Malware Analysis Report

2024-09-11 01:37

Sample ID: 240204-wjq52sffe5
Target: 2cbb3497bfa28d9966c1feeae96d452d.7z
SHA256: 686c57db4eb63748c3ddfcfdecc9258e47fa0dc62762ffd4c0519f4a92d074dd
Tags: quantum ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 686c57db4eb63748c3ddfcfdecc9258e47fa0dc62762ffd4c0519f4a92d074dd

Threat Level: Known bad

The file 2cbb3497bfa28d9966c1feeae96d452d.7z was found to be: Known bad.

Malicious Activity Summary

quantum ransomware

Quantum Ransomware

Deletes itself

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

Views/modifies file attributes

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-02-04 17:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-04 17:57
Reported: 2024-02-04 18:00
Platform: win7-20231215-en
Max time kernel: 133s
Max time network: 136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1

Signatures

Quantum Ransomware

Tags: ransomware, quantum

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C8HX303O\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Desktop\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Music\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Documents\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Libraries\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Videos\Sample Videos\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HSCYP491\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UBTYURA7\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Documents\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Downloads\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Recorded TV\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Searches\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Music\Sample Music\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Videos\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Videos\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\592Q329J\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Links\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Music\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\f: C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\README_TO_DECRYPT.html C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\Program Files (x86)\README_TO_DECRYPT.html C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\README_TO_DECRYPT.html C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28ADEB81-C387-11EE-9BD1-F2B23B8A8DD7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.quantum\shell\Open\command C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.quantum C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.quantum\shell C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.quantum\shell\Open C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1604 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1604 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1604 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1604 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1604 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1604 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1604 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2036 wrote to memory of 1688 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1688 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1688 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1688 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1688 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1688 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1688 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2004 wrote to memory of 328 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2004 wrote to memory of 328 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2004 wrote to memory of 328 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2004 wrote to memory of 328 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Views/modifies file attributes

Tags: evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F76D9AC.bat" "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll""

C:\Windows\SysWOW64\attrib.exe

attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Public\Desktop\README_TO_DECRYPT.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp

Files

memory/2036-0-0x0000000000500000-0x00000000005D1000-memory.dmp

memory/2036-1-0x0000000000500000-0x00000000005D1000-memory.dmp

memory/2036-2-0x0000000000500000-0x00000000005D1000-memory.dmp

memory/2036-4-0x0000000000500000-0x00000000005D1000-memory.dmp

memory/2036-7-0x0000000000500000-0x00000000005D1000-memory.dmp

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\README_TO_DECRYPT.html

MD5 5de1f91f5692968ceaffa99e8cb58034
SHA1 65acc61eb9806f44d9ed790b4e03ab7962a318da
SHA256 5ec7a54192571e3d4fea6bce262716e2dcde520ad96d20ceec6f96d38dee3c17
SHA512 22409dcd15094ff29293ddbcd3373ab0a70cc19bc51a4b2bf85a94e72e9f9b1e2c64428e0472242f6ea3ec7a1ea7a1a44fff1b467dba43c39a9336d76177448d

memory/2036-44-0x0000000000500000-0x00000000005D1000-memory.dmp

memory/2036-45-0x0000000000500000-0x00000000005D1000-memory.dmp

memory/2036-27-0x0000000000500000-0x00000000005D1000-memory.dmp

memory/2036-26-0x0000000000500000-0x00000000005D1000-memory.dmp

memory/2036-8-0x0000000000500000-0x00000000005D1000-memory.dmp

memory/2036-474-0x0000000000500000-0x00000000005D1000-memory.dmp

memory/2036-537-0x0000000000500000-0x00000000005D1000-memory.dmp

memory/2036-543-0x0000000000500000-0x00000000005D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0F76D9AC.bat

MD5 348cae913e496198548854f5ff2f6d1e
SHA1 a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256 c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

memory/2036-554-0x0000000000500000-0x00000000005D1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar267A.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0cf55624334dd031bd8cbf1044893b98
SHA1 64dd976d8c5190535632844b4e2f321f5d71ccca
SHA256 df434d84d1083b14d5e6424d517bb1ba93b5eebedbd350c0dd356e5333e1e10d
SHA512 07f0f1fbeb87ab53b7f1fc369dd49ee59848bcc9fbefed6382810342125332e39e232acede584131432e2e0f52988f1d36855c907816aaaae108895e70ceafaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fccd585015a1658fc4fead65cedb753c
SHA1 bff28e0ff1cca9639e708554494c46fd13e20e8d
SHA256 466c3adf085a513876d6813e6b797580b65beed5cc12623f0d72910f3d501abc
SHA512 6480e2088b798819f477a209b2f55a36f566494b76b41e99a6ec8db7eadbc6be190c456725a9c3e105a3241b4b27246d035c6b6bd80ece98ae53905dc97d0ffb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 c2660bcd31d2401376b743323e09fa79
SHA1 c3d85f581efbaf3d8dbf2fe0c06b5fed29fd1f4a
SHA256 99723f2b1630f16a412ceab1956c7a8b1c21a973532d12ff21ab37d4abd7373e
SHA512 13f475943551c764910545b3c9ce3dee01bc04b2c89ec7d4945fb8c96d74b4029de619c233c05deefa0abf2fd130c698bba7166c815d7376395c8907f410026f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9592f9c4566a25933f689e81a4c9a808
SHA1 e9b0319f81e377d44b6a7ce909215fd9e435a183
SHA256 f57b557b6e3b168447364085213245f2c3ccb47d44e1d601ace8c4dc2b4fab51
SHA512 4cbd76d4612eb1cc4b774501887eff490ae3a234c27f9fd53a88029c5a240aabf8e9fc6d8410a9dd4dfcb9f120fb1d66d7e0073806df311c1a15109d4534f94d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2610bbd0fd1f6c09830c3682c49dc57
SHA1 d801c9cbe3e014fcfd0ab30efe6c583532268da7
SHA256 7650923fd5b5e8ffc2b09ecd49ccf272092237e20b60f59fa9f474101cd6d64e
SHA512 eaa994195b84befddbb9ca554f10a3a4831218a1255f2e0972f88acaabf64a634ce40fee064d517280cc5e28a98ab081d6d1b6d01c573177d1960eccb3e9594d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4dda43201bc1c6e1bcb9a9a0a9fa3d3
SHA1 2d92437890285cefe156fe24faa3d5a78bd0c95a
SHA256 cbd9560ca9646c0ea6e77c23fa86740d0de929c4b93f46ca652d84ab5f830134
SHA512 5886049f5e794f7d7991106ddb700ca50c4657e7f3bdc29fd5a33e557a1a15df7cf269322a6b9388e788ccbcd0bd7a843b70da8ae41b953248252c3784e05ba1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb6aeb9cb19c771566f0840ae5ad2cbf
SHA1 343178a82044de188d3f023b7113a0be23a2bebf
SHA256 32a0b46b8fec22d0b19af6111a074908a47928b236972bf201c2d16edeafa1fd
SHA512 1cd9d19f3b091582d572178ca322510c3cd56bf5ec30640ca2552d3775d8ede88130089645e60000d5654ff39d8958073bb4edae3756ddac995e7d25239fe46e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 0ed3b65a3371f91991619b08adb27ef1
SHA1 0bd7fa10cd46d28ad5f8856fcdec46179c3064b3
SHA256 85b602f169ce4723ff470c002dbd4c2b73009e4c0121f36f962759c84b4931f8
SHA512 d3f799d1fd3721664256692dc2e242567093d8c5dec1c0939e3d55fe7cda79d74bfe5fa4f66f04b54cebf08d8dc25ccc1be8f946e7f2e15ce6826891192942e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 049a6604d88c5a081e74fccadf42c5a6
SHA1 0831a75581bbcb7969a4a7b29b84fbf4b35a8383
SHA256 853daf51db25855c1f7495d9d5d24c65eb05e794b87415723fb24d2573e0a525
SHA512 18f74ca1f87c2d1c4df346f7d14859745f630381024ca97dee2db6071ff472e8d7a6acff892a5c6a4a762bbe5102142d2b4ae8461fc509653793d719faaf09f9

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-04 17:57
Reported: 2024-02-04 18:00
Platform: win10v2004-20231222-en
Max time kernel: 145s
Max time network: 149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1

Signatures

Quantum Ransomware

Tags: ransomware, quantum

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\Users\Admin\Links\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Music\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Documents\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Documents\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Searches\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Music\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Desktop\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Libraries\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Videos\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\3D Objects\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\OneDrive\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Videos\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\Downloads\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Public\AccountPictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\f: C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\README_TO_DECRYPT.html C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\Program Files (x86)\README_TO_DECRYPT.html C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\.quantum C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\.quantum\shell C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\.quantum\shell\Open C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\.quantum\shell\Open\command C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 1132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2376 wrote to memory of 1132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2376 wrote to memory of 1132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1132 wrote to memory of 3664 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 3664 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 3664 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3664 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3664 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4276 wrote to memory of 4084 N/A C:\Windows\explorer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4276 wrote to memory of 4084 N/A C:\Windows\explorer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 3632 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 3632 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 5520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4084 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E5791E0.bat" "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll""

C:\Windows\SysWOW64\attrib.exe

attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll"

C:\Windows\explorer.exe

"explorer.exe" README_TO_DECRYPT.html

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa0e4546f8,0x7ffa0e454708,0x7ffa0e454718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,10818971345491656159,571710442057329960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8

C:\Windows\explorer.exe

"explorer.exe" README_TO_DECRYPT.html

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0e4546f8,0x7ffa0e454708,0x7ffa0e454718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1191416973600629232,16664403139472616724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1191416973600629232,16664403139472616724,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1191416973600629232,16664403139472616724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1191416973600629232,16664403139472616724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1191416973600629232,16664403139472616724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1191416973600629232,16664403139472616724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1191416973600629232,16664403139472616724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1191416973600629232,16664403139472616724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1191416973600629232,16664403139472616724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1191416973600629232,16664403139472616724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1191416973600629232,16664403139472616724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0e4546f8,0x7ffa0e454708,0x7ffa0e454718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8784782290733661502,4026022466514878554,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1

Network

Country  Destination       Domain                                                           Proto
US       8.8.8.8:53        228.249.119.40.in-addr.arpa                                      udp
US       8.8.8.8:53        204.178.17.96.in-addr.arpa                                       udp
US       8.8.8.8:53        68.32.126.40.in-addr.arpa                                        udp
US       8.8.8.8:53        95.221.229.192.in-addr.arpa                                      udp
US       8.8.8.8:53        13.86.106.20.in-addr.arpa                                        udp
N/A      224.0.0.251:5353                                                                   udp
US       8.8.8.8:53        50.23.12.20.in-addr.arpa                                         udp
US       8.8.8.8:53        241.150.49.20.in-addr.arpa                                       udp
US       8.8.8.8:53        206.23.85.13.in-addr.arpa                                        udp
US       8.8.8.8:53        149.220.183.52.in-addr.arpa                                      udp
US       8.8.8.8:53        217.135.221.88.in-addr.arpa                                      udp
US       8.8.8.8:53        178.178.17.96.in-addr.arpa                                       udp
US       8.8.8.8:53        lsxkornhwiuchwvtrm2ru2hr25rovmyvrurgej7kwv3vd6rvbznpdwid.onion   udp
US       8.8.8.8:53        google.com                                                       udp
US       8.8.8.8:53        google.com                                                       udp
US       8.8.8.8:53        48.229.111.52.in-addr.arpa                                       udp
US       8.8.8.8:53        4.173.189.20.in-addr.arpa                                        udp

Files

memory/1132-0-0x0000000000C90000-0x0000000000D61000-memory.dmp

memory/1132-1-0x0000000000C90000-0x0000000000D61000-memory.dmp

memory/1132-3-0x0000000000C90000-0x0000000000D61000-memory.dmp

memory/1132-9-0x0000000000C90000-0x0000000000D61000-memory.dmp

C:\Recovery\WindowsRE\README_TO_DECRYPT.html

MD5 8a6cd7e79f02329e62bdab3c6b5594e4
SHA1 53b3ae8f942f57de27d3ad6de2b1e6c02152aaf0
SHA256 a5cec99467da47e2aefb60df313dbe87cd6296e2d668b6329a4eeed089a02ec0
SHA512 0d9aa894f6eaee1d3ba9363418236d5a9bf722f7dc225e74c87b194b4dd6363f0851ba11fec6326c186b9ef3f1a88417dfbc889790d615e5631c8636129ccca0

memory/1132-51-0x0000000000C90000-0x0000000000D61000-memory.dmp

memory/1132-154-0x0000000000C90000-0x0000000000D61000-memory.dmp

memory/1132-75-0x0000000000C90000-0x0000000000D61000-memory.dmp

memory/1132-336-0x0000000000C90000-0x0000000000D61000-memory.dmp

memory/1132-12-0x0000000000C90000-0x0000000000D61000-memory.dmp

memory/1132-1180-0x0000000000C90000-0x0000000000D61000-memory.dmp

memory/1132-1183-0x0000000000C90000-0x0000000000D61000-memory.dmp

memory/1132-1189-0x0000000000C90000-0x0000000000D61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0E5791E0.bat

MD5 348cae913e496198548854f5ff2f6d1e
SHA1 a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256 c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 cca99891e4ed0c5a9a24d655031ff7e3
SHA1 1b908582450106fe51b4ee8036f5d306f478a223
SHA256 5c2dda27d96f781633d63cc8c5618d73204cf413bf2dbffa88b8ae01d5c0dd45
SHA512 1e5b6e2e545e554c6f9f7e40dbd9102e05f71aab1384b4b912b1ead70098c0ae4d586d1fc2014c8ae67c580c2d4cf11dea2479d89c7f29445a0d85bfc1755dbb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f96acad2d023d55c5c5e501ce1efedcc
SHA1 41b3ba6bca7f901d7f36e650856977e791a6202f
SHA256 1ee99430ad2bead6b0b3377a38819ad48469b9d6075ff598a1dbcfe5b34fd2dd
SHA512 fb41e25a1a0ba519982d7f8792c887fd3369207207bbd8994e0d4eb9b00bf75f2de1980e92d3c70733b4117d7ccc1ea9eea954c566d4d6eedb1bcbea76e0dd8b

\??\pipe\LOCAL\crashpad_4084_BNOFPVTQOHGSIZNO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 49a448784c5b90eea4c91e154423bfea
SHA1 dd2e9277bb4dd6427918eb709421343e08ec4b4c
SHA256 bb82f969805dd994d096e686a56abab55b2061d85df3375ec443c4d763f04ce3
SHA512 6848c88cb6c9dd77df5cdb143ddec1efd8e99d5f3a3799e66ba2344a4bbe49fe5f3d71de8e1ac0cf05bc42c08b82ffe021187326c20844f5247f8dc20de2379c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e314f781-1c35-4362-93ba-b2d1f8ee0875.tmp

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1d2754e9-c27d-4dd0-95f9-5f6173fbce80.tmp

MD5 44b2cce439b2614f52b17a0682ef1ebd
SHA1 2cf25179f9a083eab0651b5a50b878d62824cb24
SHA256 fe86f2788178af95ec6be2482b2850fa1b626d1596c58b280120ea050eaa0242
SHA512 f0b870e9fe15c715e6761d18f994616c83c1f96c32f92c37e2e91ab47f7f2bc50c0369280b44ccee07ad0da70b091cfa9165674b6b99711d7b48a8997675167b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-658619A2-15B0.pma.quantum

MD5 d848a7ecc75254770aa40e2eaf96ddec
SHA1 23e00b35940b7aa165cef768c4e84b3f6cb70b09
SHA256 95d2b3815412b58042132cf3226bff47b7720eeadb29895150f29c2aa4690d6d
SHA512 2534ccf4082082f3362d9cde53a9bff27a35ef082fd846979be16b17ae342648779d9adb8dcfa9282b1c3352cbbc3599132f3a3ace01d4131d3c0fc195338db9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

MD5 42f45fe60d4fc7b74fca481a35dfb6dc
SHA1 cc94dbd2fc84990d3ca849deedbe78d37331c735
SHA256 0ff81bfe8be0518d8f0d6ac60e1782d0c04745701c9ec549404fddf3e0604f8f
SHA512 c8855091db9b73ca924a8d3c8c84edba9bc5cc4766816872561d7f2b0d09874636247db6f82815f3d8dfd7a2202e8d664f7b8668925af166cb3e4b01163a2bf9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 cf01e16ef9d238e63410aae326575fa7
SHA1 96840797526e333d6514dff9d88aec11ddff5ce6
SHA256 7fa86df437dbfbcd7bfd471f7c7fa2a356c040614e5259590ace4de73db302e9
SHA512 21467ff2341e5d3e5069674acec0903730c6b1e968b0b60625a9dfd7c20e1df0addca8ed072f18ec048d3662c1ed46ad419b8571f25004d19d012dad8fcbfdf5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e591136d800623799ec77493c41b6885
SHA1 83879e435710507f8601e9efbbf747c9164fa7d4
SHA256 6bb5b1f31f30ffa708573406a51c741510a0c8cb4132165a2ceb013f94826781
SHA512 9632c969c28a463997d803feed4d85ccf1897561e1e7db3d2e306c6bbf88337640f27e4e6afd66ec41bb975d1d2b7f5224346f8a9345b936e92696c9632b58cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RFe57da52.TMP

MD5 cdb1239aba5621212e50b37aaf19db20
SHA1 0605dff395dbfe193bc0539262262fda6bb4cd10
SHA256 e027165d17a68dfb43385f7b22dbac4be0a24f647eab4cd9396b17651851a528
SHA512 b78f0cfcf1673287b6743077cdd0b56e63574eb5cc09c33280c75d395b6979206d817dc2b3c6a8205a42fa1610d8cf38c7784f3a6520d7a577c649138dc277bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2b316ea5-d18d-4644-9141-5d88644d85d1.tmp

MD5 0ea0a567a4626a72b4770283013f6ef4
SHA1 34e9a1523d3296643ded4790ee0e41545d67147f
SHA256 5094b63bd000020ae7ec76beb8a9c8ae8e64e3ec20ecf24188f6c1023655d5ff
SHA512 b067583d00d5c6ba8bb068d56c98fea00d52eea0b3f637c380ad3ab76841c4f5c258160b2b4955d160d4c42627d3671bcda1bdca863d9e2adacccb17a95959f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bd29a87110684f3df1798c6f25de69b1
SHA1 20b8af198e385dc0ed8e11620ec36094deb066c5
SHA256 a2d709c3b0cc7991ef7700086871361f0aa45ef612dd11b868f182836d3c4e77
SHA512 24a7234ade0223875412da825cd1bccdb3300a4d36b3d9f03630716f11e16134b5ac1de30836ca0b2cf26a67d705fe1d94e447a605c6d98b70352991edc49832

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 58df2627d065e93f757c58420937bbba
SHA1 c5edfb108faf72802363ef92cea2c841921850e1
SHA256 d2280eb293d7c2a7bbc724d26ded7af8d16974f8e420273181cb1b206d7f91c5
SHA512 96c6681260aa8a5b2fd494aa1590b4338bfeca9f8acbe40f2596e4d81db32ca8889de55c2f735446c5c57b7a27f06a13fe33b2b9a9d754ef694cd83b07590868

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

MD5 6850a7cd8150e6e6dad560aa92184007
SHA1 89cb58767b56a6cd98c418db57e6366fc04b05be
SHA256 9c75048ff8ca2f1c1f82212d8ba83e32b7f606d8286e89e3bafec526cf54a4c3
SHA512 06405d8cd33f2f3f8404f79c23521fc382feec83c121a20ccca48d6f497984b5cd9c44940879ee69a4cf0314978a34caa41483f1fe83959edb3ef5848659117e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ae9da7317bf25e6c9a0ea16380cd713d
SHA1 92bb0470c0b84fe6b1cb9dbc4833730c27cf5226
SHA256 7f6c5cb802289a560a5d3dc052052524ba02630cff026f5e8370f4b43aa9ef2d
SHA512 67c27a45a7272a3fb04893a181f3f4dc5aab79e3763d10b2c4f7a8be35d79991533421e0cd6c3373edd0f90f26e2f5d9132fd1c4454940ea001c3c8f80f773c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

MD5 2e71ec74b19cdab20c3ee2b612c66b61
SHA1 1f76200c0658d493a4eff090b0c21c06a271044e
SHA256 cf4adaf548f557cc3d40f91d6b8542bd327b8b7dcc7cc6be432836a664515f2e
SHA512 13dd177f81033b5e33b8cd72afa6b677b7808c65a796aff4414fc7b9f930924ef1e444a800242cfffb1dbde2e1ab63754e1c17fb68d768f6f20ad15e9b6526ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

MD5 12e9885201aa870d62e18daa97dc7e65
SHA1 4a9cd7517f458f7c51dfa6fe7e07e606b178a2d4
SHA256 a89c82498ba7bce2d3f57385eac45d050b5a612aaec96ff016c64350088c4c09
SHA512 1fd63567bf6dea915948526303c11c3a61550e3e5d57b78d905602617245881c7b550dbbe4a9ece7c94417e5d37ce04cc0612301ac0653b6a0ecfd1bad42acb6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 4ed7aad434f84cb6f324688761a63cc5
SHA1 a558cf52061b037b0ba1c5e69380d2ebade6a915
SHA256 1702e442eee1defc0876e69962158ca0fa5f822a9408604f53e90d44fb8d1c38
SHA512 1802c3b4826b16c845fdbb5a12b7b7a8cff38940fb30ee72521f49b3c9399fa10b7fd0e0caedfcca1985d95d707e575bb8d7a5a78123334d7e9094cd59e4cc4b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 55284743a7775b266961e80bf9122301
SHA1 a6c92f6787596c144d88dd1dc4fa60ffc1268865
SHA256 f141b6ea694f2f13317463aadc39c7870563526f77393bdae050ffc130bbd516
SHA512 00742a3a3f7dafb0952f2a90a355de534754980d4cc637071c6774671d43524e3056776896ab676d5a2be59081ce911a618d18f77c45019379b4dda4c975dbda

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

MD5 abd992bc83e27c5f936a51710d564076
SHA1 4726feb4e8dc299fd014dfe60766694e7d666e29
SHA256 f394e7ab4956c47b65ca8b5c25d04065ede0b3811628e74f543d071f09675dee
SHA512 e6ac8b7a62adde93ff0b05624798e7b91578b3c6848935b7b97536082713c0df31ef786714bfaac3cc87e93b68a6fe30ee3a3d71eb6c2b20a65d1b6d36270527

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

MD5 9799920c1ca0b54a411291fb11932c7c
SHA1 76a015eeb9afe54a8cda9ddc72536db78b061578
SHA256 3c02398d84c8d4a0ada2945148584742d5da8ce51663a3f06903dab0ce213a08
SHA512 a18c70442a67c92dfedc68d9c694f9852d2954a5252ec733efe06bedab2a338fddefc242a49c609fd3e9e3d9b319ac9bf028db42500297d75b0fb108cbecb75e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

MD5 f44dc73f9788d3313e3e25140002587c
SHA1 5aec4edc356bc673cba64ff31148b934a41d44c4
SHA256 2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983
SHA512 e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

MD5 6b6217b0921ea329627ca238bd56099e
SHA1 6d102531b306441eb9ca2052039dbb76c3442c91
SHA256 578c96394e69dab991e22af3b2050e94424819c9b429a19d2b040338ec86b716
SHA512 88b34f0b672ccd9a7f8802b0f24bec852d104be132ca7ff4f9b60ffdc38d45f15517d4022dc83ec9020539d24c4c0710be853803f93198232111c639dbb0c9c2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

MD5 1e43b07335f280ac6e270da6fbdfd56d
SHA1 a4c8a863c017deec70db074a14c91a0d329881b4
SHA256 eeacdf82c7e17fbabbe9143bc8c5c582aa2ac39e7723b89fabb8d5edf04df706
SHA512 4ae6ce1253e5350d7249515339eb29194d1acbe24aebbf56fb58a8698eb18bb5eeb2021312a0c7992a7330eec45f24bd55bddfac923cfd9233c3b9017a08f5b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

MD5 f5490a50b7c8f06c320e727544596d6d
SHA1 024bf21c54aa62943168412d0dd5efd216199994
SHA256 c6fe5b2b5d2166f98e2084602bf8e4c48ff1345e4779a277e71d65eb517a1eb8
SHA512 7b41bc0b27816fb39f89e5536e3007a6189967f4482dccb55b942cd08dfc963e5b53b934f10a5a7f6856fc5257314ccf5f88bd3a3e21378d4b7c056e6797e9cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

MD5 71c47b8f44867d805fed290fb0a18f74
SHA1 a019b3329dd49f91ea94267f19de580c40c6ef67
SHA256 13daa8fe29d46fda8acd97cacd7baecc700b2a8763538709f8282941b629865c
SHA512 f35b779a06ef83496eb5adcd1ffeb20c144cc78ced2d923c5f87f9b9220b23c31a712b7518f691b58f65422a28b48ad569a43ee23936fa6445a9d8251a9658c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

MD5 044565359538af42a386371c97deba0e
SHA1 e3e88bd09e6dc5ac138fed5d6651e096d052e877
SHA256 36d6fc09584f534a3f089eb8fbae8e4d31531a57d249585a702c3490f807c5b9
SHA512 8019d11f76a0d874bddbd8eccf8fcb0882894972d51ab1ac3e16a0687bdeff6063a95d6f8f3a3a23183f086225635ca6b644afa8a1f86a9a5d9e80f9663d1584

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13351543090302219

MD5 c34a6bfcd934d6f488e215a4a04cc5ae
SHA1 8d37029ed8360d9bfa381439edcc4d45b7771cb5
SHA256 020d762e0f9b6734405c372b6181548c2cf55a1717db5191c560340d64ed3afd
SHA512 30e3a95ad7470d34dd4d06cc6f68cae30b543f407c4ae14990468d3562972f9500028978a63854222f588730cc932fbc13e53ea9e5f17efc00badce922deed68

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\index

MD5 f639c7aafb62a0e9b354662410727c57
SHA1 0244e8bc2bedeb8cc6828041eeaea0e6c3e9e5fb
SHA256 a2d595b7a7de9fe63916ea7ef5a72224fb3277991d5c68bdb0d46ccd1e2aad45
SHA512 bb963b07807bda4683b5bb6cd66e7c1e300f88e699c69c69dbaa42c946b68e6347d720e781d9fa0c4398a13f321bb86bc5d9c4338adfab5d9a427f8cca8c39d0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 9f36605efba98dab15728fe8b5538aa0
SHA1 6a7cff514ae159a59b70f27dde52a3a5dd01b1c8
SHA256 9c283f6e81028b9eb0760d918ee4bc0aa256ed3b926393c1734c760c4bd724fd
SHA512 1893aa3d1abcf7f9e83911468fa2eeb2ad1d7e23f4586bd6c4d76f9f96a645c15e63e44da55700347165e97b6ac412e6d495b81c3da9faa61d617c7a71a7404c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0b7976739ccb9042621bb5b69505d478
SHA1 16b0643bdbff2d294f5409b03748bb60f15d7539
SHA256 9170739a1ce5f1070db48e2dd1f0ee450946d550018305a54e4ff9055144ef55
SHA512 4b160251fd613f058bdaff9b920663fbadca8fc2028fa03d821d98e5426e5d0ff7c9d3db7ff015e56fce17a05e06b2dbab2773db09fd64ba0523fef4cc683d78

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3cc67aaba9fcf1e9f1c34734625ad51f
SHA1 ecc76f93372c48bae903c4cdfea6aa787e3cd427
SHA256 18c946baf42801bc6270d5fa5ba8038e14201ef9a085a7496771e993a9e24c0c
SHA512 5974f4fd57ac9ea98a5cf93cf99acf3047ddeb668bdddc4a7e8fe21c243e5757c3b1ce8a4d41d2e82bee2abb6ef8b6691741cb7828e7e7dea7c82e3410a18f31

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c5d2a69d-693a-4226-a1c0-73fb9e1009f3.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 303765283aed8488832657a3313c4e28
SHA1 8f6b2df3ced0e2a8616131d811e760b748c388ac
SHA256 35185c993b3d34e23a73516463a20a07123bbfc723af033cd454f231c82ddf44
SHA512 0eef9da7be0d4e3a2afd70d6c01e2916a38444bae1bba3913e1f0862ff55d327a1ccda08bea7c9c7271f708702e60c7657287f597012d24456ae41ffb70be6b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a33fb587370cc886e84af0ff25a55465
SHA1 693cb8d13c78bd42f9b2ac98042f578c8d135a2e
SHA256 f1cce5063bfa10bf23e18b1bfd95054dba8a0c14be1a3fc7c5fdefef2f6e3fc8
SHA512 d2f38d9dc947727561d562ec6eddae19144084926e60ff7d9c3992729b04e89dfec0e337457a44563247b7bedb61273f1bad45b99efeee2c3697090b385eb169

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f552dabd-e3f6-4d38-ac12-2589c11bb32b.tmp

MD5 ac3874afc61c2067cc2303f8211a6136
SHA1 4cb894557ce006fda9312c4a33312b3bc3c94223
SHA256 41a9e7694a52d5a8d51640c03a476c6f450d33656ee4beb2fb64654354553174
SHA512 0d99771ff909b56a3179ea5fc53a1171109192cf7e7366fabc7cce44c6f5e9600151aa9b805f425b12860e7cffc74b793f1440b1ce97f522478dd848f68ba2b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 97548916fe4086f62e2139dcfae360db
SHA1 86e50adb8e793f8aaab3530d4c7265bc9b49c647
SHA256 8d970463db7bd6113b378256eaed8073142414bd227331f2690d3ca02b87fe6b
SHA512 3ef69a790d85c44f78712aaf91e1cc0bbfc2fe4580cbc104e7fc3c7f811f6f877ce708687746a2e7d87a7f160d89c0af0e90f0c0ff7ac24bc318eb1bd930c8a1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 166ef0092958ab479b4eca6765c5e311
SHA1 1f5028b592d9620aeb0679a93e508002dc92502f
SHA256 1b9718400233b083536da2781e3c5447e6c3940c5e6343a07bbd1665c2028024
SHA512 5d9e8e248044dc9dc802b444c9c923ee0f9d3e1dc7053b730238a06b45d8c1b315756c9cd66096a4441c0a112d0fd6f2cf86c13b76222194d3956b5e9004e204

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 dbf03a266b6b147dbcd932d3c11be3cb
SHA1 20b40de37d8cc79e7e22fdef868cb918fdce2149
SHA256 9a1d50f53a2dc3af695b9e790288ce883bd4b80e6b3215242a608f606cff56db
SHA512 92e6e86af1b8c7d36e9a92e0fe163aec5c66a41eb7b60607d2f862aaaa1c840ee227657ffa01d41896601825cb08a3bd422f8957b7b798e848701672880000e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 134926e5d26c3ab611e5e7a2d6231614
SHA1 439e7238d90751bef941669089e4739168a11726
SHA256 0179c0ca1d27767b115cfa9c9cfa20ba7cd48dcf328cd6ebbf1b801b113e5d70
SHA512 a0d4d12793472b40611f0eb5acefa357b79e74c385bce5e769134a15295df40915d33e8e458a9aa550cff706b3db0cd5aa2e898f6e103a9c001ff27cc7a599c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

MD5 d1f604157b0745a40453afb93a6caa42
SHA1 3d5d77429b03674ebb0ba34d925ba1b09310df5e
SHA256 468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5
SHA512 0644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0