Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

General

  • Target

    RS.7z

  • Size

    20.5MB

  • Sample

    240728-t5tryssgmm

  • MD5

    2e40472330409ed96f91e8e0bb796eb4

  • SHA1

    8fd90404184de1a627068a93482313449dbbec91

  • SHA256

    c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

  • SHA512

    b11720cb8519fc6838161ba8bf696681b242b0789ffd5c442efbb50161d511fd65229ca88a347c856e8ff91501c077f5de7714b09e29d4400f595bfe7829189d

  • SSDEEP

    393216:NkDF1XseDcJIrXeSG0b5mKZ1F0gvpdO8GPnqzHLP3iN5M0CptgNpAcklC0CN:GDjXseDcSra45mKt0gvT0PnMbzkNpAc/

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials
C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

mespinoza

Attributes
  • ransomnote

    Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://wqmfzni2nvbbpk25.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Extracted

Family

sodinokibi

Botnet

$2a$10$kmb3nsvQXC.93GYNCGKy/uq9hYHivf0e3HcajFIifr8Hf3fmnofgm

Campaign

7258

Decoy

gasbarre.com

all-turtles.com

rksbusiness.com

christ-michael.net

mardenherefordshire-pc.gov.uk

erstatningsadvokaterne.dk

marchand-sloboda.com

unim.su

bauertree.com

faronics.com

moveonnews.com

autopfand24.de

mountsoul.de

beaconhealthsystem.org

cerebralforce.net

aprepol.com

kaotikkustomz.com

dubnew.com

simulatebrain.com

alvinschwartz.wordpress.com

Attributes
  • net

    true

  • pid

    $2a$10$kmb3nsvQXC.93GYNCGKy/uq9hYHivf0e3HcajFIifr8Hf3fmnofgm

  • prc

    outlook

    agntsvc

    infopath

    sqbcoreservice

    steam

    firefox

    ocomm

    ocssd

    mydesktopqos

    oracle

    powerpnt

    wordpad

    synctime

    sql

    thebat

    onenote

    excel

    visio

    encsvc

    winword

    mydesktopservice

    dbsnmp

    isqlplussvc

    tbirdconfig

    mspub

    msaccess

    thunderbird

    ocautoupds

    xfssvccon

    dbeng50

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Data leak [+] First of all we have uploaded more then 70 GB archived data from your file server and SQL server Example of data: - Accounting - Finance - Personal Data - Banking data - Confidential files And more other... Our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/ Read what happens to those who do not pay. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7258

  • svc

    svc$

    vss

    sophos

    mepocs

    backup

    sql

    memtas

    veeam

Extracted

Family

sodinokibi

Botnet

$2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq

Campaign

7178

Decoy

kamahouse.net

bridgeloanslenders.com

abitur-undwieweiter.de

live-your-life.jp

xn--rumung-bua.online

anteniti.com

marcuswhitten.site

ostheimer.at

joseconstela.com

deepsouthclothingcompany.com

dr-seleznev.com

ecpmedia.vn

aunexis.ch

anthonystreetrimming.com

pocket-opera.de

mooreslawngarden.com

osterberg.fi

extraordinaryoutdoors.com

kamienny-dywan24.pl

fitovitaforum.com

Attributes
  • net

    false

  • pid

    $2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq

  • prc

    avgadmsv

    BackupUpdater

    ocautoupds

    synctime

    thebat

    excel

    isqlplussvc

    ccSetMgr

    SPBBCSvc

    Sage.NA.AT_AU.SysTray

    lmibackupvssservice

    CarboniteUI

    powerpnt

    BackupMaint

    onenote

    klnagent

    sql

    Rtvscan

    xfssvccon

    Smc

    mspub

    encsvc

    LogmeInBackupService

    kavfsscs

    ccSvcHst

    BackupExtender

    NSCTOP

    outlook

    dbsnmp

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7178

  • svc

    ssistelemetry

    adsync

    svc$

    msseces

    mbamservice

    ssastelemetry

    altaro

    sbamsvc

    ds_notifier

    ntrtscan

    ofcservice

    code42service

    macmnsvc

    memtas

    auservice

    telemetryserver

    tmccsf

    psqlwge

    sppsvc

    viprepplsvc

    azurea

    ds_monitor

    swi_filter

    protectedstorage

    mfemms

    mfevtp

    kaseyaagentendpoint

    ltservice

    dssvc

    altiback

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\807042-readme.html

Family

avaddon

Ransom Note
<!DOCTYPE html> <html> <head> <title>Avaddon</title> <style> *, :after, :before { box-sizing: border-box; } html, body { margin: 0; background: #f1f2f3; font-family: sans-serif; line-height: 1.5; color: #333; } h1 { margin: 0; font-size: 2rem; } h2 { margin: 0; font-size: 1.4rem; } h3 { margin: 0; font-size: 1.2rem; } li, p { margin-top: 0; margin-bottom: .7rem; font-size: 1.1rem; letter-spacing: .02rem; } .logo { display: flex; justify-content: center; padding: 1.3rem 0; } .title { background-color: #dc3545; padding: .5rem 0; } .title h1 { text-align: center; } .title h1 span{ color: #fff; } .description, .attention { width: 900px; max-width: 100%; margin: auto; padding: 1.3rem 0; } .copy-btn { opacity: .3; cursor: pointer; } .copy-btn svg { width: 18px; } .copy-btn:hover { opacity: 1; } .link { cursor: pointer; } .link:hover { text-shadow: 0 0 3px #828282; } .identity-head { display: flex; justify-content: space-between; } .identity { word-break: break-all; background-color: #e3f5eb; padding: 1rem; font-size: 1.1rem; font-family: monospace; margin-bottom: 1.3rem; } .attention p { text-transform: uppercase; color: #dc3545; text-align: center; } </style> </head> <body> <div class="logo"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="83" viewBox="0 0 200 83"> <image width="200" height="83" xlink:href="data:img/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQ0AAABwCAYAAAAE2SWjAAAgAElEQVR4nOxdBZhUZff/3Xunc2u2g24URFEwADEQsBAxUBTEFsxPvxBU7PxEFLARG0TsQBRbFCSkc4vtrskb/+e8987uzM7MssCi/D/3PM88U7fve8974nd+R0Cn/B2kFwA9gMbOu90pndIp+5PrAYgAlnZeqU7plE5pS04FsAaAor1IcTg7r1indEqntJYkAC+FKIvQ15zOq9UpndIpoXILgIpQRTG8W7fAcQMHitp3imlYO69Yp3RKp5Arsi5UWfCAOHvqVK8SCPhXr1ghhvz36N/+anVKp/yNJTWKKyJfeN55gT1lZX5FUSRFUZSmigoxXqcLKg6PlknplE7plL+Z3AigNlRh9O7ZU/xkxQqPUlrqVn76yae0iPzgjBn+kGVv7hwsndIpfx/pD+CX1kHOa++6yxfIz29Unn/eV56eLu4GxIb580lxyKQ6GsvKAno1g0LLl3aOl07plL+H3AFAClUWJ4wYEfhh9eom5eefm7zHHhvIBZTCuDhln9Op5PO8KObmBjR7Q54xaVKotTGxc8x0Sqf878qZANaHKovELl2kBa+/7lG2bWtS7rzTVwQo+Xq9Uty1q1KUlcXe8wCl7IwzKLYhktYo2b49EKJ0tnaOl07plP89OQfAJ6HKwuFySU+/+aan+O233cpjj/nqsrMlsi6KMjOVopwcpjCaX5mZSi4gN739drO1cf2ECaHWxrmdY6ZTDlS4zit2RIoFwAsAJjcfnNWKSZdc4nt80iQxe88ewf/QQ8aSwkJOSEyEYLdDkaTI8+B5iIWFMPTrJ6Vu2kS/CPX79onOrCye/gWQB6Dr3/pKd8oBS2fB2pEnlwBYDuDk4JH11uvFl0eNCtx9wgmKc/58Y/7ChQav0cjpkpOh0+lgUhRYOY5FOcXQmUBRwDud8O3axelSU0XDscfyRoeDy/v1V2nj7t107+MAvKZlYTqlU9olnZbGkSMDADwCYFzwiHhAnhUfL93hdMLGcUJZbi4fsNlgTUqCQZZpEcUNyHWKIhfJsmLjOC6H4/T+0FPiOMg1NWSJSBl798p8Sop+77p1ge5DhgiatTEbwP1/26veKQcsnUrjrxedVhPyr9AjOctsDjyemIj+RqMgiiLfIEkw8Tz8gFStKHK5oijlioIKReGqFYWrkmVM0OvRl+d19YoSdlKcTgdfbi5s55wTSPrwQ9qfctaQIfIX69bR53rN4lCOqKvSKUesdLonf60MB7AyNCBp53n50fh4cZ7LJSTrdLqmQAB1gFwNSHmAvEVRlE2KIuQDfA2g43heCHAc7+I4ZRjP8wGAk1ufkixDsNngWbuWNw4aJOr79NH17tJFfvGNN2jSMAHYp8HQO6VT9iudlsZfI4kA7tYKzJjEcZxyld0u3R0fr8SZTHxAFLFXFAPlisKVKArKJYmvVRROVBSeUxTRK8v6gKJIoqKIZGlMt1j4EwRBXyHL0W8qz0MqLQUfFydmFBZy0Ov5oV26iGvy8wlSXgAg53/7kndKR0mn0vhzhcrW7wVwWZDbggeUcQ6H/xKbjR+k13v3SJKw1ucT9oqiXBAIoFKSDB5ZJmXB+WVZ9igKvLIs+RQlWD+inGE2i5+npOhqZJn3KbG9DE4Q4M/Lg33SpEDCu+/q1v30kzzkpJN4bRxMB/Dy/9wV75QOl06l8efJdQAe0KyMZhEAZajFInoVRbfF75f9kqRobmP77g3HYWV6ujTaYBD2iSKLbLa1LAIB+EpKlK6rV4s4/nhdttOpFNbX02p1AK4BUAigWHsF/r9c3E7586RTaRx+yQQwH8DZh2NPF8fFiYsTEviGQID3tmcFDbthHjBAdG3ciP/cdRf/0GOPRdM1JRqOg5RIPoC9mhuzG0Bup0L5+0qn0ji8cotmXRwW4hurIMgfpqeLowTBUCJJ7b6ZHMfBW1CgdF21Sqw95RTEC0Iw/dpeCSqUvZoC2am979BIgDrlf1g6lUbHCz2A4wHMAjDkcO7oioQE/+NOJ2+SJJZmbffN5DhIxcWw9O0rJf7xhzzt0kv5V99+OyyTZtDr4A+IB3pIZOzs0RTKLk2J7NGUSv6BbqxTjkzpVBqHLoRx6A5gMICRAE4BkNWerRp0AjIyM5GV3QUZmRlISk7Bsccei+3bd+LhB+5rc900g0FemJIijuJ5fZMsR6ZZ9yeiCH9JidKlqUkp8HjknKQkPtTauO6GGXj8sUew6Y8N+O77H7Fnz27s3b0Lu3fvRkHhvoO5aEFlsl37vFtTLHmasumU/yfSqTTaFk7LeNg15WDXYhT9tZqNXprCaBfL9+mnn4ZTR42CyR6Hnj17Ijk5GWarHa6UVNjtFtQ1epHmMGHDpu0YfFTftjal3JiUJN5ks/HZsizUHIiVERSeRyA/H65bbxUtTz2Fc0eMwEfff68L/p2SloHbbr8Dd95+S9hqNQ1u7Nm9EwV5edi+fTtTJvl5eaivr0d9XR1qqqtRUVl5IEixci1WUhoSgN2nvddovKYNAJo0uPsBmz+d0rHyd1caFGtIC3llaEohVVMG9FuyBoA6ZLn+hpsw/7l5bDNucv4r6tDQUI+A34fa2jpYrBYcP7Avln24EhPPOz3m7k622eR/JCRIxwM6nlKxB3lgiscDsbpaymlqQkljI9JdLq51bKNv/4HM2hB4HgXltUhJjoMxyrYaAgr8Xg8CPh/qa2uwY/s2rF2zBl+v/Ao//fxzR1w+skaqtXhKgaZUSrRAbZn2uQhAVUfsrFNiy99BaZAS6AKgm2Yd0PdsmkwBpANwtbWy2WRCcrIL3br3QJLLhYysbBw7ZAhkhcOVUy6DLB3YxHfSKaPw8ccfIq+4nM3OPM+hqakJdmc8Tji6H3bs3ofx48/B3p3ro65v4Xn59uRk5SyDAYMAofpgrIygaLiN1EcfFU133sldcPLJyvs//qhrvdiECy7EsveWYG9xOYt16HR6cLwAncBDlCT4/QHwggCr1QqnkY84nt9++w133XUXvv3227DfMzIyMW3aVGzevAnr1q3Hvn37IEWr1m2/uDUrpVJTIEWaBVOgvUq0QG3Doezk7y7/K0ojJcRd6BaiJDK1+ELEg9BaDAY9Bh51NHp074Gcbt2Qk9MVNrsN3Xv1Rk52DuxOJ8SACKfN2LyxIccej3W//3bAB/v4U//FtTfdjF9X/wqvzwOHw4lBgwbBYeBx7gVT8NH7r8dcd5jFIs9ITJSPBfhkjuOb2gBztUcIJarv1y+QumEDv2XDBgwYPDjC2iBZuepbjB45Alv35MNgMIDnefh8Pnh8XgicAKPRALvNBpPZzEaVThBgMeig51uG2AMPPIBZs2Y1f+/arQdWfPU1enTLZt+Lioqwa9cubNu2DTt37sTGjRtZDIWUiXKI5xkiNZqVUqq98rW4SpmmcIKKpdMNiiH7fZiOEDGFWAbdNeWQoX0OuhQRLoTDbkNycgr69euHmro6/PD99zHP5tmFL+LqqVewzw0SUF1VC8pEWm02NDQ0YOeuPUyxVBgNEAQdemam4Jghxx6U0thXuA8+fwA6vR4WgUd2dg5TGCSbN21oa1XlGIsFiRzHpwJcQwc8SEJSEgIbNwry9u1y/0GDhJP69JF+3L49QmnMuWc2Rn/3Hax2ByCJ8Hi97EUPM6dT07iBgB9+vx8cz8NqtUAvCBB4rlkD3X333SC7aPasu9n33L270bN7Dha+8AquvXoqMjIy2GvkyJEtJ6woTGns2bMHhYWFyM3NxY4dO5rfq6urD/SU47VX/xj/B7Q4S2kITqU45L1Ie/cc6I7/V+RIUhouLfMQr8USsjWFEFQWya1nQJrtkpKS0K1rF6SmZ6B3797IzMxE127d4EpORWp6Omx2JxJsqj7p0q078nP3Rt358wsWIM4ZjwkTzsGGdevh8/nRtWtXVFdVoramBnqDATqdAEmSkZ4cx9YxmOwHfJIOhx0XXnopexAMRgPinU44nGoc9cfVm7B3V2wWvmEWi3K0ySQnKAoncByvdISpqNcT/x/fuHSp5Jg1i7v/wQeVURdcELHp77//Hrtzc9G9a1ds31vAFAaJ0WCA0Whk7zLxd/AcTCYTc2HkKAc36+7/4KuvvsIP33/X/Nt110yD02nHxZMiaUtJGWVlZbFXa3G73diyZQs7tmXLluGXX3451KsBrb1DhvaKlTKv0KySMs3t2ae9F2mZoXItcPs/KUeSe3IagK/au3BWVjZ+X7cerqQEKheHIcoyZF/6JMDr8yPRYsCV067Ba6++2OZ2L5syFf+d9yz25OZDkgJsJjMZTbA77BB0OqaUUp1W7MqrwOhRI1GYd2BUm9ffcAOeeu45bPxjK5wOO5yOOCQm2NnxT7r0Wix9+4VYqyp3JycrA41G7hSOUwRF4TsKkskQomedFXB99hnDavRKSpJ3VVVFTCgPPvQQ/v2vf2H1xq3Q6wQY9HqmIEhhKBwHu80Km9moDiqOg46LPsB278lFzx7dIn6vqqpGQkL8QZ/H0qVLMX36dBYr+oulOiRQm6spld2aKxR0jf7fppmPJKVB0zf5DwPbszAN1muvuxGPP/EYRI5HQ6ObDViPzwevLwBJlCArMrNGAgER3TOScf+Dj2H23Xftd9u/rduItOwu2PzHRrYfm8PBrAyr2Yqe2WnYk1eME4aNQGXp7gM6QYvFglU//4qU9Exwiswo+gxmK9LiLNiysxAD+vYC5OhjabzdLo5zOvlUReHOEASutuN8fCiNjRQUFdM2bVL41FT9Z4sXB8ZdcYWu9fjo0iUH23buRmF5NXzuJnZtSHGQy+Fw2BBviZZXiS4TJ12MZUvfDftv7Ljx+PSTjw/pXIqLizFlyhR8/fXXh7SdwyzlrSyTIi04W6UpnFzNHTpg+M2fIQcCHT7cUnsgTXy8Xi/mPv0kZtx0I8zsLDiUVVSirKwC1VVVqK2tgbupEY0NDSxwB/bQmtu17dU//wi73Q6L1coCoLS+xWhiKVGSNb+tOWCFQTL9mmsx9OgBDNRFDxuZ806r6jrdP+ehmArDJQjyOQ4H55ZlLpvjpI4eSZzNBrGykvf+8APTRGOnTOH75+REpDHy8vLx0Ucfo2dGcrOFQeeg0wtMYXz62Ze4+fb/YNnyz1FU2nbm8/45kWRhn336CTZt3nxI55Keno6VK1ei/8CjDnobhJ85auAA9OrZAzaL5ZCOJ9YuAByr8ajcBuBJjRN2GYBVWiyFrBLSfPO0xlgjyLs9HAdzoHIkKQ1oF+ziAwky7dm1i70rsgyPxwNZVq0Lo8nI4hD0wAuCepqJrjazq82ybcsW2AwcLDY7szDMmt+u16nV6Dk5mQd8YjzH4eobZzCXiSwOZkLzOlj0PEoqGvDekjdirnu2w6EIPC/YAbkLzwuHmjGJEI4jMBYf2LSJ0xi8hPPGj49qhX6wfBl71+sNahCU42AyqhZGQJTwzFMPYeKEsejdqxf+PSs2qrVvn5446uhjIn5fuGBBh5zSe+8tO6Dl6f7OuvtubNq4EaUlJdj4xyasXr8J67dsx2dffIFbb7kZaakUXvvTJFPr0XsTxekBfKspkmf+xGOIKkea0iAhm/Wf7V14/HkT2LskiSxISYNYr9cxMJLA8TCZjPB6vMzOy87Obtc2d+/ehYBCBOBmZmHQgKKgpV6vlmf07tMbzvj2KaCgTJ4yBQN6dIVXBBrq69mxJieqE8e8eQshBRqjrpep18snWyxciSiiB88TTTnX4blACmBSbGPHDiVoEl81fboSzTxet0bNFtkcdvACx65vUJmee85YZGR1YZ+bGqrx8AP3YsnS92Lu9sqpUyN+e/vtdzqEd7BPrx4457wL2rUsoXMpzTvn/vsx4Kij4FF4NEpAvNWEHl2ycNaZZ+Kp/z6NvXn5ePSRR2JuhwLxI045hU0KByrx8fHQ6/fbYpdc+Bl0mQ54Bx0oRypOI0Erdkpqa6GcnGzk5uXDLSkoLS1nrgiZzWRZ8BzPHnZSJtU1dcjKzkJNZSWO7t8P7qa2A2XdunXDL+s3QeF4+N1u6PQ6GA2UV+SRoLkTg4ecgA3rfm33CW3ZsQv9evVAZYMXFRXlcMTFISPBAbdPQUZGNmqrotZzKDcS8tNq1ZWLojRRr4ddUYTDEUGTyspgGDhQTFmzhiwPimfIE046SVr+008RI3l3bh66d8lBWW0DTAYTDEYdzII6lG6YcQsWPDu3edkhxx7LkKHRpLS8ElkZGRDFcEzrlytW4IzToyNiKT5Fk0IsCSocOprf1q7H8cdFWjOhkpCQgL1798LpdDINWVpdD7/Px6zLDRs2o3+/XshMc2FHYSm6Z6WydONPP/2Iiy66mOFKQmXkqaOx6uuV7BcCtNF2d+7YgZ27dmHr1q3YtGkTRDG6yn/r7bcxauRIprxoPUopb926BQX5Bdibm4uamprWq3yjkVB31u1oYtUizkpbr0Wvv8E6AO0uLle25+5T8suqlF0FxcqewlKlsLxKKSitVDZs26Ws3riF/dfgDSgDjhrc5jbpFedwKIWlFQq1JiuraVAq65uUqga3UtXgae6ofPa5F+x3O8HXWWPOYuvU+yUlr6RS2VlQovhE1mJVeWbhmzHX62EwSK9nZopz0tKUZRkZgabsbDmsGVIHvvYlJCj7UlICUmGhP3iOf3z7baB1G0h63X///ez/Wk9AcUuy2ppek69X/RBxHtU1NUosGXLs0IjlL7l0cszla2rrlNPHnKdMveom5ZVF7yiN7ubDZU1r6RWQW5bv1ad/m/dmzn33seWoBV1pbYOyI7+YfX/syfns//jEFOXTz79kv1XUNzVvt66uThk5alTE9gYdc5xSVlkd9dgLCwuVrOycqMcxY8bMmOfc2Nio3HzLrdHW276/ifVwyJHonkBDc6a3tUCXnGxccdlkVDV54PP60LVLBrKTE2CzWaE36CBLEmpqa+Hx+qATdGhobILVqEP3bt33u/O6+nr4vW6WsDcY9er9Id/dZIBPm8q6d9//doJy9gTVhWps9ECURLjinTBoM/P8Z5+Oud65DofCcZxAz0IPnufoKA4XZThvtUIsKxP861vg6wNHjOBP7tMnwkV55ZVX2LvDpIMpBLxFcurIk5CWEY6p+OTj2BmRESNGRPy2/P1l8PmjV9TEOR1Y/fMqvPrys5h25cUMuLdt+072H11RUWl5okiuuuqqNs/7fO3e1DR6UVZazoK6JN+tUi2GmqoyjDvrTBQUFCLJbmn21xwOB1Z98w0mTrwwbHsb1q1B1y45qK5RW8mIITeM0vXfffstg9y3lsWLFzX/0ugXEZCV5nMgeP7T/30KKSkRMZXeAD5t8wQPgxypSuOU/blO819UB25pWSW6Z6Vjw+/r8cILLyEl3sECcuSSEAAp6CfW1tbCLcno3qvXfnfO2qoXae4CJ7A6C7PRwEzLimrVtTnqqPZF5zMz0nH55MnwSpSYlBnU2mlTszjf/bwO2zdHN92HWyzSULOZ2xsIoDvPK104jm84lDqTWMKrQ8BfWAjebBY5hyNUSfALX3wxIrZBpvOXX65gxxLteG644aaw74SfiCXXXnddxD+UGWsrIPqvf93d/LkgbzfGjh3T/J0YDekVfFhvuP46BvCLJoMHDcKAAQPgERVUVFRAFAPgOfWBPmbI0WFrTLpoknpBWl2MpUuX4L775oQt625swOkh7lVtk4/df3JMunbtgt9+jUQR19XV4/GnVLfOZtBBVDg0+iX45Ratc+mUa6OdxlA63JgX6zDIkao0prX15/Bhw3DW6aNRVN3A6kOMOh4PPvgk5s6dywZxY2MTAoEA6z5GA8jv96GGpWEbMGBAu2Ag2KK2MWTxEbPRyAqzamrq4POoiZ2cLl3atZ2Zt9wOm8UMt19igCin3dr8oM1/LjaQaxTN/AAvAkpPQSCrhzukUq4oQkTDhNHwFxYq5jFjfOnbtyvGESPCcHL9TjpJOH3QoIhdz5s3L+Z2p2pw/KD8+mvs2E+vHt1w8imnRvz+cRvWyYQLJoR9z8vNxR9//ME+s4Cu3KLMbFYzLpx0UdTtnKJZOSUV1fB5vbBZ1XtDj+no088IP4fVq7Frt5pm5xBuzcyePQvXXBuu/Nb9vhYfffwxA7gRp5okK/AGZGapDhlyTNQAMdEQXD71WuzcnQezABZ4N2i1O4vf/hgfLl8e65JcEeuPwyFHotI4d3+a854HHmbvjY0NyHTFM9TnR8vfg6epFl5JnW70RjUlSIEz4nlocrspL8tmlvbIpi1b2FKUEg0qDLI0KJ1LgyUtIwN6Q9u4D6q/uPraa9nyZgPPalk8fhXHmbuvCsuWvhl1vR4Gg9LDaOSIKDiV4+QcjuMaO9jKoAZKUmUlxKoqKX72bF/y558LQna2IYrxwN93//1cyDPC5NNPP2XWWzTJSEvBKSNHN/9TXl6OH374IeaxRMuiULFaLOndsxsGtkrX0vFAswLI89OFnMWkSZOibik9Q02d+30elvEwmy3wej0orW3EkGMGIzExPFzw2mvUwVK9QJRd88otFs3zCxegf6sJ6Z7Z97D3OKsBkiwzwKGirXvhxAtw+x3/iDimNxa9gH79+mL16l9h4lqsmiceexB7d2+KdUkujPXH4ZAjUWnc09afJ514Is44dQRK6hphtVgZt95zCxYTYJxVXVIcg/xNSiPSQ058FQ2NDSw6bjCakJySDGf8/mNHRDADbYDU1zcwy4UeeirKqmrysZqX4KCLJTfcOANxdisbWLKkMPo8UVJH2cIFL8ZMsxIuw8hxPFH4dRMEYvjhD5YzI5qQwhALCiA1NkrJS5eKzvvuM0SpQwoELfFh48dzg7KzW1kbCt58662Y+2itCBYuXBhz2UkXToDJHE6jWllZic8+/zzmOpS9CJXl76uzMJ2EvpXaO3H4CawEoLUYTWomzGI2M6yJ2+NmLi2l6AldPP7sc8LWeOP1lupjshxkeoVo02effS5s+Q0b1mPz5i1sjJKXQZaDFJBQ7/bBJwNPPP4Yhg49PuK4pIAXl16inl/wvk+9cnLEciGSpjXe+lPkSFMal2q0eTHlsmlqYKuhvhEZSU40eWTcf6/q41ZU1qCqopxVppLCoBRsXW0trBYbUpJTGKMUAbYoL78/2bZ1KxsMEgMtiRocPQB/IMD8X6PJgpz94D5u1WYSGsO19Q1ocnuQYDWgrimAF55/Luo6/YxGaYjJhDJRJPif3I3j4Ouo3DjHqb1PcnMJhy+mfPGFZJ440aiNAzYJitu3+xpfeslXOmKE5H7tNTEI9ppzzz1Ka2vjpRdj1/FcOJEUQQteYcmSpXC7o2P2bFYLzp8Qialoa/uXXBKuNNasXdPsPrQWqokZPvykiN/9PjVbSQBAt8fDFIbVbIHTrhYiXnzJpWHL5+fnY01z+phjFbzQapzowowccTKOG3pC2Dpz56qBbpNBB0VW4PF4IQb8THGA4VKiQy5y8/JQWFTcTHh05ZVXQqdvE6Z/aVt/dqQcSUqD1xogxxTiaDh7/Nlo8ktw2m3sQXrk8XmorSpkq9DDXVFexrIcVM5O5rPBaERSkgs+v5fVJcQ5zBFmZDTZV1SE3PwCNnMRUCwgBuALBOD1+lBWWkb8NejRRlB18mWXI82ltjhp9HhRT3B2o5Gd5OLX342JyzhHy5gQuU4WzyupHMe7OwIBSvELjwe+vDyYzzgjkNXYqJjOPJPKdgO+b77x1d9zj7/81FPlsmHD+KqrrzZ4v//eVDl9uiDl5zN/6uxp07hMmy3M2tiwYQMrWY8mFMc597yW2AMFGd95952Yhzd1WmQY68MPP0RjU/Ri0W5dsnD88JPDflv5Vex6x4kXRsY1aqpVqHtDU1OzwqCCOatVfTjPPGM0El3hGYtg5oiSLBrQmLpeMqwQyQutFN0bb7zJLBITD5bJE2UJHK8W8zUFFHTr1hXPvxA9tvXN1yvZGK92+xHvtOPcc8+LeX50im392ZFyJCmNR/ZHyPvv2fcgPTkJpdV1SImzobisFo8+fG/YMjQbkEYnhUGEMCkpqSzNSd+JB4NyKf37x6JSCJcdO7azm0bWBfFfULl8fX0dM2MNeh69evWOue6cOWpEnVJnZRVVrFQ8NcEOvww8/d8noq4z1GyWjzKZ+ApRJGXFAqBCtN6sByGK2w3ebhcd06d74p95Rgr8/jvq7rxTLD3mGKVs9GihZs4co3fVKiMdqD4rizN27QpFFIWK887jIcukLHQP33dfhLXx7HPRLSaSG2+4Iez73Kfnxlz29FNHILtLeOUrlQQsenVR2G+hqZxrr7km7L9VrZjBSPza0V500STo9OG10Ll7c9Vl/AGW1SKFYbeZYeDU/dC9nzIlPMb49jvvsMkp6OzIzFWRIflFFuwedNQAnHd+i7KkGMmi19Rz8EsSG4M6nvXgZuOKsirXXH01ZsycGXHs/33qKfYetDJvmjkj5vXTKCROa2uBjpIjRWlQGDsyKhQi6WmpuG/2LNR5RaTGq+bjFVOvR8AbHoyjWhSyBswWC9LS0hlegx50QoraNbPzqKPal0HZuE7tiez1+1kakIrgRMrKCAIa3T707tsn6npUnk0cH2S27iurhCSKMFvV+Muri5Zg787IIJ+J45SL4uLgUxS+TlGQw/NyD47jOizNqihEuKMoHo9QMX68sfTYY4Xaxx83BnbsMOjS03X67GzosrLAmdXgriKKMHTpAu+GDbqqK65grvtlt90m9HG5wqyNBQsWsIcumpx80jAMOua45n/++GMjfvzxx5iHeOutt0X89kgr2DaLD2mfp1w+GQmJLXD+pUuWoLS0tPm7l9wBrx+VDR6kuBJw+eVTwrb1888/ockvIjM9FS6XC3a7qjAkzS0lmdnqYSZ3d+MGlSiJ4hSSKEMUJaZIvKK61vwF4fGb++fMYcccb7cyikSqQyJVQNaXx6deu2fmzsUVU8OtLQoGf/f9D4i3GFDn9WPkySdi0OA2uxQW5QIAACAASURBVGJc3dafHSVHgtKgY3h+fwvdc/9D7L22wQ2rUY+V3/2OlZ9Hmrv5+XmwmvSMsYtuCj3oFOQihRGsdu3Zszd0hv1zBW/ZolZc+v0iGhsbmcIgYA5VdvoCfvTt1z+qn3nPvar1U1nnRlNjIyvucsXZ2G8E0okmZ9jtUrZez9dIEhtg3XieM6kp1w4RzmpFIDdX73n/fYNSU8MJ6ek8KQohOZm5LojiAlERoCEtDQ1vvCF4v/iCDoW/4847w5ahVOXS92LjMKZfNT3s+7xnn4257ORLL2WYmFApKtqHn35SiYmDmQoumCXhOVzWShG8qlkmZGHQfaMYQmWVyu41ecqVYctSK4Yd27bBadLDalKtUDG4bW2ZLtkZOOHEU8LWW7FiBXtnSkOSWIaOChtNRj18soK0FBcumNjiDuXl5SEvPx9mndo2l2Bbkiwx5WHQ8c048EWvvIyBrapzg+OlpkGNB1173fUxrx+Ao9v6s6PkSFAat2jItpiSmpKCq6+aCo8ow+VUo+z/+Ed0w6SkuAgWvcDSrXV1tazS1Wq3M8wGA2ixmpV0dOkSSQLTWvbs2g2fRLOVh/GD0jYowGo2m2ExW5CTmc56loTKhAkTkJmRgTpvAJ6mJijE6aHXw8hz+PLrX7F9cyRmwc7zymlWK2olibkiZHUkcRzn78g0K3VgM5nAJyWBo4KqGIoiTOh/o5EyD3z1jTfSoUgTrrlGaA32erGtgOWlF4e5Bcvee48RKUcTV1I8xo6L7F75gubzU9yR0qmEwwhinlojPp9/Xp1/aDmKIVCAUxID2FdZi1EjTkTPXuHW4dZNqtWnC1EY+hDFRHLZ5PDMxSsvq3ENIw9mZZD1QFSQZNV6/Kq1ccst4a0fvvlKVTQU+iB3hs6FeFWJGlH0SahqUvMk3333XXNWh+SDDz5AVXUt0hLszPqZeOGFMJpipvp7apmUwyp/tdKgs//X/ha694EH2U0kEI7FIGDZx99iw5pVUZctKS5GRW0DfH4fDAayMBwMFWoyGBgDV0BWZ5H2ZFB27tqJvIJCZqlQkRSZoBTMJCVGnNsmPY+cLjlh6/zzbpU4t6HJA6/HzRClaUkqG9UTTz4ZdT9j7HYpVa8XGqi8X1Hg4jg5ieOUI4KEkvzwjAz49+7VeRcskOMdDvmMQYPClAZBo0vLyqKunhDnwAUXtOAkaGZ+883o+BSSaVECokuWvMvS6bz20PEhOIyjBvQNK7EnS/OXX1eze9zQ0MjcSsLZUGCc1m9tmRDvKEIURFBhMNY37ceLJl0IQddSt7dn7x6sX7+ebY8sT6qApqplisEQVwoYNOAERpwclHnzVAvLZtarFoZe5ZqVtUmJFBu53vHxcfjqq5Vhx7j4tUUwCjz2ldUgKd6B4cNjZlfpkKIj2TpQ/mqlceH+Cm5Sk5Nx7fSrmO9JlaZNAeDuf8fWM0TaW1y0D3ZHHOPe1Bl0MOn1zDpg1ZHaDEVlzPuTquoaxilKmAyKevO8wHxfQg42NrnZ2qHB0JNOOhHHDR6EOp8E0e9jEXlHnJNZPhu35mLl55FmfIIgyIT+rJEk5un6AaUbz1NXpg5zTQ5ZiGjHbkflv//NQF73v/RSBNhr8eLFMfdy/oRzw77PbwMiPn7cWDjjEsJ+owf//fffZ5/pIrXGYbTOvCzQ8BIUi6I0OU0YDNWrABe0Anr9sno1e+dDFAZLs0tKMwN6UmI8zjxrXNh6ixapbpDZpGeYDVKGZInSOpTtAEuTtmBVCLFKBEMmgWeWF68TmGVCwXWyPFj6VpGZhXrySSfiiSdb3Nj5z6kKJ3jBR506Gm3IJW392RHyVyuN/Z7g/Q+rgbAtu/YiIzEOn326Ets3r465fB3DZtQhOysDep0ORh3xWJpZPIOUBt0gEip0ao/sKyxQiX8VICUlGXEOB2PcDmIOeoVYLLffpSozin/QzGa2WJHhUq2MuU9H9+XPtNmUJJ1OaJJlBuRxcpzcleOYxXHE8BZQEDUxEWJtrc43fz43dMgQDExPDwuIBlOR0eTkk8IxEhRI3L07eqrWoBdYn5XWEkxLRiuKv/SS8GH07pIlqGloQmpyksq6ZrawTEVucRn69+qOk0e0wNa//OKLsOI4Oimq9yB9IVDPW+33yy+7LGwfb2nANiOnZnnUcn0OHreXKTmwtHv4Os9p8RyjQWAmk9dHKViRWcKEA6KAMgVuKR5z+223oncftcve7j17sHrNWnRJiUeN24czorhwITJUa/Z12OSvVBqUZB/T1gI9unXD9GlTUVhRgzi7Gkh8/NEH97vh8tJiOPUqo5TVYoHRZFCrVekGK6rS6NO3zbaHzbJ962bG4pWSmorEhHgW0yCloTeo5ioxloPNOEacetoZLO7i9XjYIEhJdrFBXlBcjbfeeDli21aeV060WrmglUGMXD15HtTP5Ejjx6egqKDXo1pNsXLPvPoqQq2NHdu3N9d/tBbKfJ12evitfuzxx2Lu68abboz4jVwgCiZGk2RXAiaEBB7p/rz60gusKpWC0L6AavVBw1LcGRIPo2WXvLuEfW5WGLIaZOVCYNznnjM+LFNDiNVPPvmEfRbIJVGgArdICeh0zA3u3jUbI0e1ZEEXL36dlTOQonGT2ySKDGVM7gp9Vi0OBRU1DezCrvjyC7goUA3g0YfUcU/ZuOMHDcCYs8a3dbvaLu09RPkrlcZD+1tg3kI1wLZrbx56Zadj+affYc3qyFx8a9m7R0UGWixWmMwq+S3YPEDRanWu6t6jJ8zW/VMu/rFxI3vwCVEqSzIC/gCbvRw2Fe3YtZuqNKZcORUOkx4VNfXM7ExMTEScBhKiwJnPUxex7TNsNjlZp+PIyhDVAI/ch+dp8B62EviDFrI2UlLg37qVk374QR55xhn8sO7dwzyob775JubW77wrnND5xRdeiBkQHTJoIIafFFky/8wzkUx3Xi0ievMtt4b9/tQTKhbGarcxJK7daoVLA9uNHzcmLID9rGYBsIdB4VgbBir+VTTgFtWK0KRwZauU6BPaPkwCx4KuBAAkuDqBARu9air1xptaKn49HjcWaLiWALNO1PgGWRgUE6H9+n0ByGIAxdUNjGnup59+YstTQDS3cB+yUlVv/tY77oh1qUnaTLEcqvxVSuNECgG0tQAVDI05/VRs2F2Avj3VG3znHbe3a+NF+1S0pcliVun1GV+2annQzfFLCovU9+y5/zJ5Yl6StW0xC0OvZ02YqNGRKCvMZaE02dnnTYBblKFj/KQmFkMJXtwPPvgwYrsOnpdPtVqVWs3KoIK0bEFQ0jiO7+jitA4TlQeCr37kEZWM56mnwmIbBBWPJaePHon0Vjwbb4VAqJVWwK1JF0a6KG+8Ec6jSgrD5xNZhuvkE49H9x4t97OouJh1hUuNs7GAeHx8AqzmlmDm5MtaAqK//fYrQwuz1nKCyhZA7gm9KIjq9qm68bJW7gZlOqqqqljQNSCJLChKFJNEOaloFi3FaCi+FpQgGC7BYQXH8SweQoqGp0B7QFSJmgUBnCxhT1E5evbogbfeUaEFTz/xOOLMRuwpqcToUSPQpWtMTpe2erYcsvxVSuOW/S1w9z0qW3VjQz3SEuLx8uLl2L3993ZtnEqlwSLVBgbZhUZ+SzeoprYOtW4v9Hz7MihkEufmFcCqA1MUVpuFWS8Umad+rC5XEh5+

Extracted

Path

C:\Recovery\decrypt_file.TxT

Ransom Note
*************************** | We Are Back ? *************************** We hacked your (( Network )), and now all files, documents, images, databases and other important data are safely encrypted using the strongest algorithms ever. You cannot access any of your files or services . But do not worry. You can restore everthing and get back business very soon ( depends on your actions ) before I tell how you can restore your data, you have to know certain things : We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public. To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware ) *************************** | What guarantees ? *************************** We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free just send the files you want to decrypt to ([email protected] *************************************************** | How to contact us and recover all of your files ? *************************************************** The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses . [ + ] Instructions: 1- Send the decrypt_file.txt file to the following email ===> [email protected] 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address : [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ] 3- confirm your payment by sending the transfer url to our email address 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you, so that you can recover all your files. ## Note ## Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible. By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites. Your ID ==> qcJ7lWpD9R8k5V4N5enc
Wallets

1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT

Extracted

Path

C:\mINyMTFyg.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> Data leak includes 1. Full emloyeers personal data 2. Network information 3. Schemes of buildings, active project information, architect details and contracts, 4. Finance info >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV

Extracted

Path

C:\Program Files\R3ADM3.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : https://contirecovery.info YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- V8gTskvaU8gGgzzk0qC2sM90noCXm1AgvCkADBk9JhxwjahEd2MSBLQ5sgBZOEkq ---END ID---
URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.info

Extracted

Path

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\!!FAQ for Decryption!!.txt

Ransom Note
Good day. All your files are encrypted. For decryption contact us. Write here [email protected] We also inform that your databases, ftp server and file server were downloaded by us to our servers. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss.

Extracted

Path

C:\Users\Admin\README.b77a682a.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3 When you open our website, put the following data in the input form: Key: 5l5BZPnhuDEYAVqJR4MgValoWwML2OjDOtYwubDXeXGefcJDd4otfGdb9pJPrHW7Rt0XqdwabTWl9I5xhiHBsW6mg5BoqR4M2LZ0TI1hN4ifY7RVgRakjxxhhyImncWtgNb8LWtJlhn6cwtDLlsIjq0wAn8s7YsdzgTPPreHXEyFiFH1ozVIpZXV1mO5QXMZu16DNkFcXVIfdw5gPeSYjd3VAa7VlIH8IXgwCuza7YprCeDIOmvRqYK1jBH4s4nn0VyEHnWRndP7jNNUmat6FMhNzeKnLYGbMDRwmZR6iFdFX0Y3lhEWenDamVRchRSE5YwiL9LqTfkrnrswflssAB0SOcodZXRxG5HNItcitj3Za1NzC5fmBpdKN4jV01hMBG98ZEN8HMKeOdVxKtbAZP86K9IfBy8QcNrWLQ2hAeup6DD6KsG8R0Jj8czKTu4MDlGaxQMtPSycA0B6IzpPVV0Tbn9yWIIFH6y4mir71zDWbcPH3p5Hnr80gTnOFHXGzkGfrdy1bjn5H99zniLFFjchV8EEPMtgG2PwKF7NVQ9dTdlMBHWQpGc !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3

Targets

    • Target

      RansomwareSamples/Avaddon_09_06_2020_1054KB.exe

    • Size

      1.0MB

    • MD5

      c9ec0d9ff44f445ce5614cc87398b38d

    • SHA1

      591ffe54bac2c50af61737a28749ff8435168182

    • SHA256

      05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2

    • SHA512

      c340baeb66fc46830b6b77b2583033ade6e10b3de04d82ece7e241107afe741442585bf2ea9d6496af93143c37e9676d4f1e1d301d55632b88b12daadadd43f0

    • SSDEEP

      24576:Cs6JmdFn5KLOCgHWcAvcrOcEsKfR9uA7rmFbbbbpccf:Cs6JY5KLOCyWcDUfRAA3mFbbbbpc4

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (279) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      RansomwareSamples/Avos_18_07_2021_403KB.exe

    • Size

      402KB

    • MD5

      de6152b2b3a181509c5d71a332a75043

    • SHA1

      d62c0ad2ec132065c5807c0fe7a4cabcba34cf29

    • SHA256

      01792043e07a0db52664c5878b253531b293754dc6fd6a8426899c1a66ddd61f

    • SHA512

      99df08f8c0d966c1ca866cc414939ee9ff23a044496497edd5c64fb83a7011718183272f9001dec97111a8e8387218632c7ef6a9f00644e01363540002f5b0d4

    • SSDEEP

      12288:L5rxhWsTDzB6BybYxl+xX4VpMDEvqXHRAS0uayw4H5qsNI4j:L5rxhW6PB6BybYxlWX/DEv4eZw

    • Avoslocker Ransomware

      Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

    • Renames multiple (81) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Target

      RansomwareSamples/Babik_04_01_2021_31KB.exe

    • Size

      30KB

    • MD5

      e10713a4a5f635767dcd54d609bed977

    • SHA1

      320d799beef673a98481757b2ff7e3463ce67916

    • SHA256

      8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9

    • SHA512

      fed1cb7e1798ea0d131a0d4962a2b9f6c700ee3e1c9482c7837be930ce5167196ac7b1e715d9c9a5c171c349f3df3dde1a42db8e439459bc742928f9d19b38a7

    • SSDEEP

      768:S4DnL4DGrUVvP917yo6Xee7amb26ZghLybmGJ87tHvg7jzTzt:SILd639NdCbXZxbytH6

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (478) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      RansomwareSamples/Babuk_20_04_2021_79KB.exe

    • Size

      79KB

    • MD5

      024382eef9abab8edd804548f94b78fc

    • SHA1

      b69a5385d880f4d0acd3358df002aba42b12820f

    • SHA256

      c4282e9040cdc1df92b722568a8b4c42ce9f6533fed0bd34b7fdbae264947784

    • SHA512

      011bd185ef5aef409dbd198f59829d9812d2b1ead69e867e8b9983eb7c742356b074b17383c17fe22f417b61e6aaf7858cbb9e3abd5d25d02f256b69834c42d4

    • SSDEEP

      1536:jRS6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:jRMhZ5YesrQLOJgY8Zp8LHD4XWaNH71m

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (182) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe

    • Size

      12.2MB

    • MD5

      96c2f4acef5807b54ded4e0dae6ed79d

    • SHA1

      3e93999954ce080a4dc2875638745a92c539bd50

    • SHA256

      c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908

    • SHA512

      bfb933ce0e68c2d320a49e29eb883c505012895bd04b82f29167cd791e4bd507ee5529a2199a51c6faaf9f70053869b488833766b6dfa1efeab2700c0bcea30c

    • SSDEEP

      393216:Rd9c5hlEK/PNKwtN3ZWyp032LOqKT1g8Cy:RXEhxtKwtN3p232LOqKgz

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      RansomwareSamples/BlackMatter_02_08_2021_67KB.exe

    • Size

      67KB

    • MD5

      598c53bfef81e489375f09792e487f1a

    • SHA1

      80a29bd2c349a8588edf42653ed739054f9a10f5

    • SHA256

      22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

    • SHA512

      6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35

    • SSDEEP

      1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kl:qR7auJXSkZg3C

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

    • Renames multiple (163) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      RansomwareSamples/Conti_22_12_2020_186KB.exe

    • Size

      185KB

    • MD5

      7076f9674bc42536d1e0e2ca80d1e4f6

    • SHA1

      854485ee63e5a399fffe150f04cd038d6a5490ef

    • SHA256

      ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124

    • SHA512

      71c507108cc0c8b5609076672bd0b64a42c015995fe7220aa97e273c1754e63271edb06b284f4fc01b71a4751c1bcac0f572339e94ff0fd538dc0250caa9181a

    • SSDEEP

      3072:+qS7gtGIeq8KxrvRp1MImcZeuLaxugfCJsOlq8WkJK0BOog/Tt3onM9kHpOBae4f:zS7gtyuzFxm16axugfqlMw5g5BkOdSlr

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Renames multiple (8072) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      RansomwareSamples/Cuba_08_03_2021_1130KB.exe

    • Size

      1.1MB

    • MD5

      a12e733ddbe6f404b27474fa0e5de61d

    • SHA1

      e8d0c95621a19131ef9480e58a8d6dd3d15c9acd

    • SHA256

      271ef3c1d022829f0b15f2471d05a28d4786abafd0a9e1e742bde3f6b36872ad

    • SHA512

      f27605a283e958690eb7ad50aa46110b6d155217ad09d658ad3f9c4368d4c66ab623a0cc3489d695a02db462fec3bcf8ebee13f9da1bd61e2e3db46de2d73ddf

    • SSDEEP

      12288:xtwee4XgIijsCMtcTCWVRapiyC9vwic8CPK3EOnA+u+:8efgIiICMtIChp8N2K3EOAK

    Score
    10/10
    • Deletes itself

    • Target

      RansomwareSamples/DarkSide_01_05_2021_30KB.exe

    • Size

      30KB

    • MD5

      f00aded4c16c0e8c3b5adfc23d19c609

    • SHA1

      86ca4973a98072c32db97c9433c16d405e4154ac

    • SHA256

      4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a

    • SHA512

      a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf

    • SSDEEP

      768:lXnIczxCbTRNl71wHpZQgYI1TQPB3aYJEOW:hIMxCXd1+pZQgYIxk3vJE

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Renames multiple (154) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Sets desktop wallpaper using registry

    • Target

      RansomwareSamples/DarkSide_16_01_2021_59KB.exe

    • Size

      59KB

    • MD5

      0ed51a595631e9b4d60896ab5573332f

    • SHA1

      7ae73b5e1622049380c9b615ce3b7f636665584b

    • SHA256

      243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60

    • SHA512

      9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5

    • SSDEEP

      768:vjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1yl3RYY23W58:0x7Fu4/ihrhDTV1ylhZ58

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Renames multiple (190) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Sets desktop wallpaper using registry

    • Target

      RansomwareSamples/DarkSide_18_11_2020_17KB.exe

    • Size

      17KB

    • MD5

      f87a2e1c3d148a67eaeb696b1ab69133

    • SHA1

      d1dfe82775c1d698dd7861d6dfa1352a74551d35

    • SHA256

      9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297

    • SHA512

      e361811b07a66d9a784be37bdace0bdec9e11374083d7ccf7d9830e47a59afa8b9d12d80d4d47ea1932116354ad60bbc8ea6a6a265885d264b35486986415ea3

    • SSDEEP

      384:SGyUrEk/yEoQE+yckIYN/pBa3AWK3T2oTboHblKR/:l4klFypIYFpB/x9ngb

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Renames multiple (143) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Target

      RansomwareSamples/DearCry_13_03_2021_1292KB.exe

    • Size

      1.3MB

    • MD5

      0e55ead3b8fd305d9a54f78c7b56741a

    • SHA1

      f7b084e581a8dcea450c2652f8058d93797413c3

    • SHA256

      2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff

    • SHA512

      5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa

    • SSDEEP

      24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkHVZgMCS+:L7XP7P9o5QzUtl1fpxkHVZgMC3

    • DearCry

      DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.

    • Renames multiple (3370) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      RansomwareSamples/Hades_29_03_2021_1909KB.exe

    • Size

      1.9MB

    • MD5

      9fa1ba3e7d6e32f240c790753cdaaf8e

    • SHA1

      7bcea3fbfcb4c170c57c9050499e1fae40f5d731

    • SHA256

      fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87

    • SHA512

      8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe

    • SSDEEP

      49152:zHOalx8WJjq64Hv7OHxTAhEu5undVmB9dn5AI7EyP3S:Z/8WJjiPSRRu5undVmDd5VEyvS

    • Hades Ransomware

      Ransomware family attributed to Evil Corp APT first seen in late 2020.

    • Hades payload

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

    • Renames multiple (260) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      RansomwareSamples/Hive_17_07_2021_808KB.exe

    • Size

      808KB

    • MD5

      504bd1695de326bc533fde29b8a69319

    • SHA1

      67f0c8d81aefcfc5943b31d695972194ac15e9f2

    • SHA256

      a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749

    • SHA512

      18c5b28bafb13edf47f6a2b803d9d9a914945f037b266a765f2a324842c5ef04ebda27eba31851d2d63e00779a42900e0edfe4ad5bd817eb4f43fa4d4e3a4767

    • SSDEEP

      24576:lafTGwLNdRk4RBtr/ioF4/I+CMx3cMt3/4KFG8Qz4YwY:IT7dRFr/ioFjicMtvV4z

    • Detects Go variant of Hive Ransomware

    • Hive

      A ransomware written in Golang first seen in June 2021.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops file in Drivers directory

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      RansomwareSamples/LockBit_14_02_2021_146KB.exe

    • Size

      146KB

    • MD5

      69bec32d50744293e85606a5e8f80425

    • SHA1

      101b90ac7e0c2a8b570686c13dfa0e161ddd00e0

    • SHA256

      95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf

    • SHA512

      e01f976fcbfa67cfd6e97855d07350a27b67fcc825d4e813ac9d2f4e8f464bb4f8bbbbe58a26bc27e78fa15db0ee5271e8f041dd72f036c11964eb1c591b438f

    • SSDEEP

      3072:V6ZkRGjkBrmKmY99UpkD1/34bIpVSrtLmqc2LVMMqqD/h2LuTeONA5tIHVcH:IS9rLPPUpa3VVEtLXcCqqD/hOQnaMcH

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9354) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      RansomwareSamples/MAKOP_27_10_2020_115KB.exe

    • Size

      114KB

    • MD5

      b33e8ce6a7035bee5c5472d5b870b68a

    • SHA1

      783d08fe374f287a4e0412ed8b7f5446c6e65687

    • SHA256

      2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f

    • SHA512

      78c36e1f8ba968d55e8b469fba9623bd20f9d7216b4f5983388c32be564484caab228935f96fd8bff82bc8bb8732f7beb9ccede50385b6b6ba7e23b5cc60679f

    • SSDEEP

      3072:Rf1BDZ0kVB67Duw9AMcUTeQnbZ7pgHzL8O1oc8rEUvZfqv8dOWVIc:R9X0GGZpYzL8VcFUvZyUdb

    • Makop

      Ransomware family discovered by @VK_Intel in early 2020.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (8323) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

pyinstaller512478c08dada2af19e49808fbda5b0bupxcryptonepacker$2a$10$kmb3nsvqxc.93gyncgky/uq9hyhivf0e3hcajfiifr8hf3fmnofgm7258$2a$10$dfjplrxudytff.kmytq1rogsxjtjee8emqt65ftxltpjtxpzrhsaq7178blackmattermedusalockermespinozasodinokibi
Score
10/10

behavioral1

avaddondefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan
Score
10/10

behavioral2

avaddondiscoveryevasionpersistenceransomwaretrojan
Score
10/10

behavioral3

avoslockerdiscoveryransomware
Score
10/10

behavioral4

avoslockerdiscoveryransomware
Score
10/10

behavioral5

babukcredential_accessdefense_evasiondiscoveryexecutionimpactransomwarestealer
Score
10/10

behavioral6

babukcredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral7

babukdefense_evasiondiscoveryexecutionimpactransomware
Score
10/10

behavioral8

babukdefense_evasiondiscoveryexecutionimpactransomware
Score
10/10

behavioral9

ransomwarespywarestealer
Score
10/10

behavioral10

ransomwarespywarestealer
Score
10/10

behavioral11

blackmatterdiscoveryransomware
Score
10/10

behavioral12

blackmatterdiscoveryransomware
Score
10/10

behavioral13

conticredential_accessdiscoveryransomwarespywarestealer
Score
10/10

behavioral14

conticredential_accessdiscoveryransomwarespywarestealer
Score
10/10

behavioral15

discoveryransomware
Score
10/10

behavioral16

discoveryransomware
Score
10/10

behavioral17

darksidecredential_accessdiscoveryexecutionransomwarespywarestealerupx
Score
10/10

behavioral18

darksidecredential_accessdiscoveryexecutionransomwarespywarestealerupx
Score
10/10

behavioral19

darksidecredential_accessdiscoveryexecutionransomwarespywarestealer
Score
10/10

behavioral20

darksidecredential_accessdiscoveryexecutionransomwarespywarestealer
Score
10/10

behavioral21

darksidecredential_accessdiscoveryexecutionransomwarespywarestealerupx
Score
10/10

behavioral22

darksidecredential_accessdiscoveryexecutionransomwarespywarestealerupx
Score
10/10

behavioral23

dearcrydiscoveryransomwarespywarestealer
Score
10/10

behavioral24

dearcrydiscoverypersistenceransomwarespywarestealer
Score
10/10

behavioral25

hadescryptonepackerransomware
Score
10/10

behavioral26

hadescryptonepackerransomware
Score
10/10

behavioral27

hivecredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerupx
Score
10/10

behavioral28

hivedefense_evasionexecutionimpactransomwarespywarestealerupx
Score
10/10

behavioral29

lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware
Score
10/10

behavioral30

lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware
Score
10/10

behavioral31

makopdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral32

discovery
Score
7/10