Overview

overview

10

Static

static

all.ps1

windows7_x64

10

all.ps1

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    15-10-2020 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    all.ps1

  • Size

    783KB

  • MD5

    3f966ed1ec7ffc9e896b82ea5be707c1

  • SHA1

    37111e03e9f5d1e1932051d9c6a5a1314bc1909d

  • SHA256

    68cf2072515bb9cf6ad418615c1f52dcdf24ca1ee46d115a3de2146d1d40d59e

  • SHA512

    5e1defcb7c651d2611c101e5e16c8add185560fd3a1f4ee2fc6bbf1f3bf91a674446a1d9c3ec790dfc85811d4df0367faa577175d31d4f189849a1836a3b0b52

Score
10/10
ransomwarespywarepersistencenetwalker

Malware Config

Extracted

Path

C:\Program Files (x86)\Common Files\Adobe AIR\E916CB-Readme.txt

Family

netwalker

Ransom Note
Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\E916CB-Readme.txt

Family

netwalker

Ransom Note
Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\E916CB-Readme.txt

Family

netwalker

Ransom Note
Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\E916CB-Readme.txt

Family

netwalker

Ransom Note
Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\E916CB-Readme.txt

Family

netwalker

Ransom Note
Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .e916cb -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e916cb: S3oyA7QmTJPn6NG3pxoCec9gKPATvo3MYj41ncL7bkF5DfjaSa eJxfkYuK2oMd8D8R0ssiPhcGdGBF6OIhOe93hun/qE0DgVnXuV 9NyDaLQ7XB6MrZ4IAIVuHg/OPcfh22u56+qV444urRBIMVfrZ2 kSdmWJhbETTrdiqpYkiOZSAJ752I6Yh11n9SMXzwVV5Cq366+q C/SNTyXrsmS8nj/GUYFLzwQSSUJ5J+vtbZCwYfwpEBjfGmuFtX C/XKux4/dwfAPwloQsBz9ExQYKfSQWq2hYqAID0Q==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Drops file in Program Files directory 7494 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 272 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\all.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ux4ghzs\0ux4ghzs.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA515.tmp" "c:\Users\Admin\AppData\Local\Temp\0ux4ghzs\CSCF19901BE8A6542ABB7DC423489A2712.TMP"
          4⤵
            PID:1604
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0mywszjt\0mywszjt.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1728
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5D1.tmp" "c:\Users\Admin\AppData\Local\Temp\0mywszjt\CSC2FAD7542588140499AB661BBAD9AA65.TMP"
            4⤵
              PID:1888
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\E916CB-Readme.txt
          2⤵
            PID:5840
          • C:\Windows\system32\notepad.exe
            C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\E916CB-Readme.txt"
            2⤵
              PID:7124
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Modifies service
            • Suspicious use of AdjustPrivilegeToken
            PID:1120

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Modify Existing Service

          1
          T1031

          Privilege Escalation

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\0mywszjt\0mywszjt.dll
            MD5

            e0ae110cd3c0e07a565e63b2bd703c8b

            SHA1

            7374f3fb251b5268df20e7678560d07daa70f56e

            SHA256

            9a2de6aacb57fa894e2e5fa477f82952b2c8adbcff622d6d58a45855fc27935b

            SHA512

            810ec1d74cfb04f38174585bae70c0fbf6888e5c91bf74747874d61b4148426405f9d2e1c1e99e510e5fc73114cdc07c3e775bf4d3c7457fcc8a637a843d8c32

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\0ux4ghzs\0ux4ghzs.dll
            MD5

            63ec27ba7a47b45e7a696a60e153a94a

            SHA1

            3735484e80a5be2975cb6b8bd7a7e6d61ca48ea3

            SHA256

            1cd717497c1fd607492db76e7bac386944e36490cda0f90dfa2073d13491c14b

            SHA512

            6e6a6654b4418c8147f6d1ef9f519ceacac4133653b42a5ebf0693d274862c788a560d498ffd0ddc60c7d8967d859210f0775af5da95469e3f196d53b457f24b

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\RESA515.tmp
            MD5

            b7c8d6bfd5bc6636c2717297bf1c7a77

            SHA1

            7fb517addaf0a5133d7ba277360731486380dfcb

            SHA256

            32498199cc56c76aee8a9b8cb94f4213a5aac6e8bb4763fa89412fd292f8c97b

            SHA512

            71f658a24a8d1f4b8b82b7aebdeb8ad6d2617e5e958a7394920b3e84a9a92ad7e35366aaab646e40e9160c9920bfbd4d0dfe45003762fd76c052a60e192a0366

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\RESA5D1.tmp
            MD5

            45df223374a89384879fa4c0c01d8818

            SHA1

            422ea59c4c2f0e483c98e0a832c8f2310a7eb19e

            SHA256

            310f185450fb8bdc38a69daa401b795c72ed76b661683d38a6232f668220c94a

            SHA512

            f1e90569df533f81625f3bb75b131c786c35d05a6c57cc415092ac8f783217b090ce0ada444f42b61f899b79907f6588594ce413e53e4fffde090b03ac7878e5

            Download Submit
          • C:\Users\Admin\Desktop\E916CB-Readme.txt
            MD5

            d1526680d3c13c6b9811ad38f75c4b0e

            SHA1

            ece4e26c1eb337b737c4e0a8f22a5b137209ee4d

            SHA256

            8ee3c228501af60a67844d2fa382c751f013df54194b36db87ab65a6faabed17

            SHA512

            111359b42ea0fdf937d765ddda04c4e076eaccbf2691df63247f2b875783fe6137cc796a73077df79e12848b1e0e9641e5fd5af968c56aaaeb367e5cc6ca5bf5

            Download Submit
          • C:\Users\Admin\Desktop\E916CB-Readme.txt
            MD5

            d1526680d3c13c6b9811ad38f75c4b0e

            SHA1

            ece4e26c1eb337b737c4e0a8f22a5b137209ee4d

            SHA256

            8ee3c228501af60a67844d2fa382c751f013df54194b36db87ab65a6faabed17

            SHA512

            111359b42ea0fdf937d765ddda04c4e076eaccbf2691df63247f2b875783fe6137cc796a73077df79e12848b1e0e9641e5fd5af968c56aaaeb367e5cc6ca5bf5

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\0mywszjt\0mywszjt.0.cs
            MD5

            7ca5fd8f3f67212d36d3a39ebd94ec62

            SHA1

            cf2fcc197dab14029a64982ba9b1d7251541477b

            SHA256

            333c82f5e1d23382eacae921cb750671fdfc9c5b0b2613dbe57713d4a6a85d8c

            SHA512

            a5ad725ae5d08e54e9e3d35fc5ed9312ee5ceaa5a5d3cb6cc345d544baf1c8a6d354a88629df76c682a3b9c4c2cf600fca7a190c48889e5aba408651e3abd115

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\0mywszjt\0mywszjt.cmdline
            MD5

            9ba185948b7ab9ec1cc32b7289bdc5b8

            SHA1

            be68f9068b7e0625e608584322912cfa079f131b

            SHA256

            99bcc512512f2c821933936ab88cd1efb4096199012e07a49d2db536185d3972

            SHA512

            1bbd186d00c32a14a129182840ca03750e309834052a94a40d41ea8c8215edbd558f436db9c33e5c3125282939611221553c934745bf7b8735e329dc74ee2f6a

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\0mywszjt\CSC2FAD7542588140499AB661BBAD9AA65.TMP
            MD5

            2d06a85c3553671685c0a8de08f8378d

            SHA1

            56740d3d9afd9a88bdce8d4c1edb91f70573b4eb

            SHA256

            f0e8b60d25fb8b8cd9c18c7924e5db07a8e2e3458e4ae9e9a8b41e4767e395ed

            SHA512

            f066bf93aad68dafa56d59e6bee7adda68d04216ecaab2503a2de9bc7bd920b170e1a8f92421ed5953d1cd269334e8bf1e20fb47a3f9d9bbebef4dafcf111e1f

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\0ux4ghzs\0ux4ghzs.0.cs
            MD5

            c0bf1ac6cfcc3e3626e02b28397c4849

            SHA1

            0bef295f8641d4cdfe1539fb99624d4a7ee23097

            SHA256

            6fe3150903910dbc43ecbaf7175acedebe88a1be8d4f79ae8edabe7d0e30bd9d

            SHA512

            80d86f09a44e58260e4e70cd21ec5742325d6221c36994b0b1696f16b28448a58e8e0e0d08d8b419f13bf30bb3acc23ceab18bb17f78435c03ff45fcf76af9e6

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\0ux4ghzs\0ux4ghzs.cmdline
            MD5

            248f699b4fc811bf101dd51746781c82

            SHA1

            3b9eeea2775a020e3cd16d64cbb07d5579423287

            SHA256

            a8c038a7de2757cd90fbd9854328042b295ac3b117ca124aa5891580a6f10d50

            SHA512

            66fbdc5c3ded9896ce59121180f7452cf1805ad9b1dfcbc1786c094a56451d0c439027d5873761f693775f416ed4ecc297a4ba7a316f475484fc4f9b9b6bd34a

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\0ux4ghzs\CSCF19901BE8A6542ABB7DC423489A2712.TMP
            MD5

            7d3868c7d0e03e7dc7bbca0d4fae9f5e

            SHA1

            b24968beb3fa62bef8f757e65fa141612529e952

            SHA256

            067a83548f267e2262ffa740c5387ef386b49cc4d5dde3d51d9c617ebc55bddd

            SHA512

            9efcd54963ea337d029cdaf6923c796eedf8ca3fdcb33a2b6ce9ea3f3d1345033ec3034b4e2fad21f820077409c67da6d966a84f7f16345489a8cd18451a29ef

            Download Submit
          • memory/1060-27-0x0000000002750000-0x000000000276B000-memory.dmp
            Filesize

            108KB

            Download
          • memory/1060-25-0x0000000002750000-0x000000000276B000-memory.dmp
            Filesize

            108KB

            Download
          • memory/1060-1-0x0000000002490000-0x0000000002491000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1060-2-0x000000001AC40000-0x000000001AC41000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1060-28-0x0000000002750000-0x000000000276B000-memory.dmp
            Filesize

            108KB

            Download
          • memory/1060-0-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp
            Filesize

            9.9MB

            Download
          • memory/1060-5-0x000000001C5C0000-0x000000001C5C1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1060-4-0x0000000002690000-0x0000000002691000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1060-3-0x0000000002550000-0x0000000002551000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1060-21-0x0000000002400000-0x0000000002402000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1060-22-0x000000001C690000-0x000000001C691000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1060-23-0x0000000002750000-0x000000000276B000-memory.dmp
            Filesize

            108KB

            Download
          • memory/1060-24-0x0000000002750000-0x000000000276B000-memory.dmp
            Filesize

            108KB

            Download
          • memory/1060-13-0x0000000002010000-0x0000000002012000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1060-26-0x0000000002750000-0x000000000276B000-memory.dmp
            Filesize

            108KB

            Download
          • memory/1320-30-0x00000000038D0000-0x00000000038EB000-memory.dmp
            Filesize

            108KB

            Download
          • memory/1320-33-0x0000000045220000-0x0000000045224000-memory.dmp
            Filesize

            16KB

            Download
          • memory/1320-34-0x0000000007850000-0x0000000007854000-memory.dmp
            Filesize

            16KB

            Download
          • memory/1320-35-0x0000000045220000-0x0000000045224000-memory.dmp
            Filesize

            16KB

            Download
          • memory/1320-36-0x0000000045220000-0x0000000045224000-memory.dmp
            Filesize

            16KB

            Download
          • memory/1604-9-0x0000000000000000-mapping.dmp
            Download
          • memory/1728-14-0x0000000000000000-mapping.dmp
            Download
          • memory/1812-6-0x0000000000000000-mapping.dmp
            Download
          • memory/1888-17-0x0000000000000000-mapping.dmp
            Download
          • memory/5840-31-0x0000000000000000-mapping.dmp
            Download
          • memory/6048-37-0x000007FEF6510000-0x000007FEF678A000-memory.dmp
            Filesize

            2.5MB

            Download
          • memory/7124-38-0x0000000000000000-mapping.dmp
            Download