netwalker | 8c5ce574ae676e0687e803e78c52e3c8672f7dbc4a63655c1067f2849135da25

General

Target

8c5ce574ae676e0687e803e78c52e3c8672f7dbc4a63655c1067f2849135da25.bin.dll
Size

57KB
MD5

9fb87ac9c00ea780bad678cb5bde676c
SHA1

887ba63ac7c37bb418f43cc5d978f1d2695df46c
SHA256

8c5ce574ae676e0687e803e78c52e3c8672f7dbc4a63655c1067f2849135da25
SHA512

ea16de3b0fcdf71214617a78d319f150653718ff6bd589290a085534c23e5cbc5c6e03cc79bb528d9e088373923faa66c8e37517b467c5f5f63d6b939c9baf97

Score

10^/10

netwalker ransomware spyware

Malware Config

Extracted

Path

C:\CD84D1-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Admin\AppData\Roaming\CD84D1-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\CD84D1-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Admin\Documents\CD84D1-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\CD84D1-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\CD84D1-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\CD84D1-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_cd84d1: IKrMcD3a8Ee2qlQpNiwjrJf7Bo29++yY92obXDKFPHr++F6ga9 Y75yjiu4T5wLPe5e6FH42HJ0cVSrp/Jdm0eKaL5n5CexsLUMkL VhRrlCw7ZyjJdkJZHBELyI2phm3z6PKNFO6LAVT//Wgxj8+S5J dnwhyj9S9eBQw3A3NF3eicleU/hUpvwUkcy+aamMrUXbz0Aa8t HYwqtxCOecnlS/U5e0pOE1RIRUpAGSQDO2Mu6ZE/ExtMzQz/ao AcZhsdUr8zYT60lQ2JVVz/hKjDlKgxYkXZyyp9iQ==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .cd84d1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website i

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

rundll32.exe

description ioc process

File renamed C:\Users\Admin\Pictures\UseInvoke.tif => C:\Users\Admin\Pictures\UseInvoke.tif.cd84d1 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UseInvoke.tif => C:\Users\Admin\Pictures\UseInvoke.tif.cd84d1	rundll32.exe

Drops file in Program Files directory 17175 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_editpdf_18.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fi_get.svg	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_contrast-white.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2_40x40x32.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5941_40x40x32.png	rundll32.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\CD84D1-Readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-search.jar	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\PREVIEW.GIF	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\ui-strings.js	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-100.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10909_48x48x32.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-300.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\bun.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\trainengine.3mf	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-black_scale-100.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\ui-strings.js	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\http.luac	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_BadgeLogo.scale-100.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-100.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\ui-strings.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\PlayStore_icon.svg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL117.XML	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-150_contrast-white.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2210_40x40x32.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-400.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lb_60x42.png	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.scale-100.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\statistics.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-100.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js	rundll32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\CD84D1-Readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\export.svg	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\SmallTile.scale-100.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\SkypeMedTile.scale-100.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\LargeTile.scale-100.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6536_48x48x32.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-100.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\NotificationsExtensions.winmd	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4583_20x20x32.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-48.png	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html	rundll32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\CD84D1-Readme.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\ui-strings.js	rundll32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\CD84D1-Readme.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_contrast-white.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5311_20x20x32.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\TimerWideTile.contrast-white_scale-200.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_1d.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-200.png	rundll32.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaTypewriterRegular.ttf	rundll32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\CD84D1-Readme.txt	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-white_scale-200.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-100.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6124_24x24x32.png	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3070 IoCs

Processes:

rundll32.exe

pid	process
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1832 rundll32.exe
Token: SeImpersonatePrivilege 1832 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1832	rundll32.exe
Token: SeImpersonatePrivilege	1832	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3904 wrote to memory of 1832	3904	rundll32.exe	rundll32.exe
PID 3904 wrote to memory of 1832	3904	rundll32.exe	rundll32.exe
PID 3904 wrote to memory of 1832	3904	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 7464	1832	rundll32.exe	notepad.exe
PID 1832 wrote to memory of 7464	1832	rundll32.exe	notepad.exe
PID 1832 wrote to memory of 7464	1832	rundll32.exe	notepad.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c5ce574ae676e0687e803e78c52e3c8672f7dbc4a63655c1067f2849135da25.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c5ce574ae676e0687e803e78c52e3c8672f7dbc4a63655c1067f2849135da25.bin.dll,#1
2⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\CD84D1-Readme.txt"
3⤵
PID:7464

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\CD84D1-Readme.txt
MD5
c60b56cda23cb4b114806a0e445ea035

SHA1
54b582fd6b427732ed1b7c1fe5f61a99b9c9dcf8

SHA256
df28280d6933e7129b86c1da8fc9d8749e27b1b48cf5f83b43e5467e88bb41c3

SHA512
ae9f486559d835989a84fa177bee8797f7797cc5402f1cd7979f55455575dc4ae7096f602b441fc40490287533cf5428bd976039f312c4702074263c7f0d1f9a

Download Submit
memory/1832-0-0x0000000000000000-mapping.dmp

Download
memory/7464-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads