Overview

overview

10

Static

static

10

958ccd8e8d...24.exe

windows7-x64

10

958ccd8e8d...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-05-2024 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

  • Size

    2.7MB

  • MD5

    69cc2e20ea7a51666b8c14be90441073

  • SHA1

    6a3c7d3267c5c2a679f5f41dff36c091dccfb337

  • SHA256

    958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24

  • SHA512

    de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a

  • SSDEEP

    49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr

Score
10/10
zgratransomwareratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
    "C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"
    1⤵
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Cash Ransomware.html
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff75846f8,0x7ffff7584708,0x7ffff7584718
        3⤵
          PID:1424
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
          3⤵
            PID:4592
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4384
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
            3⤵
              PID:4392
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
              3⤵
                PID:4088
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                3⤵
                  PID:3052
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
                  3⤵
                    PID:4916
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4188
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
                    3⤵
                      PID:4500
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
                      3⤵
                        PID:1436
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
                        3⤵
                          PID:5240
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
                          3⤵
                            PID:5248
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5296550564915765139,16443424378245694881,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2692 /prefetch:2
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3104
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3544
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:4996
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:3504

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata.CashRansomware
                            Filesize

                            16B

                            MD5

                            2bd5bbf99bc5175f80376f2b2ae35fa6

                            SHA1

                            162466c314d237c40c7d20412209d0d8b4ecb7c7

                            SHA256

                            f2847166ecc1e0585446fc02e872d58540393038e6866a52140c65dd2d8fb967

                            SHA512

                            a2631241a8715e1f8867a910522f7c29f8e6b52cbd444768e339415e3fd3b4fb3794f968211ba8c6ae6f6785f659a995b9fae9eea97c120310e78eef13dfd7db

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.CashRansomware
                            Filesize

                            32B

                            MD5

                            e61d8b3b2ef6451ada7c509ff1af6ca1

                            SHA1

                            06e654f614ccb393bbd41307731144a6dfbf3959

                            SHA256

                            dc1f019225d2b21063e8bf059884b939d366099fed487776cdb9675ccf5779fe

                            SHA512

                            c80cad0819eafc41f61dd205edd975dbb23330eaeda1e59a75156ad0284f4793db5cd27a60faf35c6dc802d928d830357b60b84f9098d10969061236e8151f0b

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.CashRansomware
                            Filesize

                            48B

                            MD5

                            e65c321bd633d55b89248e1987ed40a8

                            SHA1

                            52bfec822db25326eb5575b04d827bd8f477a851

                            SHA256

                            0f3b7c8b30611e6193c29d791d7f4a24831c2a2f5d9e2f236593589e75179bd3

                            SHA512

                            ecf744f397c1d513e4110044a701e589c96b055f28669d385c0760c16148e3c9320c3928fad107db4596fad9bd57052afc29a31bf0d78b765b825327377accb5

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index.CashRansomware
                            Filesize

                            32B

                            MD5

                            74b135df15afc0a18d67eb5bbcbe6207

                            SHA1

                            b0f3984dd327cf335dc8c856a6c0e45e7c633970

                            SHA256

                            1e8c5edaf309f76e0c50f41485dc16bfb12440f99f64e2beb50e8ce51f9a7c8a

                            SHA512

                            3bb5cee3140e422bf2e470f6171a65e35299d2d07dd7ec71fef613000af180786f17f0521214dea31704e7bae3d140917fb0f4eb40ab8c4a9cb82fae89935dd8

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2.CashRansomware
                            Filesize

                            8KB

                            MD5

                            43c1481016bfb62be927be6d4318330a

                            SHA1

                            52602ae19c27ecfd6abd94d358c6d2dd14896164

                            SHA256

                            7bfd0597bf335ced8aecae463c09188569ff18874f169a7a2b2959be140fe8cc

                            SHA512

                            5017f085b75550da322bdd9f97bfc0d7408e3c12bed97a343e2e7a2ab679c8f0a6c95c979b8deb8f3d575f49374227077d43af97c9221cf79eb950533376ae3e

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0.CashRansomware
                            Filesize

                            8KB

                            MD5

                            39fcf73a0df63448336192e72cb06ef4

                            SHA1

                            c73b50f0dd110e1a64058094fdc0479526091199

                            SHA256

                            23bb0d5a02cae660030a755807b8e0c99b521daddce02a71326551ddd5c483ae

                            SHA512

                            4a3a82d47f1ca76a888bef54ec524cec227e1ee8e757f3d3ab41ed1120d687fc059d5a3b381f9c5be0baf2f5640c9c7247f94a4b46303ba9000182f88d5a3156

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.CashRansomware
                            Filesize

                            264KB

                            MD5

                            6cdd79a0137f82449e1ccc9d6b8f2cf0

                            SHA1

                            071a4e6394f92077ca43a4132bb236cb6726cf55

                            SHA256

                            bba5a80735c55ec9c9c2dd14f604c861d41b69768ec0ae787f85155e10a4b170

                            SHA512

                            dac2ea7232efa5ee6ba26eee91c2f20029ca40e047851226f88696b66c7ceb458f809e2281dbb7f6371c9b1305993a7f6093364f3615804c6c2c02e3767cbdf5

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3.CashRansomware
                            Filesize

                            8KB

                            MD5

                            0e93d3365f790e97beb998fbbe1637f6

                            SHA1

                            c0c2d023c90dfc8f7c1dbd89dc1edcbba5e39d09

                            SHA256

                            4211adf1941beb24b929fc56175bb9d47f3131e5c0e1e8c55aff3a439209766e

                            SHA512

                            5d5a552c86f0596024b4df934742a496dbd07a48af7162460ab6d13aeaa7ee3d42ef360ecccd649e21286d70b7ae1cbf22541cc266eb87f562126135819e359f

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            ea98e583ad99df195d29aa066204ab56

                            SHA1

                            f89398664af0179641aa0138b337097b617cb2db

                            SHA256

                            a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

                            SHA512

                            e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            4f7152bc5a1a715ef481e37d1c791959

                            SHA1

                            c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

                            SHA256

                            704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

                            SHA512

                            2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                            Filesize

                            176B

                            MD5

                            4b0fdb42df7710656db54c391246153d

                            SHA1

                            76448462cca39b432c314f680ebb330258a28749

                            SHA256

                            72b128de5bd06d50af02c4113956687082280bd564ff6b5517e4bc466ae5d526

                            SHA512

                            f5681e8c75062df44e985069f51ebaf7f0cf0e10427b5dc4800e1c8af1d401816cc9bafad6157afcea9c85bf347540211332c273573c706632c290cbf90de067

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            5KB

                            MD5

                            1f67337b94a18763f06a57f1e68a9dda

                            SHA1

                            478ac05b9903e2d5834059ec57c93554f9d94b03

                            SHA256

                            01392e8758800da6793506dfc0d716a3988d547c45f494dbd840cb90d2291adc

                            SHA512

                            5d8fdddd7c994d9b76ae34d104016f79587c643cbbae3cc8376cdbbb73a388e03cee8fbf2e5ca792934be1c7bd9dc9b75a67ab0d45018b02cfa4c2d8d5fb368a

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            568210f6bc85c52f4da4672515b1fa83

                            SHA1

                            cdb52178eab9cd923775c2f4e009cf25a375f822

                            SHA256

                            64441a4e02f5ccb0abd6b0351345fa884b86ef9c8b27a4f910cdc703963aad6d

                            SHA512

                            8913ffbeee6dbcbd8595167d624aeb7fe363b586d56a51477dc85b6eeecf3f4aacd70e11a0dbd3befae0ef9120da5f180d9963f725c01b7feb1886d904e7e579

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            11KB

                            MD5

                            ed5f52b3840073a5c12ca1f297f18930

                            SHA1

                            d7f62fac23c5d4c6e1b4b134469d357a2d771dbb

                            SHA256

                            798d3e1cce45685300abce3f76d5caef9fd50a702aaa5c3300935efabfebad54

                            SHA512

                            60e2a85d2dc2d2020ce258f349b663ea754b918ab608a0bea727547780fd73c93dd02d5980292733869acbc37d95c7389c3a219abb5748b124d2fa2c5cc14993

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.CashRansomware
                            Filesize

                            8KB

                            MD5

                            71ffac7ec338dd69b088523cb72b30df

                            SHA1

                            f3a09f7129715e010f3e50acdc4103a75ca9fcce

                            SHA256

                            e483b11d2d67a42167650ecdb1888d2a8dd4c40ca19a04d4cbba0b300740a627

                            SHA512

                            bb90e7d57f77644a19ba4fd86e08ad655d7db05ce3c5e9a2fd5880ab35a3e9c80289ea8cf5854a1ea4b604cf2ccc86b656570d4894d2b6fe490af5f750047626

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.CashRansomware
                            Filesize

                            36KB

                            MD5

                            377c2fdfc8291c6fe1c27af5f4a54b29

                            SHA1

                            82d49d7b4463926602318bedc343089544934cb5

                            SHA256

                            628a2575921fbc7f73668374e8fae6482c2979c1bbb9ae275b4b1d781c7cb2de

                            SHA512

                            8527fadafa8313f6a5b551b34ab1b168c5af93e9194ee468fe928117abb2f5cd593cb6e1759d457f488b1dced62ce0f8ca25ebb20f1b943f59c9e3c8d3329e7b

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.CashRansomware
                            Filesize

                            36KB

                            MD5

                            fd0b5f9421d0c8ee3bea88145784769b

                            SHA1

                            a7c8ba3fc1fe1a9fad8c2b93dff3c5027dae6835

                            SHA256

                            f2f0b4e3767c4516170d6ce0bfca391c8746a1c2012fc6f7748564cfefe2ce8b

                            SHA512

                            a621ab312e233ce5c6325bd24de8d5f7bea35b9e65156e7fa5ca5f8d9ebb3d127e72adf284018cf2d9e511657965b00026ce78648f3f04af0464661e7ff669b7

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7ec85bca-bbb0-41ec-8dd1-40aa1ad30532}\0.1.filtertrie.intermediate.txt.CashRansomware
                            Filesize

                            16B

                            MD5

                            3c65a58b94bedec03c36ae378932575e

                            SHA1

                            e2e73caf33f4f079a5e611c1939a10a05e5917fd

                            SHA256

                            57e26b5b311d473bf835635f89f9e506b4f81b70241adfc71c3a222e77bce03f

                            SHA512

                            b34e02d920558e6d479dc0ff480a104d223ebb33443e6402545cc8f0dd780b2b9451dcc57db75c080dfeebc7c82d29b5536ae2936858bb66cf73194b31d94796

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7ec85bca-bbb0-41ec-8dd1-40aa1ad30532}\0.2.filtertrie.intermediate.txt.CashRansomware
                            Filesize

                            16B

                            MD5

                            6f7eecd23ad35e15d397ca8beddd5d6f

                            SHA1

                            f89879de0aaa4f330c226938faad61d6e46e11bd

                            SHA256

                            e97a0aa7865182caf97356ba093e741feef90573e0ed1bad12096fb843edc889

                            SHA512

                            7b3b566613a0df3d7bd6c5366218f67dca7501d3d141f868a7cb964e7ae8b8774e986013db7a14b2dbced32df7011593b2d5160c1d7deb93cd8395b8ae6c6b3f

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086489672153.txt.CashRansomware
                            Filesize

                            77KB

                            MD5

                            282f76b3091f1786cc29e221df37115d

                            SHA1

                            acb5b9db345a647c241f6fc5a2536b55ac07d381

                            SHA256

                            4dd3dcaa239ddc26fbbb9622a916d16fa0cd849dfe504fc7231e8ee06cae3809

                            SHA512

                            5ab3efec5564c911f1af1c618cd73992ae1be4334220999ea04bdca854af7e026a9b52830f93cea712e7159f1462d2080339a5ba038425c6ccbd5be89ed4aef2

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088680666336.txt.CashRansomware
                            Filesize

                            47KB

                            MD5

                            7c4f9443f2d736a522a62165b8e7429e

                            SHA1

                            316294853c45ee1f3ff6aa692a74429a0b3c326d

                            SHA256

                            f77ad20819e0244ec2cb58b2f07afec766a1a6548a8d2df193c80bcde4552781

                            SHA512

                            1a12808de4fec78f954e0980eeda9c47650c4b2dcf28b4b98eb2de5844ebb7ef2ffcc06ecbb0ec40e607d3f790decd1aeadb4eed4d4158e96d35d5cf6834d1e5

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586095008010161.txt.CashRansomware
                            Filesize

                            66KB

                            MD5

                            fed9f2740eaa100bbb11e9a65040499d

                            SHA1

                            a9a2e4c5da35f10dcfeb497aec3ea266383aeeb0

                            SHA256

                            66149ce1df2eef4f042a36d1c4f3f22c0ee0335cf984c735521283cca0f8295a

                            SHA512

                            6308196e0a339a917e9fa80884039bec111950f7717b40f8c157c5810dfffd4a9949b71a14395807f19e8260f830996a35fc49124bf1bf3e5e804b744e3ac85e

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\wctEF70.tmp.CashRansomware
                            Filesize

                            63KB

                            MD5

                            be7cf7588638b4111db05ab9e0f23a6f

                            SHA1

                            3327c1c6db0f9705a8922a4fb59be3aea068bc69

                            SHA256

                            b591bec6e7ac3709314e80ce22921b741eeeed3fce89b4af83651dbd4646fb0b

                            SHA512

                            39b9184acd14d5e5f11589190e70a01b9c47fc88db6a96a176f803aa7cdbc0ce471d086a091b0608aea3c57ebd684cc5b0368b4a7ae386fdf4462a127742c5db

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware
                            Filesize

                            48KB

                            MD5

                            fedc6b709a1c747a95289237413d174a

                            SHA1

                            fe775d23af6a6bf576eac97354e4f006e151b390

                            SHA256

                            b519b5669d4643f3f691077d593812c917ac8affff17639b2d0d4f5ccd83ba96

                            SHA512

                            981f7aa4be8134054bf2094e22507ce4de0e2dd15e61228f1b5bfbda3a81868e4fb750be5fc09888735d953a22b25327b0acaed0888006c3dc557963b31757d3

                            Download Submit

                          • C:\Users\Admin\Desktop\Cash Ransomware.html
                            Filesize

                            9KB

                            MD5

                            b38d3abcc3a30f095eaecfdd9f62e033

                            SHA1

                            f9960cb04896c229fdf6438efa51b4afd98f526f

                            SHA256

                            579374af17d7b9f972e9efcb761e0a8f88ef6d44dce53d56d0512d16c4728b9d

                            SHA512

                            46968c3951daa569dfecf75ba95a6694d525cbbd1883070189896ab270bb561cb2d00d7d38168405da1f78695f95cc481d28bcbff74be53d9a89822a09595768

                            Download Submit

                          • memory/3008-1772-0x00007FFFFD8A3000-0x00007FFFFD8A5000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3008-0-0x00007FFFFD8A3000-0x00007FFFFD8A5000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3008-1742-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3008-1745-0x0000021176C20000-0x0000021177148000-memory.dmp

                            Filesize

                            5.2MB

                            Download

                          • memory/3008-1744-0x0000021176520000-0x00000211766E2000-memory.dmp

                            Filesize

                            1.8MB

                            Download

                          • memory/3008-1787-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3008-1743-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3008-1-0x000002116D1A0000-0x000002116D44E000-memory.dmp

                            Filesize

                            2.7MB

                            Download

                          • memory/3008-1806-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3008-1807-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3008-1808-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3008-2-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

                            Filesize

                            10.8MB

                            Download