Overview

overview

10

Static

static

all.ps1

windows7_x64

10

all.ps1

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    15-10-2020 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    all.ps1

  • Size

    783KB

  • MD5

    3f966ed1ec7ffc9e896b82ea5be707c1

  • SHA1

    37111e03e9f5d1e1932051d9c6a5a1314bc1909d

  • SHA256

    68cf2072515bb9cf6ad418615c1f52dcdf24ca1ee46d115a3de2146d1d40d59e

  • SHA512

    5e1defcb7c651d2611c101e5e16c8add185560fd3a1f4ee2fc6bbf1f3bf91a674446a1d9c3ec790dfc85811d4df0367faa577175d31d4f189849a1836a3b0b52

Score
10/10
ransomwarepersistencespywarenetwalker

Malware Config

Extracted

Path

C:\odt\5673E0-Readme.txt

Family

netwalker

Ransom Note
Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\5673E0-Readme.txt

Family

netwalker

Ransom Note
Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\Microsoft Office\PackageManifests\5673E0-Readme.txt

Family

netwalker

Ransom Note
Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0d
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\Java\jdk1.8.0_66\db\lib\5673E0-Readme.txt

Family

netwalker

Ransom Note
Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\5673E0-Readme.txt

Family

netwalker

Ransom Note
Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\5673E0-Readme.txt

Family

netwalker

Ransom Note
Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}Hello, Valuation Research Corporation Your files are encrypted. All encrypted files for this computer has extension: .5673e0 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5673e0: wt790W2EzoAMTWtLZ0tcsr+O9Rmniz7Dkv4L/7YSQZu1MXyFQq 1eIwVv0PJ3Opt16Lvup0rWEJY8CaW8X+QVYQpHiQcGC6l6nXuV 9NOeVwqeH0BBZSqR53pxu0dSoCZsi4SK7MEutOzra1ONttkZ/c 4eMpgCPRcklglpGUKhUjP8VUMwkNN/M2y3zVcysuJIy1Pqrzqp +YBguoTxjKm565FC6QbmOSAvVbfVE04u6im73JCixE57TCiRs3 pEGrvtlsuSnYaJEDZT/LizXOhh3KnGByw/5HVHbw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Drops file in Program Files directory 17087 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3246 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\all.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3148
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y1lp53lv\y1lp53lv.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1864
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DA0.tmp" "c:\Users\Admin\AppData\Local\Temp\y1lp53lv\CSC2B55D3FE2E9E40F6A42EFEFD123B9A8.TMP"
          4⤵
            PID:2424
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gcrdbmys\gcrdbmys.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2128
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EB9.tmp" "c:\Users\Admin\AppData\Local\Temp\gcrdbmys\CSC1011A94BB8F94F4884F1F8A7A73AAB3.TMP"
            4⤵
              PID:2156
        • C:\Windows\system32\notepad.exe
          C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\5673E0-Readme.txt"
          2⤵
            PID:3640
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Modifies service
          • Suspicious use of AdjustPrivilegeToken
          PID:3444

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES1DA0.tmp
          MD5

          6c276ccb7e663ed7fe760d00b9b55981

          SHA1

          fb1d5b1115f0f2d84c7eab0b0281910a07802e72

          SHA256

          b2131fd963038d84bd80e966c1067df8c2bc3e9322a7e147592c8df1a24eea7f

          SHA512

          4564ccc7583be9434f174afad4b5e5b9f29a5d700ace3892e8b5e078e6dcaebbd9b6c118e6e6ebd9afddc02c9ef5336646ba9addf8ecf173f142e61ae3a74ff0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES1EB9.tmp
          MD5

          d45b0b32097dd3acfc0e3c40fc83d187

          SHA1

          5acb415de4068ffc8569fd137dd8525128bf1246

          SHA256

          ba506777a733b9e686213aa6820ba16ed68e322024ce1946ac3bba4acce71922

          SHA512

          6fda96bc8bfb31c77453c5a5b1de9cdd9c5c74505bfdeca884cfe335f2bb0628442a1e82f0a55ec7bbbab99f3b29bd6c68df104982a3dc172ba51b4d03fe7a09

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\gcrdbmys\gcrdbmys.dll
          MD5

          832995928755f58dc005b4f5f6b5a913

          SHA1

          452a1f745f562b12919dd89dd4e7d6071f13e9bc

          SHA256

          c47e90524d64635b3a16b6e260be8d6235c07ec183dff9c452f66864f7800cfa

          SHA512

          ceab429a647ff0c6a79fa7d5c0a3501711a22780b00886a0dc4eb28a2ea0494e8bac723bada54fb66e0207906ba5a4d2549fe5e973bfa83bab60c2a40b0a331f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\y1lp53lv\y1lp53lv.dll
          MD5

          75613f48efded69d3ffb278ac7b18f5f

          SHA1

          8097a2a61cccd0eea0998512c0bc00103790388d

          SHA256

          93b06b25b87a8035b78e57f53ea9b2d307a362bbc97d6de2036a59bbc33a1e51

          SHA512

          b0e3747ff2afcd70b0a1ecb284c3c2095ef61b31445e0f0c34eebc695156af0a656321d4d322d9c1d3b8f6a6995c29dba0a5e1ef02262a0755626167b60a3586

          Download Submit

        • C:\Users\Admin\Desktop\5673E0-Readme.txt
          MD5

          a2dcafd8d35a9e0349e9be08379dbad0

          SHA1

          d469ba5400cce148351f593998eed90cfa1295f2

          SHA256

          cc07f5c9756df97c38ed7d1bb18088b6236abe7387acc2362126ac49e725534c

          SHA512

          03d842d9d6281c2cb60fb19a68123d3dba5ebd49239c61e5067b662d7c71aa24dbfab3c9730075e3a131e2b692797357510db3e801469cafa27e84de6044b7b4

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\gcrdbmys\CSC1011A94BB8F94F4884F1F8A7A73AAB3.TMP
          MD5

          f754bcf9f444bf9aa148ef78dbbae61c

          SHA1

          112fb5bd81d28d7c6106c1fced47fa7962e1bfce

          SHA256

          8023bcb9eb2056f6cf863babcc2ad02f5233e30ca3c987e8eb9331c6beec3f0d

          SHA512

          12249feabe6f7120825f5fa911336eb935d8375209affb02b82e1bf4ba7fbb3c46a49d550e2a86e783c0d47bb4349773182aa8911f75d54fec525f7dba3c1bed

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\gcrdbmys\gcrdbmys.0.cs
          MD5

          7ca5fd8f3f67212d36d3a39ebd94ec62

          SHA1

          cf2fcc197dab14029a64982ba9b1d7251541477b

          SHA256

          333c82f5e1d23382eacae921cb750671fdfc9c5b0b2613dbe57713d4a6a85d8c

          SHA512

          a5ad725ae5d08e54e9e3d35fc5ed9312ee5ceaa5a5d3cb6cc345d544baf1c8a6d354a88629df76c682a3b9c4c2cf600fca7a190c48889e5aba408651e3abd115

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\gcrdbmys\gcrdbmys.cmdline
          MD5

          274e5aa8ea6aaf75659e75e42d881b49

          SHA1

          745b0ff1768e5737cd5407aa24b979d866c8f93f

          SHA256

          018590d395a16cf2b442f885ac0f241b767fdca01e675b563afbea851394a473

          SHA512

          f2b68b3918dfb42e8763ccc639c53fe2d34d3faee5319849d3706f4952288954207f36625482adbb43824c69fae7ff178ba1f739fb2a188c4bda10177792e8f2

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\y1lp53lv\CSC2B55D3FE2E9E40F6A42EFEFD123B9A8.TMP
          MD5

          16085c70f4668d1bb369472f29e9b9ba

          SHA1

          616df6d682ad9c55092a2c3dfbf187a23faf3c44

          SHA256

          f6ec2ba356ee8b01a412fceb1c7959435fd56a5f9eb6666b6d65d2cbe059dc3a

          SHA512

          553d89890c0d22f42e1a21f18cfb13141f76c3fc6c0adc60e90b91c975d99281090de758cdb0ae9a970bbd96268ef4c0f22aaa4da7f1dee033e701ccb59e48c9

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\y1lp53lv\y1lp53lv.0.cs
          MD5

          c0bf1ac6cfcc3e3626e02b28397c4849

          SHA1

          0bef295f8641d4cdfe1539fb99624d4a7ee23097

          SHA256

          6fe3150903910dbc43ecbaf7175acedebe88a1be8d4f79ae8edabe7d0e30bd9d

          SHA512

          80d86f09a44e58260e4e70cd21ec5742325d6221c36994b0b1696f16b28448a58e8e0e0d08d8b419f13bf30bb3acc23ceab18bb17f78435c03ff45fcf76af9e6

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\y1lp53lv\y1lp53lv.cmdline
          MD5

          ecb5dcda9ffce7e78958561f9de95ca5

          SHA1

          62308c58acf0adb74ba198e0229539b563c21639

          SHA256

          ce3c496fb18ee9109a0caac446eec2fe76ac7d04e4c3cdb53072631ef4dc5088

          SHA512

          98972445e8489dc2b3c2710e0335d0dcf390f9e921f6ff1e187c4dfdc9fb5e6ed9295c754072192bd74950ca33339bac2094895cc52ed66a922683801e4786e3

          Download Submit

        • memory/1864-3-0x0000000000000000-mapping.dmp

          Download

        • memory/2128-11-0x0000000000000000-mapping.dmp

          Download

        • memory/2156-14-0x0000000000000000-mapping.dmp

          Download

        • memory/2424-6-0x0000000000000000-mapping.dmp

          Download

        • memory/3000-19-0x0000000000C60000-0x0000000000C7B000-memory.dmp

          Filesize

          108KB

          Download

        • memory/3148-10-0x0000019DF1030000-0x0000019DF1032000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3148-0-0x00007FFCC2140000-0x00007FFCC2B2C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3148-2-0x0000019DF1090000-0x0000019DF1091000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3148-18-0x0000019DF1050000-0x0000019DF1052000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3148-1-0x0000019DF0E00000-0x0000019DF0E01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3640-20-0x0000000000000000-mapping.dmp

          Download