chaos | a54a38a9aab0bde31b2065d8b88a8e6569cc66c3f6137379b6b5a62361c319f0

Resubmissions

09/08/2024, 19:49

240809-yj7h5s1dqd 10

03/08/2024, 21:46

240803-1mxt8awekk 10

03/08/2024, 21:21

240803-z7bbaazfne 10

Analysis

max time kernel
186s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quantum.exe
Size

417KB
MD5

3dc9bad7720a01598aa14e55baca7413
SHA1

99668a82a34ec17340fccecbc2ef0985b84704a0
SHA256

a54a38a9aab0bde31b2065d8b88a8e6569cc66c3f6137379b6b5a62361c319f0
SHA512

567581747132d56595c719e4d454bf6e73ba941581701b28287559f899ea5813a0abb7ff2df25cb3d7c99d3203c8a8ab361ea37b3b8e8392748fb855ee4cbaba
SSDEEP

6144:Jr9Zzp4MmFrxodIFRfiM6baHcgrRS8gPFYTdOjbGXypU5:Jp4MmxxhfiMzcyRQFYTdqTa

Score

10^/10

chaos discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\welp.txt

Ransom Note

Hello there! All your files are encrypted, but do not worry, if you're not poor that is. If you send us 50$ worth of Bitcoin, you will get a key that will decrypt all your files! Yipeeeee! Contact us at [email protected] After you send the $50 worth of BTC to the wallet, you will receive the key. Don't try to use any third party software to decrypt your files if you don't want to lose all your data.

Emails

[email protected]

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/2200-0-0x0000000000670000-0x00000000006DE000-memory.dmp	family_chaos
behavioral1/files/0x000300000001e0ab-6.dat	family_chaos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	quantum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	quantum.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	quantum.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\welp.txt	quantum.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.svt5	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\quantum.url	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\welp.txt	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\quantum.url	quantum.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	quantum.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	quantum.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	quantum.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	quantum.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	quantum.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	quantum.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	quantum.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	quantum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	quantum.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iaz8c1lbh.jpg"	quantum.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133671952175198438"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	quantum.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	taskmgr.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5076	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2864	quantum.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2200	quantum.exe
2864	quantum.exe
1984	chrome.exe
1984	chrome.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
2864	quantum.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
1444	chrome.exe
1444	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	quantum.exe
Token: SeDebugPrivilege	2864	quantum.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
5076	NOTEPAD.EXE
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2864	2200	quantum.exe	87
PID 2200 wrote to memory of 2864	2200	quantum.exe	87
PID 1984 wrote to memory of 4820	1984	chrome.exe	90
PID 1984 wrote to memory of 4820	1984	chrome.exe	90
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 3552	1984	chrome.exe	91
PID 1984 wrote to memory of 336	1984	chrome.exe	92
PID 1984 wrote to memory of 336	1984	chrome.exe	92
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93
PID 1984 wrote to memory of 1596	1984	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\quantum.exe
"C:\Users\Admin\AppData\Local\Temp\quantum.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Roaming\quantum.exe
  "C:\Users\Admin\AppData\Roaming\quantum.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\welp.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
    PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9d1eacc40,0x7ff9d1eacc4c,0x7ff9d1eacc58
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3672,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3656 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4812,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4684,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3424,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4616,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3476 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3516,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=1080,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3452,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3328,i,18200053394226111591,13076765045334792990,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:1964

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4560

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
04d75de5dcfe0ef9fb78cb767d567c1e

SHA1
ee1adeeae3bb018d45d327187b5f579c3aacdb9d

SHA256
fa64fcaf4eb6185a7e914d550eb2e37a663f15350553751f26f6af0d531e600e

SHA512
56db7e586282f1f147242736094e3dba3c62282edbcb48f90c1a8620b148e1aedab85040ade8b323b5d6d113553465ddb6b896718a80b31cb133dcc28579add9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8d8a1b1135091c6736caa885dffcca41

SHA1
6a2d1713c37160e4adc0a09902b82de09419547c

SHA256
2ec3220140728fc8ae067180a7a31c6771715c8346689429b79289637179f07b

SHA512
ffdb298c2a7e07c34027704705a3b67c3ec39f85026ff64f515db3c5fc63878b75124f56ca97a333ab0b4bf73a8f784daeccf27d5bff6938b0afb4a514a30e6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
8f3786a359dc58b7920bd9604729fb82

SHA1
802c14bcc0d1094e59942de04996bd8396f40720

SHA256
271655f7484287fdf71ce7bb21e9a4334ce6119ff242add976756f70dc648ec9

SHA512
8a897a3b82a7ff0a7001b8d86bcc1b0fe00512b0368409ca4d655439ce45f2b7d9dc59954d1487dc2b34184e96aec62f8289565f9185b781ce8e3f7dbdb55042

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
d2c86ec7f5d5449c3bc594e6af30f3b5

SHA1
7e90940041d38c7ef93c8fcee796557a8cdda60f

SHA256
9385d0255f6a4e22c47fc856cb211119e32c19e852ebe73edce9a1a92719791f

SHA512
fff8748758fbc83d9b05c0fef1089797e0710370fd30ce3f7897cdd52b27fb9b9704661f9fbdd5554d002369ff3a9ee82c2a455e7e978ea31ec58c651242427c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
7004537d4388ba34c4dfb77f54da9c2a

SHA1
7226319f8e644f6417d89f37bccb1434f4aff34f

SHA256
31a9f7e7bb15d844acb3754f5c6b23b01f4e54811ac72b225c69745a26730d33

SHA512
8bc478978c9051224f3aec1bc0bf73f3ad8c6eefac2fe479ec78daf5c406517ae5b8d93d5c201553f7ec163df11b16e79ada88b260be5f6512020f86509ac75c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c11a2739889eb4aa11317bfb78b7a989

SHA1
8ffd243a96eeb51d7c7514a5d4e111acf97b57e9

SHA256
88dba184bc41bdf7226caae3fe9ecbbc7eb0fda251489faf7d2d184ccf9e7850

SHA512
b5e42ee7fdda202946f7c65f3b14dc79f5c9ba515466002f0e7f11b59b301a88b51dd6f757f32fdfabdaed55790ea49eca4d0153296875875eba62845f682004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d2a12116ff1c208de7d1cef47f252b9b

SHA1
9d9e13f3aaa3a3acae7b9ac4c2fd3b91df6cad8c

SHA256
ea28aff538162eb8af48487b80149b5fa473d78a92e4d7e7b8cb52096ec56feb

SHA512
154b2ba87eac97968c8331ed4f7a009c07639e3cbfdbfeb83ea7ce01febef88f88469da9e4f64307f3673c73926e9b89a95608bd8ae459a6041935a310b0bd72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
89351ca13e8de85f405658b659a596f0

SHA1
d6f00c04208f7b0aed12cd283215f7ab5c193537

SHA256
600ca5214037ea31531fcee886c0d9227cb8b74eac7ba455fed2862a611ce64b

SHA512
640e8c2d4450b7376bdc8145face24c9651eee762bc152e73bbb09fd279a6693839506511f81c16f9a2ce5777f0c63abd4865b8de50c2809845e28403055046b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f4c6bfa35d9861af65093648a326dedd

SHA1
d4c1d5edb4357b03daa25c9f0b95ac96893a9f9f

SHA256
685fcfc7db4d41f879e1084778325797ddd6cf1e3b3d3ed1c1b18e67bd9d9e97

SHA512
781d3c9b0768b2629ac6afef45fb5adb9bc8582062b1ab7192a52fc064451679a7c4f3c5afc033fcd1c3ab84ecea2de3b9147c71e182a80fafb83f179f98286b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4a74b2f7b056f5f19cff0682e9cf9dfc

SHA1
da152fdbec35ce02ed312fbe9da1973efe1f2c07

SHA256
3eb49202084cd2c05617d3cc079a8972d89e628238cd8789d2fd1f71e901c89a

SHA512
cba03e02d0aa0003abbb642958d9b793c491c013687815682ac412ce34234e94bed76eff6867b582390a152a8bafdedc59538cfe82c5f043aec56ae6d2a1feb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
45f47f5e712ed5d95b868c466f0f0775

SHA1
f1a2d1fddecaba9a007c42368b1ddf4e7ddd65ea

SHA256
de8046c516e52194b7ea17cf8debbd3cbd44922e837dc80067933792672bfc0b

SHA512
95727a2163e847c44c8b07805f774d710594f73dec34b7a8168eb54fb0813fdd5cec590a57e7adfb066b5b16635ab03d83ae6e89138129172ac4c1a6ee611528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f00c96364e7d7765a7795ce5d8e82cb4

SHA1
d5fdd9d12c62f57602168ac089b83eeac3637b65

SHA256
1729e0a4ab3d68a9703857d9b0330f1472392a165454f7717a6778e4c8488228

SHA512
224a250caf476b4ec29ec95e9bfa7bb26e9d62fd81e067f90b7d0ea97cfac270679a5964416a232e65898aa5c2b6253a6cc4b10ec794fa93ac778c41f7b92411

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
782975fc6e22612573856ced93f6290c

SHA1
2237f5da3350ecf119c624ae35e18f599e038987

SHA256
44db31e9b58702009e9483a1f2d0e0a38b3f0ab229954236812018203d4eb1cd

SHA512
43f9c819dd8f9253930a755ff00a45f47099f850be79485614be5929a8bffa6f375fbf1b61536b594e37d46263115d0e465e6f3255564c82be1eb988acd35f88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
01a1a876db39a6aec535555159732919

SHA1
86ec4d1c9fac5ebc806b937fc6a505434bfb1eaf

SHA256
a16560edbc729367ddaaf3aafcd793e65d1b22a10020c62f5127c3e5145535db

SHA512
36e1dc93d75476404b975bc05c25636578e0444186a194220c7fbe3243be351a61840f909f6ecccc5707471eb72fd2a00432b7172022dd7665751939dd9cd2fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e292078ccfe2a494088530e3399ca955

SHA1
e0deaecf4bcfe8c430f1f9cd5742ff94fd216656

SHA256
7bc9b1e43a55df842f81e8bc12c417e971b590ade617b935ae80df0d3697e3bc

SHA512
dd8cb34b424ce751354da177debecb6e4dd55cc03282a537a2c9dc7b80b4529c70f9d8e74d35b12613139716a43e9fb97041b3f5fcd563ffb651b82f3921d2dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5e53a0281fb4d7b4c38be9a15aab005c

SHA1
e71d6e792747d06a8217b39594530ef86e1671c3

SHA256
afd8d522b264e8b45d1d7804de3f7b83093a7cddf7a9ecc6997e4efb2cc6364c

SHA512
7e69d63d53dfd591f6df1418c1ce7441b306bfbb4beffe0dddac8c8340b4ba2d666464cd943d7ca5b9fc1fa2a22273b5b63b865d659ce1c82c7376c5895614da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
23885e1313e4b06916de1675c1a10780

SHA1
1d608b5bcb61a88736d91e5ac6c30b5f976e2e20

SHA256
9fe5ab45d5ff144a6cc977ea5267679e9ec3450fe31504b0b2310dae8a444ff3

SHA512
da7da7c4b39e605f5c4d4291188f8f9463e8a4034b85946889e2df7be270370c34704f671c8a4a1ecb54a61f04f82443a7142e9a9a4a043848f478d81698ac59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f94c4d9d470321e580c96df827606225

SHA1
f39846eb2a771956e6c99704afd4fdaaf0cee70f

SHA256
817ae43359009c1b92198c826cb610e3f0eefb5bd4ef892793d6f1e17261e5e8

SHA512
227b4bffab8f2a35cbd4f7a7d858beba2cdce1c7a070afc8596a66cc7255763fedf56e4b1957023011b11f9995f9481ad51bd0d8b66766c195c47300ce1e50c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5325ccdb52b367f23fd7e4ea6bdb3a77

SHA1
5bd314715ebe2ba6bbb39f7ad0a8ee802da01ee2

SHA256
ac59126c7be33ab6f45d77028e4ba78f017d0eb5daa3641525dc0c495da61b3a

SHA512
c852538499180b5a0a1bb05101f03eef5ad15debb1c4f3b75305b0d86598dbbd046f2cbe6595fe57563bcbd3588cea2bc536e41e8e4536cf55315b95f4db41c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e81815eccace62a63dbeb6d667030fdb

SHA1
f4544e319eb7b7a306fc6fb52f6cfa34fea28c5d

SHA256
9e660bc8ac96a852fbbeaa9c5ee1ecbf14b7fecd2b381d82d5161e824c13dc3b

SHA512
a2ad74566ff61654ca6cb30224bd388fc78b65febc444d0a598ee3fa5bc2036de90cf15de6238ef527dc60b9fd852487988defe6c6ac4510dbfb15538be15632

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0a164ba967f57b84aedae7054dc3e5f4

SHA1
25c27feff420c77c5640f691e286b38ae0cbd49b

SHA256
885add0bd09860826cfed91c5ba83bd6e6aa10a58903390615c60eb55dec9fd3

SHA512
f1bc14af786fb4908fc62a06c1338952441d37ff36bf62510375fccf669e47cd29598f5116ef5a956cf658c1afa72ce74abdc60ee6bc44f4997932094cd2a440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e65f27c2ee319b012016d325af4ec31d

SHA1
8a243a1e00ccc5ca26cea4e6e1c866869860b468

SHA256
15ff7d9ca498a3a41473b764db5b487c2fc5b3be7e23eb841fe8a99d9f2e8a6e

SHA512
ff3e4f0c98c7f268f1b8ffffce1a2d23dbc43539e6255b6d26f48633e43da0353d5ed0d2d1a7bad020e660420fb9182e7d9f0f608ed25e9d6ed43850116a7e14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
85dd3a28afe09febe42b9a580f8f423e

SHA1
4faf737fda32af7a8b10c27dbada3f8e781a2578

SHA256
e41e7201f77ee7e6d18ab9836bac8e17be42e63a8306c0f90a0d8ab60361e229

SHA512
37d1302a971fb918103f969ceef0962c852f0935259502a7b5540edaab430841f8a323cc678a82ecdc400bc8acffbc2bf1c9609da210d99086c4f52b2b391b5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6cf5e572f53eb1a4537975e40de3fa78

SHA1
3a7d7336e31cdcd188ed06cd1a6a7b1142bdd37a

SHA256
e9e95713b284f91f392107fb6b14fb9d0596b0071ff1a152b4e3dfb95962c357

SHA512
d86ae1ea071777021a079e10923670f9c243b780cca9e89dd00c5df0ebf0abe697132ad98b96865c424b494aa150eac4b092f07109dceb393444bf5a8c2501c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7160bfc9afc85fc51f9ae3e70692ca6d

SHA1
d17b3d2b1f58b365fcc1704e2e819006130a613c

SHA256
14bc38ffcb0ead79008cecb637de0c83ef7c82e0e93ae3e225b9c5f1fc1da1c7

SHA512
c5453e4bd425d683868108d2f3ece34d7496c59695d00f1fc3ce08b70eeb5fba30def274e9242a5f8a2cd76068eac1a2eb5a59e015491339ea352b574b3592b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9ef3a1eef50203588bf30a9ad692c263

SHA1
f1adf049db16bc17eeafe678e471c7767b9e4dc6

SHA256
44d61ef1207124dc78e4ddfd4686f728be147680ea498dce866603c33c454c94

SHA512
487c08d87fa482a0d6be81a2e83e775dd35e9df40fac0a35199bfcf8220dab9799f719f68d77cdc102d71a707f4ce9fff18a96422ca37b43b2221844045ad0f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
905892106d4b670cd353454e9b89f144

SHA1
10d41cab875dd314aae5987c50d08b7289d16c16

SHA256
d3b6d3a545470298c5b3908adc30fae1beac3dc398c5becfa26eedf5378560f3

SHA512
5052d1cc220cee76715e6b1e5e62ed259e93e99ebaafcf377e5e51b8f5d21ed12edf0e293328e8006f9ca6db056bcf8c46f09bc50c24af1d5f97f89ca56c2f3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6952b9d19a26276e4cf8958c499e9583

SHA1
a98aab7ff5c8271abe24342467d9c0cf2e4679b8

SHA256
ea7af8a2a31cf3bcd0d9ecf70907090d0eccd6e8e6d9588a56669db1960ae39e

SHA512
721325baba9f446ccc0bb43f61904104acd0ebb162c61a329b236026968bd2d83d2151c9e730bdeb244a27863252726e61b95295db83c57358cf5db971b16e02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
87f50868cf8a992acae9c3da61a1d56d

SHA1
3fca2aa08c270f6e816881a6138b07a3923e9dc9

SHA256
729574caeac225e598c1d47c610fca6216a8829e326364ba0b03106b057f1582

SHA512
f56517906313559de49ef5ac67b0b55633fa6b144bef4aeae78f67406912723922b67e6e6f057311b427d8063905e7aa2c16e44fbdf3cdbdaab8e8b5f3791f17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9edaf8843aab5c8f1ba9866c0b359437

SHA1
3eb8a93190591cb497c0692a9590e7a186e8af89

SHA256
9b4d79c6398693aed9635a744117093a158edb0f415d74a1c25e66b6f0304fec

SHA512
6b63e32bf1edca2a062768022586bf933127754d99f4c40ef30206ca812123f46f8d62e02720516fb74b4810dd1cc6f65bbdce17c4e45eec703eb7c173559dac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
da99294bd72899b922d676f2c2e45747

SHA1
442d4460b08c1fbab3ef5d29a7004542d96753f3

SHA256
e50c2d283aa8648d4c4d5933d4195ec7e17b259af3d6f5e59c3c823db80ed1c0

SHA512
d28999a35bbdb0cad012332eca3c9dd8edb35eb737a7866f7643935d04c3ea8b60f5a72f955dab035571ab260f7880704acf786b992443790cbad6359ef39602

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
2d62b965ff4ec6a14f0a4a5eea716d50

SHA1
e887bdc11b1784469c6959c6ba25267583e915b2

SHA256
f202ed6f52786b1d00bdb55e7e653d6e2e1d1e53ff7ab2db48068cff3f64cd2f

SHA512
e876ed1f4e61d4e73a1ce904d7b42a599ec758d990f3b3c742f953b1f770dd67f8fce87f765f89f5e21b5240c7af5f11dd2ce21fdaf439c771c87b2f9e562f2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
c444e9df2658603b9b29638cdea2765c

SHA1
5a491775954c285d8b62ae394227b9a6b4f00e16

SHA256
980cdaad26bd7aeacba8fa11907b7729135f6236ccd3ed0ed1b639ff03884529

SHA512
bd8afe98b6efff484ff346d81e63a914db1f10b1f46698b87c77e29241c2719d57b7013bfa6821d80ba1fdcb740feedc47aa64583e8bceb35f73185655b57d4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
e3a04281c983453fa7a4cb270d080919

SHA1
70a2f4d8b0e6be65d46bac49d17e16ddcd3db07f

SHA256
0e016a5bcf70b5ec67d3c8be460d6b5c6a5cfdc8011a099faef7f1b60334b765

SHA512
aed32cc8c77376dc172afe539c0ed510b2b6d1fef4c6c43da3f7d0904b335709965eb8bc927d5bc330a31435b4e8e22726cffc7c0522b81983fc41a288056ec4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.svt5

Filesize
436B

MD5
dc7db305eb7b74197f7d2f9db52001d1

SHA1
ecbe1fed5cb72eecc7b152ab0521acd6396902a7

SHA256
f0424f26c561e51fc167e086760baae9165f2b344d6c21b9f760f857587d3c33

SHA512
ce02c49a2fe2cea60240bef9d0e9b7dd2104a6fed99a46e103d8f157521867edfee4d2988c5825a029fa5e48371fab1ebfeefa2b0396c297f7d255d32cfb88c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\quantum.url

Filesize
142B

MD5
d6df5a051ba3f834a1ff9ab5a8c13e96

SHA1
36bd56ea83ec0228da99266b318b5191f8d39da7

SHA256
941511f698f6af0b3ce9b72aec4e8b56ca7c35b55ebddd34e44ff981c1729006

SHA512
1f3919094cb594cfca5b3ee2e01c2dd0261e87fbe38554ba1ad9dd4949905885d20a4caf646521233f3b35e204b66c34a08fde54a708f1fb7793994f66612e98

Download Submit
C:\Users\Admin\AppData\Roaming\quantum.exe

Filesize
417KB

MD5
3dc9bad7720a01598aa14e55baca7413

SHA1
99668a82a34ec17340fccecbc2ef0985b84704a0

SHA256
a54a38a9aab0bde31b2065d8b88a8e6569cc66c3f6137379b6b5a62361c319f0

SHA512
567581747132d56595c719e4d454bf6e73ba941581701b28287559f899ea5813a0abb7ff2df25cb3d7c99d3203c8a8ab361ea37b3b8e8392748fb855ee4cbaba

Download Submit
C:\Users\Admin\Documents\welp.txt

Filesize
427B

MD5
025e685a33afef1bb7772b41f46d5700

SHA1
39c246daf9003a7a38cfb2edb5f66b2766c65c39

SHA256
fc4d2fe0b5c84f7ffa475e1cf9da6185e8bb162a03899bcfe015df64778cc380

SHA512
1d3d29da8bb4390ebe563e046d382ced7e1d4abb7870f4a7bee64683d3ae236375492b7ad7fb3e64c800859cf80da43406243f2e5bd36bc262e7bff1e5168b29

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip

Filesize
12KB

MD5
8ce8fc61248ec439225bdd3a71ad4be9

SHA1
881d4c3f400b74fdde172df440a2eddb22eb90f6

SHA256
15ef265d305f4a1eac11fc0e65515b94b115cf6cbb498597125fa3a8a1af44f5

SHA512
fe66db34bde67304091281872510354c8381f2d1cf053b91dcd2ff16839e6e58969b2c4cb8f70544f5ddef2e7898af18aaaacb074fb2d51883687034ec18cdd9

Download Submit
memory/2200-1-0x00007FF9D4703000-0x00007FF9D4705000-memory.dmp

Filesize
8KB

Download
memory/2200-0-0x0000000000670000-0x00000000006DE000-memory.dmp

Filesize
440KB

Download
memory/2864-639-0x00007FF9D4700000-0x00007FF9D51C1000-memory.dmp

Filesize
10.8MB

Download
memory/2864-51-0x00007FF9D4700000-0x00007FF9D51C1000-memory.dmp

Filesize
10.8MB

Download
memory/2864-14-0x00007FF9D4700000-0x00007FF9D51C1000-memory.dmp

Filesize
10.8MB

Download
memory/2864-546-0x00007FF9D4700000-0x00007FF9D51C1000-memory.dmp

Filesize
10.8MB

Download
memory/4756-992-0x000002619AD30000-0x000002619AD31000-memory.dmp

Filesize
4KB

Download
memory/4756-985-0x000002619AD30000-0x000002619AD31000-memory.dmp

Filesize
4KB

Download
memory/4756-991-0x000002619AD30000-0x000002619AD31000-memory.dmp

Filesize
4KB

Download
memory/4756-997-0x000002619AD30000-0x000002619AD31000-memory.dmp

Filesize
4KB

Download
memory/4756-986-0x000002619AD30000-0x000002619AD31000-memory.dmp

Filesize
4KB

Download
memory/4756-993-0x000002619AD30000-0x000002619AD31000-memory.dmp

Filesize
4KB

Download
memory/4756-987-0x000002619AD30000-0x000002619AD31000-memory.dmp

Filesize
4KB

Download
memory/4756-994-0x000002619AD30000-0x000002619AD31000-memory.dmp

Filesize
4KB

Download
memory/4756-995-0x000002619AD30000-0x000002619AD31000-memory.dmp

Filesize
4KB

Download
memory/4756-996-0x000002619AD30000-0x000002619AD31000-memory.dmp

Filesize
4KB

Download