Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/10/2024, 23:28

General

  • Target

    270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe

  • Size

    344KB

  • MD5

    270b70bad151a515136f553e5bc880ac

  • SHA1

    77b7def336c7647c6faadaf7136d70ff1e9ba7fc

  • SHA256

    db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

  • SHA512

    c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

  • SSDEEP

    3072:v5sAzvcjE+lcO3zXgKRcP66BpwwB9RStc3Yfqr:v5jvc4+lcO3zQKSPfBJXv3YM

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597 | | 2. http://cerberhhyed5frqa.45tori.win/27A7-6315-3347-0073-1597 | | 3. http://cerberhhyed5frqa.fkr84i.win/27A7-6315-3347-0073-1597 | | 4. http://cerberhhyed5frqa.fkri48.win/27A7-6315-3347-0073-1597 | | 5. http://cerberhhyed5frqa.djre89.win/27A7-6315-3347-0073-1597 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/27A7-6315-3347-0073-1597 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597

http://cerberhhyed5frqa.45tori.win/27A7-6315-3347-0073-1597

http://cerberhhyed5frqa.fkr84i.win/27A7-6315-3347-0073-1597

http://cerberhhyed5frqa.fkri48.win/27A7-6315-3347-0073-1597

http://cerberhhyed5frqa.djre89.win/27A7-6315-3347-0073-1597

http://cerberhhyed5frqa.onion/27A7-6315-3347-0073-1597

Extracted

Path

C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597" target="_blank">http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597</a></li> <li><a href="http://cerberhhyed5frqa.45tori.win/27A7-6315-3347-0073-1597" target="_blank">http://cerberhhyed5frqa.45tori.win/27A7-6315-3347-0073-1597</a></li> <li><a href="http://cerberhhyed5frqa.fkr84i.win/27A7-6315-3347-0073-1597" target="_blank">http://cerberhhyed5frqa.fkr84i.win/27A7-6315-3347-0073-1597</a></li> <li><a href="http://cerberhhyed5frqa.fkri48.win/27A7-6315-3347-0073-1597" target="_blank">http://cerberhhyed5frqa.fkri48.win/27A7-6315-3347-0073-1597</a></li> <li><a href="http://cerberhhyed5frqa.djre89.win/27A7-6315-3347-0073-1597" target="_blank">http://cerberhhyed5frqa.djre89.win/27A7-6315-3347-0073-1597</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597" target="_blank">http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597" target="_blank">http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597" target="_blank">http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/27A7-6315-3347-0073-1597</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16396) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe
      "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe"
      2⤵
      • Adds policy Run key to start application
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3216
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2412
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab24c46f8,0x7ffab24c4708,0x7ffab24c4718
          4⤵
            PID:4532
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
            4⤵
              PID:1912
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1472
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
              4⤵
                PID:664
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
                4⤵
                  PID:5064
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
                  4⤵
                    PID:1380
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
                    4⤵
                      PID:3384
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
                      4⤵
                        PID:4960
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
                        4⤵
                          PID:1872
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 /prefetch:8
                          4⤵
                            PID:2992
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 /prefetch:8
                            4⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2504
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
                            4⤵
                              PID:3904
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
                              4⤵
                                PID:1100
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
                                4⤵
                                  PID:4948
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
                                  4⤵
                                    PID:3888
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1776 /prefetch:1
                                    4⤵
                                      PID:2864
                                  • C:\Windows\system32\NOTEPAD.EXE
                                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                                    3⤵
                                      PID:4040
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597
                                      3⤵
                                        PID:2840
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab24c46f8,0x7ffab24c4708,0x7ffab24c4718
                                          4⤵
                                            PID:4656
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                          3⤵
                                            PID:3492
                                          • C:\Windows\system32\cmd.exe
                                            /d /c taskkill /t /f /im "Magnify.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe" > NUL
                                            3⤵
                                            • System Network Configuration Discovery: Internet Connection Discovery
                                            PID:988
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /t /f /im "Magnify.exe"
                                              4⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4168
                                            • C:\Windows\system32\PING.EXE
                                              ping -n 1 127.0.0.1
                                              4⤵
                                              • System Network Configuration Discovery: Internet Connection Discovery
                                              • Runs ping.exe
                                              PID:1060
                                        • C:\Windows\SysWOW64\cmd.exe
                                          /d /c taskkill /t /f /im "270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe" > NUL
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:4112
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /t /f /im "270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe"
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:436
                                          • C:\Windows\SysWOW64\PING.EXE
                                            ping -n 1 127.0.0.1
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            • System Network Configuration Discovery: Internet Connection Discovery
                                            • Runs ping.exe
                                            PID:1820
                                      • C:\Windows\system32\vssvc.exe
                                        C:\Windows\system32\vssvc.exe
                                        1⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:808
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:3668
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:2100
                                          • C:\Windows\system32\AUDIODG.EXE
                                            C:\Windows\system32\AUDIODG.EXE 0x394 0x498
                                            1⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1968

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            37f660dd4b6ddf23bc37f5c823d1c33a

                                            SHA1

                                            1c35538aa307a3e09d15519df6ace99674ae428b

                                            SHA256

                                            4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

                                            SHA512

                                            807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            d7cb450b1315c63b1d5d89d98ba22da5

                                            SHA1

                                            694005cd9e1a4c54e0b83d0598a8a0c089df1556

                                            SHA256

                                            38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

                                            SHA512

                                            df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            6KB

                                            MD5

                                            729540b8af2236304b74438c7d2fd050

                                            SHA1

                                            ed34329a7cae91fa468352bcd3c1edbab0f782ca

                                            SHA256

                                            bd71f07f95b1dcebe3f27031f00a322297a0ba3c76c8a6c737d5e618dfe6bcbe

                                            SHA512

                                            c0c9c41d0af8a69539e3545a9660a26d7445dfcc98f201d5681bf759153fef4f14bb3fd407c484a0c0fc931ccaf79f0a4daef3d60b70b8f336e77de5598c1028

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            6KB

                                            MD5

                                            0bd045b74a1f92f597e3f6efb5f5bf9d

                                            SHA1

                                            f4f2204039b985227fc5e522bce938b26773e354

                                            SHA256

                                            6599d4216a253d6f80d4b185e137c6598c87d316a68e75e6f85291f464e8b4c6

                                            SHA512

                                            bcf425d4d850c59efd484f0d2d2d325972d93491e5599a706fa3690799004f2e578f92900d2dd53396faeecdc4f5897c49fb644e209b6c0502523e959f601d0f

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                            Filesize

                                            16B

                                            MD5

                                            6752a1d65b201c13b62ea44016eb221f

                                            SHA1

                                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                            SHA256

                                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                            SHA512

                                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                            Filesize

                                            10KB

                                            MD5

                                            447b5ed9e597b2a6ceb7b1e087de904a

                                            SHA1

                                            ee591acaa44cd7dc5746b4edf890309f5f771f08

                                            SHA256

                                            9efbfbaaaefa35397599cf3d1d693831d914b618500e2a41e2fc4505b69d04d8

                                            SHA512

                                            0b4b97e8787b5af7251c4842f858176ed14b6a1a8a4846f90405d4e8583cd4140280e39d843752e1062094b4769b9ca7875d6944bbb857e67da627af79097c8d

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Magnify.lnk

                                            Filesize

                                            1KB

                                            MD5

                                            7f63018fa7bb6ac591744b771f42b50b

                                            SHA1

                                            a95d68566721cd22e7625afb724adbb42b58d521

                                            SHA256

                                            5e021ee9eff8218379491512eb9c5ea7f3570f77e2cd19abaefaef32a269fa75

                                            SHA512

                                            7f4119deb3d38294ac8a36dcde3a2c5914fbe228404e4f11696ca6c823a1070bfaa0a7df3e02bdf4134e696da8f0bbfa77641168b731588e44bf868df815d791

                                          • C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe

                                            Filesize

                                            344KB

                                            MD5

                                            270b70bad151a515136f553e5bc880ac

                                            SHA1

                                            77b7def336c7647c6faadaf7136d70ff1e9ba7fc

                                            SHA256

                                            db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

                                            SHA512

                                            c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

                                          • C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html

                                            Filesize

                                            12KB

                                            MD5

                                            efd218a89476a54272ad672a57ad7042

                                            SHA1

                                            0b227cf248d1355a90aff778f0af83bf40d40994

                                            SHA256

                                            581412734885380890905ff2eaf01fd727ad58a72c88bc7ea8e0bb352484fc97

                                            SHA512

                                            9ef441c128918baf899c9109f6ddb69974eac3bf80a85561131db6fd814cb22043d6ab1e1494661dc494e7ca862a1950e25621ff417ac51bfa90693f679d6f3c

                                          • C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt

                                            Filesize

                                            10KB

                                            MD5

                                            d9a83454a4d47177c92d7db730e786e9

                                            SHA1

                                            5247c6263e013c016494162b479fbec548fb7087

                                            SHA256

                                            b169de7c5bc9f4d4f554cbef18ea8385f6c978d708c1ea072447385d135a52a8

                                            SHA512

                                            ff26ac1d3ea923f847f667579478b1c851e954b9979667182487a193b22ae193f5af31c8470e7837b46737ee0436d4d0d7e92252200e9509faa03fe116ad28f2

                                          • C:\Users\Admin\Downloads\# DECRYPT MY FILES #.url

                                            Filesize

                                            85B

                                            MD5

                                            6128d6628812b814744d74219709e02d

                                            SHA1

                                            a1f7556b375c8afce9b0b30bef4cb0fbdd07b39b

                                            SHA256

                                            075507aa043df834c913bd183a6868316a9becc1bcbb08e57c4530efe7f0da9c

                                            SHA512

                                            ba6915e6ce69afbeb1a7f70f18892512c8de0e635fbee0aad72570d112d0abfa5bb6a8f1793bd0bb2512c7a15d747496d517110fee669ff69ca3960dca92d0db

                                          • C:\Users\Admin\Downloads\# DECRYPT MY FILES #.vbs

                                            Filesize

                                            219B

                                            MD5

                                            35a3e3b45dcfc1e6c4fd4a160873a0d1

                                            SHA1

                                            a0bcc855f2b75d82cbaae3a8710f816956e94b37

                                            SHA256

                                            8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

                                            SHA512

                                            6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

                                          • memory/452-285-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-20-0x0000000000400000-0x0000000000459000-memory.dmp

                                            Filesize

                                            356KB

                                          • memory/452-273-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-288-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-291-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-289-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-287-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-375-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-283-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-278-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-295-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-293-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-275-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-272-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-270-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-264-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-260-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-257-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-30-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-29-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-19-0x0000000000400000-0x0000000000459000-memory.dmp

                                            Filesize

                                            356KB

                                          • memory/452-10-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/452-11-0x0000000000400000-0x0000000000459000-memory.dmp

                                            Filesize

                                            356KB

                                          • memory/452-12-0x0000000000400000-0x0000000000459000-memory.dmp

                                            Filesize

                                            356KB

                                          • memory/3192-13-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/3192-2-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/3192-1-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                          • memory/3192-0-0x0000000000D30000-0x0000000000D4E000-memory.dmp

                                            Filesize

                                            120KB