff58b
SHA256 53d8388fa21fe9325816272ea4b20b827e502c3933a2342b990def883fa0ced3
SHA512 298ac4a142bc2498151b817091934dd18821c4088768a2e1188284801a12e83fe0d5a948e0a12f80325956d53cca209c6dfe75a092c77b20066e605090f32596

C:\Users\Admin\AppData\Local\Temp\006C6A96.bat

MD5 348cae913e496198548854f5ff2f6d1e
SHA1 a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256 c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

memory/1924-351-0x0000000002C10000-0x0000000002C20000-memory.dmp

memory/948-352-0x0000000001160000-0x0000000001162000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabAC0B.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\Local\Temp\TarAE54.tmp

MD5 be2bec6e8c5653136d3e72fe53c98aa3
SHA1 a8182d6db17c14671c3d5766c72e58d87c0810de
SHA256 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA512 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 031c9f325d99bb9ab5884e3165449d6f
SHA1 8c796762fcfea9a312e4631958e134fa01fe5c21
SHA256 1fbaf1b4b3fa50a3a4298b5a3256de103f62dbb29376a06a26acfda7d61b50d9
SHA512 8210966574bd21a1892fb8937b46e470c4eda07d66b39c2a17225d05369ac295f485fdf99d69d9fe53cf7499c4fa57d4dd1c978ec4c7d4cb34a1822aa885ffd0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b24f964971e4cbf6cd784f3a9bdacba
SHA1 9085a7fb70e63624f136f438c6e8e90060b36868
SHA256 f4c67e39f251aa35a699d3ddfd2b932b475dfe29592d71362f990ef811c982e9
SHA512 99b2cf721ec45e1700a0770d2d7f86e86fa5795ff2b564ea2b4874ba8be7b91ec3f29c932da73617c71e978ab930df713185d5fddc485322d15a678e66f6fd1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d282c00773935a100f40244f351167c
SHA1 00d14ebe320ad279707ba6ee5ac39041ec99bdf3
SHA256 fbf536a5dd09086da10b62a2de45db8c22c7c8fdc6f80e9f9cfcfa4a0261259c
SHA512 bdfe37a09acab00ca29cb30d48f7910c8fc6cc19fea68699e4848e0849d3576b9db02fa79d949fa39131812d916b09768a4aa99be085a8dea4aa2efd1ed8a085

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29b3a2c20979edc2719c5c767174c35f
SHA1 7734ae32e9420cf0df2e81b9192b57f1359834e4
SHA256 765b717ba07a46e956469990800ac8feb015e61d2850d33f596169a79e395b52
SHA512 b7b6801b818f9d4f2737f275445664563236f603959615be97d01b81ca363b3fa1aacdaad1c0ea49fc0a6199ba9e60caeabd1ffca05354885f70036c5b5b5e6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd124f49340d8b71fe5eac8f07438d3f
SHA1 5ecc80d6646f56bd8ff5935d6b413e3c1ca77eba
SHA256 b1062d14f1dbfe4e210b1116c3871ce0ec93e3a7322d96b738a0be6fe204e9a6
SHA512 592d10553ae6ba26cbb485847e9c040f6517f24d3fe6475c177b18c3e57a97755163dc38a3ef20941f0e9074fee273452fd2cdc73e5c22f95ea1e1dfdc701069

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5fa0c91ce5c50e6d31c4aac6d80b915
SHA1 e79b33ffb92b6e844d4f8a057e5fa7808632d662
SHA256 8b5f6777341aa48ccece87f1da24fd50e779b878c717efc371735c8daa6a59a5
SHA512 51421d5849c4d17f5bc8392ed32cc6d141a96e9ec2f2da045c48c7ab6d50f8d9dd5af8a08f836c1d05e27f401beef0cd9be3497fb1df42d03c221436cb7cdfce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa152495bc463237dea1f8de8186b0a4
SHA1 68b0e9c7647408e7247b1ec590960bd5b5907b4b
SHA256 8c787ce62612a6870b2015f8c7c58d7fae96ad0feb64e4ab1e0f63b8d0f790d1
SHA512 a43c47b4ab779a6adec0e04cdffa12899b1a0a3d2e47182736c686eeeb54ca4dfd05fb7f50d47929a0b150237c151f2c486440e2283f4b1810a57013dabe9a70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1eacf4112fd8a0ac27e79d1cdd257713
SHA1 cf976747fc3296a7286d5c9e292f46af84dd2af1
SHA256 f560dba4002c222b0f6c5a150677b43cdff102440eba9a727b8e9bf77416e306
SHA512 fac1ac082a683e13df444353b3da07d9e89f553548e69d47adb7a224e2971bdf959989ad1255a608395d215141c5249bd07c4ec0d6676e943af939102a836869

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50ca6946f914ec6d4d47da5b27625f53
SHA1 c5e5b9cdd08ff662b7c8d787350e213b1ee47825
SHA256 f0264040668eaed4f255f2b8e312c6c91fc8fe826dca8469e8c552cc00933d30
SHA512 3feb6f0199f9ae33b27d7ce0d271de46de9049424554c9b073ad491effd9664761f3a04ef9c92f6353c02014b779b61a46c37202ef88b0e8987e626e0f1bd76d

Analysis: behavioral2

Detonation Overview

Submitted: 2023-03-01 17:12
Reported: 2023-03-01 17:13
Platform: win10v2004-20230221-en
Max time kernel: 28s
Max time network: 31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe"

Signatures

Quantum Ransomware

ransomware quantum

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | \??\c:\Users\Admin\Pictures\AssertGrant.tiff | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\ExpandConvertTo.png => \??\c:\Users\Admin\Pictures\ExpandConvertTo.png.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\ExpandGet.tiff => \??\c:\Users\Admin\Pictures\ExpandGet.tiff.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\HideMerge.crw => \??\c:\Users\Admin\Pictures\HideMerge.crw.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Pictures\MeasureRepair.tiff | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnregisterCompress.crw => \??\c:\Users\Admin\Pictures\UnregisterCompress.crw.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\AssertGrant.tiff => \??\c:\Users\Admin\Pictures\AssertGrant.tiff.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Pictures\ExpandGet.tiff | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\MeasureRepair.tiff => \??\c:\Users\Admin\Pictures\MeasureRepair.tiff.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Pictures\MergeGet.tiff | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File renamed | C:\Users\Admin\Pictures\MergeGet.tiff => \??\c:\Users\Admin\Pictures\MergeGet.tiff.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\8d11c402-33fa-4eb7-ac28-ff5419c559ff.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230301181256.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A

Both rows are attributed to the Edge installer's setup.exe writing its own SetupMetrics files, not to the sample.

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

All three queries are made by msedge.exe, not by the sample; the BIOS product and manufacturer reads are browser telemetry, not sandbox evasion by the ransomware.

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\.quantum\shell\Open\command | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\.quantum | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\.quantum\shell | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\.quantum\shell\Open | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe | N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of AdjustPrivilegeToken

The sample asks for SeRestorePrivilege, which lets a process write files regardless of their DACLs (useful to an encryptor), and SeDebugPrivilege, which lets it open other processes. AdjustTokenPrivileges can only enable privileges the token already holds, so the request succeeds only in an administrative context; the signature records the request, not its result.

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe N/A

Suspicious use of WriteProcessMemory

Every write below goes from a parent into a child it has just created (sample to cmd.exe, cmd.exe to attrib.exe, the Edge browser to its own helper processes), which is how ordinary process creation looks to this signature. No write targets an unrelated process, so there is no injection indicator in this run. The count in parentheses is the number of recorded writes for that source/target pair.

Description Indicator Process Target
PID 4404 wrote to memory of 212 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 3836 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1636 wrote to memory of 5068 (2 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 380 (40 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 4952 (2 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1636 wrote to memory of 4612 (16 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Views/modifies file attributes

evasion
attrib.exe is the last step of the self-removal chain: the batch file dropped in Temp clears the system, read-only and hidden attributes on the sample's own executable (see the attrib command under Processes) so that the batch file can then remove it once the ransom note has been shown.

Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe

"C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E56A3B7.bat" "C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe""

C:\Windows\system32\attrib.exe

attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xc0,0x104,0x7ff8163f46f8,0x7ff8163f4708,0x7ff8163f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13808364344228455491,8946073475232250908,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,13808364344228455491,8946073475232250908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,13808364344228455491,8946073475232250908,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13808364344228455491,8946073475232250908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13808364344228455491,8946073475232250908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13808364344228455491,8946073475232250908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff66bb25460,0x7ff66bb25470,0x7ff66bb25480
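
The process tree above shows the classic ransomware self-removal chain: the sample spawns cmd.exe running a .bat from Temp with its own path as the argument, and that batch spawns attrib.exe -s -r -h against the same path. The following is an added example of detecting that chain from process-creation records, not code from the report or the sample. The records are reconstructed from the Processes and WriteProcessMemory sections (PIDs 4404, 212, 3836 and 1636 as reported there); the sample's own parent PID, Edge's parent PID and the benign attrib.exe control record are assumptions of the example.

```python
import re

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad.exe")
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Process records modelled on the Processes / WriteProcessMemory sections above.
# ppid 1000 for the sample and ppid 4404 for Edge are assumed (not in the report);
# the last record is a constructed benign attrib.exe control.
PROCS = [
    {"pid": 4404, "ppid": 1000, "image": SAMPLE_EXE,
     "cmdline": '"' + SAMPLE_EXE + '"'},
    {"pid": 212, "ppid": 4404, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E56A3B7.bat" "'
                + SAMPLE_EXE + '""'},
    {"pid": 3836, "ppid": 212, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": 'attrib -s -r -h "' + SAMPLE_EXE + '"'},
    {"pid": 1636, "ppid": 4404, "image": EDGE,
     "cmdline": '"' + EDGE + r'" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html'},
    {"pid": 5100, "ppid": 1000, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": r'attrib +r "C:\Users\Admin\Documents\notes.txt"'},
]

QUOTED = re.compile(r'"([^"]+)"')                      # quoted path arguments
ATTRIB_FLAG = re.compile(r"(?<!\S)([-+])([srha])\b", re.IGNORECASE)
TEMP_BAT = re.compile(r"\\temp\\.*\.bat\b", re.IGNORECASE)


def parse_attrib(cmdline):
    """Return (set of attribute letters cleared, list of quoted path arguments)."""
    cleared = {attr.lower() for sign, attr in ATTRIB_FLAG.findall(cmdline) if sign == "-"}
    return cleared, QUOTED.findall(cmdline)


def detect_self_delete(procs):
    """Find attrib.exe runs that strip S/R/H from an ancestor's own image."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        if not p["image"].lower().endswith(r"\attrib.exe"):
            continue
        cleared, targets = parse_attrib(p["cmdline"])
        if not {"s", "r", "h"} <= cleared or not targets:
            continue
        target = targets[-1].lower()
        # Walk up the ancestry; stop at the process whose own image is the target.
        chain, cur = [p["pid"]], by_pid.get(p["ppid"])
        while cur is not None:
            chain.append(cur["pid"])
            if cur["image"].lower() == target:
                break
            cur = by_pid.get(cur["ppid"])
        else:
            continue  # attributes stripped from some other file: not self-directed
        # Was the intermediate cmd.exe running a Temp .bat that was handed the same path?
        via_temp_bat = any(
            by_pid[x]["image"].lower().endswith(r"\cmd.exe")
            and TEMP_BAT.search(by_pid[x]["cmdline"]) is not None
            and target in by_pid[x]["cmdline"].lower()
            for x in chain[1:-1])
        findings.append({"self_pid": cur["pid"], "chain": chain[::-1],
                         "target": targets[-1], "via_temp_bat": via_temp_bat})
    return findings


if __name__ == "__main__":
    for f in detect_self_delete(PROCS):
        print("self-delete chain", f["chain"], "via Temp .bat:", f["via_temp_bat"])
```

The ancestry walk is what makes this specific: attrib -s -r -h on an arbitrary file is common in scripts, but attrib clearing those attributes on the image of one of its own ancestors, reached through a cmd.exe that was handed the same path and a batch file in Temp, is the pattern ransomware uses to erase itself, and it survives renaming of the dropper and of the .bat.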

Network

Every entry is a reverse (PTR) lookup sent to Google DNS, plus one mDNS query to 224.0.0.251. Read back into forward form, the looked-up addresses are 40.125.122.176, 40.119.249.228, 192.229.221.95, 40.125.122.151, 8.238.177.126, 52.137.106.217, 13.107.43.16 and 239.255.255.250 (the SSDP multicast address), consistent with connectivity and telemetry traffic from the Edge instance spawned to display the ransom note and with Windows discovery services. The only destinations contacted are Google DNS and a multicast address; nothing here points to ransomware command-and-control, and none of these names belong in an indicator list.

Country Destination Domain Proto
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 16.43.107.13.in-addr.arpa udp
US 8.8.8.8:53 250.255.255.239.in-addr.arpa udp
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\3D Objects\README_TO_DECRYPT.html

MD5 5da40b5871fb3317bb933d4de41d367c
SHA1 5085eb5a96edba7f0af082f2488c9168ff8a3906
SHA256 d64328884053ee5e71046b1a6ca8468000a1963e0d0fa492ae253491a0560aad
SHA512 63bf1044652cd894bb9f4ebf0d738317f9a70e3687dabf386b2316a2cb95e69ceda8bd9f086e1a5fce45ed02a48590093dad88b458fb1cd3da19cac860a79f7e

C:\Users\Admin\AppData\Local\Temp\0E56A3B7.bat

MD5 348cae913e496198548854f5ff2f6d1e
SHA1 a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256 c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5a10efe23009825eadc90c37a38d9401
SHA1 fd98f2ca011408d4b43ed4dfd5b6906fbc7b87c0
SHA256 05e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5
SHA512 89416a3f5bf50cd4a432ac72cd0a7fb79d5aeb10bdcc468c55bbfa79b9f43fab17141305d44cb1fe980ec76cc6575c27e2bcfcbad5ccd886d45b9de03fb9d6d7

memory/380-386-0x00007FF833310000-0x00007FF833311000-memory.dmp

\??\pipe\LOCAL\crashpad_1636_JQKSMJKPIMWGYFTJ (Edge crashpad IPC pipe; the digests below are those of zero-length content, since a named pipe has no file body)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c1a3c45dc07f766430f7feaa3000fb18
SHA1 698a0485bcf0ab2a9283d4ebd31ade980b0661d1
SHA256 adaba08026551b1b8f6c120143686da79f916d02adbef4a8d1c184e32a19fd48
SHA512 9fc93f01ab4b14f555791d757ffe881787cc697102547c61847552e597e206e70c6d35fedff559c72a0a67d1b95e769095ecb0a8a7d4f07cf58a7a0d57d3e9f4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

MD5 5da40b5871fb3317bb933d4de41d367c
SHA1 5085eb5a96edba7f0af082f2488c9168ff8a3906
SHA256 d64328884053ee5e71046b1a6ca8468000a1963e0d0fa492ae253491a0560aad
SHA512 63bf1044652cd894bb9f4ebf0d738317f9a70e3687dabf386b2316a2cb95e69ceda8bd9f086e1a5fce45ed02a48590093dad88b458fb1cd3da19cac860a79f7e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 761b55196303cf7667099283c20c005b
SHA1 e71001d0fc3c92905215ce023e3c4a24e141ed8d
SHA256 b95345b2dcce9e17b3d49beb0b744738ac0047f208f2f8d3d4ed6205549345ac
SHA512 8b4d71eff79b3faabd3d32a2e0c0bbe3f2e0ddd7b68a72fb527f64ac9b9dd6f56e1603382ea464cedff551498cd40a8b55b7d7244a4a2e4ca7435305392c7fe7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 5edab6d3ffbeee247ccb4423f929a323
SHA1 a4ad201d149d59392a2a3163bd86ee900e20f3d9
SHA256 460cddb95ea1d9bc8d95d295dd051b49a1436437a91ddec5f131235b2d516933
SHA512 263fa99f03ea1ef381ca19f10fbe0362c1f9c129502dc6b730b076cafcf34b40a70ee8a0ee9446ec9c89c3a2d9855450609ec0f8cf9d0a1b2aebdd12be58d38c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

MD5 a3a3e9e02ac0ea5a959a6a0e492b6b57
SHA1 eaca66e0e0005eebb8d1eb2b88379c652e8d6df8
SHA256 4cc5e21ee41f746a8f66551ea6da7196251f89f17d876c419085bfbbfb58d6b4
SHA512 8fe0bf0969824f17c1843c26736d7bd6c5dc648cdf3b561d6c064014bda82ed7645e629ba96e4bd4f91662896b45a34c544e3a17fea2dd72fe5a603c862cafdf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 648643cae67e7a8e6066dede62dcc5ca
SHA1 64f846afbff9cc97a22a9440eadedbfac69f88a4
SHA256 84c0a78eeab1d2d39b683ffa127deb7140a250c1375e4fdaaf7c96364f03579b
SHA512 b1e7d94bb9ac4a4215859a78ccdbf6a232e9d9e1a1e14c22ec090f7f9f61a6d32743ad7340fb23e04486ca07263080ea074cdf27bc57e9a332af9d1e746d56b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
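
Most of the Files section is Edge profile churn from the browser that displayed the note. The entries that matter for triage are the ransom note (identical content, SHA256 d64328884053ee5e71046b1a6ca8468000a1963e0d0fa492ae253491a0560aad, dropped at two paths) and the self-delete batch in Temp. The following is an added example of a pass that separates those from the noise; it is not from the report or the sample. The (path, sha256) pairs are copied from the Files section above (a subset is enough), and the path patterns used to recognise browser-profile writes are an assumption of the example.

```python
import re
from collections import defaultdict

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
NOTE_SHA256 = "d64328884053ee5e71046b1a6ca8468000a1963e0d0fa492ae253491a0560aad"
BAT = r"C:\Users\Admin\AppData\Local\Temp\0E56A3B7.bat"

# (path, sha256) pairs taken from the Files section above.
DROPPED = [
    (r"C:\Users\Admin\3D Objects\README_TO_DECRYPT.html", NOTE_SHA256),
    (BAT, "c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat",
     "05e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5"),
    (r"\??\pipe\LOCAL\crashpad_1636_JQKSMJKPIMWGYFTJ", EMPTY_SHA256),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat",
     "adaba08026551b1b8f6c120143686da79f916d02adbef4a8d1c184e32a19fd48"),
    (r"C:\Users\Admin\Desktop\README_TO_DECRYPT.html", NOTE_SHA256),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences",
     "b95345b2dcce9e17b3d49beb0b744738ac0047f208f2f8d3d4ed6205549345ac"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations"
     r"\ccba5a5986c77e43.customDestinations-ms",
     "84c0a78eeab1d2d39b683ffa127deb7140a250c1375e4fdaaf7c96364f03579b"),
]

NOTE_NAME = re.compile(r"readme|decrypt|recover|how_to|restore", re.IGNORECASE)
# Assumed noise patterns: Edge's profile directory and the Windows jump-list cache.
BROWSER_PROFILE = re.compile(
    r"\\AppData\\(?:Local\\Microsoft\\Edge|Roaming\\Microsoft\\Windows\\Recent)\\",
    re.IGNORECASE)


def triage(files):
    """Bucket dropped files into ransom notes, empty objects, browser noise and the rest."""
    by_hash = defaultdict(list)
    for path, digest in files:
        by_hash[digest].append(path)
    out = {"ransom_notes": [], "empty": [], "browser_noise": [], "other": [],
           "note_sha256": set()}
    for path, digest in files:
        name = path.rsplit("\\", 1)[-1]
        if digest == EMPTY_SHA256:
            out["empty"].append(path)          # pipes, zero-byte placeholders
        elif BROWSER_PROFILE.search(path):
            out["browser_noise"].append(path)
        elif NOTE_NAME.search(name) and name.lower().endswith((".html", ".txt", ".hta")):
            out["ransom_notes"].append(path)
            out["note_sha256"].add(digest)
        else:
            out["other"].append(path)          # droppers, scripts: look at these first
    # One note body written to several directories is itself a ransomware tell.
    out["note_copies"] = {d: len(by_hash[d]) for d in out["note_sha256"]}
    return out


if __name__ == "__main__":
    for bucket, paths in triage(DROPPED).items():
        print(bucket, paths)
```

Hashing the note across drop locations also gives a stable file indicator: the note body does not change between directories in one run, so its SHA256 can be matched across hosts even though the encrypted-file extension and the dropper name may not.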