Resubmissions

16-03-2024 17:17

240316-vtswysfd2y 10

16-03-2024 15:31

240316-syg9xafg39 10

15-03-2024 08:15

240315-j5rmgsbg5z 10

General

  • Target

    Pablo_Escobar_1.rar

  • Size

    1.4MB

  • Sample

    240316-vtswysfd2y

  • MD5

    81b1444244e9cfb80fc2fe1d36e431e4

  • SHA1

    6072cfe876492ec8b43ece7aa02056068a81f270

  • SHA256

    b1968b4be3f82fc26b1e2decdcb8f532915aed847603aeeaf254722bdd411d26

  • SHA512

    044aa214e0c85f51d31aebc7b8766513c6fd2afa2214ab93488ff84db1f8bbd171de1646fbcc48a73bb110e1f7771ff79cd6118f51150cf60bb3feb53e443ee9

  • SSDEEP

    24576:/TFi0ekK8/1sPiNKnB2QkfjQbDKKKtCH7KNHeJejGgXIvMz6VWXQ0:/TAJT8/WaI0fEfQJNHe4GIQ0

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
READ THE FOLLOWING VERY CAREFULLY Your computer has become infected with a ransomware virus. Every file and folder has been encrypted with a military grade encryption algorithm and you will not be able to decrypt anything without our help. If you want all your files back to normal like this never happened you simply have to buy our decryption software by sending Bitcoin to the below specified BTC Wallet Address in which you will immediately receive the program and a special decryption key. Within 10 minutes of using the program all of you files and folders will be back to normal, and your system will be completely unencrypted and void of the ransomware virus. The price for the software will only cost you 0.1474 Bitcoin and Payment can be made in Bitcoin ONLY. If you have never used cryptocurrency before, it is very simple, just read about it on official website www.bitcoin.org or doing a simple google search on how to buy and send bitcoin. You now have exactly 36 hours to send the payment to the below Bitcoin Wallet Address or you will never be able to retrieve your files again, and everything will be forever encrypted and unrecoverable. AMOUNT: 0.1474 BTC BITCOIN ADDRESS WHERE YOU SEND IT: bc1qjt25ualzd0j0lvj0pq7mfrh23n9klnk29k22tf

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email Rileyb0707@aol.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: Rileyb0707@cock.li Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

Rileyb0707@aol.com

Rileyb0707@cock.li

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! Don't worry, you can return all your files! If you want to restore them, write to the mail: ronrivest@airmail.cc (ronvest@tutanota.de) YOUR ID jerd@420blaze.it Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

ronrivest@airmail.cc

ronvest@tutanota.de

jerd@420blaze.it

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script>
<style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head>
<body> <div class='header'> <img src='data:image/png;base64,...'> <div>All your files have been encrypted!</div> </div>
<div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>hensaxxx12@tutanota.com</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>503ADD58-3435</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>hensa12@cock.li</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div>
<div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div>
<div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div>
<div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

hensaxxx12@tutanota.com

hensa12@cock.li

URLs

http://www.w3.org/TR/html4/strict.dtd

Extracted

Path

C:\Users\Admin\3D Objects\read_it.txt

Ransom Note
Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :DarkxAnon7@gmail.com ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: DarkxAnon7@gmail.com) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)
Emails

DarkxAnon7@gmail.com

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script>
<style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head>
<body> <div class='header'> <img src='data:image/png;base64,...'> <div>All your files have been encrypted!</div> </div>
<div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>NormanBaker1929@gmx.com</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>69B680C1-2803</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>MichaelWayne1973@tutanota.com</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div>
<div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div>
<div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div>
<div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

NormanBaker1929@gmx.com

MichaelWayne1973@tutanota.com

URLs

http://www.w3.org/TR/html4/strict.dtd

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail becky.cely2@aol.com Write this ID in the title of your message 3705CCA6 In case of no answer in 24 hours write us to theese e-mails: nikki.lond2@aol.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

becky.cely2@aol.com

nikki.lond2@aol.com

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script>
<style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head>
<body> <div class='header'> <img src='data:image/png;base64,...'> <div>All your files have been encrypted!</div> </div>
<div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>codeofhonor@tuta.io</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>09CA5FA5-3351</span></div> <div class='bold'>If you do not receive a response within 24 hours, please contact us by Telegram.org account: <span class='mark'><a href='https://t.me/Stop_24'></a>@Stop_24</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div>
<div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div>
<div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div>
<div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

codeofhonor@tuta.io

URLs

http://www.w3.org/TR/html4/strict.dtd

Extracted

Path

C:\Program Files\7-Zip\HOW TO DECRYPT FILES.txt

Ransom Note
All your important files were encrypted on this computer. You can verify this by click on see files an try open them. Encrtyption was produced using unique KEY generated for this computer. To decrypted files, you need to otbtain private key. The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet; The server will destroy the key within 24 hours after encryption completed. Payment have to be made in maxim 24 hours To retrieve the private key, you need to pay 3 BITCOINS Bitcoins have to be sent to this address: 1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK After you've sent the payment send us an email to : fast_decrypt_and_protect@tutanota.com with subject : ERROR-ID-63100778(3BITCOINS) If you are not familiar with bitcoin you can buy it from here : SITE : www.localbitcoin.com After we confirm the payment , we send the private key so you can decrypt your system.
Emails

fast_decrypt_and_protect@tutanota.com

Wallets

1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Ransom Note
We are sorry to inform you that a Ransomware Virus has taken control of your computer. The important files and folders on your computer have been encrypted with a military grade encryption algorithm. Your documents, videos, images and other forms of data are now inaccessible and completely locked, and cannot be unlocked without the sole decryption key, in which we are the ONLY ones in possession of this key. This key is currently being stored on a remote server. To acquire this key and have all files restored, transfer the amount of 500 USD in the cryptocurrency BITCOIN to the below specified bitcoin wallet address before the time runs out. Once you have read this you now have 36 hours until your files are lost forever. If you fail to take action within this time window, the decryption key will be destroyed and access to your files will be permanently lost. If you are not familiar with cryptocurrency and bitcoin, just do a google search, visit bitcoin.org, go on your mobile to Cash App, or pretty much just ask someone and most likely they can explain it. Once again, 500 USD in the form of Bitcoin to this wallet address bc1q8wqyacjzzvrn57d2g7aj35lnr5r8fqv0dn0394 The second the transaction verifies another text file will appear on your desktop with the website to get your key, and the simple instructions on how to use it to get your files back. 36 hours starts now, we suggest you do not waste time. For any reason you should need customer service, email xeqtr.4@proton.me
Emails

xeqtr.4@proton.me

Targets

    • Target

      067f997e6fe9eac1a47d9a54d6dd22414721ad895e6352714a11779de8d66540.exe

    • Size

      24KB

    • MD5

      3aea97ef58d132d994d6160ae232c6e7

    • SHA1

      de2146322b6a533ccf5ace0f1edcb6cf92d34179

    • SHA256

      067f997e6fe9eac1a47d9a54d6dd22414721ad895e6352714a11779de8d66540

    • SHA512

      a48d3ab7b7e35d1f24f1319831ffdc1c2dc9f4ededa0007684ff2515edf39e727915eafc124fa752082b0e1534ddf37a2ed12be18d9aadc72391b57cf5b6f9c4

    • SSDEEP

      384:Y3Mg/bqo2CUTermpEdwdcJAr91Ci7IJvOe2:mqo2Yrmpfd0Ar9xame2

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (208) files with added filename extension

      This suggests ransomware activity (encrypting all the files on the system).

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

    • Size

      97KB

    • MD5

      8881f3e50b9f1bcb315769e24b76a3cc

    • SHA1

      f6f21445663a197b8f88a7a2fdbc4cbe2bf3be51

    • SHA256

      0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1

    • SHA512

      dde4d848499dd0eb92982358ad2990a82c22e2c1738a0387ca03dfadfd602b9fe429570815acf648aebc11e5337b1bc44b77e58f4aabd2f9ca5be88f6a34111b

    • SSDEEP

      1536:JxqjQ+P04wsmJCf5HqwoOFcqZNeRBl5PT/rx1mzwRMSTdLpJ1M:sr85CfxbtcSQRrmzwR5JS

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (122) files with added filename extension

      This suggests ransomware activity (encrypting all the files on the system).

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      1a8f35d0f2b1a11a5b30e6f05ee5c9e93542fc2f559f8e66cf67f2a1b6ccbeb9.exe

    • Size

      92KB

    • MD5

      a23219bddf6b154ca2f5afa89cb2b0c3

    • SHA1

      0d63eb57023770b53b6b31f669a03bbdb7a2465b

    • SHA256

      1a8f35d0f2b1a11a5b30e6f05ee5c9e93542fc2f559f8e66cf67f2a1b6ccbeb9

    • SHA512

      65583cfa9c2d77330e15a5bfce430831b53bf1b018757fa8778618bef44b87b15d20a9bbcd80a1526bb6c582df3b8ff55f0cc7b002c4a1655c3f1ace01d54172

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4AYgfEHB0tRYn+9jsGGqbg8IIvoBec5wOmh:Hw+asqN5aW/hLmDHyt0KaIvogn

    Score
    1/10
    • Target

      2354403f00f096f700e5616ed1a5ccd40fe53a1bb35a5e93e429f5f24fa4483b.exe

    • Size

      92KB

    • MD5

      16cd194650559b6d6772f58141ddc942

    • SHA1

      2d297e642b1707dba55df3cf5cebbf1ca89b677e

    • SHA256

      2354403f00f096f700e5616ed1a5ccd40fe53a1bb35a5e93e429f5f24fa4483b

    • SHA512

      6ae7a2a9923b0f147b7b4fcfd20b81bc931f3c9fe3ea0052b1ace3e9614bd8b194b3d436c7034817423b446a20bd85f4c1256f32f51a1bb23b89c4038f2b5fa5

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4Azgoa1M//fj2n4mc4SSo9R6ZaNESSP:Hw+asqN5aW/hLXa1MHfj24mbFWRH

    Score
    1/10
    • Target

      240ac12f9c13ef1fdfbc77e16978f0423a41a3cc1c3dcb8786ba8e7672811f0b.exe

    • Size

      24KB

    • MD5

      63d533fb228e802c9c774ef75ff043fa

    • SHA1

      16515f05ed0ae98bcbd3de8290704b516bc58080

    • SHA256

      240ac12f9c13ef1fdfbc77e16978f0423a41a3cc1c3dcb8786ba8e7672811f0b

    • SHA512

      9f428e10f018e1e65dc17b65937505a30932a74285aa23df4a8e875ba47ec60510cfa693a7d44e8ec81c6e25aa91c4a462b67902b0fe0190641d5b149d9ff4b1

    • SSDEEP

      384:F3MLWHn3kIcuOxPRe2zpOUsB6vSkaJZAr91Cz+mLRsOeN:1n3kIcPfpbear9i+BOeN

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe

    • Size

      92KB

    • MD5

      58402f0f41e3bfecbea9ca1bcc0f0c2b

    • SHA1

      0a2b11df94790e1121c17e350eb846a236e0fbcf

    • SHA256

      276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136

    • SHA512

      8155d0a3364ea067260ba9ad432e126b1da33a2c4c1c5f585112851c5765363cd6cc426263ef430b559e9b35eea938e19bf7cc2e50e6a6c356bba030664f9123

    • SSDEEP

      1536:mBwl+KXpsqN5vlwWYyhY9S4ALTroZbj0zTzn5W9qN9PI1fFznJGf0yG:Qw+asqN5aW/hLlTroZUzTz5W9qrI1JIH

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Drops startup file

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      280a75ca5ca5dc8e106f6f6e2005fe3e23b6c35e296d5639b00b5b6daba8c38e.exe

    • Size

      40KB

    • MD5

      deb90cbd18c233c18803a38db5799a52

    • SHA1

      bdecb3a9b1e7048fddf645bc5c17f0f8342468b8

    • SHA256

      280a75ca5ca5dc8e106f6f6e2005fe3e23b6c35e296d5639b00b5b6daba8c38e

    • SHA512

      bf0d637d15dde553654b7384bd3458ce12e7a4a9e8fa37c68808538655cdc7d57ef490474adcc2fbc910946710841b4e8a013d254b15ce96c8b73ddbce291211

    • SSDEEP

      384:febFNw4Pk1itKkpAjj/3nrI9oRg1qYvjSfkDCgScjUZhGXq8VMBAciu:f0FmBkpKjPMXcY73DCsjSG2Ni

    Score
    1/10
    • Target

      2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51.exe

    • Size

      31KB

    • MD5

      3fdd9b2402350844b482aa6076e18d22

    • SHA1

      81034b4deb144ecdf21cb213e455a84ea319812c

    • SHA256

      2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51

    • SHA512

      cedd5b9899cac6cce702c011ea7b9168ede0fe3e83a9ccd20f4e42f726c9b0a78ada6bf8b6863aeafc14d62500af8e347c4627b69233f96a2ae4df02c21549a4

    • SSDEEP

      384:y3Mg/bqo284ujNI2pl6VwTwJrjr91CzJ8lC12ntnGeC:Iqo27uj+2pIw4rjr9kJ8lCEtGeC

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (191) files with added filename extension

      This suggests ransomware activity (encrypting all the files on the system).

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      32c51906c182c8c92afbc93cbe674d1b24d855f5f4f0c4c82d076691cce4c7ec.exe

    • Size

      92KB

    • MD5

      b94b59ce09ac8e8be119a4c4b7fdaab6

    • SHA1

      228b0dd92b685122f293d7f72b12f61754ce3d74

    • SHA256

      32c51906c182c8c92afbc93cbe674d1b24d855f5f4f0c4c82d076691cce4c7ec

    • SHA512

      7f3167a989cb7a30e139d5a879b0c0bec4345339fdca6c06a07d17ff717bbed7465ac8de1fef134c532edf75dd19ee0ef7bcaa3a2b95200e91de0b1c8d04d26e

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4Ak5aKqliACD/ZSAqYhF4sUOuy2VedCL:Hw+asqN5aW/hL65ukZzZSRsUOcD

    Score
    1/10
    • Target

      3e84def5eeae88ab28d21de08581e68e46fd9a94b5fee35d609d6f73a92a9e96.exe

    • Size

      92KB

    • MD5

      67ce18845fd67549dd470a10662decae

    • SHA1

      e3f3adc21fcd172edba23fac6ad528a6b0bb4daf

    • SHA256

      3e84def5eeae88ab28d21de08581e68e46fd9a94b5fee35d609d6f73a92a9e96

    • SHA512

      8e76952539e212b1930765b22fa4b5c4b9ae1c9bac38b189bc2dbcf7397a3793bbee9e081cafeac8d82bbc5f27ddae2b241e9be1f5eeb4979e1ef70b5eff6800

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4A6RQmnQHs28YNMA8m0kQED86T:Hw+asqN5aW/hLjJs2HMAwkQe86

    Score
    1/10
    • Target

      403b8f1ce98aeb6f4a7cfc23693c5a9799e0239806a4850b4eaad58ab7bedb40.exe

    • Size

      92KB

    • MD5

      8739058c3caec449e8e3b061d6f03206

    • SHA1

      8d92b7b42a57ace6134d325088c5c59577139ca5

    • SHA256

      403b8f1ce98aeb6f4a7cfc23693c5a9799e0239806a4850b4eaad58ab7bedb40

    • SHA512

      e79ea19c63f71643eb29afa3b232d9a53ddda84bec9746e1708d09ab90fb3a10bb1f85c8b7151b2b30e5f9ec421458eacf34cc38253921d62d755b14dce5d4e2

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4Aeo85hz8I4DvvAGGHMXBZQ3:Hw+asqN5aW/hL/85ZqvvApMXBu

    Score
    1/10
    • Target

      4731758b5f792686547e861c6bd86ccf88ddb63cba6fa6b048a46cfc5f146325.exe

    • Size

      12KB

    • MD5

      784d3d48c9f583292a9928697d7cf87b

    • SHA1

      c6dbd334524d6e6361550995c33a76ad0b6793aa

    • SHA256

      4731758b5f792686547e861c6bd86ccf88ddb63cba6fa6b048a46cfc5f146325

    • SHA512

      ae2a34a08c35dca812812d21dedb2bde3f2153b5e25dff18b866be501630a7705f93a64e428577af7e3588a301f0c9dd309cf79513f4a7bd0b0b5e66edba2e52

    • SSDEEP

      192:S/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjvu2q9C/YpXnAITZfPtRMonWNo:SebFNw4Pk1itKkpAjjI2Ypdmo0o

    • Renames multiple (2169) files with added filename extension

      This suggests ransomware activity (encrypting all the files on the system).

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      4c21b335baf9907cfaec588f25354b804b3d59f3882d923fbaf0d929b933ef49.exe

    • Size

      92KB

    • MD5

      ee524170a7ffc7ad48afc3a1e7377943

    • SHA1

      c9c8725012fbf7e9651b2e1519eaf17e86a65658

    • SHA256

      4c21b335baf9907cfaec588f25354b804b3d59f3882d923fbaf0d929b933ef49

    • SHA512

      d0efb486382698190e2d95090d04d70282a07315fae162b339d2d935ffabf5c1b22576aaa2ca2fbd5469d21354d097e05d6da5368706aa5e318c90f5a9825d43

    • SSDEEP

      1536:mBwl+KXpsqN5vlwWYyhY9S4AYotGG5Gq5XgH7id4NkzpvjNU4lm:Qw+asqN5aW/hL/GKp5wbk4Nkzphvo

    • Dharma

      Dharma is a ransomware family that has been delivered alongside legitimate security-software installers to mask its activity.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (503) files with added filename extension

      Mass renaming with an appended extension is consistent with ransomware encrypting files across the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      4c99ac9f69cf03b60583b12f94fe442da74178f53030bd2b7703b1d53da6a135.exe

    • Size

      92KB

    • MD5

      71a04ec7f0242ca16b60a08c6d2c77d8

    • SHA1

      cd82760b8a30aecafffb08f37a05510e33362f6b

    • SHA256

      4c99ac9f69cf03b60583b12f94fe442da74178f53030bd2b7703b1d53da6a135

    • SHA512

      c1113d46a8cba899bf9dadc4cefa6ccdd975f7c0dd20aceb24a57de38d91b2beb44789b164bd01db1797c77ebd75d2d993707f87e9b6f89746c024e03f19a72b

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4ArygRKhD8DtuGgUN9ZmYPzY5ZSwgrsI:Hw+asqN5aW/hL0gRKhD8DtuGgami21ks

    Score
    1/10
    • Target

      4fbbd67a32384a485efb0efb9e958a9f7b7a879d3945b16ccf80a8580bd935a7.exe

    • Size

      29KB

    • MD5

      9ca8e64065e6beaad07fc7b472c2617f

    • SHA1

      0f91d62f996b0ec76addca130fb4f3b87e604d0f

    • SHA256

      4fbbd67a32384a485efb0efb9e958a9f7b7a879d3945b16ccf80a8580bd935a7

    • SHA512

      e12b98a8111222f0bc918de5bd24ba2ef018fed28a3c81dd7775055142bd4e7ab29c62bfcde4a7d481caf8050dfb879d9df604d056fd50382015034cd30782f3

    • SSDEEP

      384:BtWZPzzxAm1vwt9IryJS74WtRQ2bqlhlsNpGB0lFOy5o919rWXyw82vO:o7zxAmoIryJS1RQCqCN4uho9DriJ82m

    Score
    10/10
    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Target

      622e2834e51caa303d120c7503d8fcce671226a0342d7be0f8cf546b44cee195.exe

    • Size

      92KB

    • MD5

      e096b294d0ed5f42ca68bc41c47ac27a

    • SHA1

      1d5601986887ead48d036f1401330b8c9fd59eeb

    • SHA256

      622e2834e51caa303d120c7503d8fcce671226a0342d7be0f8cf546b44cee195

    • SHA512

      4d8ead3774210c552a0633db886ea1bfd3c13fcd51fd60efe9b7db8f27ff1a5a6ae4394cbcd8ec01b5514492966b118c4647efcea191313e4f1ec3536ba937ba

    • SSDEEP

      1536:mBwl+KXpsqN5vlwWYyhY9S4Ah610ButurulYOGLwf6v7ctk:Qw+asqN5aW/hLnbfSGOGLpv7c+

    • Dharma

      Dharma is a ransomware family that has been delivered alongside legitimate security-software installers to mask its activity.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (703) files with added filename extension

      Mass renaming with an appended extension is consistent with ransomware encrypting files across the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      6734e7474c81f5b7b0c006a17b79f59e3281f45f03910ddeeae2ea05291655fd.exe

    • Size

      92KB

    • MD5

      3ecf963ff8585fd26fc180e3fbfd413a

    • SHA1

      f11d313a67b1b38db4f0164a9d9ea6447f70b28d

    • SHA256

      6734e7474c81f5b7b0c006a17b79f59e3281f45f03910ddeeae2ea05291655fd

    • SHA512

      040c4307285a1543616b4af6094886af4b9410ed2e46f18079312fff0c9e0c69bc6e8c9eebf26bcdf62fb8e9332e93b5dd8f3761a07b975b8320e5b137ae54f2

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4AaFAFLZYEKox+2yZzOcJwqCsQ:Hw+asqN5aW/hL0FABKa6S

    Score
    1/10
    • Target

      67a00565a4c5fc9f08543cb10bfa3858801f87a558e21ad36d514c9bedb10e5d.exe

    • Size

      92KB

    • MD5

      7166d5ba7fae799b13403100dc26648a

    • SHA1

      b917bbab06e5f6ded669a7a1350398f1a233a3c8

    • SHA256

      67a00565a4c5fc9f08543cb10bfa3858801f87a558e21ad36d514c9bedb10e5d

    • SHA512

      1e2e350862e157cbde0549312d800acd7812b93bd3c2574e63eaa34f9a8fb0efbd1914517d3a131c825f18f740837adb01540ef1d59c9561e4268359903bb462

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4AqXeiKozyHj0vThU2BHYZsX3AZMgLzw4g:Hw+asqN5aW/hLMXeHoYQbhvYZD84

    Score
    1/10
    • Target

      6e228df5e458ddcd6a9b5284418b6101cb988315d3910f1b422d511135acd462.exe

    • Size

      92KB

    • MD5

      0e6469ddffd4511d8ea4d2ee5eab4e9d

    • SHA1

      7e2cb399c6623a61c239971ffbdd7fbd9dbf8470

    • SHA256

      6e228df5e458ddcd6a9b5284418b6101cb988315d3910f1b422d511135acd462

    • SHA512

      27de4c89201832b6739006ef17aa820a82842a16c879255a9ece9d75a076b08e12a9cfd323f01dcfa1c9fc88f299b007d5314bb79a81b49e2b6465f2e4788ddf

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4AjKUDX/oCPj2oKKH4JxirQL74mQ2C:Hw+asqN5aW/hLloGokrQI72C

    Score
    1/10
    • Target

      7b93299c4559e89716a9b37f4a43c1b084c610ad1d9d8e462a1383320e299503.exe

    • Size

      92KB

    • MD5

      35428935f5bdc42cd696f1fe9641891a

    • SHA1

      030f19364f83bf97c8a3761e217d818a1d789b28

    • SHA256

      7b93299c4559e89716a9b37f4a43c1b084c610ad1d9d8e462a1383320e299503

    • SHA512

      a368c6c3fe5ed55bff8465d8f3237124912e768cb3e3d2760e9e442141a60966eefbf9a992f170881cee66e282f4f7d48909c66a9836dee151f29f7f53613dc0

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4AaL1jUTvZo9rka35/jRfpa76v+RkUJ:Hw+asqN5aW/hLSUTho9rv31jzW6vnw

    Score
    1/10
    • Target

      7c2a9bae3bbdc9e38516754d76a192d6a3ce37849c06a8a8d3b06fb7f75916c1.exe

    • Size

      56KB

    • MD5

      e3d064afc3476b131db81cd483a5c87a

    • SHA1

      600fc81eddb1a44ae97e9565cab9d22363dd3711

    • SHA256

      7c2a9bae3bbdc9e38516754d76a192d6a3ce37849c06a8a8d3b06fb7f75916c1

    • SHA512

      76b9dd263f9daa1ae9abb01eb8ab78f4871d49c8a4474138fee45ce791faf760608fb7f2817aae4e031c81b1563167ba3cb0efce3d25c97ac9b1bf6e79a43874

    • SSDEEP

      1536:eNeRBl5PT/rx1mzwRMSTdLpJ1/4aE2i9hfVxOD+H:eQRrmzwR5JV/E2G5VYD+H

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (503) files with added filename extension

      Mass renaming with an appended extension is consistent with ransomware encrypting files across the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe

    • Size

      56KB

    • MD5

      891671a3dbedc9f31325acd29ec912bf

    • SHA1

      9d0f4cb30fdf9cf55948306190e3f71a72cff9f0

    • SHA256

      7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5

    • SHA512

      014488fad8ecfa5dd583d14e7084f4c9f6eb180aa3f06157546467f6b545a849a90afb04eff0f20cc7d11d1a04986e260ddcf6d97a09ab7798022640706fc6ee

    • SSDEEP

      1536:CNeRBl5PT/rx1mzwRMSTdLpJ/VeHOR8ZJ+EJ:CQRrmzwR5JdeHG8ZJVJ

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (394) files with added filename extension

      Mass renaming with an appended extension is consistent with ransomware encrypting files across the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      83b294975e094024bdeb90f5cdeb9832304cf6879a27eee5cfe08650e5731674.exe

    • Size

      92KB

    • MD5

      f0584531c7e28b1f8b3b9cdab6e22faf

    • SHA1

      d6d1628c3154be80499c3d23d981db32438c4028

    • SHA256

      83b294975e094024bdeb90f5cdeb9832304cf6879a27eee5cfe08650e5731674

    • SHA512

      04d23952ade7e5a6ec4b9b79e37dcd39795864852a5a10c7d02359918014cc8f332286a990a30222b230e66d7bd6d9675b0f43d7d3b655954e077d8fa097b056

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4A3KOO3guHp0caS0nlTjuSHGOVCJyk/:Hw+asqN5aW/hLYb0HXTjuSHGxJy6

    Score
    1/10
    • Target

      9b0cfabed9fbf6b05c74e5a31eb500fea0691c84fa736dd25e8e5013a35f038e.exe

    • Size

      27KB

    • MD5

      cc4c6842f8a31ee3ac6477b42d34acba

    • SHA1

      ce6e9918189e9187143e0e012356bec98988c035

    • SHA256

      9b0cfabed9fbf6b05c74e5a31eb500fea0691c84fa736dd25e8e5013a35f038e

    • SHA512

      25b31b5065d3a625ce11d922cdcc6293c021aaf3ebd9460b5fd317e548c5cf6e6a173ec0062cb129b0f1f9262d6403bd585f697aca71aff86d7c577cfe6ddf93

    • SSDEEP

      384:atWZPzzxAm1vp5Z+HxbEWx0OeuBbIzlXOy5o91Sk5n82vt:f7zxAmpwb70Oeu1who91h82V

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      aa63528bf720d3f9b31e91945a576afa4c609a09c07b3bbfc29351d760a71ccd.exe

    • Size

      92KB

    • MD5

      3fdb650cb7d17cc8c639d44ee11ee91b

    • SHA1

      bb0da74121cacfc68ea590b1e9a1603e094363d6

    • SHA256

      aa63528bf720d3f9b31e91945a576afa4c609a09c07b3bbfc29351d760a71ccd

    • SHA512

      6e01f0e776895c82b67c17409595130a5da3b838b8b26f29403a0a1bde435efa48f26d37ea01828689e4815820dcddba26c9d7c2b6e916cf6c96a2ffb6ba21ca

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4Af5yoswkqcXI/33TyUcIXzmfq:Hw+asqN5aW/hLl5y3d9XoD5vDK

    Score
    1/10
    • Target

      b54d6dc708eade0818fcf91e59c7dbe37267abbe43a1672fb5f1c126e021ad7d.exe

    • Size

      56KB

    • MD5

      dc09c3148ba09028fe0a43efd287917b

    • SHA1

      fea5a0668ddd1a7278c934276c2efada3ee2287a

    • SHA256

      b54d6dc708eade0818fcf91e59c7dbe37267abbe43a1672fb5f1c126e021ad7d

    • SHA512

      ee411ef051eb03bdb1f9bbddda987ec08bc80ab0c431b78abb52926794530db29e4a01ccbb325c15225d530e579b8f5678a948a378ebf70e8aa071d528505c36

    • SSDEEP

      1536:sNeRBl5PT/rx1mzwRMSTdLpJjYizrtZF:sQRrmzwR5J9zrZ

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (616) files with added filename extension

      Mass renaming with an appended extension is consistent with ransomware encrypting files across the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      b6b2c1f4bbe4259e0279a0c3db98a69db12ab6ae0b549085c714f1497f3c8300.exe

    • Size

      92KB

    • MD5

      be47139183c40fceb264c6946627b93f

    • SHA1

      06f645d6afc2f909dbdf61c0982dcd74126bc5f5

    • SHA256

      b6b2c1f4bbe4259e0279a0c3db98a69db12ab6ae0b549085c714f1497f3c8300

    • SHA512

      eebd19694a2ac660c89ad2b323c7b871deaa3099065c8298d5135b3ce1bb56d751cb049b55099ffe78c54eb2a00561970dfdd184dde950534433b26c47696a73

    • SSDEEP

      1536:mBwl+KXpsqN5vlwWYyhY9S4AeAI3cCVuogqtNp6XNUS7fvUHkd:Qw+asqN5aW/hLdIseKqtneN7X0M

    • Dharma

      Dharma is a ransomware family that has been delivered alongside legitimate security-software installers to mask its activity.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (513) files with added filename extension

      Mass renaming with an appended extension is consistent with ransomware encrypting files across the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      ba43b2eb4865f24c9e04bdd6cd885202267e831ef797df32eb602dd91ff36ffb.exe

    • Size

      38KB

    • MD5

      ee53f13814a90ccdbb478e9724fbbf5d

    • SHA1

      bc5e16aa82cbf97d305be67d51de9b77973c774b

    • SHA256

      ba43b2eb4865f24c9e04bdd6cd885202267e831ef797df32eb602dd91ff36ffb

    • SHA512

      f03338e82225d40516951dddee542fde124f8da2eb3b7966c06112e6e671a3a2709e0aae17974649166f784cead3273e78296ec952b49f7226312f4b4a9c697a

    • SSDEEP

      384:bebFNw4Pk1itKkpAjj/3nr5QZqYvjS3kDCgSfncvesMBAciu:b0FmBkpKjPS4Y7fDCfcvINi

    Score
    1/10
    • Target

      cc43fc18d6d1dc662ad747652cd961152ee13dbf2cea9bf75564f3e2e8ffd2e8.exe

    • Size

      56KB

    • MD5

      6c8a41af3344dc63c4a21990f11b4e96

    • SHA1

      0cf67235a9a94f016dfd2d0b0416415f38502a6d

    • SHA256

      cc43fc18d6d1dc662ad747652cd961152ee13dbf2cea9bf75564f3e2e8ffd2e8

    • SHA512

      bd15674b2a89957b2735a2860fc211c99e494da32a46e913cf9c2d4e9e71131cd7d2894b6fa968825f8f2418d2b9427f8422e8fb498b0c83216e8436f01f9690

    • SSDEEP

      1536:3NeRBl5PT/rx1mzwRMSTdLpJdfeYm+L8i1NNw:3QRrmzwR5JXJL1D

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (493) files with added filename extension

      Mass renaming with an appended extension is consistent with ransomware encrypting files across the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

    • Size

      55KB

    • MD5

      498ee5cf9c611ba7ed2379414d0bb010

    • SHA1

      c4f779d08633a53e7a03c702eafbe3314055aa18

    • SHA256

      d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf

    • SHA512

      8dad911c0b59485dafd6ddcf879774016f8d63690085d4840e422b44735e82140ad177e9e7663b6cc474214461693219142b55e93fd853a593925752fbaa2761

    • SSDEEP

      1536:KNeRBl5PT/rx1mzwRMSTdLpJYXRBawzpK:KQRrmzwR5J4e

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Modifies Windows Firewall

    • Drops startup file

    • Adds Run key to start application

    • Drops desktop.ini file(s)
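
The Phobos and Dharma signature lists above record the recovery-inhibition chain (shadow copy deletion, bcdedit changes, wbadmin catalog deletion), firewall modification and Run-key persistence that the ATT&CK matrix on this page maps to T1490, T1562.004 and T1547.001. The following Python is an added example, not part of the sandbox report, that flags those behaviours in process-creation command lines. The report names only the behaviours, so the command-line forms matched here are the usual ones seen from these families and are an assumption, not strings recovered from these samples; the events are constructed records in the style of Sysmon Event ID 1, not real telemetry.

```python
"""Flag recovery inhibition, firewall tampering and Run-key persistence in
process-creation telemetry.

Added example; not part of the sandbox report. The command-line forms below
are the common ones for these behaviours and are an assumption, not strings
extracted from the samples in the report. SAMPLE_EVENTS is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str  # ATT&CK ID, aligned with the report's matrix
    pattern: re.Pattern


RULES = [
    Rule("shadow copy deletion", "T1490", re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("boot recovery disabled", "T1490", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    Rule("backup catalog deletion", "T1490", re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    Rule("firewall disabled", "T1562.004", re.compile(
        r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b", re.I)),
    Rule("Run key persistence", "T1547.001", re.compile(
        r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I)),
]

# Constructed process-creation records (Sysmon Event ID 1 style); not captured
# from the samples above. The last two are routine admin use and must not fire.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"pid": 4121, "cmdline": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"},
    {"pid": 4122, "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 4123, "cmdline": "netsh advfirewall set currentprofile state off"},
    {"pid": 4124, "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\Public\svchost.exe" /f'},
    {"pid": 4125, "cmdline": "vssadmin list shadows"},
    {"pid": 4126, "cmdline": "netsh advfirewall show allprofiles"},
]


def match_event(event):
    """Return (rule name, technique) for every rule that matches this command line."""
    return [(r.name, r.technique) for r in RULES if r.pattern.search(event["cmdline"])]


def scan(events):
    """Run every rule over every event and return one hit per (event, rule) pair."""
    return [
        {"pid": ev["pid"], "rule": name, "technique": tid}
        for ev in events
        for name, tid in match_event(ev)
    ]


def verdict(events, min_recovery_hits=2):
    """Escalate when two or more distinct T1490 behaviours appear together.

    A lone shadow-copy deletion can be legitimate maintenance; the combination
    of shadow copies, boot recovery and backup catalog is the chain the Phobos
    signatures above describe.
    """
    recovery = {h["rule"] for h in scan(events) if h["technique"] == "T1490"}
    return "ransomware-likely" if len(recovery) >= min_recovery_hits else "review"


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"pid={hit['pid']:<5} {hit['technique']:<10} {hit['rule']}")
    print("verdict:", verdict(SAMPLE_EVENTS))
```

These rules cover only the process-creation side. The mass file renaming, desktop.ini drops and browser profile reads that the same signature lists record are better caught from file-system and registry telemetry, and the verdict threshold is a triage heuristic rather than a replacement for the sandbox score.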

    • Target

      ebb17d81ffb02c01b4f49c7267246f243272ca2aecda68a44e89a33f74a47a0f.exe

    • Size

      92KB

    • MD5

      b55a6a785c1fab2b52afc9656c639e02

    • SHA1

      b2edddd040d4071666679c6be75f916f4982f1e2

    • SHA256

      ebb17d81ffb02c01b4f49c7267246f243272ca2aecda68a44e89a33f74a47a0f

    • SHA512

      ee5dab0188e94af221ecea3b41962f86ff6be87930cccf5370e7434f33e8302956396f517a5dda9cc9afa7d64638b3399777d55561859c255e3c9812de21a60b

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4A7I1cRtMoKAk0izr4tXyjvb/GSA:Hw+asqN5aW/hLZjEn0rloG

    Score
    1/10
    • Target

      ec09cfa4a79d709daed859d1a0e131aaa994f4a7b4bed80406125db76446fbda.exe

    • Size

      23KB

    • MD5

      71d9e6ee26d46c4dbb3d8e6df19dda7d

    • SHA1

      a88176cdd3df153349104442eac4e2d1c416e457

    • SHA256

      ec09cfa4a79d709daed859d1a0e131aaa994f4a7b4bed80406125db76446fbda

    • SHA512

      d6a61d6d32bf636bec7948323a422116b359dadf78e55327633ad5c3de41e6c15dcadd27a8c53453ef14dd63184c22dee82420b99338f5cc7359e9f6ec50cca7

    • SSDEEP

      384:eebFNw4Pk1itKkpAjjI2Ypdm/nYi/8lhRea16Wv88oyLOixGqKWW0o:e0FmBkpKjPYpudR4v8x3iAE

    • Renames multiple (12562) files with added filename extension

      Mass renaming with an appended extension is consistent with ransomware encrypting files across the system.

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory
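
The target list above gives an ssdeep value for every extracted executable, and several of them visibly share long runs of the same characters. As an added example that is not part of the sandbox report, the following Python groups a subset of those hashes by the precondition libfuzzy applies before it reports any similarity: the block sizes must be equal or differ by a factor of two, and the comparable chunks must share a common substring of at least 7 characters (its rolling-window length). The hashes are copied from the targets above and keyed by the first eight characters of each SHA256; the grouping is a cheap triage pre-filter and is not ssdeep's 0-100 score, which should come from the ssdeep tool or a binding such as pyssdeep.

```python
"""Group the report's targets by shared ssdeep content.

Added example; not part of the sandbox report or its tooling. Hashes are
copied from the target list, keyed by SHA256 prefix. Two ssdeep hashes can
only score above zero in libfuzzy if their block sizes are equal or differ by
a factor of two and the comparable chunks share a common substring of at
least ROLLING_WINDOW characters, so that test is used here as a clustering
pre-filter. It is not ssdeep's similarity score.
"""
from itertools import combinations

ROLLING_WINDOW = 7  # libfuzzy's minimum common-substring length

# sha256 prefix -> ssdeep from the report; comments give the report's verdict.
SAMPLES = {
    "4c21b335": "1536:mBwl+KXpsqN5vlwWYyhY9S4AYotGG5Gq5XgH7id4NkzpvjNU4lm:Qw+asqN5aW/hL/GKp5wbk4Nkzphvo",  # Dharma
    "622e2834": "1536:mBwl+KXpsqN5vlwWYyhY9S4Ah610ButurulYOGLwf6v7ctk:Qw+asqN5aW/hLnbfSGOGLpv7c+",  # Dharma
    "403b8f1c": "1536:tBwl+KXpsqN5vlwWYyhY9S4Aeo85hz8I4DvvAGGHMXBZQ3:Hw+asqN5aW/hL/85ZqvvApMXBu",  # score 1/10
    "7c2a9bae": "1536:eNeRBl5PT/rx1mzwRMSTdLpJ1/4aE2i9hfVxOD+H:eQRrmzwR5JV/E2G5VYD+H",  # Phobos
    "b54d6dc7": "1536:sNeRBl5PT/rx1mzwRMSTdLpJjYizrtZF:sQRrmzwR5J9zrZ",  # Phobos
    "4fbbd67a": "384:BtWZPzzxAm1vwt9IryJS74WtRQ2bqlhlsNpGB0lFOy5o919rWXyw82vO:o7zxAmoIryJS1RQCqCN4uho9DriJ82m",  # Chaos
    "9b0cfabe": "384:atWZPzzxAm1vp5Z+HxbEWx0OeuBbIzlXOy5o91Sk5n82vt:f7zxAmpwb70Oeu1who91h82V",  # Chaos
    "4731758b": "192:S/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjvu2q9C/YpXnAITZfPtRMonWNo:SebFNw4Pk1itKkpAjjI2Ypdmo0o",  # 12KB, renames 2169 files
    "ba43b2eb": "384:bebFNw4Pk1itKkpAjj/3nr5QZqYvjS3kDCgSfncvesMBAciu:b0FmBkpKjPS4Y7fDCfcvINi",  # score 1/10
    "ec09cfa4": "384:eebFNw4Pk1itKkpAjjI2Ypdm/nYi/8lhRea16Wv88oyLOixGqKWW0o:e0FmBkpKjPYpudR4v8x3iAE",  # 23KB, renames 12562 files
}


def parse(h):
    """Split 'blocksize:chunk1:chunk2'; chunk2 is computed at twice the block size."""
    bs, c1, c2 = h.split(":", 2)
    return int(bs), c1, c2


def _strip_runs(chunk, max_run=3):
    """libfuzzy collapses runs of more than three identical characters before comparing."""
    out = []
    for ch in chunk:
        if len(out) >= max_run and all(c == ch for c in out[-max_run:]):
            continue
        out.append(ch)
    return "".join(out)


def _windows(chunk):
    chunk = _strip_runs(chunk)
    return {chunk[i:i + ROLLING_WINDOW] for i in range(len(chunk) - ROLLING_WINDOW + 1)}


def comparable_chunks(h1, h2):
    """Pairs of chunks computed at the same block size, following ssdeep's rule."""
    b1, a1, a2 = parse(h1)
    b2, c1, c2 = parse(h2)
    if b1 == b2:
        return [(a1, c1), (a2, c2)]
    if b1 == 2 * b2:
        return [(a1, c2)]
    if b2 == 2 * b1:
        return [(a2, c1)]
    return []


def shares_window(h1, h2):
    """True if any comparable chunk pair shares a ROLLING_WINDOW-length substring."""
    return any(_windows(x) & _windows(y) for x, y in comparable_chunks(h1, h2))


def cluster(samples):
    """Union-find over every pair; returns sorted groups of sample keys."""
    parent = {k: k for k in samples}

    def find(k):
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    for a, b in combinations(samples, 2):
        if shares_window(samples[a], samples[b]):
            parent[find(a)] = find(b)
    groups = {}
    for k in samples:
        groups.setdefault(find(k), []).append(k)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in cluster(SAMPLES):
        print(", ".join(group))
```

Two things in the result are worth noting when reading the scores above. The 92KB targets scored 1/10 fall into the same group as the targets tagged Dharma, because their first chunk shares the same long prefix; a 1/10 score records that no malicious behaviour was observed in that run, which for a file this close to a detonated Dharma sample is more plausibly a failed or short run than a clean verdict. The 12KB target 4731758b has a block size of 192, so it is compared through its second chunk against the first chunk of the 384-block-size targets, and on that basis it groups with the 38KB and 23KB executables rather than with the Chaos samples that share its block size.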

MITRE ATT&CK Matrix (ATT&CK v13)

Technique (ID): count

Initial Access
    • Replication Through Removable Media (T1091): 1

Execution
    • Command and Scripting Interpreter (T1059): 8

Persistence
    • Create or Modify System Process (T1543): 6
      • Windows Service (T1543.003): 6
    • Event Triggered Execution (T1546): 1
      • Change Default File Association (T1546.001): 1
    • Boot or Logon Autostart Execution (T1547): 14
      • Registry Run Keys / Startup Folder (T1547.001): 14

Privilege Escalation
    • Create or Modify System Process (T1543): 6
      • Windows Service (T1543.003): 6
    • Event Triggered Execution (T1546): 1
      • Change Default File Association (T1546.001): 1
    • Boot or Logon Autostart Execution (T1547): 14
      • Registry Run Keys / Startup Folder (T1547.001): 14

Defense Evasion
    • Indicator Removal (T1070): 32
      • File Deletion (T1070.004): 32
    • Modify Registry (T1112): 17
    • Impair Defenses (T1562): 6
      • Disable or Modify System Firewall (T1562.004): 6

Credential Access
    • Unsecured Credentials (T1552): 14
      • Credentials In Files (T1552.001): 14

Discovery
    • Query Registry (T1012): 24
    • System Information Discovery (T1082): 28
    • Peripheral Device Discovery (T1120): 7

Lateral Movement
    • Replication Through Removable Media (T1091): 1

Collection
    • Data from Local System (T1005): 14

Impact
    • Inhibit System Recovery (T1490): 41
    • Defacement (T1491): 1

Tasks

static1

Tags: upx, chaos, neshta, xorist
Score
10/10

behavioral1

Tags: chaos, xorist, evasion, ransomware, spyware, stealer
Score
10/10

behavioral2

Tags: neshta, phobos, evasion, persistence, ransomware, spyware, stealer
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Tags: chaos, evasion, ransomware, spyware, stealer
Score
10/10

behavioral6

Tags: dharma, persistence, ransomware
Score
10/10

behavioral7

Score
1/10

behavioral8

Tags: chaos, evasion, ransomware, spyware, stealer
Score
10/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Tags: persistence, ransomware, spyware, stealer
Score
9/10

behavioral13

Tags: dharma, persistence, ransomware, spyware, stealer
Score
10/10

behavioral14

Score
1/10

behavioral15

Tags: chaos, ransomware
Score
10/10

behavioral16

Tags: dharma, persistence, ransomware, spyware, stealer
Score
10/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Tags: phobos, evasion, persistence, ransomware, spyware, stealer
Score
10/10

behavioral22

Tags: phobos, evasion, persistence, ransomware, spyware, stealer
Score
10/10

behavioral23

Score
1/10

behavioral24

Tags: chaos, persistence, ransomware, spyware, stealer
Score
10/10

behavioral25

Score
1/10

behavioral26

Tags: phobos, evasion, persistence, ransomware, spyware, stealer
Score
10/10

behavioral27

Tags: dharma, persistence, ransomware, spyware, stealer
Score
10/10

behavioral28

Score
1/10

behavioral29

Tags: phobos, evasion, persistence, ransomware, spyware, stealer
Score
10/10

behavioral30

Tags: phobos, evasion, persistence, ransomware
Score
10/10

behavioral31

Score
1/10

behavioral32

Tags: persistence, ransomware, spyware, stealer
Score
10/10