zgrat | 12dcefaf7cb33b93666d904438d7e6de7d71618230f225c8a7ab37096857ae48

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
Size

2.7MB
MD5

69cc2e20ea7a51666b8c14be90441073
SHA1

6a3c7d3267c5c2a679f5f41dff36c091dccfb337
SHA256

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24
SHA512

de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a
SSDEEP

49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr

Score

10^/10

zgrat ransomware rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3008-1-0x000002116D1A0000-0x000002116D44E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/3008-1-0x000002116D1A0000-0x000002116D44E000-memory.dmp	net_reactor

Drops startup file 3 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 api.ipify.org
34 api.ipify.org
37 icanhazip.com
39 ip-api.com

flow	ioc
33	api.ipify.org
34	api.ipify.org
37	icanhazip.com
39	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cash.img"	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Drops file in Program Files directory 64 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\wab32res.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprst.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\wab32.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdarem.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcjavas.inc.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador15.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4384	msedge.exe
4384	msedge.exe
3480	msedge.exe
3480	msedge.exe
4188	identity_helper.exe
4188	identity_helper.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3480 msedge.exe
3480 msedge.exe
3480 msedge.exe
3480 msedge.exe
3480 msedge.exe
3480 msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3008	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
Token: SeBackupPrivilege	3544	vssvc.exe
Token: SeRestorePrivilege	3544	vssvc.exe
Token: SeAuditPrivilege	3544	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exemsedge.exe

description	pid	process	target process
PID 3008 wrote to memory of 3480	3008	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe	msedge.exe
PID 3008 wrote to memory of 3480	3008	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe	msedge.exe
PID 3480 wrote to memory of 1424	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 1424	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4592	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4384	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4384	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe
PID 3480 wrote to memory of 4392	3480	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
"C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Cash Ransomware.html
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff75846f8,0x7ffff7584708,0x7ffff7584718
3⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
3⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
3⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
3⤵
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
3⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
3⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
3⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
3⤵
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
3⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
3⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2692 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata.CashRansomware
Filesize
16B

MD5
2bd5bbf99bc5175f80376f2b2ae35fa6

SHA1
162466c314d237c40c7d20412209d0d8b4ecb7c7

SHA256
f2847166ecc1e0585446fc02e872d58540393038e6866a52140c65dd2d8fb967

SHA512
a2631241a8715e1f8867a910522f7c29f8e6b52cbd444768e339415e3fd3b4fb3794f968211ba8c6ae6f6785f659a995b9fae9eea97c120310e78eef13dfd7db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.CashRansomware
Filesize
32B

MD5
e61d8b3b2ef6451ada7c509ff1af6ca1

SHA1
06e654f614ccb393bbd41307731144a6dfbf3959

SHA256
dc1f019225d2b21063e8bf059884b939d366099fed487776cdb9675ccf5779fe

SHA512
c80cad0819eafc41f61dd205edd975dbb23330eaeda1e59a75156ad0284f4793db5cd27a60faf35c6dc802d928d830357b60b84f9098d10969061236e8151f0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.CashRansomware
Filesize
48B

MD5
e65c321bd633d55b89248e1987ed40a8

SHA1
52bfec822db25326eb5575b04d827bd8f477a851

SHA256
0f3b7c8b30611e6193c29d791d7f4a24831c2a2f5d9e2f236593589e75179bd3

SHA512
ecf744f397c1d513e4110044a701e589c96b055f28669d385c0760c16148e3c9320c3928fad107db4596fad9bd57052afc29a31bf0d78b765b825327377accb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index.CashRansomware
Filesize
32B

MD5
74b135df15afc0a18d67eb5bbcbe6207

SHA1
b0f3984dd327cf335dc8c856a6c0e45e7c633970

SHA256
1e8c5edaf309f76e0c50f41485dc16bfb12440f99f64e2beb50e8ce51f9a7c8a

SHA512
3bb5cee3140e422bf2e470f6171a65e35299d2d07dd7ec71fef613000af180786f17f0521214dea31704e7bae3d140917fb0f4eb40ab8c4a9cb82fae89935dd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2.CashRansomware
Filesize
8KB

MD5
43c1481016bfb62be927be6d4318330a

SHA1
52602ae19c27ecfd6abd94d358c6d2dd14896164

SHA256
7bfd0597bf335ced8aecae463c09188569ff18874f169a7a2b2959be140fe8cc

SHA512
5017f085b75550da322bdd9f97bfc0d7408e3c12bed97a343e2e7a2ab679c8f0a6c95c979b8deb8f3d575f49374227077d43af97c9221cf79eb950533376ae3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0.CashRansomware
Filesize
8KB

MD5
39fcf73a0df63448336192e72cb06ef4

SHA1
c73b50f0dd110e1a64058094fdc0479526091199

SHA256
23bb0d5a02cae660030a755807b8e0c99b521daddce02a71326551ddd5c483ae

SHA512
4a3a82d47f1ca76a888bef54ec524cec227e1ee8e757f3d3ab41ed1120d687fc059d5a3b381f9c5be0baf2f5640c9c7247f94a4b46303ba9000182f88d5a3156

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.CashRansomware
Filesize
264KB

MD5
6cdd79a0137f82449e1ccc9d6b8f2cf0

SHA1
071a4e6394f92077ca43a4132bb236cb6726cf55

SHA256
bba5a80735c55ec9c9c2dd14f604c861d41b69768ec0ae787f85155e10a4b170

SHA512
dac2ea7232efa5ee6ba26eee91c2f20029ca40e047851226f88696b66c7ceb458f809e2281dbb7f6371c9b1305993a7f6093364f3615804c6c2c02e3767cbdf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3.CashRansomware
Filesize
8KB

MD5
0e93d3365f790e97beb998fbbe1637f6

SHA1
c0c2d023c90dfc8f7c1dbd89dc1edcbba5e39d09

SHA256
4211adf1941beb24b929fc56175bb9d47f3131e5c0e1e8c55aff3a439209766e

SHA512
5d5a552c86f0596024b4df934742a496dbd07a48af7162460ab6d13aeaa7ee3d42ef360ecccd649e21286d70b7ae1cbf22541cc266eb87f562126135819e359f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
176B

MD5
4b0fdb42df7710656db54c391246153d

SHA1
76448462cca39b432c314f680ebb330258a28749

SHA256
72b128de5bd06d50af02c4113956687082280bd564ff6b5517e4bc466ae5d526

SHA512
f5681e8c75062df44e985069f51ebaf7f0cf0e10427b5dc4800e1c8af1d401816cc9bafad6157afcea9c85bf347540211332c273573c706632c290cbf90de067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
1f67337b94a18763f06a57f1e68a9dda

SHA1
478ac05b9903e2d5834059ec57c93554f9d94b03

SHA256
01392e8758800da6793506dfc0d716a3988d547c45f494dbd840cb90d2291adc

SHA512
5d8fdddd7c994d9b76ae34d104016f79587c643cbbae3cc8376cdbbb73a388e03cee8fbf2e5ca792934be1c7bd9dc9b75a67ab0d45018b02cfa4c2d8d5fb368a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
568210f6bc85c52f4da4672515b1fa83

SHA1
cdb52178eab9cd923775c2f4e009cf25a375f822

SHA256
64441a4e02f5ccb0abd6b0351345fa884b86ef9c8b27a4f910cdc703963aad6d

SHA512
8913ffbeee6dbcbd8595167d624aeb7fe363b586d56a51477dc85b6eeecf3f4aacd70e11a0dbd3befae0ef9120da5f180d9963f725c01b7feb1886d904e7e579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ed5f52b3840073a5c12ca1f297f18930

SHA1
d7f62fac23c5d4c6e1b4b134469d357a2d771dbb

SHA256
798d3e1cce45685300abce3f76d5caef9fd50a702aaa5c3300935efabfebad54

SHA512
60e2a85d2dc2d2020ce258f349b663ea754b918ab608a0bea727547780fd73c93dd02d5980292733869acbc37d95c7389c3a219abb5748b124d2fa2c5cc14993

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.CashRansomware
Filesize
8KB

MD5
71ffac7ec338dd69b088523cb72b30df

SHA1
f3a09f7129715e010f3e50acdc4103a75ca9fcce

SHA256
e483b11d2d67a42167650ecdb1888d2a8dd4c40ca19a04d4cbba0b300740a627

SHA512
bb90e7d57f77644a19ba4fd86e08ad655d7db05ce3c5e9a2fd5880ab35a3e9c80289ea8cf5854a1ea4b604cf2ccc86b656570d4894d2b6fe490af5f750047626

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.CashRansomware
Filesize
36KB

MD5
377c2fdfc8291c6fe1c27af5f4a54b29

SHA1
82d49d7b4463926602318bedc343089544934cb5

SHA256
628a2575921fbc7f73668374e8fae6482c2979c1bbb9ae275b4b1d781c7cb2de

SHA512
8527fadafa8313f6a5b551b34ab1b168c5af93e9194ee468fe928117abb2f5cd593cb6e1759d457f488b1dced62ce0f8ca25ebb20f1b943f59c9e3c8d3329e7b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.CashRansomware
Filesize
36KB

MD5
fd0b5f9421d0c8ee3bea88145784769b

SHA1
a7c8ba3fc1fe1a9fad8c2b93dff3c5027dae6835

SHA256
f2f0b4e3767c4516170d6ce0bfca391c8746a1c2012fc6f7748564cfefe2ce8b

SHA512
a621ab312e233ce5c6325bd24de8d5f7bea35b9e65156e7fa5ca5f8d9ebb3d127e72adf284018cf2d9e511657965b00026ce78648f3f04af0464661e7ff669b7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7ec85bca-bbb0-41ec-8dd1-40aa1ad30532}\0.1.filtertrie.intermediate.txt.CashRansomware
Filesize
16B

MD5
3c65a58b94bedec03c36ae378932575e

SHA1
e2e73caf33f4f079a5e611c1939a10a05e5917fd

SHA256
57e26b5b311d473bf835635f89f9e506b4f81b70241adfc71c3a222e77bce03f

SHA512
b34e02d920558e6d479dc0ff480a104d223ebb33443e6402545cc8f0dd780b2b9451dcc57db75c080dfeebc7c82d29b5536ae2936858bb66cf73194b31d94796

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7ec85bca-bbb0-41ec-8dd1-40aa1ad30532}\0.2.filtertrie.intermediate.txt.CashRansomware
Filesize
16B

MD5
6f7eecd23ad35e15d397ca8beddd5d6f

SHA1
f89879de0aaa4f330c226938faad61d6e46e11bd

SHA256
e97a0aa7865182caf97356ba093e741feef90573e0ed1bad12096fb843edc889

SHA512
7b3b566613a0df3d7bd6c5366218f67dca7501d3d141f868a7cb964e7ae8b8774e986013db7a14b2dbced32df7011593b2d5160c1d7deb93cd8395b8ae6c6b3f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086489672153.txt.CashRansomware
Filesize
77KB

MD5
282f76b3091f1786cc29e221df37115d

SHA1
acb5b9db345a647c241f6fc5a2536b55ac07d381

SHA256
4dd3dcaa239ddc26fbbb9622a916d16fa0cd849dfe504fc7231e8ee06cae3809

SHA512
5ab3efec5564c911f1af1c618cd73992ae1be4334220999ea04bdca854af7e026a9b52830f93cea712e7159f1462d2080339a5ba038425c6ccbd5be89ed4aef2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088680666336.txt.CashRansomware
Filesize
47KB

MD5
7c4f9443f2d736a522a62165b8e7429e

SHA1
316294853c45ee1f3ff6aa692a74429a0b3c326d

SHA256
f77ad20819e0244ec2cb58b2f07afec766a1a6548a8d2df193c80bcde4552781

SHA512
1a12808de4fec78f954e0980eeda9c47650c4b2dcf28b4b98eb2de5844ebb7ef2ffcc06ecbb0ec40e607d3f790decd1aeadb4eed4d4158e96d35d5cf6834d1e5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586095008010161.txt.CashRansomware
Filesize
66KB

MD5
fed9f2740eaa100bbb11e9a65040499d

SHA1
a9a2e4c5da35f10dcfeb497aec3ea266383aeeb0

SHA256
66149ce1df2eef4f042a36d1c4f3f22c0ee0335cf984c735521283cca0f8295a

SHA512
6308196e0a339a917e9fa80884039bec111950f7717b40f8c157c5810dfffd4a9949b71a14395807f19e8260f830996a35fc49124bf1bf3e5e804b744e3ac85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctEF70.tmp.CashRansomware
Filesize
63KB

MD5
be7cf7588638b4111db05ab9e0f23a6f

SHA1
3327c1c6db0f9705a8922a4fb59be3aea068bc69

SHA256
b591bec6e7ac3709314e80ce22921b741eeeed3fce89b4af83651dbd4646fb0b

SHA512
39b9184acd14d5e5f11589190e70a01b9c47fc88db6a96a176f803aa7cdbc0ce471d086a091b0608aea3c57ebd684cc5b0368b4a7ae386fdf4462a127742c5db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware
Filesize
48KB

MD5
fedc6b709a1c747a95289237413d174a

SHA1
fe775d23af6a6bf576eac97354e4f006e151b390

SHA256
b519b5669d4643f3f691077d593812c917ac8affff17639b2d0d4f5ccd83ba96

SHA512
981f7aa4be8134054bf2094e22507ce4de0e2dd15e61228f1b5bfbda3a81868e4fb750be5fc09888735d953a22b25327b0acaed0888006c3dc557963b31757d3

Download Submit
C:\Users\Admin\Desktop\Cash Ransomware.html
Filesize
9KB

MD5
b38d3abcc3a30f095eaecfdd9f62e033

SHA1
f9960cb04896c229fdf6438efa51b4afd98f526f

SHA256
579374af17d7b9f972e9efcb761e0a8f88ef6d44dce53d56d0512d16c4728b9d

SHA512
46968c3951daa569dfecf75ba95a6694d525cbbd1883070189896ab270bb561cb2d00d7d38168405da1f78695f95cc481d28bcbff74be53d9a89822a09595768

Download Submit
\??\pipe\LOCAL\crashpad_3480_QBFHTNCOWSSVTODS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3008-1772-0x00007FFFFD8A3000-0x00007FFFFD8A5000-memory.dmp

Filesize
8KB

Download
memory/3008-0-0x00007FFFFD8A3000-0x00007FFFFD8A5000-memory.dmp

Filesize
8KB

Download
memory/3008-1742-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

Filesize
10.8MB

Download
memory/3008-1745-0x0000021176C20000-0x0000021177148000-memory.dmp

Filesize
5.2MB

Download
memory/3008-1744-0x0000021176520000-0x00000211766E2000-memory.dmp

Filesize
1.8MB

Download
memory/3008-1787-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

Filesize
10.8MB

Download
memory/3008-1743-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

Filesize
10.8MB

Download
memory/3008-1-0x000002116D1A0000-0x000002116D44E000-memory.dmp

Filesize
2.7MB

Download
memory/3008-1806-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

Filesize
10.8MB

Download
memory/3008-1807-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

Filesize
10.8MB

Download
memory/3008-1808-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

Filesize
10.8MB

Download
memory/3008-2-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

Filesize
10.8MB

Download