zgrat | 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
Size

2.7MB
MD5

69cc2e20ea7a51666b8c14be90441073
SHA1

6a3c7d3267c5c2a679f5f41dff36c091dccfb337
SHA256

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24
SHA512

de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a
SSDEEP

49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr

Score

10^/10

zgrat ransomware rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/3728-1-0x000001D655C80000-0x000001D655F2E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/3728-1-0x000001D655C80000-0x000001D655F2E000-memory.dmp	net_reactor

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	icanhazip.com
27	ip-api.com
22	api.ipify.org
23	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cash.img"	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcor.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
File opened for modification	C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.CashRansomware	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4168	msedge.exe
4168	msedge.exe
1588	msedge.exe
1588	msedge.exe
3560	identity_helper.exe
3560	identity_helper.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3728	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
Token: SeBackupPrivilege	4960	vssvc.exe
Token: SeRestorePrivilege	4960	vssvc.exe
Token: SeAuditPrivilege	4960	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 1588	3728	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe	92
PID 3728 wrote to memory of 1588	3728	958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe	92
PID 1588 wrote to memory of 3924	1588	msedge.exe	93
PID 1588 wrote to memory of 3924	1588	msedge.exe	93
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 3000	1588	msedge.exe	94
PID 1588 wrote to memory of 4168	1588	msedge.exe	95
PID 1588 wrote to memory of 4168	1588	msedge.exe	95
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96
PID 1588 wrote to memory of 3472	1588	msedge.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe
"C:\Users\Admin\AppData\Local\Temp\958CCD8E8DCCE5E7BAC5F891E8EDC42AD6C5497D9385C8AE26C328C5F7BEDA24.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Cash Ransomware.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc29c46f8,0x7fffc29c4708,0x7fffc29c4718
    3⤵
    PID:3924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8414855596562610119,14817603193690614742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:3000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,8414855596562610119,14817603193690614742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,8414855596562610119,14817603193690614742,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
    3⤵
    PID:3472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8414855596562610119,14817603193690614742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:3596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8414855596562610119,14817603193690614742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:4888
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8414855596562610119,14817603193690614742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 /prefetch:8
    3⤵
    PID:1436
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8414855596562610119,14817603193690614742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8414855596562610119,14817603193690614742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    3⤵
    PID:4920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8414855596562610119,14817603193690614742,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
    3⤵
    PID:1776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8414855596562610119,14817603193690614742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:1496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8414855596562610119,14817603193690614742,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:4076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8414855596562610119,14817603193690614742,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata.CashRansomware

Filesize
16B

MD5
f93c87386c65cd2e8571066a5a92fca6

SHA1
4220e1c8f2f145b803b31aed8fd6d85345b2a5d2

SHA256
d631fb907f41d5e991460a02759be301d66c0587e9c7891e4d901f1a527c1afb

SHA512
51fb53b87c50516d09bce2345410b3b0edccba6a8995a707a899e86c357b9532b88bdf11fd26750634a19e169eb30b0ea2a0c64d6d35d9881e49e6fd08148962

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.CashRansomware

Filesize
32B

MD5
efe0f1457067e9b1b85e690d901c4450

SHA1
748f84c9a6e2e9fd51629c47dae69eb8f25c428a

SHA256
a57a649cb6fdd6f424aaa08571ab53d3356906be2a84c571a27902e91dee1fa5

SHA512
969b9c9e54fd3800e67f926df181f050c06b558914de57772e131a8fdff42df0315a5810343361a0f77031f842faec202b72a613fe07d5a7df1e23e3e337f6f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.CashRansomware

Filesize
48B

MD5
deb7d86d2ad29853282a7590e45c4e28

SHA1
d950341ac8d16eeda9cbe03170c805bc68d3e6aa

SHA256
f22bf099970ea84ca2a276973c3ad0eb25cbeaef45e0996d58e9e4f88aff8e88

SHA512
7a98ecbffceb617db46eb46ac80f86487b5b395ba19cfb7269fdd07592af8a4a55d5ca70435f8c4648effde7e509da8d1c5697e45c44a0a6f236f4141f6872dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2.CashRansomware

Filesize
8KB

MD5
2d95799b402cedb48e8ef83357ad2519

SHA1
7ca352c2b99b846c1bde1feaf5793e75a5014dea

SHA256
53df488fb1d15a8159450e50cbbbfdef5b73e69a8aa2f38cee0a3fb40ca4956e

SHA512
c2b876584fb318e993f51d1875e2fca15c83d27f3219c57f9aebcd52a2cda0b08bdf1ae80ab45f1c853d494f0b3a20a761a3c8599585c78af48990f8f9d5691c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0.CashRansomware

Filesize
8KB

MD5
ce2335476848872506cd67807be91d9c

SHA1
94bdc76a7aa14e69f5088ca4feb61b0934e0e851

SHA256
ff0a6a1fd12e4a5ba12c5861989b37fd057103062f80090ff410186c2bddfdb9

SHA512
76df6cea77699d267a5abff54e2afcc214e36233a464e5b1a9df184418acc3f48029484807d4401be45dc403d46e31fa7bbd43e6c11a54b7b5caf59b7c0a4634

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.CashRansomware

Filesize
264KB

MD5
922832dd69bccb1d4ad3d845acae66e8

SHA1
8e3841b9ec43697aac50c843c4d39b2081dead8c

SHA256
1539b3ab4ba21b86060173c78146911c5417b294ae38a06cf3966a0308df6606

SHA512
d802d6dddf4b09f292dbf5371b1fe4c3c82690bab408475769c64efdb6e0a8604c77f0cfe5189dce05b7b7fb2e315738d8fbab70aa69136245d3f829c8b5e960

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3.CashRansomware

Filesize
8KB

MD5
2db796a3e6af39af6b1e0c49f4caf672

SHA1
a4769cd30a7931ffba6036b4255d2fd8fd289380

SHA256
532d57bc6855e46c685751bf78adefccc01d16dfa978a0a711a19015d36426ae

SHA512
6f8966806e39a6f8870d3f3075e992b85075ccbd137fdbc56dade4624533ace2055c752b57168d13f982d580c5d96dacd3e05fdc4364d42706ef0acd459a929c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
176B

MD5
4b0fdb42df7710656db54c391246153d

SHA1
76448462cca39b432c314f680ebb330258a28749

SHA256
72b128de5bd06d50af02c4113956687082280bd564ff6b5517e4bc466ae5d526

SHA512
f5681e8c75062df44e985069f51ebaf7f0cf0e10427b5dc4800e1c8af1d401816cc9bafad6157afcea9c85bf347540211332c273573c706632c290cbf90de067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1f2c9e92b768b69ca7120a56a2046e1c

SHA1
5165986ac599749f4733596db42db7270595d079

SHA256
80cb3ee679276149ac55583589fcaa2236eeeb28cb76f2284658c1bb650b0431

SHA512
b3d4834aee0a04f260a8e07fb6233cc799cb04f00d9082396daa18195ea8308355adc269c20791e9be08e388bb299300f6bee42d6b33452b92476d7a2f26708a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8df6c125a05cec5312bbed8f6edce2e7

SHA1
5fa0ce5a3b8a57ade8bb5eb43c59a1cb4b562415

SHA256
bc395a7fea2f49740bf92a400b7be71b2962a16e90dbbed8f8ecb65f49387ae3

SHA512
b62ae45f75b95dbf13995673cb330110a8de00e7f8eca198ae9ea0447b1e5a93a9a2b0d177fa50a21b55cd1a29beaeeffcbdf3f1d3dd5ed66359620d81d973fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5f586710e8fc98960f1c2e79795226a6

SHA1
c0e72320ed0c676a5497bbcdc863f43f377d0d0c

SHA256
e58c8ccfe2220dae497ccafea7e15d173134de3f19ce0feed72a5f28a4f5503c

SHA512
ce20f61662df99987e95a6503e4703928948f12a608d8669d5c09730f55c5d52a77f4f7d421669122776395bd183bd83326ab5bfd3cb30e86ff5779b24b2ed32

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.CashRansomware

Filesize
8KB

MD5
bee61a8006cfc5a2ccfe5868a0d908b9

SHA1
81d4dbd0573022cb0ac15a03adcb00ccec4a87bf

SHA256
002356b323cb01c996a2146bc207acffc98ccd244ae264ef92b864571d6e06f0

SHA512
a9c9f1e23b1aa2ffd1fa1bdde6d523453d58d788b5581c1ea833b92a44f7b7ac1b2ab2025dd51a205c1e2d73b8564bbb57e6f86c76684d045a0916f5629b493c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.CashRansomware

Filesize
36KB

MD5
51368d5bf3577fe4407debbba682db0d

SHA1
7656637b8ed9434b6e9e602e4a79128bf660ed20

SHA256
4da47eda4f572c71072e1165776d9a50ab033719ca9fd623f41c2253246779f4

SHA512
17621d815a3b11de106f9101712961301a55a7a49bd80e4841618ec8dd803d623c112e5ba8a316120e070dacad8483c257a8568d4c37826f59a977511800de7c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.CashRansomware

Filesize
36KB

MD5
dcc649c948973e5a5d5d55d5466bdafb

SHA1
bdc1f91da7ea80711b0d4df292ed9be806c6d934

SHA256
5f7b270d88a594638430caa1cf2dfc5d1f28c7a7214de0d6e967be75bfd62bf4

SHA512
1552010ae53075712b8b717af9c3fedcff487569dda22ec467379defac128251b8674992ac7054afc997b18fa5717d01c79a5a6b67fdc5fbd5449360ec1611bf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f9cb7ceb-dbf3-46fc-8f32-f243eebcb148}\0.1.filtertrie.intermediate.txt.CashRansomware

Filesize
16B

MD5
9086be2f660f42951d53eeee83847f0e

SHA1
e3c235782ce28965a7a00191bf5382c8a469755f

SHA256
0f3d9db4ef1a536576332c6dc7cdd5bd42d4fd55d11a09f5c6b0f4c17197ca0a

SHA512
ac7fe309f549164dac65fe12921b66a7543fcc9f40c1e6b18b380e9947fe46a783dc25156014f029eecb0d2be510c55608850792a340c847eb7da5f2379a7051

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f9cb7ceb-dbf3-46fc-8f32-f243eebcb148}\0.2.filtertrie.intermediate.txt.CashRansomware

Filesize
16B

MD5
8097feaf7d47a3b63e42083adb24a826

SHA1
7a0159859434fe17cd7e86a3e04166a3bcf25b35

SHA256
efdb4a5519771a995f03804de75d7308e4de92734166cd426d91f7b018147246

SHA512
7a09728ad1c6b12a7c59c8e29474ed17fec36009da20544adc306aea0db95415cc1f36a40e801613d230511009c197088cc40b0e587f82c32fb92a3652a3ed39

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596379517070185.txt.CashRansomware

Filesize
77KB

MD5
dbc69ee1f65149f8fcbf5eca6c9a639d

SHA1
e54e75ceec5c090056043553fedae51c240e1b17

SHA256
06a1daf7241d5bffa50ef4ff2d9361a8e19436ae18fb1a16a0a3d72ec262918d

SHA512
36556a4a6ffee6a44839a2d2690bc94e1f611f5c00806c9e0914d6189d7a5f3dab4b32ed50a3e306bf8310ee129d83ac45bebda7307c132342774031890b837d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596380552933791.txt.CashRansomware

Filesize
47KB

MD5
86e8fc9da6f2fb66c75cbd8c0a07b4fb

SHA1
716b9aa75f0f96e614ee09a8e2b548253dcfcbc6

SHA256
19ce6f1b2a0faeebdb1222611410aceb4f02d4c4e69eb1303738e89194839153

SHA512
39472eb39128c3c255ac55c14f5636b21bae0b190eab2415a60a97e3d5dab7620c7f28a4f8259a7b0d73245a070bee035dca893f5136d7b2eb5c1d199ca5e334

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596387720650447.txt.CashRansomware

Filesize
66KB

MD5
d4717148a186f14dfcfe0435c706555a

SHA1
d9e54f6f90cad8b0b3decdb2bb32244fdb018679

SHA256
e73858ceb5a21ceedea332f3f0992f4fe70bd5ae36d73885cc75c7ff279b199f

SHA512
86e8e36886510e25f96d4754b1b52bea8c89cd6c5379486f8d6b4c3f1aeec0e69d98d8fb78aba471026c7e39ceca7cfe82934bc5a4ee3ef48ad45b51c7f55e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctB258.tmp.CashRansomware

Filesize
63KB

MD5
f9c781023a1f5150b3ae91897802bc2b

SHA1
dd823cc248c5dc71ca4628cccebf8c3c96462a64

SHA256
7ab238a660d96b61cea5f9114c88993d11fd3931ad1a3751bac7a8608a70bc90

SHA512
1c65e5a775068fd42a6947e31a836b61bf4287287defc252ae1515c43eb36319071bc566b8d53e62037503f2f92f5070720e8033eada3991024b89529091c303

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware

Filesize
48KB

MD5
14a2711725799185118d8052c5f54f20

SHA1
5da26ad9bd293e1b0564fc508c36467d73a577d9

SHA256
12b27f09fc068701432525712a0014817c4f6a2bb76ae4c6f808edd943a01635

SHA512
8a3c55ac90fed7805a6533d46aa1daabc4fe5ea9bf6ce4bb0a70e7db56047acf130cd467e7e47bd1bd1f4dd968a60cbe56e264875ebc96bd75a1077239a4c917

Download Submit
C:\Users\Admin\Desktop\Cash Ransomware.html

Filesize
9KB

MD5
b38d3abcc3a30f095eaecfdd9f62e033

SHA1
f9960cb04896c229fdf6438efa51b4afd98f526f

SHA256
579374af17d7b9f972e9efcb761e0a8f88ef6d44dce53d56d0512d16c4728b9d

SHA512
46968c3951daa569dfecf75ba95a6694d525cbbd1883070189896ab270bb561cb2d00d7d38168405da1f78695f95cc481d28bcbff74be53d9a89822a09595768

Download Submit
memory/3728-1718-0x000001D676EF0000-0x000001D6770B2000-memory.dmp

Filesize
1.8MB

Download
memory/3728-0-0x00007FFFC7ED3000-0x00007FFFC7ED5000-memory.dmp

Filesize
8KB

Download
memory/3728-1-0x000001D655C80000-0x000001D655F2E000-memory.dmp

Filesize
2.7MB

Download
memory/3728-1719-0x000001D6775F0000-0x000001D677B18000-memory.dmp

Filesize
5.2MB

Download
memory/3728-1750-0x00007FFFC7ED3000-0x00007FFFC7ED5000-memory.dmp

Filesize
8KB

Download
memory/3728-1751-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp

Filesize
10.8MB

Download
memory/3728-1717-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp

Filesize
10.8MB

Download
memory/3728-1716-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp

Filesize
10.8MB

Download
memory/3728-1715-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp

Filesize
10.8MB

Download
memory/3728-1780-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp

Filesize
10.8MB

Download
memory/3728-1781-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp

Filesize
10.8MB

Download
memory/3728-2-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp

Filesize
10.8MB

Download