zgrat | 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
Size

2.7MB
MD5

69cc2e20ea7a51666b8c14be90441073
SHA1

6a3c7d3267c5c2a679f5f41dff36c091dccfb337
SHA256

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24
SHA512

de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a
SSDEEP

49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr

Score

10^/10

zgrat ransomware rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2852-1-0x000001E982BA0000-0x000001E982E4E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/2852-1-0x000001E982BA0000-0x000001E982E4E000-memory.dmp	net_reactor

Drops startup file 3 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
4 api.ipify.org
5 api.ipify.org
6 icanhazip.com

flow	ioc
8	ip-api.com
4	api.ipify.org
5	api.ipify.org
6	icanhazip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cash.img"	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Drops file in Program Files directory 64 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcor.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
412	msedge.exe
412	msedge.exe
5048	msedge.exe
5048	msedge.exe
4792	identity_helper.exe
4792	identity_helper.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

5048 msedge.exe
5048 msedge.exe
5048 msedge.exe
5048 msedge.exe
5048 msedge.exe
5048 msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2852	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
Token: SeBackupPrivilege	4480	vssvc.exe
Token: SeRestorePrivilege	4480	vssvc.exe
Token: SeAuditPrivilege	4480	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exemsedge.exe

description	pid	process	target process
PID 2852 wrote to memory of 5048	2852	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe	msedge.exe
PID 2852 wrote to memory of 5048	2852	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe	msedge.exe
PID 5048 wrote to memory of 2124	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2124	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 5072	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 412	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 412	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 640	5048	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
"C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Cash Ransomware.html
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe44046f8,0x7fffe4404708,0x7fffe4404718
3⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
3⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
3⤵
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
3⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
3⤵
PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
3⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
3⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
3⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
3⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
3⤵
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17745374501994056045,9804987038244997992,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3120 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata.CashRansomware
Filesize
16B

MD5
3049e3719b60adf7be48a6f45eb39bbe

SHA1
6d9c26ca129f7325b3864081711703c78145d0e1

SHA256
b23bbecaa0434a89f04e70530589db46cb49e8f116aa6417f55c5e842c13a61c

SHA512
e0c0e4501f5623c94295f9d52c02b80a46f264c2e4f01c5e7d39fc08ebe1eafb77533565cd575a088354c342b2ebb0a9ed9774db3a4d0b7e9a7ebb7c7f12aee3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.CashRansomware
Filesize
32B

MD5
16443bcc6282d86eab119b6a0e004238

SHA1
42331363d43e1efda44c6322b9f0027e408cde2e

SHA256
107af933217173745655e2488f05f82bbc17ca57e76c0b6904de8fdd041ea57c

SHA512
4e642b892fa8a03ffcb6f83d531511b4918a7e8db234b8661aa6477b5d886bfdce9832355a8e6f087fc574e9dcfb7868fdfb3cc61fde2e683721ae19fa643e4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.CashRansomware
Filesize
48B

MD5
8f77a8ef829e5e9fe1d45e9fe29724ab

SHA1
dac5454094c04e5448001c71f5d7397a7c5d4094

SHA256
b027d02d1201fdd6119d4bd34a4834f65c9e9c3b0de37cc3a9706c5a0218793c

SHA512
f86b8dd72eb871b6708294182ea7f1a49724aaf66740fac369e28e6c57290a94f9b5bc04f52fa469a5108ac731cd9130cbf2e64f3bfb9e699200daec59c64736

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2.CashRansomware
Filesize
8KB

MD5
e35a944caeda2249b5a161db08dd80e3

SHA1
4d70b632e2c2aed8f549c8dc7001e301fc9d913e

SHA256
c9313bcf0011b9dd822deb0574b3c5410a14cf294b2dddea4dae771b4903e938

SHA512
a1c6f5eedceba315853f20de401d3b054f9a41c47cf816ea7112197702688d7777de928bca496cb04615cdb580071c2f862756d6f345b731c66be84f64907cfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0.CashRansomware
Filesize
8KB

MD5
c7f13bcefc29b61e4453db10ce87429c

SHA1
2e59c6459a6ff5c75b1611e4058fafff27ca8933

SHA256
687d45ffb3963df7589c1f8c4adee4f609ec110911ac9e5783158012800157f0

SHA512
881debdb35abe06b32fd460f9d85f77c3edde731998c918b8bef601173fa440dbccc665cd6793b0c662aa45ff29eb742b038ed8b932b6b9a5becbfdcfef105e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.CashRansomware
Filesize
264KB

MD5
b9e6945eed1c553b2edc0687ec0483ca

SHA1
c330140646e3b48b90e8e396da939f5211dea095

SHA256
81d30b77cafcbd453fca199429e4da73cfdc87a9e6410d5187bef75d1b5bd8e2

SHA512
9a4e1f08673a9c9ff509ca65dfe52722532a5a75a418e93bb0eeb5a98cc274bc8c2b2703b4902e44153b2079904b0f017d48887683444258a1dc2b83c806dc05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3.CashRansomware
Filesize
8KB

MD5
73958c10eed506558c14c68bee940603

SHA1
ad2d43051cee756970f91a3a3e3d6a8b4cd8e59c

SHA256
e5fde0f070956588173eeb7d7ca5f34b21bd3135d8106541d371f988326205bf

SHA512
d752e2362c95087598dd61875ceda553e1856b797de88aa0e6fbfb4ff12051c1bc4f0974697542462e53e7f38606128b184a1d6a9f4653f7ed89950bb5e32be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
176B

MD5
4b0fdb42df7710656db54c391246153d

SHA1
76448462cca39b432c314f680ebb330258a28749

SHA256
72b128de5bd06d50af02c4113956687082280bd564ff6b5517e4bc466ae5d526

SHA512
f5681e8c75062df44e985069f51ebaf7f0cf0e10427b5dc4800e1c8af1d401816cc9bafad6157afcea9c85bf347540211332c273573c706632c290cbf90de067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3468b9e01f0db7ac1e5295cd383bc0cb

SHA1
17da1e06cb1c4c977546a4166a485e91695a0429

SHA256
2160a718fd30a201e5aa3bc2e31ae0f2ded1487db54add6f4ff7f8135f639b6b

SHA512
d067ca394dcbba5ed493c1b3f48108064b77139d765c8a3b0a85f96d5f356a3a836a8e761d02d491e482f609bd62769b8024583b5e50cad3e2bead757f544b5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5885c6528976b0438f7c86b1a8deb7e5

SHA1
6767fcb4eb1b54d09bb502cc2c95f066d4ecb744

SHA256
4162298e3afc5f2760602759f064f11686cc816cd8a03d7027dfb244e8768a8b

SHA512
4d45814ded5aed4ca698d22cf5431eeb63d787423666955ca027afd946b65d2bec89a4e0926c88be060fb1626c4286ef9732a9967193c6635b13f6e730375d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
646465645980c44937671c5a5a19f8a8

SHA1
e837cadf14a65a44861b4c7c2f33d40c52761f6f

SHA256
9c9c778644bc87c31e5bdcec603495d6407398c42a4fb717317f1c9772911089

SHA512
20a7d098f7321e35f5ed29a378eb3c9056a31dde6f20be49a1d963d21b55b8dd7414e65103a1ee90a2437710c91166696a29877b6d3284850b005575aa3419fb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.CashRansomware
Filesize
8KB

MD5
724df8cddf89e47761dd701e6b7f987a

SHA1
3f037b08753531d018095ce24b95be3877c9d1af

SHA256
afa01db3278fbb4183e336c207a42f59aa992831965a9de838010798163e2524

SHA512
66f2f18e9d1728ff26e3c8abdb07cc64cef358f64bbe93b5c231c15b2a21b31cc98097d1db9575fb6dd789afa0cc84ad6e93840b134899c8f60a43a427656a0e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.CashRansomware
Filesize
36KB

MD5
36cc9d2e12a24ae1e4f1e44c12a77a97

SHA1
ab40723315ddc0167e7d0011f3745fc7804e0be9

SHA256
01710be342bd16447b3b3845fdd10902ec5c0e7cbb1ab53c350a245aa94509cd

SHA512
12af31a8712eb146e4593789bc1a505e8c3dc2bae3767a62509d2edb5d8b7b3d73f3968150c7df222f45310111ebcf7339a3b81660cfb9684f3473d2720fe1b6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.CashRansomware
Filesize
36KB

MD5
46d2dccc727333560b545b9f66c5941c

SHA1
f7d29e8d0d5da2a15a05109cf4bd5cdd1a78b0d8

SHA256
aaadd1f555afc62a582bffd2a2131ccb7fe23171a14ec4b93c0de6976b133182

SHA512
ce797fcb0a76313dd8fbf6853be3038a8f2824addd8c33df1060ee6928daffe19c4da6bb07f9dc73847a0ab61824ef2cac570cec8c5a5cdef911b0d115135791

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{4f7bbdca-2df1-4113-a6c2-26f2463e08c2}\0.1.filtertrie.intermediate.txt.CashRansomware
Filesize
16B

MD5
981b64216aab43e31124f80039df3b12

SHA1
ed542f4c75473956a016d8df53a2faf0f260d4a1

SHA256
8887d8f3deff8701d235c0d46227776481d4097ee6dad1acce3dd4c13cf0cab7

SHA512
a0e4ebece495558ef09a6a517d446451bd11cd8b60509d3563f2042ce0f839c522f726383f7d6a87dbd19a0bd6a1b4295fbd3d22b7f2c936155774ae4cc43794

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{4f7bbdca-2df1-4113-a6c2-26f2463e08c2}\0.2.filtertrie.intermediate.txt.CashRansomware
Filesize
16B

MD5
c549061baa39689de6ea0a3d7ba98cf4

SHA1
830fac2bd2df90297a8e55c812d8233f452db79e

SHA256
8f1c07f08a91587a80d6a3d0a70fd5d5cc8886616644d96b44e40363f13b1e8d

SHA512
98687730220f801bfd1e7820525466e357803ab87ed0e8c40f9839a6c2675b755cca25448e32f7d6443d72d26b023e63cb1e5e94cbe05e299d5687d9a4f13021

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596439082960180.txt.CashRansomware
Filesize
77KB

MD5
983a5f2f82eda0939e4d35568d2bb274

SHA1
c66fb41c2ab4916f7d861283ed3273048a7b6ae0

SHA256
c596a2f8efe1c91e3301374edf2c4df84c7b47f00e00cfb7e48082f76ead392d

SHA512
8152ca0aa61b3a01d5426bcfa8935e59e3537b9bd69ce0fca35492d6f6ecfc5eb4f705a4b77075202921ea9458a6820df20cc721e029a68888a1480b5417eb31

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596440369039129.txt.CashRansomware
Filesize
47KB

MD5
04c859a6c6d2f33da7ec74ed1504e549

SHA1
eb8f90b9021299b4af4f50b0cc0930926e2573d7

SHA256
f83d85a770c4c83bfb8b60d22dab9c3176ee320700bf88322f4b1ca30aa3a9a0

SHA512
3b08bf6ba1dc82a3413cfa80740078228cca5400ddadcc372a6079aa9395faca18cc76811507b29cfb9e7b82b994f014dc8bfd1a16210a6fad90b069ebaaf928

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596447416703473.txt.CashRansomware
Filesize
66KB

MD5
ab99de56f4111931c0fa13d4146799f9

SHA1
7ec24c2339d7e61e593971ff5ad9f552158a3cf2

SHA256
8dd07b6570408614fae60f04aab089b8237c8082e8dd4cc7b0717ab0871cf32e

SHA512
12ec6d03c0420858f83056515e436f7a4e42b340e926ef4abfe2f56bf0d3844ec2da2d950c8b7b0146dc4586d051e5ea3a1831f842f572b1d7efaa2be69b0f05

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596486474790747.txt.CashRansomware
Filesize
75KB

MD5
c35fa7bd273e882bdbe49175e9fc8f09

SHA1
87f6af415f3024e7e97ebc51b3f37521bd838129

SHA256
86f7e7f01e9887882b2b2d64aa1b456a90a3d37a89d204d49414332bacdb2983

SHA512
3b1099fb8df1051c0b2911f92d8a812b0bd41b54127d9dc749e5271a4f83497e93dcbe72f896491fb83e5a25c7c6c5a894e28e04551494ce663e3cc007c00ec9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware
Filesize
48KB

MD5
c24464a04e7d5ffcf85a78b26a4aea60

SHA1
3cccbcffc6f8a6f7957282fbcef6f73f0296c804

SHA256
8ca03033772e1be3b619ad4074ce9bc81900d1cce54b72ecb566e0771f3d404a

SHA512
71b590c27c7422635cd31f3769a0af1c4057c5edd0a809f5d2d15425840b69b21eff7e0f28c5951a5f257fe75c7918a0cd27aa6fb1adadb2a834b8dc0b8f99bb

Download Submit
C:\Users\Admin\Desktop\Cash Ransomware.html
Filesize
9KB

MD5
b38d3abcc3a30f095eaecfdd9f62e033

SHA1
f9960cb04896c229fdf6438efa51b4afd98f526f

SHA256
579374af17d7b9f972e9efcb761e0a8f88ef6d44dce53d56d0512d16c4728b9d

SHA512
46968c3951daa569dfecf75ba95a6694d525cbbd1883070189896ab270bb561cb2d00d7d38168405da1f78695f95cc481d28bcbff74be53d9a89822a09595768

Download Submit
\??\pipe\LOCAL\crashpad_5048_YBKQFFLCTTXBRNBJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2852-1686-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2852-1688-0x000001E9A4610000-0x000001E9A4B38000-memory.dmp

Filesize
5.2MB

Download
memory/2852-1687-0x000001E9A3F10000-0x000001E9A40D2000-memory.dmp

Filesize
1.8MB

Download
memory/2852-0-0x00007FFFE9CF3000-0x00007FFFE9CF5000-memory.dmp

Filesize
8KB

Download
memory/2852-1685-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2852-1738-0x00007FFFE9CF3000-0x00007FFFE9CF5000-memory.dmp

Filesize
8KB

Download
memory/2852-1744-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2852-1684-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2852-2-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2852-1759-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2852-1760-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2852-1761-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2852-1-0x000001E982BA0000-0x000001E982E4E000-memory.dmp

Filesize
2.7MB

Download