Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-05-2024 07:04
Behavioral task: behavioral1
- Sample: 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
- Resource: win10v2004-20240508-en
General
- Target: 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
- Size: 2.7MB
- MD5: 69cc2e20ea7a51666b8c14be90441073
- SHA1: 6a3c7d3267c5c2a679f5f41dff36c091dccfb337
- SHA256: 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24
- SHA512: de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a
- SSDEEP: 49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr
Malware Config
Signatures
- Detect ZGRat V1 (1 IoC)
  Processes:
  - resource: behavioral2/memory/2852-1-0x000001E982BA0000-0x000001E982E4E000-memory.dmp; yara_rule: family_zgrat_v1
- .NET Reactor protector (1 IoC)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  Processes:
  - resource: behavioral2/memory/2852-1-0x000001E982BA0000-0x000001E982E4E000-memory.dmp; yara_rule: net_reactor
- Drops startup file (3 IoCs)
  Processes: 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.CashRansomware
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 8: ip-api.com
  - flow 4: api.ipify.org
  - flow 5: api.ipify.org
  - flow 6: icanhazip.com
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cash.img"
- Drops file in Program Files directory (64 IoCs)
  Processes: 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
  All 64 entries are "File opened for modification" by that process; the paths are:
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.CashRansomware
  - C:\Program Files\Common Files\System\msadc\msadcor.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.CashRansomware
  - C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.CashRansomware
  - C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.CashRansomware
  - C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.CashRansomware
  - C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.CashRansomware
  - C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.CashRansomware
  - C:\Program Files\Common Files\System\ado\msadox.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.CashRansomware
  - C:\Program Files\Common Files\System\msadc\msdaprsr.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.CashRansomware
  - C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.CashRansomware
  - C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.CashRansomware
  - C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.CashRansomware
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid, process):
  - 412 msedge.exe (2 entries)
  - 5048 msedge.exe (2 entries)
  - 4792 identity_helper.exe (2 entries)
  - 4788 msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes (pid, process):
  - 5048 msedge.exe (6 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 2852, 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
  - Token: SeBackupPrivilege, 4480, vssvc.exe
  - Token: SeRestorePrivilege, 4480, vssvc.exe
  - Token: SeAuditPrivilege, 4480, vssvc.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes (pid, process):
  - 5048 msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes (pid, process):
  - 5048 msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid -> target pid, source process -> target process); the table records 64 write events in total, with the 5048 -> 5072 and 5048 -> 640 pairs making up the bulk of the repeated entries:
  - 2852 -> 5048: 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe -> msedge.exe (2 entries)
  - 5048 -> 2124: msedge.exe -> msedge.exe (2 entries)
  - 5048 -> 5072: msedge.exe -> msedge.exe (repeated)
  - 5048 -> 412: msedge.exe -> msedge.exe (2 entries)
  - 5048 -> 640: msedge.exe -> msedge.exe (repeated)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe (PID 2852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"
  Signatures:
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5048)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Cash Ransomware.html
    Signatures:
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2124)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe44046f8,0x7fffe4404708,0x7fffe4404718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5072)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 412)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 640)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3064)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2420)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3988)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4792)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4576)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3052)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5056)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2220)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4788)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3120 /prefetch:2
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 4480)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe (PID 1640)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1620)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
16B
MD53049e3719b60adf7be48a6f45eb39bbe
SHA16d9c26ca129f7325b3864081711703c78145d0e1
SHA256b23bbecaa0434a89f04e70530589db46cb49e8f116aa6417f55c5e842c13a61c
SHA512e0c0e4501f5623c94295f9d52c02b80a46f264c2e4f01c5e7d39fc08ebe1eafb77533565cd575a088354c342b2ebb0a9ed9774db3a4d0b7e9a7ebb7c7f12aee3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.CashRansomware
Filesize32B
MD516443bcc6282d86eab119b6a0e004238
SHA142331363d43e1efda44c6322b9f0027e408cde2e
SHA256107af933217173745655e2488f05f82bbc17ca57e76c0b6904de8fdd041ea57c
SHA5124e642b892fa8a03ffcb6f83d531511b4918a7e8db234b8661aa6477b5d886bfdce9832355a8e6f087fc574e9dcfb7868fdfb3cc61fde2e683721ae19fa643e4c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.CashRansomware
Filesize48B
MD58f77a8ef829e5e9fe1d45e9fe29724ab
SHA1dac5454094c04e5448001c71f5d7397a7c5d4094
SHA256b027d02d1201fdd6119d4bd34a4834f65c9e9c3b0de37cc3a9706c5a0218793c
SHA512f86b8dd72eb871b6708294182ea7f1a49724aaf66740fac369e28e6c57290a94f9b5bc04f52fa469a5108ac731cd9130cbf2e64f3bfb9e699200daec59c64736
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2.CashRansomware
Filesize
8KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.CashRansomware
Filesize
8KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.CashRansomware
Filesize
36KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.CashRansomware
Filesize
36KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{4f7bbdca-2df1-4113-a6c2-26f2463e08c2}\0.1.filtertrie.intermediate.txt.CashRansomware
Filesize
16B
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{4f7bbdca-2df1-4113-a6c2-26f2463e08c2}\0.2.filtertrie.intermediate.txt.CashRansomware
Filesize
16B
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596439082960180.txt.CashRansomware
Filesize
77KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596440369039129.txt.CashRansomware
Filesize
47KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596447416703473.txt.CashRansomware
Filesize
66KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596486474790747.txt.CashRansomware
Filesize
75KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware
Filesize
48KB
-