Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 11:06

General

  • Target

    5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe

  • Size

    133KB

  • MD5

    5ebf1b0c233e9ef06a63623c7116e4a6

  • SHA1

    75c59361b6a8965ddf7f48bfd761fc75be410767

  • SHA256

    7ef1ecfe0e7f3ca00837d52dbc783359db692302109ad833168e4d8d781d5988

  • SHA512

    8448fe724907df5d72069604740b16783ce1ec38db1eb140b17c15c684f9840b7ee80a728e71dfec1ee87c017adfce6b0b7dc29dcc8ef2c91f42112769d0aff6

  • SSDEEP

    3072:4jYFtrnz2QVsDReiq9GCMDAhU0jqI07PWQZBmJoAGHjRumwA:4sneQi+GnDAa0p0rWQiJoAGHdv

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636 | | 2. http://cerberhhyed5frqa.xo59ok.win/ABF8-4395-AA22-0291-2636 | | 3. http://cerberhhyed5frqa.zx34jk.win/ABF8-4395-AA22-0291-2636 | | 4. http://cerberhhyed5frqa.rt4e34.win/ABF8-4395-AA22-0291-2636 | | 5. http://cerberhhyed5frqa.as13fd.win/ABF8-4395-AA22-0291-2636 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/ABF8-4395-AA22-0291-2636 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636

http://cerberhhyed5frqa.xo59ok.win/ABF8-4395-AA22-0291-2636

http://cerberhhyed5frqa.zx34jk.win/ABF8-4395-AA22-0291-2636

http://cerberhhyed5frqa.rt4e34.win/ABF8-4395-AA22-0291-2636

http://cerberhhyed5frqa.as13fd.win/ABF8-4395-AA22-0291-2636

http://cerberhhyed5frqa.onion/ABF8-4395-AA22-0291-2636

Extracted

Path

C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #CerberRansomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636" target="_blank">http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636</a></li> <li><a href="http://cerberhhyed5frqa.xo59ok.win/ABF8-4395-AA22-0291-2636" target="_blank">http://cerberhhyed5frqa.xo59ok.win/ABF8-4395-AA22-0291-2636</a></li> <li><a href="http://cerberhhyed5frqa.zx34jk.win/ABF8-4395-AA22-0291-2636" target="_blank">http://cerberhhyed5frqa.zx34jk.win/ABF8-4395-AA22-0291-2636</a></li> <li><a href="http://cerberhhyed5frqa.rt4e34.win/ABF8-4395-AA22-0291-2636" target="_blank">http://cerberhhyed5frqa.rt4e34.win/ABF8-4395-AA22-0291-2636</a></li> <li><a href="http://cerberhhyed5frqa.as13fd.win/ABF8-4395-AA22-0291-2636" target="_blank">http://cerberhhyed5frqa.as13fd.win/ABF8-4395-AA22-0291-2636</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636" target="_blank">http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636" target="_blank">http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636" target="_blank">http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/ABF8-4395-AA22-0291-2636</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16405) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\rdrleakdiag.exe
      "C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\rdrleakdiag.exe"
      2⤵
      • Adds policy Run key to start application
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3740
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1380
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3296
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff675e46f8,0x7fff675e4708,0x7fff675e4718
          4⤵
            PID:4832
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
            4⤵
              PID:2860
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4388
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
              4⤵
                PID:236
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
                4⤵
                  PID:4344
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                  4⤵
                    PID:1064
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
                    4⤵
                      PID:3408
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
                      4⤵
                        PID:2348
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
                        4⤵
                          PID:116
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
                          4⤵
                            PID:4592
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
                            4⤵
                              PID:2972
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
                              4⤵
                                PID:960
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
                                4⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1380
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
                                4⤵
                                  PID:5176
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
                                  4⤵
                                    PID:5300
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:1
                                    4⤵
                                      PID:2764
                                  • C:\Windows\system32\NOTEPAD.EXE
                                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                                    3⤵
                                      PID:3988
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636
                                      3⤵
                                        PID:2028
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff675e46f8,0x7fff675e4708,0x7fff675e4718
                                          4⤵
                                            PID:4976
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                          3⤵
                                            PID:3228
                                          • C:\Windows\system32\cmd.exe
                                            /d /c taskkill /t /f /im "rdrleakdiag.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\rdrleakdiag.exe" > NUL
                                            3⤵
                                              PID:5528
                                              • C:\Windows\system32\taskkill.exe
                                                taskkill /t /f /im "rdrleakdiag.exe"
                                                4⤵
                                                • Kills process with taskkill
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:5580
                                              • C:\Windows\system32\PING.EXE
                                                ping -n 1 127.0.0.1
                                                4⤵
                                                • Runs ping.exe
                                                PID:5692
                                          • C:\Windows\SysWOW64\cmd.exe
                                            /d /c taskkill /t /f /im "5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe" > NUL
                                            2⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:2940
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /t /f /im "5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe"
                                              3⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1816
                                            • C:\Windows\SysWOW64\PING.EXE
                                              ping -n 1 127.0.0.1
                                              3⤵
                                              • Runs ping.exe
                                              PID:4044
                                        • C:\Windows\system32\vssvc.exe
                                          C:\Windows\system32\vssvc.exe
                                          1⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3876
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:2984
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:1616
                                            • C:\Windows\system32\AUDIODG.EXE
                                              C:\Windows\system32\AUDIODG.EXE 0x4a0 0x4f0
                                              1⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2488

                                            Network

                                            MITRE ATT&CK Matrix ATT&CK v13

                                            Execution

                                            Windows Management Instrumentation

                                            1
                                            T1047

                                            Persistence

                                            Boot or Logon Autostart Execution

                                            2
                                            T1547

                                            Registry Run Keys / Startup Folder

                                            2
                                            T1547.001

                                            Privilege Escalation

                                            Boot or Logon Autostart Execution

                                            2
                                            T1547

                                            Registry Run Keys / Startup Folder

                                            2
                                            T1547.001

                                            Defense Evasion

                                            Indicator Removal

                                            2
                                            T1070

                                            File Deletion

                                            2
                                            T1070.004

                                            Modify Registry

                                            3
                                            T1112

                                            Credential Access

                                            Unsecured Credentials

                                            1
                                            T1552

                                            Credentials In Files

                                            1
                                            T1552.001

                                            Discovery

                                            Network Service Discovery

                                            2
                                            T1046

                                            Query Registry

                                            2
                                            T1012

                                            System Information Discovery

                                            3
                                            T1082

                                            Remote System Discovery

                                            1
                                            T1018

                                            Collection

                                            Data from Local System

                                            1
                                            T1005

                                            Impact

                                            Inhibit System Recovery

                                            2
                                            T1490

                                            Defacement

                                            1
                                            T1491

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
                                              Filesize

                                              12KB

                                              MD5

                                              6fd8bbe248d7a694df0dfeaeebbac608

                                              SHA1

                                              d24cd36d733cca919dd334258ea99d78603cdb13

                                              SHA256

                                              8f8fddb69819a78f9964ff122c892fe249616fdb07f2db4525e19be1111cbd7b

                                              SHA512

                                              f581093b60df7cdbf8ec5639c570d20330cb4ca58b4e4d64778d29128949bccddb0d5bafb50e26a2e450fc6182e94a3907414e6f18e8e2e86399d37fbd57d55d

                                            • C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt
                                              Filesize

                                              10KB

                                              MD5

                                              86b36f3c869d0e05050b3677bcf74a7c

                                              SHA1

                                              926c60b084cc585f4ff694cb60d0227be1aeafe3

                                              SHA256

                                              ff09ec7a4ff6715a4b4baef943200e590f9dcf341fdd06851590c0cf798e4706

                                              SHA512

                                              bb1d8c85810d1dd3caad382c5dfb721d1504aa5b5afb41a7b3c9839816d9f73e12eeb9544d16236d3156abbd4b2e4cb7e73d2d8e8ba744c89e39959ba98b6bb9

                                            • C:\Recovery\WindowsRE\# DECRYPT MY FILES #.url
                                              Filesize

                                              85B

                                              MD5

                                              caa5151d324b69d087b71305850d8000

                                              SHA1

                                              0af67308be0646f4a4856b2cd4afd84ac0474fbb

                                              SHA256

                                              db42542d67e61ff70e8a8bed199fa70f07b8d47ca100bb7ffa2f4d03c59471b7

                                              SHA512

                                              2627122e6dead1eee4f601e232db58e0820e6e898dde50416f19443e486d20a9f5eac54729569791cb08de198a5c8b46b32d0eb41e58f57bb8f5419ae4dc4ea0

                                            • C:\Recovery\WindowsRE\# DECRYPT MY FILES #.vbs
                                              Filesize

                                              216B

                                              MD5

                                              48ac29422570636cae371b68c858b988

                                              SHA1

                                              ff86dea198c93a8ae49ee52c6eb919fcbd259aab

                                              SHA256

                                              3926b08f205999c2f1a24121117ecfeed31557bf6f0529416f3432321292c6b0

                                              SHA512

                                              75019e6fd4b53528aab1af668149540e1bc372e58e4786eda1da75e7c9718dbc274cbf3f37cd38fbe7e618ea9c1b24c2534d18aecfcc3264ec55f83f206faaa3

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                              Filesize

                                              152B

                                              MD5

                                              439b5e04ca18c7fb02cf406e6eb24167

                                              SHA1

                                              e0c5bb6216903934726e3570b7d63295b9d28987

                                              SHA256

                                              247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

                                              SHA512

                                              d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                              Filesize

                                              152B

                                              MD5

                                              a8e767fd33edd97d306efb6905f93252

                                              SHA1

                                              a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

                                              SHA256

                                              c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

                                              SHA512

                                              07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                              Filesize

                                              5KB

                                              MD5

                                              f50dd464b01f37d2da2aab749ef211c3

                                              SHA1

                                              4457e339988a9cf806dc1a6df347b33c589e62ba

                                              SHA256

                                              da557d9c051750f8792d22f779085dc17584bda11cd1a36a5d12b7d8f9e0a1fc

                                              SHA512

                                              fa8b9d2eceabbd2c0736ee8f76ada28584a1e291b793e07cb27ba05485c29f2fbe89f7047dc42690eefea8dd475473189c8a68d7c775a46c17a690c9f4049149

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                              Filesize

                                              6KB

                                              MD5

                                              cb6e462b01303f2a9fa86254001d5b60

                                              SHA1

                                              52002ff38442ea346f89a399c07f48ee87faa915

                                              SHA256

                                              7d9bebcc36db582b1dd795455226045b98cc0e7df78742fbccf298b01e0508c3

                                              SHA512

                                              d5861700e20bb1d5d9195c29f2394da53712ae5d837d947af3767c03f393acf5b0928a288f96d5fac57f3367e81f0442e23e2d75749108d4dadf5a7e9df38f97

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                              Filesize

                                              16B

                                              MD5

                                              46295cac801e5d4857d09837238a6394

                                              SHA1

                                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                              SHA256

                                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                              SHA512

                                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                              Filesize

                                              16B

                                              MD5

                                              206702161f94c5cd39fadd03f4014d98

                                              SHA1

                                              bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                              SHA256

                                              1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                              SHA512

                                              0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                              Filesize

                                              11KB

                                              MD5

                                              ed2fa4d6a629c318817fe66834ebfa19

                                              SHA1

                                              a7ad732704f07bd5e096617d30e8e9885bc3c285

                                              SHA256

                                              92d0ecb4226cdfc7a03ee31daee0249da419f8c8e88ac7a9082140c6e0560ce8

                                              SHA512

                                              f6d46d28263e5e3d4c87d42bf63e70270710f26c4b6c85a7fdad2cae0fd814dde719000d7f4416769585df1bb8a0282b46eb1020e0e5740d525419a1cae9e408

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rdrleakdiag.lnk
                                              Filesize

                                              1KB

                                              MD5

                                              b9d56d0b17e0478ba56d6abfd2302e72

                                              SHA1

                                              957e5cb5ed2b35e165fd32d17ca6d137502d3719

                                              SHA256

                                              f37bcee2eb36c9fc1df61fdb011f8f2b52c19d5290aa4a597629da7742ad72bc

                                              SHA512

                                              c96cd13ef760a8129e1c3330334fcfd1a98071c6142719d968aa5b6e8240d9e641cd6f7732378632d30625d7444db2076bb887d6523a8efac8ab7806c4fb8875

                                            • C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\rdrleakdiag.exe
                                              Filesize

                                              133KB

                                              MD5

                                              5ebf1b0c233e9ef06a63623c7116e4a6

                                              SHA1

                                              75c59361b6a8965ddf7f48bfd761fc75be410767

                                              SHA256

                                              7ef1ecfe0e7f3ca00837d52dbc783359db692302109ad833168e4d8d781d5988

                                              SHA512

                                              8448fe724907df5d72069604740b16783ce1ec38db1eb140b17c15c684f9840b7ee80a728e71dfec1ee87c017adfce6b0b7dc29dcc8ef2c91f42112769d0aff6

                                            • \??\pipe\LOCAL\crashpad_3296_URGBTYWEAOPBQSFE
                                              MD5

                                              d41d8cd98f00b204e9800998ecf8427e

                                              SHA1

                                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                                              SHA256

                                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                              SHA512

                                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                            • memory/4188-1-0x0000000000400000-0x000000000042A000-memory.dmp
                                              Filesize

                                              168KB

                                            • memory/4188-10-0x0000000000400000-0x000000000042A000-memory.dmp
                                              Filesize

                                              168KB

                                            • memory/4188-0-0x0000000000690000-0x00000000006A6000-memory.dmp
                                              Filesize

                                              88KB

                                            • memory/5092-14-0x00000000039A0000-0x00000000039A1000-memory.dmp
                                              Filesize

                                              4KB

                                            • memory/5092-11-0x0000000000400000-0x000000000042A000-memory.dmp
                                              Filesize

                                              168KB

                                            • memory/5092-12-0x0000000000400000-0x000000000042A000-memory.dmp
                                              Filesize

                                              168KB

                                            • memory/5092-24-0x0000000000400000-0x000000000042A000-memory.dmp
                                              Filesize

                                              168KB

                                            • memory/5092-19-0x0000000000400000-0x000000000042A000-memory.dmp
                                              Filesize

                                              168KB

                                            • memory/5092-321-0x0000000000400000-0x000000000042A000-memory.dmp
                                              Filesize

                                              168KB

                                            • memory/5092-17-0x0000000000400000-0x000000000042A000-memory.dmp
                                              Filesize

                                              168KB

                                            • memory/5092-16-0x0000000000400000-0x000000000042A000-memory.dmp
                                              Filesize

                                              168KB

                                            • memory/5092-342-0x0000000000400000-0x000000000042A000-memory.dmp
                                              Filesize

                                              168KB