General
Target

f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe

Filesize

69KB

Completed

20-08-2020 21:27

Task

behavioral2

Score
10/10
MD5

f0cc568491cd523d2677d938f163395f

SHA1

ca05a4cde0ba40983381b2f91c9ecee672c69262

SHA256

f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86

SHA256

acaa24ed418feb3dbfedae933859f43adfbb2442fd1fb46baadc5235006ee4c0a1b9ed1b4a1e2514ea7fc43d7fac0b768776e43d1452d4a47fd968c0aa0c46ba

Malware Config

Extracted

Path

C:\odt\0E9E94-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Admin\AppData\Roaming\0E9E94-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\0E9E94-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\0E9E94-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\0E9E94-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\Java\jdk1.8.0_66\lib\0E9E94-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .0e9e94 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_0e9e94: X2ainK2432hcPcKK4Lg92nY4yv+m8INRFV2UjNRB+gjBtiv6vE sbSDklbC38QBJ3nUIjrKzMEKVxHBTRumqNkacGMFfhdCtlxS9i HGk1TUC1Aw1vvqGTdzXAZGlQOujCF4IC0T/3voj/hL710DXqUP VcRVZtBy7rGebvyyiH2FCvbl5RfIJWoUZ4KY5W3wxwGOhmCC7a Qp/DAxDd9FXmQkPmwzQ+c+PEvekJ1bm/3ShPgR7h6mBpX9j3jz 4msLagJk9disc/KRiIqR4+sFkdGCiLmrvy7JhTsw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures 11

Filter: none

Collection
Credential Access
Defense Evasion
Impact
Persistence
  • Netwalker

    Description

    Ransomware believed to be a variant of MailTo.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files
    f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Users\Admin\Pictures\CompleteConfirm.tifff2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\OpenReceive.tif => C:\Users\Admin\Pictures\OpenReceive.tif.0e9e94f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\UnprotectRedo.raw => C:\Users\Admin\Pictures\UnprotectRedo.raw.0e9e94f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\ResetMove.tiff => C:\Users\Admin\Pictures\ResetMove.tiff.0e9e94f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\MergeRestart.crw => C:\Users\Admin\Pictures\MergeRestart.crw.0e9e94f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\UpdateEnter.tif => C:\Users\Admin\Pictures\UpdateEnter.tif.0e9e94f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Users\Admin\Pictures\ResetMove.tifff2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\CompleteConfirm.tiff => C:\Users\Admin\Pictures\CompleteConfirm.tiff.0e9e94f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\ReadBackup.png => C:\Users\Admin\Pictures\ReadBackup.png.0e9e94f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\AssertDisconnect.raw => C:\Users\Admin\Pictures\AssertDisconnect.raw.0e9e94f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Modifies service
    vssvc.exe

    TTPs

    Modify RegistryModify Existing Service

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}vssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writervssvc.exe
  • Drops file in Program Files directory
    f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_MouseNose.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\slide_in.wavf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-msf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Spider\Tips_2.jpgf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main.cssf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-96_altform-unplated.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xmlf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\ui-strings.jsf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\0E9E94-Readme.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-msf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\XMLOffKeys\Keys_OffVer14.xmlf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gn_16x11.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\0E9E94-Readme.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jarf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-focus_32.svgf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5601_40x40x32.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\MapDarkTheme.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Effects\effects_lobby_bubbles.jpgf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xmlf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-white_scale-100.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File createdC:\Program Files\VideoLAN\VLC\skins\fonts\0E9E94-Readme.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\0E9E94-Readme.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7xf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-100.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\mcxml\x-none\Office.x-none.msi.16_postcommon.mcxmlf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bb_60x42.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gt_60x42.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-20_altform-unplated_contrast-white.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeLogo.scale-200.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\badges_none.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-150.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsWideTile.scale-200.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bv_60x42.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jarf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1849_40x40x32.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-400.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\0E9E94-Readme.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-300.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-msf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\Bin\LightedTextured_PixelLighting_VS.fxof2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-200.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\SmallTile.scale-200.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\ui-strings.jsf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\flags@2x.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache-Light.scale-240.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\Dismiss.scale-64.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-msf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4774_40x40x32.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-200.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inff2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-msf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_UK-UA.respackf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inff2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W3.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\questfallback.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-high.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5613_40x40x32.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery

    Reported IOCs

    pidprocess
    3916vssadmin.exe
  • Kills process with taskkill
    taskkill.exe

    Tags

    Reported IOCs

    pidprocess
    3668taskkill.exe
  • Suspicious behavior: EnumeratesProcesses
    f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe

    Reported IOCs

    pidprocess
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
  • Suspicious use of AdjustPrivilegeToken
    f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exevssvc.exetaskkill.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    Token: SeImpersonatePrivilege3932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    Token: SeBackupPrivilege5584vssvc.exe
    Token: SeRestorePrivilege5584vssvc.exe
    Token: SeAuditPrivilege5584vssvc.exe
    Token: SeDebugPrivilege3668taskkill.exe
  • Suspicious use of WriteProcessMemory
    f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3932 wrote to memory of 39163932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exevssadmin.exe
    PID 3932 wrote to memory of 39163932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exevssadmin.exe
    PID 3932 wrote to memory of 72883932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exenotepad.exe
    PID 3932 wrote to memory of 72883932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exenotepad.exe
    PID 3932 wrote to memory of 72883932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exenotepad.exe
    PID 3932 wrote to memory of 36883932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.execmd.exe
    PID 3932 wrote to memory of 36883932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.execmd.exe
    PID 3932 wrote to memory of 36883932f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.execmd.exe
    PID 3688 wrote to memory of 36683688cmd.exetaskkill.exe
    PID 3688 wrote to memory of 36683688cmd.exetaskkill.exe
    PID 3688 wrote to memory of 36683688cmd.exetaskkill.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe"
    Modifies extensions of user files
    Drops file in Program Files directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      Interacts with shadow copies
      PID:3916
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\0E9E94-Readme.txt"
      PID:7288
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8651.tmp.bat"
      Suspicious use of WriteProcessMemory
      PID:3688
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 3932
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        PID:3668
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:5584
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Discovery
      Execution
        Exfiltration
          Initial Access
            Lateral Movement
              Privilege Escalation
                Replay Monitor
                00:00 00:00
                Downloads
                • C:\Users\Admin\AppData\Local\Temp\8651.tmp.bat

                • C:\Users\Admin\Desktop\0E9E94-Readme.txt

                • memory/3668-4-0x0000000000000000-mapping.dmp

                • memory/3688-2-0x0000000000000000-mapping.dmp

                • memory/3916-0-0x0000000000000000-mapping.dmp

                • memory/7288-1-0x0000000000000000-mapping.dmp