Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
CashRansomware.exe

Overview

General Information

Sample name:CashRansomware.exe
Analysis ID:1436572
MD5:71f0e2645d9051c3a8f5cf2dbce9d074
SHA1:a303632965f9fdc3b7cb4c532831c0b38f24df90
SHA256:132ef1a933f9d26fb0bb46b0a970dbfe05ad8fe0859ece8eb973b5584a580cc3
Tags:cashCashRansomwareCashoutexeransomware
Infos:

Detection

PureLog Stealer, TrojanRansom, zgRAT
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected TrojanRansom
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • CashRansomware.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\CashRansomware.exe" MD5: 71F0E2645D9051C3A8F5CF2DBCE9D074)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
zgRATzgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
CashRansomware.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
    CashRansomware.exeJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
      CashRansomware.exeJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000000.00000000.1614514248.000002075EC42000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
          Process Memory Space: CashRansomware.exe PID: 7336JoeSecurity_TrojanRansomYara detected TrojanRansomJoe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.0.CashRansomware.exe.2075ec40000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
              0.0.CashRansomware.exe.2075ec40000.0.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
                0.0.CashRansomware.exe.2075ec40000.0.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security

                  Sigma Signatures

                  No Sigma rule has matched

                  Snort Signatures

                  No Snort rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Multi AV Scanner detection for submitted file
                  Source: CashRansomware.exeVirustotal: Detection: 45%Perma Link
                  Source: CashRansomware.exeReversingLabs: Detection: 42%
                  Machine Learning detection for sample
                  Source: CashRansomware.exeJoe Sandbox ML: detected
                  Source: CashRansomware.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 213.188.196.246:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: CashRansomware.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: ~C:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: }C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: eC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020763E03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: lication Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: gC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: \Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*O source: CashRansomware.exe, 00000000.00000002.4366388738.000002077FA40000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: kC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020763E03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: lC:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: xC:\Users\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ation Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3F( source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ion Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\. source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020763E03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: nC:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ion Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0` source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: wC:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020763E03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: hC:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: yC:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: |C:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: fC:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: vC:\Users\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: mC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 4x nop then jmp 00007FFD9B88763Bh0_2_00007FFD9B87AA03
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000055h0_2_00007FFD9B87C543
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 4x nop then mov dword ptr [ebp-14h], 000000CEh0_2_00007FFD9B87E045
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 4x nop then mov dword ptr [ebp-14h], 000000A1h0_2_00007FFD9B87D702
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 4x nop then mov dword ptr [ebp-14h], 000000DCh0_2_00007FFD9B87E33A
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 4x nop then mov dword ptr [ebp-14h], 000000EAh0_2_00007FFD9B87E606
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000055h0_2_00007FFD9B87C5BC
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 4x nop then mov dword ptr [ebp-14h], 000000F8h0_2_00007FFD9B87E8E7

                  Networking

                  barindex
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: CashRansomware.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.CashRansomware.exe.2075ec40000.0.unpack, type: UNPACKEDPE
                  Source: global trafficHTTP traffic detected: GET /api/ip HTTP/1.1Host: worldtimeapi.orgConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 213.188.196.246 213.188.196.246
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /api/ip HTTP/1.1Host: worldtimeapi.orgConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: worldtimeapi.org
                  Source: global trafficDNS traffic detected: DNS query: 54.229.13.0.in-addr.arpa
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://icanhazip.comlAn
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.orgHError
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.qrserver.com/v1/create-qr-code/?size=500x500&data=
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://i.ibb.co/H4X0k5x/monero.png
                  Source: CashRansomware.exeString found in binary or memory: https://i.ibb.co/djp6D7n/logo-jester-done.png
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://keyauth.win/api/1.2/
                  Source: CashRansomware.exeString found in binary or memory: https://pastebin.com/raw/azDDWzUg
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://worldtimeapi.org
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://worldtimeapi.org/api/ip
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://worldtimeapi.org/api/ip(GET)unixtimeBUnable
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?q=how
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://youtu.be/dQw4w9WgXcQvhttps://currentmillis.com/time/minutes-since-unix-epoch.php
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/watch?v=RfDTdiBq4_o.https://keyauth.cc/app/
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknownHTTPS traffic detected: 213.188.196.246:443 -> 192.168.2.4:49730 version: TLS 1.2

                  Spam, unwanted Advertisements and Ransom Demands

                  barindex
                  Yara detected TrojanRansom
                  Source: Yara matchFile source: Process Memory Space: CashRansomware.exe PID: 7336, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 0_2_00007FFD9B87C03C0_2_00007FFD9B87C03C
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 0_2_00007FFD9B87DB2A0_2_00007FFD9B87DB2A
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 0_2_00007FFD9B8796B70_2_00007FFD9B8796B7
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 0_2_00007FFD9B87AA030_2_00007FFD9B87AA03
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 0_2_00007FFD9B87C8DD0_2_00007FFD9B87C8DD
                  Source: C:\Users\user\Desktop\CashRansomware.exeCode function: 0_2_00007FFD9B87208C0_2_00007FFD9B87208C
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs CashRansomware.exe
                  Source: CashRansomware.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: CashRansomware.exe, UnknownCheckerCode.csCryptographic APIs: 'TransformFinalBlock'
                  Source: CashRansomware.exe, UnknownCheckerCode.csCryptographic APIs: 'TransformFinalBlock'
                  Source: CashRansomware.exe, UnknownCheckerCode.csCryptographic APIs: 'TransformFinalBlock'
                  Source: CashRansomware.exe, UnknownF1.csCryptographic APIs: 'TransformFinalBlock'
                  Source: CashRansomware.exe, UnknownF2.csCryptographic APIs: 'TransformFinalBlock'
                  Source: CashRansomware.exe, Vv13mEG6cGeE9nZjW7k.csCryptographic APIs: 'CreateDecryptor'
                  Source: CashRansomware.exe, Vv13mEG6cGeE9nZjW7k.csCryptographic APIs: 'CreateDecryptor'
                  Source: classification engineClassification label: mal88.rans.troj.evad.winEXE@1/2@2/1
                  Source: C:\Users\user\Desktop\CashRansomware.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\CashRansomware.exeMutant created: \Sessions\1\BaseNamedObjects\pGAIP95iDa9WwV5F
                  Source: C:\Users\user\Desktop\CashRansomware.exeFile created: C:\Users\user\AppData\Local\Temp\Cash.imgJump to behavior
                  Source: CashRansomware.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: CashRansomware.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: CashRansomware.exeVirustotal: Detection: 45%
                  Source: CashRansomware.exeReversingLabs: Detection: 42%
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: msftedit.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: windows.globalization.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: bcp47mrm.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: globinputhost.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: napinsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: pnrpnsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: wshbth.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: nlaapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: winrnr.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeFile opened: C:\Windows\SYSTEM32\MsftEdit.DLLJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\CashRansomware.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: CashRansomware.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: CashRansomware.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                  Source: CashRansomware.exeStatic file information: File size 2702848 > 1048576
                  Source: CashRansomware.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x292c00
                  Source: CashRansomware.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: ~C:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: }C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: eC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020763E03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: lication Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: gC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: \Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*O source: CashRansomware.exe, 00000000.00000002.4366388738.000002077FA40000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: kC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020763E03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: lC:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: xC:\Users\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ation Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3F( source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ion Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\. source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020763E03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: nC:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ion Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0` source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: wC:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020763E03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: hC:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: yC:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: |C:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: fC:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762A03000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CashRansomware.exe, 00000000.00000002.4090714748.0000020762003000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: vC:\Users\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020763403000.00000004.00000800.00020000.00000000.sdmp, CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: mC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CashRansomware.exe, 00000000.00000002.4090714748.0000020761603000.00000004.00000800.00020000.00000000.sdmp

                  Data Obfuscation

                  barindex
                  .NET source code contains method to dynamically call methods (often used by packers)
                  Source: CashRansomware.exe, Vv13mEG6cGeE9nZjW7k.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: CashRansomware.exe, UnknownF1.csHigh entropy of concatenated method names: 'EMGAdxIMXI', 'OmsAzqa4J0', 'SendHost', 'TelegramBot', 'f7OUHKE8ha', 'SetProcessDpiAwareness', 'GetScreenshot', 'GetTextFromHost', 'IHaUA7PdCa', 'sends'
                  Source: CashRansomware.exe, UnknownF2.csHigh entropy of concatenated method names: 'Dispose', 'qJLqrVMV1V', 'o9gPRAKueU', 'NG1PxA62cC', 'pqnqO8FSj7', 'NyEqSn2i6t', 'AP5q9F3r3g', 'G0HqD8sAXE', 'kMaqKyiSov', 'AES_Encryptt'
                  Source: CashRansomware.exe, Fxxx71MZ0qmF1bCJK9M.csHigh entropy of concatenated method names: 'NLhMnJ9faM', 'qoRM0qoMcX', 'XEMMl9b4xX', 'SFtMsfrZ9G', 'xbIM2rQS3o', 'q59MVy4dRN', 'wkdMrtbqV8', 'hCIMO6968K', 't4xMSG6DdX', 'smvM9cm7Yi'
                  Source: CashRansomware.exe, Vv13mEG6cGeE9nZjW7k.csHigh entropy of concatenated method names: 'zgKexSOBSi', 'nW4lBacjpc', 'pLne80fnjx', 'xHWemdGj6O', 'VXveJVZalE', 'RpreYGIGbf', 'avw5SO59dT', 'hIBGBfi3IY', 'gITGIVYwK1', 'UTpGgaM8jj'
                  Source: C:\Users\user\Desktop\CashRansomware.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLLLHTTP://IP-API.COM/LINE/?FIELDS=HOSTING
                  Source: C:\Users\user\Desktop\CashRansomware.exeMemory allocated: 2075F210000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeMemory allocated: 20778B90000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeWindow / User API: threadDelayed 1102Jump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeWindow / User API: threadDelayed 1896Jump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exe TID: 7864Thread sleep time: -2204000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exe TID: 7864Thread sleep time: -3792000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CashRansomware.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KD:\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.man
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: RD:\sources\replacementmanifests\microsoft-hyper-v-client-migration-replacement.man
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %DetectVirtualMachine%
                  Source: CashRansomware.exe, 00000000.00000002.4090714748.0000020760C03000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SD:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man
                  Source: CashRansomware.exe, 00000000.00000002.4089414374.000002075F162000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\CashRansomware.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeMemory allocated: page read and write | page guardJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Users\user\Desktop\CashRansomware.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\CashRansomware.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected PureLog Stealer
                  Source: Yara matchFile source: CashRansomware.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.CashRansomware.exe.2075ec40000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.1614514248.000002075EC42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Yara detected zgRAT
                  Source: Yara matchFile source: CashRansomware.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.CashRansomware.exe.2075ec40000.0.unpack, type: UNPACKEDPE

                  Remote Access Functionality

                  barindex
                  Yara detected PureLog Stealer
                  Source: Yara matchFile source: CashRansomware.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.CashRansomware.exe.2075ec40000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.1614514248.000002075EC42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Yara detected zgRAT
                  Source: Yara matchFile source: CashRansomware.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.CashRansomware.exe.2075ec40000.0.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
                  Windows Management Instrumentation                  		1
                  DLL Side-Loading                  		1
                  DLL Side-Loading                  		3
                  Virtualization/Sandbox Evasion                  		OS Credential Dumping1
                  Query Registry                  		Remote Services11
                  Archive Collected Data                  		11
                  Encrypted Channel                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                  Disable or Modify Tools                  		LSASS Memory111
                  Security Software Discovery                  		Remote Desktop ProtocolData from Removable Media1
                  Ingress Tool Transfer                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
                  Deobfuscate/Decode Files or Information                  		Security Account Manager3
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin SharesData from Network Shared Drive2
                  Non-Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                  Obfuscated Files or Information                  		NTDS1
                  Application Window Discovery                  		Distributed Component Object ModelInput Capture3
                  Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Software Packing                  		LSA Secrets23
                  System Information Discovery                  		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  DLL Side-Loading                  		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  CashRansomware.exe46%VirustotalBrowse
                  CashRansomware.exe42%ReversingLabsByteCode-MSIL.Trojan.Barys
                  CashRansomware.exe100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  SourceDetectionScannerLabelLink
                  worldtimeapi.org0%VirustotalBrowse
                  54.229.13.0.in-addr.arpa0%VirustotalBrowse

                  URLs

                  SourceDetectionScannerLabelLink
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  https://worldtimeapi.org/api/ip0%Avira URL Cloudsafe
                  https://worldtimeapi.org/api/ip(GET)unixtimeBUnable0%Avira URL Cloudsafe
                  https://worldtimeapi.org0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cn/bThe0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cn/cThe0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cn/bThe0%VirustotalBrowse
                  http://www.founder.com.cn/cn0%Avira URL Cloudsafe
                  http://icanhazip.comlAn0%Avira URL Cloudsafe
                  https://worldtimeapi.org0%VirustotalBrowse
                  http://www.founder.com.cn/cn/cThe0%VirustotalBrowse
                  http://www.zhongyicts.com.cn0%Avira URL Cloudsafe
                  https://worldtimeapi.org/api/ip0%VirustotalBrowse
                  https://keyauth.win/api/1.2/0%Avira URL Cloudsafe
                  https://api.ipify.orgHError0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cn0%VirustotalBrowse
                  http://www.zhongyicts.com.cn1%VirustotalBrowse
                  https://keyauth.win/api/1.2/1%VirustotalBrowse

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  worldtimeapi.org
                  		213.188.196.246
                  		truefalseunknown
                  54.229.13.0.in-addr.arpa
                  		unknown
                  		unknownfalseunknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  https://worldtimeapi.org/api/ipfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://www.apache.org/licenses/LICENSE-2.0CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.fontbureau.comCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.fontbureau.com/designersGCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.com/designers/?CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.founder.com.cn/cn/bTheCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          		unknown
                          https://api.qrserver.com/v1/create-qr-code/?size=500x500&data=CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://api.telegram.org/botCashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://worldtimeapi.org/api/ip(GET)unixtimeBUnableCashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.com/designers?CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://i.ibb.co/H4X0k5x/monero.pngCashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.tiro.comCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designersCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.goodfont.co.krCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    https://worldtimeapi.orgCashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • 0%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://youtu.be/dQw4w9WgXcQvhttps://currentmillis.com/time/minutes-since-unix-epoch.phpCashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.carterandcone.comlCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.sajatypeworks.comCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.typography.netDCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://youtube.com/watch?v=RfDTdiBq4_o.https://keyauth.cc/app/CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.fontbureau.com/designers/cabarga.htmlNCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.founder.com.cn/cn/cTheCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • 0%, Virustotal, Browse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.galapagosdesign.com/staff/dennis.htmCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.founder.com.cn/cnCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • 0%, Virustotal, Browse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fontbureau.com/designers/frere-user.htmlCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://i.ibb.co/djp6D7n/logo-jester-done.pngCashRansomware.exefalse
                                              		high
                                              https://ipinfo.io/CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://www.google.com/search?q=howCashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://pastebin.com/raw/azDDWzUgCashRansomware.exefalse
                                                    		high
                                                    http://ip-api.com/json/CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.jiyu-kobo.co.jp/CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://icanhazip.comlAnCashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://api.ipify.orgHErrorCashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://www.galapagosdesign.com/DPleaseCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.fontbureau.com/designers8CashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://www.fonts.comCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://www.sandoll.co.krCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.urwpp.deDPleaseCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.zhongyicts.com.cnCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • 1%, Virustotal, Browse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://www.sakkal.comCashRansomware.exe, 00000000.00000002.4213560426.000002077AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            		unknown
                                                            https://keyauth.win/api/1.2/CashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • 1%, Virustotal, Browse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://ip-api.com/line/?fields=hostingCashRansomware.exe, 00000000.00000002.4090714748.0000020760B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high

                                                              World Map of Contacted IPs

                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs

                                                              Public IPs

                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              213.188.196.246
                                                              		worldtimeapi.orgItaly
                                                              		25400TELIA-NORWAY-ASTeliaNorwayCoreNetworksNOfalse

                                                              General Information

                                                              Joe Sandbox version:40.0.0 Tourmaline
                                                              Analysis ID:1436572
                                                              Start date and time:2024-05-06 02:41:06 +02:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 7m 53s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:6
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:CashRansomware.exe
                                                              Detection:MAL
                                                              Classification:mal88.rans.troj.evad.winEXE@1/2@2/1
                                                              EGA Information:Failed
                                                              HCA Information:Failed
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Override analysis time to 240s for sample files taking high CPU consumption

                                                              Warnings

                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                              • Execution Graph export aborted for target CashRansomware.exe, PID 7336 because it is empty
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtOpenFile calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                              Simulations

                                                              Behavior and APIs

                                                              TimeTypeDescription
                                                              02:43:10API Interceptor3013x Sleep call for process: CashRansomware.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              213.188.196.246Incident_Report_Harassment_by_Employee.docGet hashmaliciousUnknownBrowse
                                                              • /api/ip
                                                              out.exeGet hashmaliciousUnknownBrowse
                                                              • /api/ip
                                                              out.exeGet hashmaliciousUnknownBrowse
                                                              • /api/ip
                                                              potrgssavalue.msiGet hashmaliciousUnknownBrowse
                                                              • /api/ip
                                                              down.dllGet hashmaliciousUnknownBrowse
                                                              • /api/ip
                                                              down.dllGet hashmaliciousUnknownBrowse
                                                              • /api/ip
                                                              crypted.bin.exeGet hashmaliciousCryptOneBrowse
                                                              • /api/ip
                                                              crypted.bin.exeGet hashmaliciousCryptOneBrowse
                                                              • /api/ip

                                                              Domains

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              worldtimeapi.orgIncident_Report_Harassment_by_Employee.docGet hashmaliciousUnknownBrowse
                                                              • 213.188.196.246
                                                              out.exeGet hashmaliciousUnknownBrowse
                                                              • 213.188.196.246
                                                              out.exeGet hashmaliciousUnknownBrowse
                                                              • 213.188.196.246
                                                              potrgssavalue.msiGet hashmaliciousUnknownBrowse
                                                              • 213.188.196.246
                                                              down.dllGet hashmaliciousUnknownBrowse
                                                              • 213.188.196.246
                                                              down.dllGet hashmaliciousUnknownBrowse
                                                              • 213.188.196.246
                                                              crypted.bin.exeGet hashmaliciousCryptOneBrowse
                                                              • 213.188.196.246
                                                              crypted.bin.exeGet hashmaliciousCryptOneBrowse
                                                              • 213.188.196.246
                                                              Fax-REF-6391989.htmlGet hashmaliciousHTMLPhisherBrowse
                                                              • 99.80.210.113

                                                              ASNs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              TELIA-NORWAY-ASTeliaNorwayCoreNetworksNOzWOxRE8mXb.elfGet hashmaliciousMirai, OkiruBrowse
                                                              • 146.248.204.198
                                                              B7nYecfqH0.elfGet hashmaliciousUnknownBrowse
                                                              • 146.254.2.198
                                                              sora.arm7.elfGet hashmaliciousMiraiBrowse
                                                              • 146.252.76.97
                                                              XMsAx1W894.elfGet hashmaliciousMiraiBrowse
                                                              • 159.171.245.180
                                                              1B7E3FLOXC.elfGet hashmaliciousUnknownBrowse
                                                              • 194.43.195.136
                                                              01EF8hZ6ib.elfGet hashmaliciousUnknownBrowse
                                                              • 213.225.83.116
                                                              0tfJECfbEP.elfGet hashmaliciousMiraiBrowse
                                                              • 159.131.65.10
                                                              8dToMPcvO1.elfGet hashmaliciousMiraiBrowse
                                                              • 213.236.216.88
                                                              NMdpQecbkg.elfGet hashmaliciousMiraiBrowse
                                                              • 146.242.216.75
                                                              pJNcZyhUh8.elfGet hashmaliciousMiraiBrowse
                                                              • 159.130.98.222

                                                              JA3 Fingerprints

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              3b5074b1b5d032e5620f69f9f700ff0ewNyot4Puq5.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                              • 213.188.196.246
                                                              ABD88D155FC99F529EDC0F725A4151C61126B7890BC6B.exeGet hashmaliciousDCRatBrowse
                                                              • 213.188.196.246
                                                              SecuriteInfo.com.Variant.Lazy.387025.32273.29448.exeGet hashmaliciousRedLineBrowse
                                                              • 213.188.196.246
                                                              SecuriteInfo.com.Variant.Lazy.387025.32273.29448.exeGet hashmaliciousRedLineBrowse
                                                              • 213.188.196.246
                                                              7Ql51TchBG.exeGet hashmaliciousPureLog Stealer, RedLine, Snake KeyloggerBrowse
                                                              • 213.188.196.246
                                                              INVOICE KAD-0138-2024.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 213.188.196.246
                                                              0KRPn.vbsGet hashmaliciousAgentTeslaBrowse
                                                              • 213.188.196.246
                                                              #U015eirket arac#U0131n#U0131z taraf#U0131ndan dikkatsiz s#U00fcr#U00fc#U015f tespit edildi.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLineBrowse
                                                              • 213.188.196.246
                                                              Supplier Order Scan 0001293039493.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLineBrowse
                                                              • 213.188.196.246
                                                              file.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 213.188.196.246

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\02dd997d-6715-4253-be92-99eff1a177a3.tmp

                                                              Download File
                                                              Process:C:\Users\user\Desktop\CashRansomware.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1025024
                                                              Entropy (8bit):7.999833713068994
                                                              Encrypted:true
                                                              SSDEEP:24576:cb0amtWNCA1fSO3q8J4HroMiefJU2Q/yh6JCRqY0v:OeWNCxO3xJ4LZSyYIRqRv
                                                              MD5:01F6ABF1EB88790EB80EBA7A4613A663
                                                              SHA1:1406AB7BD41F14B3EDEAC6459E67D86654451427
                                                              SHA-256:BACDB36F7FBFA5BA170A1D1BF421F7A9EE34AB0A683C9DC4CD1A9946339B247E
                                                              SHA-512:5932F9251C649BE976CDD3849DFB243DB38C261A18B2E5B228629C5B75BA54D87215A40E3723AC4E693C4D73A4FD2ABE29E132F21298D41F015A1859579B48AB
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:..<.Y..oW4^.3..r.ZS4....5F..%.y..$=.R_.Ka......B..<..s@...P...j.F..cD...;.],!.....<.....} ....6....L..z7v*}..G.z..$]..}q..&LSoz.G...ny.]*.....A..o....R:..{..1l..e3.J.Z..q..;.r...x...V"...Y.O{.a.~jq.z..?._{..O..T...G'B[B%wr`U.....c { W+...:ttY....4w"J=..]...&?.Z1.%^.D.O.f!...d..}..%.......].C..........r.aN+...\...W...mE.......N....^.N1<.,.?.";.{..96?cg.U^h..X@..2..y.x..i.j..C@>..3....A...`[n....uK.J...`r...I.n...6..z..r.w.W.#.a85@._.X$,|Z.j$.....m......q...i....-:)...`.EJ.....DX.y...B..G#...........^.d.../.-$h....<....<KTJ,....F.i.,2g,KQ....@z.OY.<.."9.K..h.u.1~.d.u......fQw....|..".CX.........B..h.r....:.......B.w.......j...yC..o...F...T..Yu.../......".e.A...w.60PR.qc......H....p..(..X/..N.^^...Y.{.Vl..-......"...u..|.AP.h.O..?...pA..|....<.......`.K.v.....1..?..x)...c+8.....H.k.....8....w.nP`....5.v....R.-..+..E.... ..2.6e..t.5...'.tU..X..b.cF.$.c.U...9..-.`/.5....:.......'~...Pj..H[R.::b.vB..-..(k......O...t#.

                                                              C:\Users\user\AppData\Local\Temp\Cash.img

                                                              Download File
                                                              Process:C:\Users\user\Desktop\CashRansomware.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 720 x 24, resolution 3780 x 3780 px/m, cbSize 2764854, bits offset 54
                                                              Category:modified
                                                              Size (bytes):2764854
                                                              Entropy (8bit):2.7521411763892423
                                                              Encrypted:false
                                                              SSDEEP:6144:jAMuUwoDU/dorgB5sp9n7h8ItUXDS8P5Nglr7lQ0azJt2ejZLwXzIz9L/uvOaKIL:AoI/d2gYf7hjWDPqRxa9jLwjSDX52
                                                              MD5:E0DEDE0899CF378B289F048E3C3B0B0A
                                                              SHA1:C869DEFBEFAF4515CA90A6FC13577A3B32DED3E6
                                                              SHA-256:BD74508984F14ED03346D3B90CFADE00241494898A54FB81C1CD78B245991496
                                                              SHA-512:0DF203DE5699208EA452B6E9D5DC1B9123AF1651B21ABA74A47E51C27A12C01D8C46DE7ACE3D336D9CF88AFE36CB7DCA57AACD71CF78FD5F15CB76E054473FEC
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:BM60*.....6...(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.746029460768452
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Windows Screen Saver (13104/52) 0.07%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:CashRansomware.exe
                                                              File size:2'702'848 bytes
                                                              MD5:71f0e2645d9051c3a8f5cf2dbce9d074
                                                              SHA1:a303632965f9fdc3b7cb4c532831c0b38f24df90
                                                              SHA256:132ef1a933f9d26fb0bb46b0a970dbfe05ad8fe0859ece8eb973b5584a580cc3
                                                              SHA512:14625c8fe238a41c0a45579731a15a705f153681a0f4e212b8315e3f5643542c57e17f82c247552b21417aa92dce36fd40fbcaaf85b4fb462182c2814f4f8077
                                                              SSDEEP:49152:Til/s9YkCKuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9u:OVsGkClzsG1tQRjdih8rwc
                                                              TLSH:20C5022D0325C628C95C57B0BAA2098877F0A95262FEC256FB77BDF78F342E1191644F
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7f.................,)..........K).. ...`)...@.. ........................)...........`................................

                                                              File Icon

                                                              Icon Hash:90cececece8e8eb0

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x694bbe
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x6637FAD7 [Sun May 5 21:32:07 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al

                                                              Data Directories

                                                              NameVirtual AddressVirtual Size Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x294b700x4b.text
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x2960000xda0.rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x2980000xc.reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text

                                                              Sections

                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                              .text0x20000x292bc40x292c002a932e15feaf0da7c3bc27ffff4df7baunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                              .rsrc0x2960000xda00xe008579a5decf6e13c74c1ea86d6d7eb55eFalse0.37806919642857145data5.0806761035875025IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc0x2980000xc0x200762f9c9041e064109aeb0e56a11b274cFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                              RT_MANIFEST0x2960580xd48XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.38588235294117645

                                                              Imports

                                                              DLLImport
                                                              mscoree.dll_CorExeMain

                                                              Network Behavior

                                                              Network Port Distribution

                                                              TCP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              May 6, 2024 02:41:52.547075987 CEST49730443192.168.2.4213.188.196.246
                                                              May 6, 2024 02:41:52.547117949 CEST44349730213.188.196.246192.168.2.4
                                                              May 6, 2024 02:41:52.547199011 CEST49730443192.168.2.4213.188.196.246
                                                              May 6, 2024 02:41:52.590895891 CEST49730443192.168.2.4213.188.196.246
                                                              May 6, 2024 02:41:52.590918064 CEST44349730213.188.196.246192.168.2.4
                                                              May 6, 2024 02:41:52.819555998 CEST44349730213.188.196.246192.168.2.4
                                                              May 6, 2024 02:41:52.819679976 CEST49730443192.168.2.4213.188.196.246
                                                              May 6, 2024 02:41:52.822642088 CEST49730443192.168.2.4213.188.196.246
                                                              May 6, 2024 02:41:52.822648048 CEST44349730213.188.196.246192.168.2.4
                                                              May 6, 2024 02:41:52.822877884 CEST44349730213.188.196.246192.168.2.4
                                                              May 6, 2024 02:41:52.862751961 CEST49730443192.168.2.4213.188.196.246
                                                              May 6, 2024 02:41:52.873580933 CEST49730443192.168.2.4213.188.196.246
                                                              May 6, 2024 02:41:52.920125961 CEST44349730213.188.196.246192.168.2.4
                                                              May 6, 2024 02:41:53.063513994 CEST44349730213.188.196.246192.168.2.4
                                                              May 6, 2024 02:41:53.063581944 CEST44349730213.188.196.246192.168.2.4
                                                              May 6, 2024 02:41:53.063623905 CEST49730443192.168.2.4213.188.196.246
                                                              May 6, 2024 02:43:33.071842909 CEST49730443192.168.2.4213.188.196.246

                                                              UDP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              May 6, 2024 02:41:52.429977894 CEST5128253192.168.2.41.1.1.1
                                                              May 6, 2024 02:41:52.541019917 CEST53512821.1.1.1192.168.2.4
                                                              May 6, 2024 02:43:43.023835897 CEST6153953192.168.2.41.1.1.1
                                                              May 6, 2024 02:43:43.135473967 CEST53615391.1.1.1192.168.2.4

                                                              DNS Queries

                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                              May 6, 2024 02:41:52.429977894 CEST192.168.2.41.1.1.10xf33aStandard query (0)worldtimeapi.orgA (IP address)IN (0x0001)false
                                                              May 6, 2024 02:43:43.023835897 CEST192.168.2.41.1.1.10x55b2Standard query (0)54.229.13.0.in-addr.arpaPTR (Pointer record)IN (0x0001)false

                                                              DNS Answers

                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                              May 6, 2024 02:41:52.541019917 CEST1.1.1.1192.168.2.40xf33aNo error (0)worldtimeapi.org213.188.196.246A (IP address)IN (0x0001)false
                                                              May 6, 2024 02:43:43.135473967 CEST1.1.1.1192.168.2.40x55b2Name error (3)54.229.13.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

                                                              HTTP Request Dependency Graph

                                                              • worldtimeapi.org

                                                              HTTPS Proxied Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.2.449730213.188.196.2464437336C:\Users\user\Desktop\CashRansomware.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-05-06 00:41:52 UTC72OUTGET /api/ip HTTP/1.1
                                                              Host: worldtimeapi.org
                                                              Connection: Keep-Alive
                                                              2024-05-06 00:41:53 UTC816INHTTP/1.1 200 OK
                                                              access-control-allow-credentials: true
                                                              access-control-allow-origin: *
                                                              access-control-expose-headers:
                                                              cache-control: max-age=0, private, must-revalidate
                                                              content-length: 398
                                                              content-type: application/json; charset=utf-8
                                                              cross-origin-window-policy: deny
                                                              date: Mon, 06 May 2024 00:41:52 GMT
                                                              server: Fly/a7fb3290 (2024-04-29)
                                                              x-content-type-options: nosniff
                                                              x-download-options: noopen
                                                              x-frame-options: SAMEORIGIN
                                                              x-permitted-cross-domain-policies: none
                                                              x-ratelimit-limit: 1800
                                                              x-ratelimit-remaining: 1799
                                                              x-ratelimit-reset: 1714957200
                                                              x-request-from: 84.17.40.101
                                                              x-request-id: F8y_f6AvHUP3Z5UcH12h
                                                              x-request-regions: a/mia;s/ord
                                                              x-response-origin: 3287d42b616e48
                                                              x-runtime: 251s
                                                              x-xss-protection: 1; mode=block
                                                              via: 1.1 fly.io
                                                              fly-request-id: 01HX5NK52F82SA07TX63A79N7A-mia
                                                              2024-05-06 00:41:53 UTC398INData Raw: 7b 22 61 62 62 72 65 76 69 61 74 69 6f 6e 22 3a 22 45 44 54 22 2c 22 63 6c 69 65 6e 74 5f 69 70 22 3a 22 38 34 2e 31 37 2e 34 30 2e 31 30 31 22 2c 22 64 61 74 65 74 69 6d 65 22 3a 22 32 30 32 34 2d 30 35 2d 30 35 54 32 30 3a 34 31 3a 35 32 2e 39 39 30 37 39 35 2d 30 34 3a 30 30 22 2c 22 64 61 79 5f 6f 66 5f 77 65 65 6b 22 3a 30 2c 22 64 61 79 5f 6f 66 5f 79 65 61 72 22 3a 31 32 36 2c 22 64 73 74 22 3a 74 72 75 65 2c 22 64 73 74 5f 66 72 6f 6d 22 3a 22 32 30 32 34 2d 30 33 2d 31 30 54 30 37 3a 30 30 3a 30 30 2b 30 30 3a 30 30 22 2c 22 64 73 74 5f 6f 66 66 73 65 74 22 3a 33 36 30 30 2c 22 64 73 74 5f 75 6e 74 69 6c 22 3a 22 32 30 32 34 2d 31 31 2d 30 33 54 30 36 3a 30 30 3a 30 30 2b 30 30 3a 30 30 22 2c 22 72 61 77 5f 6f 66 66 73 65 74 22 3a 2d 31 38 30 30
                                                              Data Ascii: {"abbreviation":"EDT","client_ip":"84.17.40.101","datetime":"2024-05-05T20:41:52.990795-04:00","day_of_week":0,"day_of_year":126,"dst":true,"dst_from":"2024-03-10T07:00:00+00:00","dst_offset":3600,"dst_until":"2024-11-03T06:00:00+00:00","raw_offset":-1800


                                                              Statistics

                                                              CPU Usage

                                                              Click to jump to process

                                                              Memory Usage

                                                              Click to jump to process

                                                              High Level Behavior Distribution

                                                              Click to dive into process behavior distribution

                                                              System Behavior

                                                              General

                                                              Target ID:0
                                                              Start time:02:41:50
                                                              Start date:06/05/2024
                                                              Path:C:\Users\user\Desktop\CashRansomware.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\Desktop\CashRansomware.exe"
                                                              Imagebase:0x2075ec40000
                                                              File size:2'702'848 bytes
                                                              MD5 hash:71F0E2645D9051C3A8F5CF2DBCE9D074
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1614514248.000002075EC42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:false

                                                              Disassembly

                                                              Reset < >

                                                                Executed Functions

                                                                Function 00007FFD9B87DB2A Relevance: 3.3, Strings: 2, Instructions: 805COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: VO_H$\O_H
                                                                • API String ID: 0-2853344854
                                                                • Opcode ID: df95ac8d98400bd44495e14138d7b1dbd2945a20e06a22a773fe5542f121b3a8
                                                                • Instruction ID: 0d755695414876b2c52f7e581b123c8f25e4d0e8a43e61649d0ae68bb447b457
                                                                • Opcode Fuzzy Hash: df95ac8d98400bd44495e14138d7b1dbd2945a20e06a22a773fe5542f121b3a8
                                                                • Instruction Fuzzy Hash: 19622871A0A55D8FEBA4DB68C8A8AA9B7F1FF59305F1040EAD04DE7291CF345A81DF40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87C8DD Relevance: 3.0, Strings: 2, Instructions: 489COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ujI$k
                                                                • API String ID: 0-1010181532
                                                                • Opcode ID: d1e256468a3e37b7c5d929e3ebae02d30c4a3a782c6f0d4b0e8a093303a500e5
                                                                • Instruction ID: e3df702914f09e99fd683d9d29c071fcaa5c99390f0c23ab22d9d12c5f9d947a
                                                                • Opcode Fuzzy Hash: d1e256468a3e37b7c5d929e3ebae02d30c4a3a782c6f0d4b0e8a093303a500e5
                                                                • Instruction Fuzzy Hash: 70122A70E1966D8FDB69DF28C8A8AE9B7B1FF59304F5000E9D00DE7291CA356A81DF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87C03C Relevance: 2.1, Strings: 1, Instructions: 888COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: X
                                                                • API String ID: 0-3081909835
                                                                • Opcode ID: 87e3c9a3170b0c4c45b502e804b3f69eb205f4a4541c354ce891a5ac664547e3
                                                                • Instruction ID: bcbab2608328f14f2b4e3c136e8d1ba037a629aab94f76488658564a878c9994
                                                                • Opcode Fuzzy Hash: 87e3c9a3170b0c4c45b502e804b3f69eb205f4a4541c354ce891a5ac664547e3
                                                                • Instruction Fuzzy Hash: 0E723B70E0965D8FDB65DF64C8A9AA9BBB1FF5A304F1010EED00DA7292DB345A81CF05
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87AA03 Relevance: 1.6, Strings: 1, Instructions: 322COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: `H
                                                                • API String ID: 0-3392911310
                                                                • Opcode ID: 134f97a12854d61815cdbf6df40405bf6fe8faee4d8fbf4753a81856b003ec5e
                                                                • Instruction ID: 576b407ba57f009c2a7b99b73617b334eedd53ef5ff2cf9cb84256db0f2816d2
                                                                • Opcode Fuzzy Hash: 134f97a12854d61815cdbf6df40405bf6fe8faee4d8fbf4753a81856b003ec5e
                                                                • Instruction Fuzzy Hash: A8C12D70D1965D8FDB65DF6888A9AEDBBF0EF19305F1000E9D04DA7292CB386A81DF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87E045 Relevance: 1.5, Strings: 1, Instructions: 261COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: \O_H
                                                                • API String ID: 0-2659003842
                                                                • Opcode ID: 9a82b15e23be9b03dedd37da387882342c43d42986ea47b073d0191f7c96de03
                                                                • Instruction ID: cb6ffd8b29b52b82a3a705e09e00dda475e6c1c06c1afd8a0591f5b5619c9cbc
                                                                • Opcode Fuzzy Hash: 9a82b15e23be9b03dedd37da387882342c43d42986ea47b073d0191f7c96de03
                                                                • Instruction Fuzzy Hash: 66A13C71E0A55D8FEBA4DB58C8A8AA9B7F1FF58305F1040EAD00DE3291DE349A81CF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87C543 Relevance: 1.4, Strings: 1, Instructions: 149COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: U
                                                                • API String ID: 0-3372436214
                                                                • Opcode ID: 6ae47aa5cc92d253676bddc35276b4859eef2f43149610c7e6be31b761b77d68
                                                                • Instruction ID: c9e00379ad82b0e52ada206db86d41e770bf77a858fb024c1c6c68df1402c866
                                                                • Opcode Fuzzy Hash: 6ae47aa5cc92d253676bddc35276b4859eef2f43149610c7e6be31b761b77d68
                                                                • Instruction Fuzzy Hash: 0151757091969C8FC755EB6888695E9BFF1FF5A340F0004EED04AD72A2EB345A81DF05
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87C5BC Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: U
                                                                • API String ID: 0-3372436214
                                                                • Opcode ID: 19d3493d00786ba7b588cc61ddc4e284a7e4f33a3c41a29daa646777848d2c26
                                                                • Instruction ID: 386a99a339b1c6c4c0727f776570585590ce5d77c4ed585e8c58de5e7f164244
                                                                • Opcode Fuzzy Hash: 19d3493d00786ba7b588cc61ddc4e284a7e4f33a3c41a29daa646777848d2c26
                                                                • Instruction Fuzzy Hash: EF41533491995C4FDB61EB6888695E9BBF1FF59341F1004EED00EE71A2EB345A81CF01
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B8796B7 Relevance: .4, Instructions: 411COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f393477222b5d7418b42bb1bc3ba58941fbe469f9493d68355cd330a9215f15a
                                                                • Instruction ID: 814f2f80506e4e9efbda421d556247df858f35bea42edd1d28d3f682d4e66192
                                                                • Opcode Fuzzy Hash: f393477222b5d7418b42bb1bc3ba58941fbe469f9493d68355cd330a9215f15a
                                                                • Instruction Fuzzy Hash: B402F470E0561D8BDB18CF98C4A59ECFBB2FF48304F14866DD41AAB396CA34A981CF54
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87E33A Relevance: .2, Instructions: 250COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: afc2b0ef9627a4752b08711fe8235bb0b48b797473c4f9f46af0728d941f59a3
                                                                • Instruction ID: a6f0af9a50d72bcf766ab8fd9a9030a3256e905e168f4209bf3a177ab6f3308a
                                                                • Opcode Fuzzy Hash: afc2b0ef9627a4752b08711fe8235bb0b48b797473c4f9f46af0728d941f59a3
                                                                • Instruction Fuzzy Hash: 28A15171E0A55D8FEBA4DB58C8A8AA9B7F1EF58305F1041EAD04DE3291CF349A81DF40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87D702 Relevance: .1, Instructions: 139COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9555614eaf674e8fcdcebe2b2c756c4842692bb6a9cbec9ece40c464773aa782
                                                                • Instruction ID: b7b0aadb4ee3b5887434d7d3d30514a36491270420c4913aba7a9a1dad749581
                                                                • Opcode Fuzzy Hash: 9555614eaf674e8fcdcebe2b2c756c4842692bb6a9cbec9ece40c464773aa782
                                                                • Instruction Fuzzy Hash: 1A519371E0E65D8FDB64DB6888A5AF87BF0EF5A304F0400EED04DA72D1CA345A81CB11
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87E606 Relevance: .1, Instructions: 130COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3403bc851a10062bbe18faf41899027f1f7a3bc9ed20aae9dd9a5dc7e3d2a2aa
                                                                • Instruction ID: 61f892abea3094240a3e01d92e82015ee7583f8ee3c9dada0d4105bf0b39ccc8
                                                                • Opcode Fuzzy Hash: 3403bc851a10062bbe18faf41899027f1f7a3bc9ed20aae9dd9a5dc7e3d2a2aa
                                                                • Instruction Fuzzy Hash: 87514E71E4A55D8FDBA4DF18C8A8AA9B7B1FF59304F1040EAD04DA3295CB34AE81CF40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87E8E7 Relevance: .1, Instructions: 126COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7d0b397ebc00d80e49f5b632378bef8f9991f7e167d177ba40996e52d0b6f97f
                                                                • Instruction ID: 3d71333064d3e4ff267832bcc9ea1eeb1dc9061a14c71afd00a83009add50c8e
                                                                • Opcode Fuzzy Hash: 7d0b397ebc00d80e49f5b632378bef8f9991f7e167d177ba40996e52d0b6f97f
                                                                • Instruction Fuzzy Hash: 53417371E0A5598FDBA4DB68D8A8BF9B7B0FF55304F1000FAD04D972A6CA345A82DF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87DDC4 Relevance: 1.6, Strings: 1, Instructions: 354COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: \O_H
                                                                • API String ID: 0-2659003842
                                                                • Opcode ID: 9015980692a3076f45cdbba648e363588fc07b69f5f119dd6b102e367b70b45d
                                                                • Instruction ID: 55f4f44c7896788a0354d1812c20083e1123173ec81570d900069738c143a597
                                                                • Opcode Fuzzy Hash: 9015980692a3076f45cdbba648e363588fc07b69f5f119dd6b102e367b70b45d
                                                                • Instruction Fuzzy Hash: 35D14D71E0A55D8FEB64DB68C8A8AA8B7F1FF59305F1040EAD04DE3291DE349A81DF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87E027 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: \O_H
                                                                • API String ID: 0-2659003842
                                                                • Opcode ID: ddca7854345834bcc0c4b97dcf51ab60a2561a577187dfcbd0110254ddadba12
                                                                • Instruction ID: 51893d08251a6349bd698377c6f50cf02ff195b684329d12bba31fea8a03f572
                                                                • Opcode Fuzzy Hash: ddca7854345834bcc0c4b97dcf51ab60a2561a577187dfcbd0110254ddadba12
                                                                • Instruction Fuzzy Hash: 49A14C71E0A95D8FEBA4DB58C8A8AA9B7F1FF58305F1041EAD00DE3291DE345A81DF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87DFDF Relevance: 1.5, Strings: 1, Instructions: 256COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: \O_H
                                                                • API String ID: 0-2659003842
                                                                • Opcode ID: 9e1811f925d638384024c57cac34a7d6c2c41b8268528541e96d9f04038da35e
                                                                • Instruction ID: 33bbd9a008548b59d07d7ec79dbe6196fc94db989de261379105cff9e182ea02
                                                                • Opcode Fuzzy Hash: 9e1811f925d638384024c57cac34a7d6c2c41b8268528541e96d9f04038da35e
                                                                • Instruction Fuzzy Hash: BAA14C71E0A95D8FEBA4DB58C8A8AA9B7F1FF58305F1041EAD00DE3291DE345A81DF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B870527 Relevance: 1.5, Strings: 1, Instructions: 204COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: %N_H
                                                                • API String ID: 0-2307434723
                                                                • Opcode ID: 588df3b97c546d28949702f1018567162ea671737eecd42f8f92e5db4416ed38
                                                                • Instruction ID: 726be55a42c7d9613f6326a13ba0eddab492010ae79367cbb346e8d40aab3885
                                                                • Opcode Fuzzy Hash: 588df3b97c546d28949702f1018567162ea671737eecd42f8f92e5db4416ed38
                                                                • Instruction Fuzzy Hash: 9A616E31E1951D8FEB54EBA8D865AECBBB1FF59304F1000BAD00DE7296DE34A981CB41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87D296 Relevance: 1.4, Strings: 1, Instructions: 173COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ~
                                                                • API String ID: 0-1707062198
                                                                • Opcode ID: b3fd3cc7aaab552c0e9a441b3111d0788465c72a6f8a983eb94fff65bca8d29c
                                                                • Instruction ID: d843ab343fc467482c8dd359258e7eaed3d707d139ab17dc5dbb328b3ce77ef8
                                                                • Opcode Fuzzy Hash: b3fd3cc7aaab552c0e9a441b3111d0788465c72a6f8a983eb94fff65bca8d29c
                                                                • Instruction Fuzzy Hash: AC512C71A0961D8FEB64DB68C8A8BE9B7F1FF59304F5100E9D04DA72A1CA346A81DF40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B870595 Relevance: 1.4, Strings: 1, Instructions: 131COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: %N_H
                                                                • API String ID: 0-2307434723
                                                                • Opcode ID: a5a4704d7e0b33606dbac17fb0eca0f091d9504ccca4905a47c3bbee6a78a9ca
                                                                • Instruction ID: 498272fd3fcb62e0979d25160314c8e1a2df2f528ed85176443588369992e137
                                                                • Opcode Fuzzy Hash: a5a4704d7e0b33606dbac17fb0eca0f091d9504ccca4905a47c3bbee6a78a9ca
                                                                • Instruction Fuzzy Hash: E1412A30E18A1D8FEF94EF98D864AACB7B1FF59300F100069D01DE3295DB35A981CB41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87C463 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: R
                                                                • API String ID: 0-1466425173
                                                                • Opcode ID: eacf6de70e7f0f000bd1f8b3c081a1d32e883afa6169312e5458d787cffe740d
                                                                • Instruction ID: ce9888e1128d8154128fc4bd0837bc7e844a4d6cc21b209e1e5c48b9cf996fc4
                                                                • Opcode Fuzzy Hash: eacf6de70e7f0f000bd1f8b3c081a1d32e883afa6169312e5458d787cffe740d
                                                                • Instruction Fuzzy Hash: BC211A30A1955C4FCB61EB6888A9AE9BBF1FF1D301F4105EAD00DE7192EB345F818B41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87B20F Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: /
                                                                • API String ID: 0-2043925204
                                                                • Opcode ID: 126762be690b434ac957d53cb27ac0d0c978a56252e3feab71cf8ca40c1f9735
                                                                • Instruction ID: 20b10f94f037785e6703fa4aa94daa4a91bbcd96a13ce654707099bc66c3d809
                                                                • Opcode Fuzzy Hash: 126762be690b434ac957d53cb27ac0d0c978a56252e3feab71cf8ca40c1f9735
                                                                • Instruction Fuzzy Hash: 8711D33191E6998FD765CB28C4A87A9BBF1FF1A304F0401EED0499B162C6291B42DB41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87B233 Relevance: 1.3, Strings: 1, Instructions: 54COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: /
                                                                • API String ID: 0-2043925204
                                                                • Opcode ID: 04649391d336da5a9f6bcda7347fc34633fabbcccb99444b2fac86960f8deb0a
                                                                • Instruction ID: d6040882133a627696b59310f22bfdf7dfacc8e4c504b672e292614ef914ceaf
                                                                • Opcode Fuzzy Hash: 04649391d336da5a9f6bcda7347fc34633fabbcccb99444b2fac86960f8deb0a
                                                                • Instruction Fuzzy Hash: 9611C87091969D8FD769DB2C84A97A97BF1FF5A300F5001EED04DDB192CA381B82CB01
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87B2E2 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: /
                                                                • API String ID: 0-2043925204
                                                                • Opcode ID: 934d526c2d4d0e7b3afe1cc30f16dcb19524a37c5b58374a233972a3981ebe83
                                                                • Instruction ID: 02ddedf15a3a0dc50b18c944eab4447076203ec6b32b9f90c694d46781965cd9
                                                                • Opcode Fuzzy Hash: 934d526c2d4d0e7b3afe1cc30f16dcb19524a37c5b58374a233972a3981ebe83
                                                                • Instruction Fuzzy Hash: 1311C2309096998FC729DB2884AC7997BF1FF6A300F5005EDD08A9B162CA391B82CB01
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87BF9B Relevance: 1.3, Strings: 1, Instructions: 50COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: E
                                                                • API String ID: 0-3568589458
                                                                • Opcode ID: d822ec0309a895d4da7637f9d07327abc7d7beed76ffe4d6d8f92cb6da517681
                                                                • Instruction ID: b3d60f55cdbcac0cdb1d2c79bfc3d917b1f2cbc9cd35168db115357fb23b52a9
                                                                • Opcode Fuzzy Hash: d822ec0309a895d4da7637f9d07327abc7d7beed76ffe4d6d8f92cb6da517681
                                                                • Instruction Fuzzy Hash: 9A11A370915A5D8FDB65EB7888A89E9B7B0FF09305F1004FDD009D72A2DB38AA81CB04
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87E31C Relevance: .2, Instructions: 246COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 856e97a440feb113c4d42943faccfedd169680844f965789b7a825b69b054dfa
                                                                • Instruction ID: f4f21f18b4e190ff3199deed50e18b923dea969531ea5bfce9fa6a07cf4a23e2
                                                                • Opcode Fuzzy Hash: 856e97a440feb113c4d42943faccfedd169680844f965789b7a825b69b054dfa
                                                                • Instruction Fuzzy Hash: E3916F71E0A55D8FEBA4DB58C8A8AA9B7F1EF58305F1041EAD04DE3291DF346A81DF40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87E2D4 Relevance: .2, Instructions: 245COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 074b9ed396592ed0ec80276b15d2b9e016fb844d0b1dc3c3af1bec846358abca
                                                                • Instruction ID: 427dd772dc2025a4a8b3bd63cfcf2e3fdfbb3ae9732b90f872fab52897a0e848
                                                                • Opcode Fuzzy Hash: 074b9ed396592ed0ec80276b15d2b9e016fb844d0b1dc3c3af1bec846358abca
                                                                • Instruction Fuzzy Hash: CC916E71E0A55D8FEBA4DB58C8A8AA9B7F1EF58305F1041EAD04DE3291DF346A81DF40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87330C Relevance: .2, Instructions: 225COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 91998cbd3cd8e67f33158d4930414b756f6958ad1a4f82695e23119f5efb81c0
                                                                • Instruction ID: 09da8c62f3a1e11026f2926e4de989e5aa02df1516395846deffe307b68b7f60
                                                                • Opcode Fuzzy Hash: 91998cbd3cd8e67f33158d4930414b756f6958ad1a4f82695e23119f5efb81c0
                                                                • Instruction Fuzzy Hash: FF81A470A0965D8FCB55DFA884A5AFDBBF0FF59300F1401BED04EDB2A2CA246642DB45
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87D57B Relevance: .2, Instructions: 202COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e4efb6f2402f07097e93abc4ecac8db42152a6ca709d30ff19dfd48fcd79457e
                                                                • Instruction ID: 539da00cd47ec83788d19c4ea7b51e259a65839d7e60de9f1f3f6687d5fee7ab
                                                                • Opcode Fuzzy Hash: e4efb6f2402f07097e93abc4ecac8db42152a6ca709d30ff19dfd48fcd79457e
                                                                • Instruction Fuzzy Hash: FC715A71A0965D8FEB64DF2888A9AE8BBF1EF59304F1001EAD04DA7291CB345A81DF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87083D Relevance: .2, Instructions: 188COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4fb1e81353dafc2182767e3f0e5185321259296af78f6e84906e2a8d4e3f1ae3
                                                                • Instruction ID: 4cf7257b9dfbc64cb397a66aa5524f1e648e2c789a4cead96d0f1c59c04c7728
                                                                • Opcode Fuzzy Hash: 4fb1e81353dafc2182767e3f0e5185321259296af78f6e84906e2a8d4e3f1ae3
                                                                • Instruction Fuzzy Hash: 94512432E1E15E8FEB15ABA8E8A16EC37A0FF59318F0001B7D05DD71E7DE2824469791
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B8726FD Relevance: .2, Instructions: 188COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3b624500d441c2e71b7ab39204910121dd8d6d0faadc706be491dc8b8f828a25
                                                                • Instruction ID: de6d985db9d4165fd2a4bbd19dff75dfba4dff0cea86cccb40df445be0a95a14
                                                                • Opcode Fuzzy Hash: 3b624500d441c2e71b7ab39204910121dd8d6d0faadc706be491dc8b8f828a25
                                                                • Instruction Fuzzy Hash: 59510251A5E2C85FD342A7BC58BA6FE7FE4EF5B110B5405FFD08ACB1A3C80826429342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87270C Relevance: .2, Instructions: 188COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f3a3e886645b9aa23dc2c0ebff8e7b1f96946a70164d5e1a7c9f84478400aa6c
                                                                • Instruction ID: de99fc8e1e1ed2df51b73850c83c4ed49766e04c2aa7bb7a0691fdad101f25f6
                                                                • Opcode Fuzzy Hash: f3a3e886645b9aa23dc2c0ebff8e7b1f96946a70164d5e1a7c9f84478400aa6c
                                                                • Instruction Fuzzy Hash: B451376165E6C85FD352A7BC58BA6FE7FE4EF4B110B5404FFD08ACB1A3C80826429342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B870480 Relevance: .2, Instructions: 178COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e620507fc9dcade8c2257b42d6c842aa3ca819f0a455d389e456dfa20f48643b
                                                                • Instruction ID: 19d4b1a871be2fb25718b56cdbf2173f1b43863ef7988e455db484c70fe29ad6
                                                                • Opcode Fuzzy Hash: e620507fc9dcade8c2257b42d6c842aa3ca819f0a455d389e456dfa20f48643b
                                                                • Instruction Fuzzy Hash: F951C131E0AA5D8FDB64EFA8D8A46FD7BB1FF09314F14007AD049E32A1CA395981CB40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B872FE8 Relevance: .2, Instructions: 169COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1b81641258c4731ccd4eb7ac16f2e7043a0c86b9e6cbf57d58f376d9183ad401
                                                                • Instruction ID: 5a8b4f30bf01e8ee6f672a7ad50b64df24e513253c9d85d0a6e7b46d758e2e97
                                                                • Opcode Fuzzy Hash: 1b81641258c4731ccd4eb7ac16f2e7043a0c86b9e6cbf57d58f376d9183ad401
                                                                • Instruction Fuzzy Hash: 1351066150D6C88FD35A8B7898687E87FE0EF8B214F5404FED085CB2E7DB682656D342
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B872FF7 Relevance: .2, Instructions: 163COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b4be801dcef0a0cf11a68d9b9c5ce9ef28cf757c77880dde44f7c7994e1f49f7
                                                                • Instruction ID: daee9ae3b0d6ae8be80a7abdcfbc92c538457c4059a36d9e25b94e28e86af843
                                                                • Opcode Fuzzy Hash: b4be801dcef0a0cf11a68d9b9c5ce9ef28cf757c77880dde44f7c7994e1f49f7
                                                                • Instruction Fuzzy Hash: 9E51E66150D6C88FD35A8B7898697E87FE0EF8B224F5404FED085CB2E7CB681656C742
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B8704D0 Relevance: .2, Instructions: 162COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0448bb9b3fbe46bdb4c9598b446ca3d52d175e7a26c7321c27fa36804ad03715
                                                                • Instruction ID: 94238700134a8fa42a282a2222ca84a503c4d752e23467d44953a2b713caa637
                                                                • Opcode Fuzzy Hash: 0448bb9b3fbe46bdb4c9598b446ca3d52d175e7a26c7321c27fa36804ad03715
                                                                • Instruction Fuzzy Hash: DA517A30909A5D8FDB55EFA8C4996FDBBF1EF59300F10117AD019E72A1CA399981CB80
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87336D Relevance: .1, Instructions: 143COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 81b79f60ca6b3cccfca703faa45367617c19be2ebf5cb46cb84be6a675a086df
                                                                • Instruction ID: 5b76ef9faeb420ec0a0cc819dc86753391d724dc7e807f1f6a501c704cfd429c
                                                                • Opcode Fuzzy Hash: 81b79f60ca6b3cccfca703faa45367617c19be2ebf5cb46cb84be6a675a086df
                                                                • Instruction Fuzzy Hash: A8512A70A1955C8FCB95EB68C4A5BED7BF1FF59310F1400EAD04DE72A1CA34AA85CB41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B8704F8 Relevance: .1, Instructions: 138COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 39fe28feb63846ff23d352648b8a01393c804549fc274c2a545bb39b406748e6
                                                                • Instruction ID: cfefb69adaca4fc629d2966d2361d15bab9038a5c82cd4efba747598c7b4873d
                                                                • Opcode Fuzzy Hash: 39fe28feb63846ff23d352648b8a01393c804549fc274c2a545bb39b406748e6
                                                                • Instruction Fuzzy Hash: F7412C71A0961D8FDBA4EB68C855BEC7BB1FF59301F5001AAD00DE32A5DB356981CB41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87E5E3 Relevance: .1, Instructions: 127COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8217cf15b831c8df8a1e0962deeaa93c4aea5cfcfc20e1d000c4d2b6defc44aa
                                                                • Instruction ID: 30d4056f201d8a21f778a6b2b5c319844d0368b41a8bdb259573492c0b899bea
                                                                • Opcode Fuzzy Hash: 8217cf15b831c8df8a1e0962deeaa93c4aea5cfcfc20e1d000c4d2b6defc44aa
                                                                • Instruction Fuzzy Hash: 58416E71E4A55D8FDBA4DB68C8A8AA9B7B1FF58304F1041FAD04DA3291DB346A81CF40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87D6F4 Relevance: .1, Instructions: 126COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: be6bd7f64eeed7ba2fca58e474293cc0c82e4185fd2cde7e68ecb8d02bff4b16
                                                                • Instruction ID: 89b1b9529b893bf0a88f1d4f69e2e62ed6baa7889b0f89e47cee107373799296
                                                                • Opcode Fuzzy Hash: be6bd7f64eeed7ba2fca58e474293cc0c82e4185fd2cde7e68ecb8d02bff4b16
                                                                • Instruction Fuzzy Hash: 8B417071A0D65D8FEF64DB6888A9AF8BBF0EF59304F5400EED04DA72D1CA345A81CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87E5A0 Relevance: .1, Instructions: 125COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 68f8fec6e49f289a18da692857dbc13d3aaa7965862571db16dea6ec9b9c66ce
                                                                • Instruction ID: 4e5bba9a51aad0731f3e7abb9fe83ba5a5c9656a5ff764af5dbc4b0de843aefb
                                                                • Opcode Fuzzy Hash: 68f8fec6e49f289a18da692857dbc13d3aaa7965862571db16dea6ec9b9c66ce
                                                                • Instruction Fuzzy Hash: 5A416C71E4A55D8FDBA4DB68C8A8AA9B7B1FF58304F1041EAD04DA3295DB346A81CF40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87D6AC Relevance: .1, Instructions: 125COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e2c38931f2de91ddb182ac60182f17bd1d141e031d991e37f5da5f65df5b6151
                                                                • Instruction ID: 8e089c1d2a65d4fd5a40367c840b949d93d812b1b54413d36514aaa30068a722
                                                                • Opcode Fuzzy Hash: e2c38931f2de91ddb182ac60182f17bd1d141e031d991e37f5da5f65df5b6151
                                                                • Instruction Fuzzy Hash: BD418171A0D65D8FEF64DB6888A9AF87BF0EF59304F4400EED04DA72D1CA345A81CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87E8D4 Relevance: .1, Instructions: 114COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ecdc194b96432190fbe00db291051afe5fb0043f847c2b0e74eaa22e81832f27
                                                                • Instruction ID: 21140ad1b320eb98924a89e4795d0d9655dcf776fe7bc58be6a3d775fcd0513e
                                                                • Opcode Fuzzy Hash: ecdc194b96432190fbe00db291051afe5fb0043f847c2b0e74eaa22e81832f27
                                                                • Instruction Fuzzy Hash: D4417F71E0A55E8FDBA4DB58D8A8BB9B7B0FF59304F1040FAD04D93692CE345A81DB41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87E891 Relevance: .1, Instructions: 112COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 89d83673a54bd461703a5cd2e90146d3901d9de7fe3a2b390f800e0c7392b84c
                                                                • Instruction ID: cae2ec50ff88973489cac9d2f94367b8b15ff26ad709ff327122c05b91333332
                                                                • Opcode Fuzzy Hash: 89d83673a54bd461703a5cd2e90146d3901d9de7fe3a2b390f800e0c7392b84c
                                                                • Instruction Fuzzy Hash: 12417E71A0A55E8FDBA4DB58D8A8BB9B7B0FF59304F1000FAD04D93692CE346A81DF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B8708B9 Relevance: .1, Instructions: 92COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0352b2fa5fb07b32b9a0d2fdcee17b5ff6a0b0036ef67d76191dabe1e4fbfe46
                                                                • Instruction ID: 04c9525c1862ef77cb3a4b21c7ccfc10d172841c47df006ddd45b67f3e1560cb
                                                                • Opcode Fuzzy Hash: 0352b2fa5fb07b32b9a0d2fdcee17b5ff6a0b0036ef67d76191dabe1e4fbfe46
                                                                • Instruction Fuzzy Hash: E631AE71E1964D8FEB45DBA8D8A56ED7BB1FF59300F0101BAE049E72D6DA3868018741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B872628 Relevance: .1, Instructions: 55COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b8bee7560ec3d5dc4cd6bb28a8bbe041e52b8b104b3868195ef1d2cac6b3f39d
                                                                • Instruction ID: ffdbeaa848961bd3532acd5218f14cf22de3555a9db2a1f7708d4eb10f465a45
                                                                • Opcode Fuzzy Hash: b8bee7560ec3d5dc4cd6bb28a8bbe041e52b8b104b3868195ef1d2cac6b3f39d
                                                                • Instruction Fuzzy Hash: 83016530A1891D9FDF90EB98D864AEEBBF4FF5C310F010036E009E32A4CA34A940CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B8745BE Relevance: .1, Instructions: 51COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1395f7c93c2b122e367358f2fcc0ea3d9a41af8aeb6ab25f3819360ba9cdf687
                                                                • Instruction ID: 9e4acdabda4f701598f35ba73b0ad0356ab1d5e9a30bcfa27b45b1237c3e6a9f
                                                                • Opcode Fuzzy Hash: 1395f7c93c2b122e367358f2fcc0ea3d9a41af8aeb6ab25f3819360ba9cdf687
                                                                • Instruction Fuzzy Hash: D0110AB0E2951E8EDBA4EB58C8946A972B1FF58319F4001F9914DD3161CE346E80DF45
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87C83A Relevance: .0, Instructions: 50COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 79e312af3cdb332e0dcea8261bec2512cb93439ff4eb922bfb5a7bd05e26e379
                                                                • Instruction ID: 0276f8f5ad9573d8e0be627cb01f67433f92fae3bbbd07ae7fec2924956df49e
                                                                • Opcode Fuzzy Hash: 79e312af3cdb332e0dcea8261bec2512cb93439ff4eb922bfb5a7bd05e26e379
                                                                • Instruction Fuzzy Hash: D511CB30A1492D8FDBA5EB28CCACAA9B7B1FF19306F1105E9900DD31A1DA305AC1DF04
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B879265 Relevance: .0, Instructions: 50COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f460f86702550e28024287ba452bf4bad2889ff7dd6db93a6ff36b179ce77e5a
                                                                • Instruction ID: cad9ec8ff2fd773d8e0e4874f89708bfffc19378c6d2455ee9e4169f9264840f
                                                                • Opcode Fuzzy Hash: f460f86702550e28024287ba452bf4bad2889ff7dd6db93a6ff36b179ce77e5a
                                                                • Instruction Fuzzy Hash: CF011771909A4E8FDF94EF58C899AA97BF0FF28300F1504AAE81CD7261D734E990CB40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B8789F1 Relevance: .0, Instructions: 38COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3f47cec23ed455970115b74d9001a0efff3b2e0eef2c4e1138aeff10877284f8
                                                                • Instruction ID: 59f5cc7cc978da851dd064755ea9417aaca9cde7dcca7600cd98fa8e14d66e3f
                                                                • Opcode Fuzzy Hash: 3f47cec23ed455970115b74d9001a0efff3b2e0eef2c4e1138aeff10877284f8
                                                                • Instruction Fuzzy Hash: F2015E74E0961DCFDB61DB58C894BEAB3B0EB58705F1081A5D429A3290CB386B45DF45
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B872C44 Relevance: .0, Instructions: 34COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1558e2a590f7c1e8f599d1d3cc5d8cb004055b9e4dff6214061b2eefd0514e14
                                                                • Instruction ID: 914825d5e8d3a8d24ca6f1d7c67b61f4130d121b8ec6b868b4df3168ee478ce2
                                                                • Opcode Fuzzy Hash: 1558e2a590f7c1e8f599d1d3cc5d8cb004055b9e4dff6214061b2eefd0514e14
                                                                • Instruction Fuzzy Hash: 4301A46090D6D88FD74697788875AE97FF0AF1B200B1405EED04ADB293C9381A42CB11
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B870B48 Relevance: .0, Instructions: 19COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 93f9c353f1e241b509a7e9d8aa5168dfe57b1be1127d0571cb7fb9406a5a0455
                                                                • Instruction ID: f1ee103f1b916aaf2e3706d488baeafd2db89c0ff9b094057c7d5ab504ccd956
                                                                • Opcode Fuzzy Hash: 93f9c353f1e241b509a7e9d8aa5168dfe57b1be1127d0571cb7fb9406a5a0455
                                                                • Instruction Fuzzy Hash: 9AE0C232D5F68E89EF71A7A448A11FC7A61FF4AA0CF050179E45D630E2DE182358D683
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B8789AB Relevance: .0, Instructions: 17COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: afe259270ac9a78f5d0cad70fbae42e25116d81498b2ec7267b82c4b7b652045
                                                                • Instruction ID: 98558ea2854ba6777d1343e27e1aee402f8156f0161f519f1098a7840ea1972c
                                                                • Opcode Fuzzy Hash: afe259270ac9a78f5d0cad70fbae42e25116d81498b2ec7267b82c4b7b652045
                                                                • Instruction Fuzzy Hash: 2CE0ED70A1565E8FDBA5EB14C8A1AACB3B0EB48704F4100F4911CA3191DE346B818F41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87C72A Relevance: .0, Instructions: 16COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7eca582bfbfc0dad870b501d9c0bf79c6526ee67856c3b0713445fd5998859d7
                                                                • Instruction ID: 7fbb5b150d11849898063972f58c8f3777bc93ab4e5e86939477fe17072ffeae
                                                                • Opcode Fuzzy Hash: 7eca582bfbfc0dad870b501d9c0bf79c6526ee67856c3b0713445fd5998859d7
                                                                • Instruction Fuzzy Hash: 9AD05E105399994FC7D2972848BA7E66FE1BF491117D406EA804EC7196D4680A528745
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B872D4B Relevance: .0, Instructions: 16COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e64560e338f002576914448df41b2291835e212afacc67e370c308607d76b19e
                                                                • Instruction ID: 9bc98273638c04d8d02407686be522d6df4876b343f55e5780c6ad699f673afb
                                                                • Opcode Fuzzy Hash: e64560e338f002576914448df41b2291835e212afacc67e370c308607d76b19e
                                                                • Instruction Fuzzy Hash: EED05E3061459C8FCB91EB28C8A4BEDBBF1EF49200F1445EAC04EE72E1CD346E858B40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B87AE28 Relevance: .0, Instructions: 9COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cb7f40f2a9f95bdee9f9b2106684ce4012033db8710a417a5ee560a0cc56a462
                                                                • Instruction ID: 6a8cadd7213a0b6a9afdaaf27cbb7165b66e4caacb0f7211e90e2fbf817f9079
                                                                • Opcode Fuzzy Hash: cb7f40f2a9f95bdee9f9b2106684ce4012033db8710a417a5ee560a0cc56a462
                                                                • Instruction Fuzzy Hash: F9C09B1025D5995FE31257E804757EA6B999F46304F5405F9E08D4B1E3C40956475241
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Function 00007FFD9B87208C Relevance: .2, Instructions: 153COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 08b71d1f91c7ce41cc8ccfb0154d0452b3abd8ab902f90602572af843e631c25
                                                                • Instruction ID: f84acf5c99349aff8fd814abdbcd43f680a79ae6d8ae4022718c471dbc084261
                                                                • Opcode Fuzzy Hash: 08b71d1f91c7ce41cc8ccfb0154d0452b3abd8ab902f90602572af843e631c25
                                                                • Instruction Fuzzy Hash: A05127A190A6C58FE34ACB6808766E5BFD2FF96210F0846FEE4498F1E7D92911429706
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00007FFD9B8706FA Relevance: 10.1, Strings: 8, Instructions: 71COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4378297822.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b870000_CashRansomware.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: =P_^$P_^H$P_^R$P_^T$P_^b$P_^d$P_^f$P_^h
                                                                • API String ID: 0-786020053
                                                                • Opcode ID: b912f7a110836811cdc7473d87c681dfbc193979bdf3f1ddf8c8e9a9dc48084d
                                                                • Instruction ID: 9202e187dae6512a11facf7aa44862d59f7fc5cbc694e6e63b257004c5f7515e
                                                                • Opcode Fuzzy Hash: b912f7a110836811cdc7473d87c681dfbc193979bdf3f1ddf8c8e9a9dc48084d
                                                                • Instruction Fuzzy Hash: 2B11E5CBB5402559D31532F87DE66EC134CCF40BFD7480B73D5BDCE08BA858998A8181
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%