zgrat | 12dcefaf7cb33b93666d904438d7e6de7d71618230f225c8a7ab37096857ae48

Resubmissions

14-05-2024 07:02

240514-ht24eaeh43 10

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
Size

2.7MB
MD5

69cc2e20ea7a51666b8c14be90441073
SHA1

6a3c7d3267c5c2a679f5f41dff36c091dccfb337
SHA256

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24
SHA512

de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a
SSDEEP

49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr

Score

10^/10

zgrat ransomware rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/528-1-0x0000020C585C0000-0x0000020C5886E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/528-1-0x0000020C585C0000-0x0000020C5886E000-memory.dmp	net_reactor

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	icanhazip.com
25	ip-api.com
20	api.ipify.org
21	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cash.img"	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadce.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado21.tlb.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador28.tlb.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msader15.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaremr.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1812	msedge.exe
1812	msedge.exe
3356	msedge.exe
3356	msedge.exe
5080	identity_helper.exe
5080	identity_helper.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	528	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
Token: SeBackupPrivilege	1328	vssvc.exe
Token: SeRestorePrivilege	1328	vssvc.exe
Token: SeAuditPrivilege	1328	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 3356	528	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe	97
PID 528 wrote to memory of 3356	528	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe	97
PID 3356 wrote to memory of 2356	3356	msedge.exe	98
PID 3356 wrote to memory of 2356	3356	msedge.exe	98
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 2300	3356	msedge.exe	99
PID 3356 wrote to memory of 1812	3356	msedge.exe	100
PID 3356 wrote to memory of 1812	3356	msedge.exe	100
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101
PID 3356 wrote to memory of 4512	3356	msedge.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
"C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Cash Ransomware.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd35246f8,0x7ffcd3524708,0x7ffcd3524718
    3⤵
    PID:2356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,18107880709516020108,2974693036832868772,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:2300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,18107880709516020108,2974693036832868772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,18107880709516020108,2974693036832868772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
    3⤵
    PID:4512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18107880709516020108,2974693036832868772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:2216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18107880709516020108,2974693036832868772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:4772
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,18107880709516020108,2974693036832868772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
    3⤵
    PID:392
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,18107880709516020108,2974693036832868772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18107880709516020108,2974693036832868772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
    3⤵
    PID:276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18107880709516020108,2974693036832868772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
    3⤵
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18107880709516020108,2974693036832868772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
    3⤵
    PID:2216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18107880709516020108,2974693036832868772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
    3⤵
    PID:788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,18107880709516020108,2974693036832868772,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5700 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata.CashRansomware

Filesize
16B

MD5
3a3b3a904a9006fdeb84e37a9441ec2b

SHA1
5d84c9b4f507a4d3c52d29322767f12797e43d86

SHA256
83557a837fa8b252bd306dd30eab266c30beeefdd9e15a64b903d5116268851a

SHA512
4bea1af1b58df9acc73858414d816f115fa76d5a643fab1709a347ed7cab00e6dd74e63449a540ccb15befa993e45feeba6cf3ada6a6300919f2046381c32578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.CashRansomware

Filesize
32B

MD5
dabf4782e7d59f595ad527020ed9c24b

SHA1
8029a4201c90ba947dc5dfb7c07cb78c74df850e

SHA256
178c82f9e99ddac94a8253997d498ec443cd05370c38585926c5153c809272dd

SHA512
76d984103a63f244c5633d693bae1311f87c7f800c3ef8afb4ed15c5a6abacfee798bc3eec9b28e1af59c6090b4e473c51441f6b8e864650ce26911825172dbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.CashRansomware

Filesize
48B

MD5
3da5fd3f20f3be970fd78e1a70f7d41f

SHA1
fa4cdb8720db7d2077d95f86d5fbedce9bf245f3

SHA256
d1ce6d39f54cf511365d5c1c26b965f4701d6f5376800d371e42fe072246ebd5

SHA512
7ec5cfb2410e69e97fc18346577c6d1eb887d504b990bd8a9328853894ad0192cfdd9fc75fce0ca950a6c7b8f09392f87f2ff327b3ee3132ee72d8f2cb222cf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index.CashRansomware

Filesize
32B

MD5
f8e8a554251fc35bd30fb1807a34cab8

SHA1
5e8a818266ec3ab586825effd0d47c5a9f005bdd

SHA256
bb1d693e1852ec608852cf79cd1fd6434cb18a948e1306a4afeef76f82f193d2

SHA512
07aa5cd341831cce66c18627b42e43d73d81fae8e940b2064d55f8b7866f9f8d0b658d96deaf93db503b8c9b6bd2b3cd7eb8f79d24a759b49176217af2390ccc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2.CashRansomware

Filesize
8KB

MD5
d31c4e0e79ee2a54452fc3f9e4a3ed33

SHA1
dca904d6c7907ab80355a3a0c07213656b09a5b5

SHA256
c8b0a07cb973dbf2ff2bbd9186adf335c3aeb4a2835f1b600fd56c0eb294e15e

SHA512
db813d06c870953ed8575a84a39d92a42063cc20f752367f23df8593d3553a25a2ba2ec790242c5e13dee53a3a3f67c259ca0fb58f19c289edface7933938d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0.CashRansomware

Filesize
8KB

MD5
df8eb38ebda20f600d3e8b693bca4823

SHA1
ecb3d6c67306c8a2e4c2c0c3675c16a43d87314d

SHA256
dc39bec2c376f043f5560ca8e33f81296723259e3ce6ee5b360b838d9010006d

SHA512
0882f97edb14b058ea245602c8c45fe1536aa3800790e6759d8fed0f89dfff1db8fd4801da53aec8ee35e310d58f4f6e4b12191dbb6118b29bba566193d18c14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.CashRansomware

Filesize
264KB

MD5
8c5e0b77b054a072c67dc3aa04e88d0d

SHA1
62f48026eda54cc6b796fe513cca0ed5a0bc8ecc

SHA256
c652f67db5722aeb55c5de247448c1579eb526f17cb430af8fa22eed5dbbdfb1

SHA512
bcef59a5497bdb3e1ef3a72f77cfdcbc6c4877dfcf63618b21b2a5fcf2d8358c9c8dec532f44ce6941e1924bd43e108bfde26f003cb06e1ff63fa8eb47f2fc97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3.CashRansomware

Filesize
8KB

MD5
9cd22e6e1904e76ddba10e18a9801bf3

SHA1
8a3545b9bd9b96a34f5be37efd14b0d7fc1d3bff

SHA256
83851d339f0e8260f98973cdcc98087456e5c8f5b2d2a27cfc85640fb1a5af29

SHA512
c6706c840566c16adfb8eea59df0d5db56fe723beb06d420e669ef4eb0a4625e184142a7aeedc0f8ce154e8a6c0a5d2692609b8c1540b4efe549e89f182bcc22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
176B

MD5
4b0fdb42df7710656db54c391246153d

SHA1
76448462cca39b432c314f680ebb330258a28749

SHA256
72b128de5bd06d50af02c4113956687082280bd564ff6b5517e4bc466ae5d526

SHA512
f5681e8c75062df44e985069f51ebaf7f0cf0e10427b5dc4800e1c8af1d401816cc9bafad6157afcea9c85bf347540211332c273573c706632c290cbf90de067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
da387f9361220efafc4230055c31ebf7

SHA1
1285a570fb3c081f52564e4405d12987c9b8f78f

SHA256
d39e2fc606c19af83f45b2795f613a0b4f45959ca22d9eb7d29cab7830f45052

SHA512
f5353a5e05492374023bc59eb7e438b4fe492761ac0876a726196a3d49e410714e1d21e7bb53cb77a0f883f158708bdd595ad55a668af6ea134adb3593c685ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e620e0d10317a41171d0951e0b6bb4cb

SHA1
d66ca1c37f69c1bf8dd2e71b9fe5cd65e8ec92f7

SHA256
d1e263c7fc4aaeec9bb39e386bd09e36df4bd4f0729c5f9fca968b8fd3c02bba

SHA512
cabd1aadefb72de1c2868cf8cbd9d6ebe194092ac09018f52a180c2c41b2e829ba01dad5babd9a1bde0bdbd0e6762338fed020382c43ffb386fe80a843fe71f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5304c94cf8a09f90a400c165be92dec7

SHA1
156b89a57269dbe06303bf59a064c057dc033645

SHA256
ba32d7ca24d516f99c1522f1598f88ad632946e9dad1013b7ed626d073993ca3

SHA512
17b9a546e07d2b72722ed354133a03106b7ff515d6e2371922ce80096c0b1f716bfc5020219ee663a542f22189c80c23edfb337914caa11e47839d650f18ae36

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.CashRansomware

Filesize
8KB

MD5
611e50f5e713cb5dcf5b46441080e9b0

SHA1
e59883edb5edb1a4adc45d3e106793ee6b9c2b60

SHA256
9a1efedd92b36b417f365bd6fc29cc1d0023468095ab55fd1e099452904be1d6

SHA512
66bf1f752d82665fc8c6c74fe62ba03af546085ee556daa6183e927967983f05d2759a860475d97035649e71ecec2ee2b4b1b8962f347acfe618eaf98d55a4fa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.CashRansomware

Filesize
36KB

MD5
359882255a489713afc9554c0562997e

SHA1
79dfaf47aa972a817b113195bd4c3ebbfcd3aacf

SHA256
1cf5322d65f6bc6558e7aa3dec452820fa9edca793bde09460029d59041c2182

SHA512
c0eff04ffb27d2d9b7a058b9da04d1dc5c81985b60b37949182535754cef923e19d8d104532d340927383382ded89e8e88482b8cbcf97c97ab032bc2b45e1171

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.CashRansomware

Filesize
36KB

MD5
3b252d1da3d2fa2ab036ca6daec0b51a

SHA1
e192908b977470811b2fb7986aee052af08195c7

SHA256
f709dad65db78082a2c628aa7736e5a963dbf660955b30c81a8954d61519ab9b

SHA512
8411769e55c5a2b161bd3f66e27e4de64d0a5a456aebb85c0a5c4be446a0d01e80d17bf337ae08146649de0dac698eeb0d7e7a523047c5af86988805ab081731

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a94cf1a9-3515-4dda-8f97-9c6ffb1c23cb}\0.1.filtertrie.intermediate.txt.CashRansomware

Filesize
16B

MD5
db7073fc424d0553c0c712390fbaa8e1

SHA1
7a5891a5b9fa983a7521222cdd48c61b928d2e9d

SHA256
d1c03499b7dcaa13b89a487fb84c761bf2092204866656f7b941550ae157aa62

SHA512
cbdc86f8d37a76c7312dd091da57a6d9ced3a65055fd2544c083a7561dd0c1da42265334543ea58c3ede8a4da7a41f8ab9fb195b77c7693833f9d9e189af741d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a94cf1a9-3515-4dda-8f97-9c6ffb1c23cb}\0.2.filtertrie.intermediate.txt.CashRansomware

Filesize
16B

MD5
8bac39f33728eca91eabfe578a470a6d

SHA1
b70c9c34359b533a497dc6c5eeff85fccb94b852

SHA256
2fa2df55e16ece71ab5f83dfe27da164cbb650e14ce00cc5dc53234bdf1ec8dd

SHA512
5deba6ad64e4e0b7fd5bcba75d83d6f2d32d0dac46c471ee2aee4b0be6ebaf5e61bdc2ee7856de0fd406f8097892399fd0780a183ef53f8ce2efe37596415f82

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086489926428.txt.CashRansomware

Filesize
77KB

MD5
13919890bc81f84eef388ff6ee948fb7

SHA1
3a074ad811afe85b552c2c5e01e7ce8e775a040e

SHA256
406a7da853b27128bb7c04491d2372aaa3dd80241e500c7919070f828f3a303f

SHA512
904155c36a7698ec691b09e68c840e9441bd89096045f4b87c8bdb90802458a9669a5983d28fa742bc41e0c409c590d677384d2e807ccf7d828e79455332ff58

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586091900220172.txt.CashRansomware

Filesize
48KB

MD5
4acda45ccf9f01bc763a69243c8d7223

SHA1
8110a61c0181df313ba194971fd9a6317388d66f

SHA256
e4fdc61479f85415d64b89a1efb666a9b687b208b5f48d203b5c216a11fa94ad

SHA512
a38297daf21565cfd58c7121656f495559fae38a229dc9c2556bf07ba295d87f2a5a83923b7bdc005a95aede345a63c932819e6684ea1020e0df62429d5ed21c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586094759622111.txt.CashRansomware

Filesize
66KB

MD5
87fc5504eda0a2d7fa796ce199d86796

SHA1
3bb63d58e0f0ff81d5f41fa084c9be6c43c48011

SHA256
b362098820c277abdc86c8cb514643ecd3e821a451099f5c95acd5cc3de9f74e

SHA512
6433f7d4136381b03299a41b0b360c94581977176b89e7913492c072cb34dfdf3391ef02f9e47747e1e8938933c979519e097fc2f0f3dc6e87ad0474c24fda51

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctE0BB.tmp.CashRansomware

Filesize
63KB

MD5
25dc4c8148ab9b77dd1458c49786d89c

SHA1
2b54bb7907a8f052abd8e6582a186dd0103e8b02

SHA256
105e1909f1ec5ed8093b9df2d1fb4de8fe3d90ea78d5c9d595d27b62607c43f9

SHA512
e70f3b772594d2e75fe90760084f00c1245f3c722397926e7763160631ac025bfe8380510a83aff3847c5e8e90cbf73a17a846a70ceace3375e72016627e9169

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware

Filesize
48KB

MD5
753e2efd8666f9a7e309ac862b5ceb50

SHA1
5f193be4527dd9fac888d1dbb056b68e99ed0eca

SHA256
fc79a91cd5caafa879a9ea297893a5f19a9983afeff6db55c066cd044db6b003

SHA512
30b569e6d9a8ca1eda5657c5c873820dc9523d462eac8aba2470ae1649db4596af097617c03bcabdc5e1b1de574659e52ec4bdd5036395775cd536fe581070f7

Download Submit
C:\Users\Admin\Desktop\Cash Ransomware.html

Filesize
9KB

MD5
b38d3abcc3a30f095eaecfdd9f62e033

SHA1
f9960cb04896c229fdf6438efa51b4afd98f526f

SHA256
579374af17d7b9f972e9efcb761e0a8f88ef6d44dce53d56d0512d16c4728b9d

SHA512
46968c3951daa569dfecf75ba95a6694d525cbbd1883070189896ab270bb561cb2d00d7d38168405da1f78695f95cc481d28bcbff74be53d9a89822a09595768

Download Submit
memory/528-1753-0x00007FFCD9670000-0x00007FFCDA131000-memory.dmp

Filesize
10.8MB

Download
memory/528-2-0x00007FFCD9670000-0x00007FFCDA131000-memory.dmp

Filesize
10.8MB

Download
memory/528-1754-0x0000020C79A70000-0x0000020C79C32000-memory.dmp

Filesize
1.8MB

Download
memory/528-0-0x00007FFCD9673000-0x00007FFCD9675000-memory.dmp

Filesize
8KB

Download
memory/528-1755-0x0000020C7A170000-0x0000020C7A698000-memory.dmp

Filesize
5.2MB

Download
memory/528-1795-0x00007FFCD9673000-0x00007FFCD9675000-memory.dmp

Filesize
8KB

Download
memory/528-1800-0x00007FFCD9670000-0x00007FFCDA131000-memory.dmp

Filesize
10.8MB

Download
memory/528-1752-0x00007FFCD9670000-0x00007FFCDA131000-memory.dmp

Filesize
10.8MB

Download
memory/528-1751-0x00007FFCD9670000-0x00007FFCDA131000-memory.dmp

Filesize
10.8MB

Download
memory/528-1815-0x00007FFCD9670000-0x00007FFCDA131000-memory.dmp

Filesize
10.8MB

Download
memory/528-1816-0x00007FFCD9670000-0x00007FFCDA131000-memory.dmp

Filesize
10.8MB

Download
memory/528-1817-0x00007FFCD9670000-0x00007FFCDA131000-memory.dmp

Filesize
10.8MB

Download
memory/528-1-0x0000020C585C0000-0x0000020C5886E000-memory.dmp

Filesize
2.7MB

Download