zgrat | 12dcefaf7cb33b93666d904438d7e6de7d71618230f225c8a7ab37096857ae48

General

Target

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
Size

2.7MB
MD5

69cc2e20ea7a51666b8c14be90441073
SHA1

6a3c7d3267c5c2a679f5f41dff36c091dccfb337
SHA256

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24
SHA512

de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a
SSDEEP

49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr

Score

10^/10

zgrat ransomware rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/620-1-0x0000000000280000-0x000000000052E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/620-1-0x0000000000280000-0x000000000052E000-memory.dmp	net_reactor

Drops startup file 3 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
5 api.ipify.org
6 api.ipify.org
7 icanhazip.com

flow	ioc
9	ip-api.com
5	api.ipify.org
6	api.ipify.org
7	icanhazip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cash.img"	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Drops file in Program Files directory 64 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcjavas.inc.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaremr.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	620	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
Token: SeBackupPrivilege	580	vssvc.exe
Token: SeRestorePrivilege	580	vssvc.exe
Token: SeAuditPrivilege	580	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
"C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT.CashRansomware
Filesize
32B

MD5
df1c36dbd723aea3ab0424c29969cc54

SHA1
330a257490189d35777a4b647e7fb7782e5447d4

SHA256
9d3e236cf77f5634c94ab258ae890b6da5b148610937fb38290663813e324919

SHA512
2fa019dc6edfa15561ca16e9ebcd2ed54e7579826f731db785deb5faea6ade3952cdc7915841be1341df5c781e28f2f48b770b54fe6eeb5010d9f56d42b3a14d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2.CashRansomware
Filesize
8KB

MD5
8a46bd320b119b130249a9a9ae45558b

SHA1
15ff4c262ca1f2f13fa8ca01a9866b2afb6459d2

SHA256
fa95af6e272e8bd332e82bacc0c429323e69c88d88f29b01d8617ce419c3170e

SHA512
4bb842a6b2c7307d3226d4f25976e8f7a1d199cb20065789ecc4c05f3ccb2eec7e6df2680e349f6da3c1d79ca5deef9dd44eb9de65acb2fb54c3e134aeef5199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YR1SPOMQ\desktop.ini.CashRansomware
Filesize
80B

MD5
855825a8f0fc2ceb79a917bfc95563e3

SHA1
937d5bcb358ac8dd4f08ea37e8ac3cda0490a495

SHA256
a2c0047588e755a4f6ab4284ec68ddee88096f7c697c493fe5846439e9799456

SHA512
1468e88ca8f38b673ddb86d3c498087739b9f87a928ecf6797775f44a4de794608c3e347dc353bb126aebdb8ccce9a80accd6f29e90746fa2a68b84744d2ec23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.CashRansomware
Filesize
28KB

MD5
1bc6920be2cac4e9877344049c46b98f

SHA1
4a9dea3cf972ed9458d04fa4cc08aeec12025ecc

SHA256
3ac173ad0f8d5efb76955c674384e8efed8ddde3f5547d8e7c93801db7e0eee6

SHA512
343c6a8d2fe15e06fe769e0a564a42651b6bbf4fae2df959c237317fe7af72a9319096e7b9250e74b3074080d3bdde30c269afb76ddb55c328b97a158047c8f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\container.dat.CashRansomware
Filesize
16B

MD5
c3028c83663a4fec63f3fcbe1bd197e8

SHA1
42502c1d25b528ffa85544c1f4e7abc792775e1a

SHA256
3dfcac09d9350940c69e0b88a53e6b800f1c0ef959fd9e52dcaa53624c63c346

SHA512
2f46eb1c0143afedbc1bd5fd545f89c33c93ae4503f11695f192da8723651ead1fd43a3d12043486b7a4692c6b09df668278c0d9ed71b46e109fe38aa52d79f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware
Filesize
48KB

MD5
57b7b987d6eef9c097b62ed02892d243

SHA1
f5bde60da1db911861c5b9f1eac2ab3638bf2438

SHA256
ab22fd1752388fa6f48464be970e631ef50de2d61f2e1414cdd0a42cb6a00f92

SHA512
7bdf59c6798a96fefd46caaba95b9b0999c425be8fa5afe3aa6745b65e04bd739b07fb2872ea46df47b8535a7c06899f3f28b431c2bd27ed228bcd37c95db85c

Download Submit
memory/620-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/620-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/620-1-0x0000000000280000-0x000000000052E000-memory.dmp

Filesize
2.7MB

Download
memory/620-1256-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/620-1257-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/620-1258-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/620-1259-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/620-1260-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/620-1261-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads