Overview

overview

10

Static

static

10

Nvidia.exe

windows10-1703-x64

10

Nvidia.exe

windows7-x64

10

Nvidia.exe

windows10-2004-x64

10

Nvidia.exe

windows11-21h2-x64

10

Resubmissions

12-05-2024 18:26

240512-w3ftesdb55 10

12-05-2024 01:57

240512-cc9t2aea99 10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nvidia.exe

  • Size

    2.6MB

  • MD5

    87610f8f3d48edf25d48c4c0ba2b3486

  • SHA1

    ab7498abd8626c968c84167ef1c1c503faace1fe

  • SHA256

    e387c084d5c3b62413743e912ee10776564e7c55ba1dc801990b312b88b61efe

  • SHA512

    73840a477b360fb1ab2061087838618a748f8b24560d289d563b4ba4b1b905f62686f4bca2c2e236007be1bc5931711c0d162b1c0f3ade009861e004116ddfe1

  • SSDEEP

    49152:O+8l/s9Yf5u4uT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9u65:OtVsGobzsG1tQRjdih8rwcV5

Score
10/10
zgratransomwareratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nvidia.exe
    "C:\Users\Admin\AppData\Local\Temp\Nvidia.exe"
    1⤵
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Cash Ransomware.html
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe4,0xe8,0xb4,0xe0,0xdc,0x7fff617946f8,0x7fff61794708,0x7fff61794718
        3⤵
          PID:388
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15884060267307023332,15890360297640404014,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
          3⤵
            PID:448
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,15884060267307023332,15890360297640404014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3884
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,15884060267307023332,15890360297640404014,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
            3⤵
              PID:3464
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15884060267307023332,15890360297640404014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
              3⤵
                PID:936
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15884060267307023332,15890360297640404014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
                3⤵
                  PID:1836
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15884060267307023332,15890360297640404014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
                  3⤵
                    PID:5096
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15884060267307023332,15890360297640404014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4788
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15884060267307023332,15890360297640404014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
                    3⤵
                      PID:1800
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15884060267307023332,15890360297640404014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
                      3⤵
                        PID:4408
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15884060267307023332,15890360297640404014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
                        3⤵
                          PID:3556
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15884060267307023332,15890360297640404014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
                          3⤵
                            PID:3304
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15884060267307023332,15890360297640404014,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1284 /prefetch:2
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:960
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2900
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:4836
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:4336

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata.CashRansomware
                            Filesize

                            16B

                            MD5

                            4dbbfe13079120d86501e397d81a75c7

                            SHA1

                            89624c125d2887b5d55ba6ac31b7720d7075c2d6

                            SHA256

                            ac356b6a28ca93e0cdc3489c32e565a0fd06a9f709ba12c0f48aa942106df03c

                            SHA512

                            c106f2eac6be3d822cb9d5454e6d954295a6c66cf4290cd2728e66b72b69a542d72ce441cee6b2916a202a5e6fab8463961c104205bccf354c16935738043ef4

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.CashRansomware
                            Filesize

                            32B

                            MD5

                            e137d7f298ba1412be23bb90aceec54b

                            SHA1

                            5bab1bac3aae45edc17587f94126a5ecbfe02099

                            SHA256

                            82db7367bef70197d23735da40ff6514b37dcde8bdea549d86be874a41054c1d

                            SHA512

                            e90022812f2fd1b95d98591c24cc924dfcb951eb888ee6ad1499366f3c4612bffc8c172be7866c527d90100213722fcc9f1a18b7ea22d3ab04c780b48258efda

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.CashRansomware
                            Filesize

                            48B

                            MD5

                            7c0e746f6300a061db56cf4697b4ee9e

                            SHA1

                            afb51a74127bfa8ee66f9616ac9052df07401bec

                            SHA256

                            a4c67be0a5ba7267fd27b2d39111112734199268c60afc93fb61a4a78c261cfb

                            SHA512

                            c7265908ca35ce584ffbdd17e4ea1d58d874a89c08cc192a33762206871f0750e1c4463e5f9ce976411453e2db8502126a35b023719e8e00798042c8211e73d1

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2.CashRansomware
                            Filesize

                            8KB

                            MD5

                            267835ba16bc29744c7390b5e312e0a5

                            SHA1

                            3cead158187f3b87242a77d0f80b25f2464f3d6a

                            SHA256

                            621857c80a542f9ac34573360ed55ed6bfd57577d7e2422283c53b1330c17c06

                            SHA512

                            3ae82897efc1546eb458cfdb8490adb13a38bd98b0de288c1cc899e55f82d4b6fa30342347b3527056be283b95d7cb7408afc97ea3db0a020dede98d2694e286

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0.CashRansomware
                            Filesize

                            8KB

                            MD5

                            3b15a749fe20617c5169f7e1c1f0304a

                            SHA1

                            beea856a3aa9a18c5873c496ac6c5c823eaa1455

                            SHA256

                            27366b3dca192eec2af61a486d0b2af044278209093fc3ee8f3d4d7b74f02612

                            SHA512

                            871125374e6296bce991067777a7baf0bb6f12e47f5cd911f200e034f0567dfc8c21ad80cc0d23236837407fbfe637b9952bda3d1e7ff24e4228a95ed1a32260

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.CashRansomware
                            Filesize

                            264KB

                            MD5

                            c348affd02f06d06f89ea841fe8724b5

                            SHA1

                            35dc94f03e54d56ca012f022d4e813b0faa7086d

                            SHA256

                            c761b21ffdce62ee356d40a64f0a1af3c93d629560fb5b04c8166ec82b496775

                            SHA512

                            8503b90984f7ce0e62b2c5b9ab20eaeef5bf310c2723784325e9cb5d3f1e198ac26439ce2a30b42688f526519f707e3f657dc2ea30be2b429ab3d3d5a7552df5

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3.CashRansomware
                            Filesize

                            8KB

                            MD5

                            1c700693efe72b30c73675bdaedb317b

                            SHA1

                            449b09531d07b32fec2b451dacd4d3596070acc4

                            SHA256

                            139de2c1ab83257342372bf002448e5345aa2c813f2e8c666a1ebbd1e08aad79

                            SHA512

                            b78bb22e4542011f8f966e998dbb1219c7260ee5d33c62cc8320fb321091cf108febcca8f001d7e993a20254e3c7167d9b98e842202124a8b36fd20b7e3ea9fa

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            439b5e04ca18c7fb02cf406e6eb24167

                            SHA1

                            e0c5bb6216903934726e3570b7d63295b9d28987

                            SHA256

                            247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

                            SHA512

                            d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            a8e767fd33edd97d306efb6905f93252

                            SHA1

                            a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

                            SHA256

                            c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

                            SHA512

                            07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                            Filesize

                            176B

                            MD5

                            4b0fdb42df7710656db54c391246153d

                            SHA1

                            76448462cca39b432c314f680ebb330258a28749

                            SHA256

                            72b128de5bd06d50af02c4113956687082280bd564ff6b5517e4bc466ae5d526

                            SHA512

                            f5681e8c75062df44e985069f51ebaf7f0cf0e10427b5dc4800e1c8af1d401816cc9bafad6157afcea9c85bf347540211332c273573c706632c290cbf90de067

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            ce372b4115985b6521478401e3d09d5d

                            SHA1

                            a2b3525d75d2992466d5bab2938c592505981507

                            SHA256

                            bdfa04c7ccf452253b5b013c4fcdeff723b1f04eed02d03fa5d16c8ac784d6ff

                            SHA512

                            05e8a0742b31e76e70719918a5890009c439d610b5c61532a8b2f477d15844c9c74d3c9e52f6823a89ecd1928b872f3cdf35c46d6a172cd74cfd1938a1e958a3

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            570d13a2fb7d3f5bf3efd57b35fa1404

                            SHA1

                            a51748fd5805ccb53db0ec694eab9286fe5c7768

                            SHA256

                            1babce70d49c3adbb4aaef0f10406988898ded3f300bfc32aed05838bf10ce98

                            SHA512

                            bf7f52c7aa83abcee7d1e7cf162b8b3834c10b774b3c81e18d40cc285de1262c3a5ea1a81ce717f45fb84be48f71927e57591ecccf2d1ad79e48b55d8c938f2e

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            46295cac801e5d4857d09837238a6394

                            SHA1

                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                            SHA256

                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                            SHA512

                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            206702161f94c5cd39fadd03f4014d98

                            SHA1

                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                            SHA256

                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                            SHA512

                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            11KB

                            MD5

                            c046b874fcb41e8e7df63f500aa6d0e7

                            SHA1

                            44e02e50fe31a4215184efc2afd2776ba2acb3f9

                            SHA256

                            1f8cb032d378f6fcb880cbda39d619a58f0bd9bea149e5f98c110fc0eac9cee8

                            SHA512

                            d6e262f6f410f468c6753bbb242de6bff8facc5d5aaabacbadbe6928c0657c5caec3417691954a4cae353a2f4574a4e8be1d4e67046fc1aaf50eba473d4b2e26

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.CashRansomware
                            Filesize

                            8KB

                            MD5

                            70018c832a9c549b02bcb58f55bb9673

                            SHA1

                            93c5aa4a7aba32d72b2c0388424cbd9d1a789127

                            SHA256

                            8cfcfbac776ad087aa43d653261116360a3f89a1bc38b88730db4bf273bc4f40

                            SHA512

                            44e1fbc2edf86e81fef4488525cb8852fdcef52e964764787605779cbeec2e1b598089574c23158535caad7c47082c9f39c33106e90defc3e2a5df51251b0935

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.CashRansomware
                            Filesize

                            36KB

                            MD5

                            7b77ba51676ed5f03f7291d6badd38a8

                            SHA1

                            51e6ec74fabd780924e75436c889fde8ef557f0e

                            SHA256

                            90a386126472fa1ec4a6e402d9089f84fc7d82abdb91cbdb3c7567de787ffbf1

                            SHA512

                            5b44809a3211a897d7c15f2629f62980781dbd08efcda6e6f9793e86e9ba1f883d9d9f7dbbee824d536b786b509dd4edb17daa1cc94809b18c002fdffd5a33e9

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.CashRansomware
                            Filesize

                            36KB

                            MD5

                            e50759c34cae0de814b72dc8dda87990

                            SHA1

                            98f1dcf1fdd75f3b126df041467cf6011cb27072

                            SHA256

                            b50d008d75655b8491edc80d35c184e2282544c2c429046a29aea058a8587ec1

                            SHA512

                            87540a1ce0d3bb1b6bcd872be53abd6b1128f3e0944339031abb37ea611adfa8257834de7b5e733237d1d5102bee6db3ad0c827d69bb7657363f19f0454a43dd

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{5ad19b1b-600e-4a94-9f1d-df48f742e3e2}\0.1.filtertrie.intermediate.txt.CashRansomware
                            Filesize

                            16B

                            MD5

                            aeb0b33c9f1eaf7ec04a744e50fa9014

                            SHA1

                            2cbc8ce8cde353fc3bf111dd18aaf4bbaf782937

                            SHA256

                            b19509cc05175c1b289aee51d691c5487f5f335eb22921c8bceb790a0e7dd1c0

                            SHA512

                            e03d827c12065c1838572fd845b856493ee0e41d0b3eb902d308109407eabc517dab357d813c9568a16d0913ca9205ce2cf42823c27d30ecbdab34efe54e917c

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{5ad19b1b-600e-4a94-9f1d-df48f742e3e2}\0.2.filtertrie.intermediate.txt.CashRansomware
                            Filesize

                            16B

                            MD5

                            02889d2ffed99ea3acba1b887938d0ee

                            SHA1

                            89f1cb16f18256e6f2cf37152d023919dac01329

                            SHA256

                            edc62cfa5e81454c72a0e44f9a722c01f461da0cb3716ce56f9fd0258c2b55b9

                            SHA512

                            bdf543959b4aabecd9658e8ed89d42788d5b335291a86c404fdcd0635e539cc61a39fc310999644dc72cf3ebea22c456d119f15992382ded00bfa85d69fa2ade

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596439083295209.txt.CashRansomware
                            Filesize

                            77KB

                            MD5

                            cfbd18d6232adeec539d2002d3d74d8f

                            SHA1

                            3dc85d3d87fba495085eb3274275e18f9b6ea671

                            SHA256

                            b3eda24beb787509788d4c8de9dcbc693352f86ebb799266992dd847cdf4df93

                            SHA512

                            d2ed13ab483f8b79ab0179bcc5105d33e28987dc4247cde6b01ec66e6fe74c2c4d378c27470949f4768ba9aede59ac983ac2ffc368f63354b39117398a0e740b

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596440479376967.txt.CashRansomware
                            Filesize

                            47KB

                            MD5

                            8cdf43b70d662abeef0b1a382b7e7bd9

                            SHA1

                            51241557d254de192d885b46c8fce9ba25a009c8

                            SHA256

                            98217bac8b0e5e5646552650df3cf68bcf47e2ac1d79707e56a468cdae3efc96

                            SHA512

                            c7d54c869dd35a6ea6b87099e8b2b24313908f9f505bcb7ea1544eeb8900e714ee0aa01516f352fc2b0b1c358321f656c3bb6282f0eea6563b9009c43a4c4788

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596447864304096.txt.CashRansomware
                            Filesize

                            66KB

                            MD5

                            1e595ff3161544529ec331c0eb43f7ce

                            SHA1

                            0e19cbc443cb017869d3ebe1b6189fc6c24c8bf3

                            SHA256

                            f5a7aeb358dd25d057e5725540410b5ba096728b848d410c0d0a8e7a4baefd4f

                            SHA512

                            c638ce8af015807297723e52c05ee8086ada23f8f3b671871e74e479377afb8f8bc7b440c96442a085663b9e6406b536c5ac82c572b1a53ada5d3838e1ca7ad8

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596458396484730.txt.CashRansomware
                            Filesize

                            75KB

                            MD5

                            471d6663febd7f7470ba6059028004e2

                            SHA1

                            e518b8a7b1e897c4a336b9eb2c0c07fe0306fc85

                            SHA256

                            20fafeb8db61c5e4dbf0a3f674b9cf66c89c4847dba4d4331e7b665bbf1c3ca6

                            SHA512

                            0e88b36d95eaf5d6e90d559be40f90596925c9f9bef93d0346050455797069690d99586a0d8cd9205e19243d35635ab0e5209b64f443319b02ed3d4d082aa0be

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\wctEED4.tmp.CashRansomware
                            Filesize

                            63KB

                            MD5

                            105f92be2a4f7d3dee43681b72569113

                            SHA1

                            90741c150d87e0ceec592cdd414900635cef23f1

                            SHA256

                            26affe4b650e4d15cbb1bac8ff8158833402296b4716116ddb3ab039982c5ab2

                            SHA512

                            7a543842a99a156f6ed0f560de436f3cab6abaaae5617d4d30e6742fa77c3d335677d91732cd1d1366017b4e30af1f28883228a5f41d27d6c8f04f16d7f36643

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware
                            Filesize

                            48KB

                            MD5

                            45e68106c5f964e7c242499e485aa0b3

                            SHA1

                            b1fce0c9db643c1614c15b935edc3d67ac5e650d

                            SHA256

                            2d5d0b16b73782850d63d079b056e5500b950c58d4fbf35a0d756e8b587cd751

                            SHA512

                            f7fa362484f85301b05739b9cca78c0869e72c53c7d24e8892d1c3a2571490cb4d795891377e33f2e6d4631cb14d6c9191dc2e98af4f9194d8a144809cf4eb4b

                            Download Submit

                          • C:\Users\Admin\Desktop\Cash Ransomware.html
                            Filesize

                            9KB

                            MD5

                            b38d3abcc3a30f095eaecfdd9f62e033

                            SHA1

                            f9960cb04896c229fdf6438efa51b4afd98f526f

                            SHA256

                            579374af17d7b9f972e9efcb761e0a8f88ef6d44dce53d56d0512d16c4728b9d

                            SHA512

                            46968c3951daa569dfecf75ba95a6694d525cbbd1883070189896ab270bb561cb2d00d7d38168405da1f78695f95cc481d28bcbff74be53d9a89822a09595768

                            Download Submit

                          • memory/4072-1741-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4072-1683-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4072-0-0x00007FFF67033000-0x00007FFF67035000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/4072-1682-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4072-1681-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4072-1736-0x00007FFF67033000-0x00007FFF67035000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/4072-2-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4072-1685-0x000002063F610000-0x000002063FB38000-memory.dmp

                            Filesize

                            5.2MB

                            Download

                          • memory/4072-1684-0x000002063EF10000-0x000002063F0D2000-memory.dmp

                            Filesize

                            1.8MB

                            Download

                          • memory/4072-1756-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4072-1757-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4072-1758-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4072-1-0x000002061DAB0000-0x000002061DD54000-memory.dmp

                            Filesize

                            2.6MB

                            Download