Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/06/2024, 06:20

General

  • Target

    b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe

  • Size

    350KB

  • MD5

    b21a8247fed6d7f3fb9fa89016a5f41d

  • SHA1

    9227062dc0a62e4fa0284ad521a56c373c34ffde

  • SHA256

    2d63a0d8ece25bdb093098fe7569c973ada10927387ee288b87030e5765f514b

  • SHA512

    68c0342db819d8df9bddce9c23a2552cfa6d72e24ff54c3ed922a4388e698c0c6e3cee8688c905564540141ea32d3e26e8acc49b5412aadd526aea93fe5f7fa7

  • SSDEEP

    6144:oucrZMDMXbJ2kAUWaNCZAaCudurslKREBKT0PLNMbQ4AWbO/Fh:P8ZM2RiKCZ9urGETYNMbQ4zbm

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B | | 2. http://cerberhhyed5frqa.slr849.win/33DA-3C2B-4211-006D-AF6B | | 3. http://cerberhhyed5frqa.ret5kr.win/33DA-3C2B-4211-006D-AF6B | | 4. http://cerberhhyed5frqa.zgf48j.win/33DA-3C2B-4211-006D-AF6B | | 5. http://cerberhhyed5frqa.xltnet.win/33DA-3C2B-4211-006D-AF6B |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/33DA-3C2B-4211-006D-AF6B | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B

http://cerberhhyed5frqa.slr849.win/33DA-3C2B-4211-006D-AF6B

http://cerberhhyed5frqa.ret5kr.win/33DA-3C2B-4211-006D-AF6B

http://cerberhhyed5frqa.zgf48j.win/33DA-3C2B-4211-006D-AF6B

http://cerberhhyed5frqa.xltnet.win/33DA-3C2B-4211-006D-AF6B

http://cerberhhyed5frqa.onion/33DA-3C2B-4211-006D-AF6B

Extracted

Path

C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B" target="_blank">http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B</a></li> <li><a href="http://cerberhhyed5frqa.slr849.win/33DA-3C2B-4211-006D-AF6B" target="_blank">http://cerberhhyed5frqa.slr849.win/33DA-3C2B-4211-006D-AF6B</a></li> <li><a href="http://cerberhhyed5frqa.ret5kr.win/33DA-3C2B-4211-006D-AF6B" target="_blank">http://cerberhhyed5frqa.ret5kr.win/33DA-3C2B-4211-006D-AF6B</a></li> <li><a href="http://cerberhhyed5frqa.zgf48j.win/33DA-3C2B-4211-006D-AF6B" target="_blank">http://cerberhhyed5frqa.zgf48j.win/33DA-3C2B-4211-006D-AF6B</a></li> <li><a href="http://cerberhhyed5frqa.xltnet.win/33DA-3C2B-4211-006D-AF6B" target="_blank">http://cerberhhyed5frqa.xltnet.win/33DA-3C2B-4211-006D-AF6B</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B" target="_blank">http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B" target="_blank">http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B" target="_blank">http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/33DA-3C2B-4211-006D-AF6B</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16401) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Users\Admin\AppData\Roaming\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\cipher.exe
      "C:\Users\Admin\AppData\Roaming\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\cipher.exe"
      2⤵
      • Adds policy Run key to start application
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3556
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3260
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffa025546f8,0x7ffa02554708,0x7ffa02554718
          4⤵
            PID:1880
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
            4⤵
              PID:2272
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4500
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
              4⤵
                PID:3376
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
                4⤵
                  PID:3492
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
                  4⤵
                    PID:3496
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
                    4⤵
                      PID:3668
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
                      4⤵
                        PID:1516
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
                        4⤵
                          PID:1804
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
                          4⤵
                            PID:3176
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
                            4⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4560
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
                            4⤵
                              PID:1408
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
                              4⤵
                                PID:1316
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
                                4⤵
                                  PID:2588
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
                                  4⤵
                                    PID:3812
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
                                    4⤵
                                      PID:5100
                                  • C:\Windows\system32\NOTEPAD.EXE
                                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                                    3⤵
                                      PID:4476
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B
                                      3⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4184
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa025546f8,0x7ffa02554708,0x7ffa02554718
                                        4⤵
                                          PID:1368
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                        3⤵
                                          PID:2952
                                        • C:\Windows\system32\cmd.exe
                                          /d /c taskkill /t /f /im "cipher.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\cipher.exe" > NUL
                                          3⤵
                                            PID:3632
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /t /f /im "cipher.exe"
                                              4⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3416
                                            • C:\Windows\system32\PING.EXE
                                              ping -n 1 127.0.0.1
                                              4⤵
                                              • Runs ping.exe
                                              PID:4456
                                        • C:\Windows\SysWOW64\cmd.exe
                                          /d /c taskkill /t /f /im "b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe" > NUL
                                          2⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:396
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /t /f /im "b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe"
                                            3⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2700
                                          • C:\Windows\SysWOW64\PING.EXE
                                            ping -n 1 127.0.0.1
                                            3⤵
                                            • Runs ping.exe
                                            PID:4372
                                      • C:\Windows\system32\vssvc.exe
                                        C:\Windows\system32\vssvc.exe
                                        1⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1196
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:4592
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:4496
                                          • C:\Windows\system32\AUDIODG.EXE
                                            C:\Windows\system32\AUDIODG.EXE 0x48c 0x4a0
                                            1⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:396

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html

                                            Filesize

                                            12KB

                                            MD5

                                            2462d2a3d98650952539150aea35c76f

                                            SHA1

                                            9a8a14bd12927b444fca913ef43bdef5b271f223

                                            SHA256

                                            8ea6933934f7136dd0c630f43e3b3201e98979578251763729f0345f0a061e1f

                                            SHA512

                                            884c093803db35b2c39cf94aed5207dcb9ac7f870b4a90579011ae5e07f340c9d0846371ec66a7e8752fad07f899ff05c027916c17702615f6348ca3bf7da12e

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            b4a74bc775caf3de7fc9cde3c30ce482

                                            SHA1

                                            c6ed3161390e5493f71182a6cb98d51c9063775d

                                            SHA256

                                            dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280

                                            SHA512

                                            55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            c5abc082d9d9307e797b7e89a2f755f4

                                            SHA1

                                            54c442690a8727f1d3453b6452198d3ec4ec13df

                                            SHA256

                                            a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716

                                            SHA512

                                            ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            6KB

                                            MD5

                                            8f9c870c67984e5496e32524c9e9dbaf

                                            SHA1

                                            c8e6aa2dde974879ee0d4c4af0164a86ef60f8b1

                                            SHA256

                                            11944a8d5957cb1c11de5833663369f1989b55574965c7d9acda04674b80c5a8

                                            SHA512

                                            66d4358fabdeceac7004bfe6e9db44c48c68351b6eb084c8fe64afd88a1e24e1e0a1f85c5bee83e5a71512ba7cffd08bd7492acf4a57838d599004e01eb32de8

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            6KB

                                            MD5

                                            1254dabd053439961743af6078ae965a

                                            SHA1

                                            10a4e07a7c6ac7ec161411b63b7c27d368d5c68d

                                            SHA256

                                            910ee61c4942f4b9565ad92e480ff45134b5c0fbe9e884a71e4120fcfeedd812

                                            SHA512

                                            077a1fc7575c41882779b122d4ede017c0dd101476c6516b256357ebad3becaa7242761bda14570808a3647005e9bc221f05e397e0daa75d8af20e8d54138094

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                            Filesize

                                            16B

                                            MD5

                                            46295cac801e5d4857d09837238a6394

                                            SHA1

                                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                            SHA256

                                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                            SHA512

                                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                            Filesize

                                            16B

                                            MD5

                                            206702161f94c5cd39fadd03f4014d98

                                            SHA1

                                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                            SHA256

                                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                            SHA512

                                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                            Filesize

                                            11KB

                                            MD5

                                            d4a478c0660cba3084bbf033aa0a60cd

                                            SHA1

                                            23c37a05a0515eb2574a2770511d20d62f358eb2

                                            SHA256

                                            55dacd36fb4ea40fbe1c9b2f13414ed695d4f5b89f63130353b8bb89689b5fb5

                                            SHA512

                                            2dee520173b65e343dd88de28b2996773385999784b9aed4163a81e7ef267494344fe852eef2dace0e96cd1bb6f966f072ca8ac35b1e6db00767e49982264e78

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cipher.lnk

                                            Filesize

                                            1KB

                                            MD5

                                            230bd4c152212389b41a5fbc886c696c

                                            SHA1

                                            fd62d836e4c95e8a1706cd008606288b94498c96

                                            SHA256

                                            6df9b55d48f7e6464825031c4510fa40788022c4a523b5767c964a635a1654e4

                                            SHA512

                                            d36dfa653a768c88f166fea23d3cfd4175490f24df773e6694e3c3b6da52b1eeef4fc7130390f49a5fc99bf31006180f448c721d751d670f1c6e433213516e81

                                          • C:\Users\Admin\AppData\Roaming\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\cipher.exe

                                            Filesize

                                            350KB

                                            MD5

                                            b21a8247fed6d7f3fb9fa89016a5f41d

                                            SHA1

                                            9227062dc0a62e4fa0284ad521a56c373c34ffde

                                            SHA256

                                            2d63a0d8ece25bdb093098fe7569c973ada10927387ee288b87030e5765f514b

                                            SHA512

                                            68c0342db819d8df9bddce9c23a2552cfa6d72e24ff54c3ed922a4388e698c0c6e3cee8688c905564540141ea32d3e26e8acc49b5412aadd526aea93fe5f7fa7

                                          • C:\Users\Admin\Music\# DECRYPT MY FILES #.url

                                            Filesize

                                            85B

                                            MD5

                                            6d26de61e79ec33ba5add652fb3db475

                                            SHA1

                                            e7f377582fa04dc7ac122f7fa136f2adaf557fdc

                                            SHA256

                                            d944e5668953c8a0a021f0f967e862a2f62546efa436b2ee03750362d67c9faa

                                            SHA512

                                            3fa3bcd0b588721d1c6226bbc00c1b1a891bc716cd3d13e9963b3d1500fd5f7f0bdb6e75cc51459660aa201fc92ec8c982080edbefc64b02158886d91b20e3a7

                                          • C:\Users\Admin\Music\# DECRYPT MY FILES #.vbs

                                            Filesize

                                            219B

                                            MD5

                                            35a3e3b45dcfc1e6c4fd4a160873a0d1

                                            SHA1

                                            a0bcc855f2b75d82cbaae3a8710f816956e94b37

                                            SHA256

                                            8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

                                            SHA512

                                            6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

                                          • C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt

                                            Filesize

                                            10KB

                                            MD5

                                            7b9f34f6c21726de3e1fcc83895aea71

                                            SHA1

                                            3827ff1a44c3c1f9788a62798391405b9e2fe4b7

                                            SHA256

                                            d3312c78e22c1f219c82e682a3def15af54bfb783849e4cffd935c7191964044

                                            SHA512

                                            0a9b00e492e81b2e7b3eccc73fd857bd5f35d5cec677a3928afe7fdb493c3cb2407096e3644c024074d8645c24f7cd8712c2864748daa7deb448f62f1706f9ed

                                          • memory/3572-23-0x0000000000400000-0x000000000045A000-memory.dmp

                                            Filesize

                                            360KB

                                          • memory/3572-18-0x0000000000400000-0x000000000045A000-memory.dmp

                                            Filesize

                                            360KB

                                          • memory/3572-16-0x0000000000400000-0x000000000045A000-memory.dmp

                                            Filesize

                                            360KB

                                          • memory/3572-14-0x0000000003470000-0x0000000003471000-memory.dmp

                                            Filesize

                                            4KB

                                          • memory/3572-12-0x0000000000400000-0x000000000045A000-memory.dmp

                                            Filesize

                                            360KB

                                          • memory/3572-11-0x0000000000400000-0x000000000045A000-memory.dmp

                                            Filesize

                                            360KB

                                          • memory/3572-397-0x0000000000400000-0x000000000045A000-memory.dmp

                                            Filesize

                                            360KB

                                          • memory/3572-415-0x0000000000400000-0x000000000045A000-memory.dmp

                                            Filesize

                                            360KB

                                          • memory/4520-0-0x00000000006B0000-0x00000000006C6000-memory.dmp

                                            Filesize

                                            88KB

                                          • memory/4520-10-0x0000000000400000-0x000000000045A000-memory.dmp

                                            Filesize

                                            360KB

                                          • memory/4520-1-0x0000000000400000-0x000000000045A000-memory.dmp

                                            Filesize

                                            360KB