General

  • Target

    1.rar

  • Size

    1.6MB

  • Sample

    241120-q22fvaxpcw

  • MD5

    72abd1e699045795972df38ef40d0c30

  • SHA1

    f2b9040f8fa4ccbad006eb8fed6020fe3f40d08f

  • SHA256

    280268db673f66dc31e54d86de101cf8b5d52c583a9282d9c7ccb4475612a8e0

  • SHA512

    3890b4d31f26dcdf6efd80816668b6617a2b93534c158d6302c1544d132ea03d23981472de9524a44601b36415adaf744f9fcbe4bd5ba75a3a743b1facc9bd06

  • SSDEEP

    24576:WMdC2A/fFIf0fepeWD37XFmGFvE54ANn7Tzz7tWOr8NV6hxChSAwn0FMv0ksG5Q7:1+/dIfgeLL7V254A1zMMhE9wnoW099cC

Malware Config

Extracted

Family

sodinokibi

Botnet

13

Campaign

49

Decoy

Attributes

  • net

    false

  • pid

    13

  • prc

    mysql.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    49

Extracted

Family

sodinokibi

Botnet

35

Campaign

1234

Decoy

Attributes

  • net

    false

  • pid

    35

  • prc

    visio

    synctime

    mydesktopqos

    agntsvc

    xfssvccon

    outlook

    firefox

    dbsnmp

    ocssd

    sql

    oracle

    tbirdconfig

    excel

    steam

    thebat

    powerpnt

    dbeng50

    ocomm

    onenote

    mydesktopservice

    msaccess

    winword

    isqlplussvc

    wordpa

    thunderbird

    infopath

    sqbcoreservice

    encsvc

    ocautoupds

    mspub

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1234

  • svc

    svc$

    sql

    memtas

    veeam

    backup

    mepocs

    vss

    sophos

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\BLHSN-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .BLHSN The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/697fbeabed4d5628 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- [omitted] ---END GANDCRAB KEY--- ---BEGIN PC DATA--- [omitted] ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/697fbeabed4d5628

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\WELENDZZNL-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .WELENDZZNL The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/34d2ee38d03c3cf | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- [omitted] ---END GANDCRAB KEY--- ---BEGIN PC DATA--- [omitted] ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/34d2ee38d03c3cf

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\LBGWQLRJNJ-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .LBGWQLRJNJ The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/a9327876aeb32fd8 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- [omitted] ---END GANDCRAB KEY--- ---BEGIN PC DATA--- [omitted] ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/a9327876aeb32fd8

Extracted

Path

C:\$Recycle.Bin\RGCHLSHAV-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .RGCHLSHAV The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/252c6d3621ffb2c5 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- [omitted] ---END GANDCRAB KEY--- ---BEGIN PC DATA--- [omitted] ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/252c6d3621ffb2c5

Extracted

Path

C:\Users\Default\b089lv602-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion b089lv602. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DEAAF204A8C7F96F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/DEAAF204A8C7F96F Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: [base64 key omitted] Extension name: b089lv602 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DEAAF204A8C7F96F

http://decryptor.top/DEAAF204A8C7F96F

Extracted

Path

C:\Users\Default\23n373-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 23n373. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8172E5319B91F962 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8172E5319B91F962 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: [base64 key omitted] Extension name: 23n373 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8172E5319B91F962

http://decryptor.top/8172E5319B91F962

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\RZQKEAVZTY-DECRYPT.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .RZQKEAVZTY The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/7989a8dd6667a5d6 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- [omitted] ---END GANDCRAB KEY--- ---BEGIN PC DATA--- [omitted] ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/7989a8dd6667a5d6

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\KCLDN-DECRYPT.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KCLDN The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/fd4b022afc967c73 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- [omitted] ---END GANDCRAB KEY--- ---BEGIN PC DATA--- [omitted] ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/fd4b022afc967c73

Targets

    • Target

      017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6

    • Size

      97KB

    • MD5

      125923ce61dffa8276a2a77e84d2832a

    • SHA1

      1801bb09f18b2b491e0e1831c2765a96efc1e493

    • SHA256

      017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6

    • SHA512

      aac5ef5260702228a165e72f4721d7df414e33b92a64c8b00c440c9e15ae85aead9fe2d978eea72733f1df84eea9d06fdff04e69ff4f67b0592a1c4a3ae1b433

    • SSDEEP

      1536:ufuwLvvKeqM0TRl79lvhWAwVl5OpqIyedIVjC3E87zcrHuTcxLUllPR:umwLXnqM0Nl795twDIyeeB8+HUiUj

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (278) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb

    • Size

      16KB

    • MD5

      ffe4f9b654ff2900c2361444e1b8cc11

    • SHA1

      e19af8a7a59f36f6dc60fccf3fed14558485400c

    • SHA256

      05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb

    • SHA512

      0c6b6103ec9666dd55549e9825d1b22705eb113ca3e323f4d39ef375ab58280467bc0b2677345929f46f1d558a58d356a8e469b020bb184710b18ee1220a3413

    • SSDEEP

      384:CaeADspZKz4N+D8eoeH2uA1L7P+TPXHTBO:/spIz4N+9F2uA1nqP3g

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57

    • Size

      96KB

    • MD5

      ed24f730485f03e084a017d79d899d5a

    • SHA1

      b29bbb2c510515c07f5c8f0b08a2c1cbfa56ec04

    • SHA256

      0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57

    • SHA512

      16365869fb6655b91009135c8edd3998ac8b62c2e2bb546b6ca337c504094de0aac7364da7cff7b1e1768695088911440b7f51fdf46fe71355e8ca19585055b8

    • SSDEEP

      3072:hCunH3YQ4TgvMvPQDeqgKJ+BCnwvG6Q5X1y:hCAX3vMvPQNgKLX6Q5c

    Score
    8/10
    • Downloads MZ/PE file

    • Loads dropped DLL

    • Target

      $PLUGINSDIR/INetC.dll

    • Size

      24KB

    • MD5

      640bff73a5f8e37b202d911e4749b2e9

    • SHA1

      9588dd7561ab7de3bca392b084bec91f3521c879

    • SHA256

      c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

    • SHA512

      39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

    • SSDEEP

      384:wv1j9e9dEs+rN+qFLAjNXT37vYnOrvFhSL+ZwcSyekzANZBJ:w1AvEs3HBLzYn29vYh

    Score
    3/10
    • Target

      1

    • Size

      104KB

    • MD5

      5e488441d160b82bdf55b0547f8cb28f

    • SHA1

      f3dc1a56e21b25849e97d32be01afa8e8e0b6269

    • SHA256

      39f3c5f6717bd58b4bd299d6b0ea2eac3c2b62eaa1207b1c15d3e3d09589d6d2

    • SHA512

      85fe28c8b1cbeca5805c305fab96d6eb03bade72e82fe23ddbe7e89b1d29315bb0ded0f1adc41c1c8cfd8e8b888ed1ab03d77cb571912695389d3c064e4dc713

    • SSDEEP

      1536:/e8f5p+nyS3pPEnFZ60oYJjEiVf5ppW0S3pPpnW:28Wny4p2TpjEiVRW04p5W

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438

    • Size

      96KB

    • MD5

      9953c9961814c8e1c88346415dd208c2

    • SHA1

      bb2daf108ac562e5163e74ba57278857f720d212

    • SHA256

      18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438

    • SHA512

      75985b7c5e41dda0bb83ac34338bedccd14c9deed13c983f8afa1afc083ebf55217aaa69e19c9a195faf8479c0ccbe55a384dbd15a2a44ba89971ac502767027

    • SSDEEP

      3072:BCunH3YQ4TgvMvPQDeqgKJ+BCn2S6Q5aA:BCAX3vMvPQNgKL2S6Q5f

    Score
    8/10
    • Downloads MZ/PE file

    • Loads dropped DLL

    • Target

      $PLUGINSDIR/INetC.dll

    • Size

      24KB

    • MD5

      640bff73a5f8e37b202d911e4749b2e9

    • SHA1

      9588dd7561ab7de3bca392b084bec91f3521c879

    • SHA256

      c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

    • SHA512

      39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

    • SSDEEP

      384:wv1j9e9dEs+rN+qFLAjNXT37vYnOrvFhSL+ZwcSyekzANZBJ:w1AvEs3HBLzYn29vYh

    Score
    3/10
    • Target

      234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2

    • Size

      93KB

    • MD5

      bdbca2193b35706fef4ce9368af7a886

    • SHA1

      216e8cf79eced5dba6365b1648cb8ca126ef0cae

    • SHA256

      234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2

    • SHA512

      af70ab8b4738a2c5a7869f202a850357d71cb43d67498b87525924dfbd2f456254d0ecb4c2651797b2ec75c3717cf0a4433a7d7573a27bbb55ac644c75009a49

    • SSDEEP

      1536:7w2p3ieRXCkxEoSXf6GizDhp2keW8PaoYEXOcrHuTc+N:cSyex5yoSPmzKkeW8iEXjHU

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (298) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6

    • Size

      96KB

    • MD5

      0c74ecd25840e903ab3d53064ba46c65

    • SHA1

      3a8a88c03c3172dde5aa20dc558089a6a936e3a6

    • SHA256

      2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6

    • SHA512

      3c6a31a0abe35422fbdef1bfafcb85cba495d0e0a976c7c9549a87d987958f10b6911ca6899e24513b31373c957acde1bcd3a78b557b575f387a0806b5b1ab2a

    • SSDEEP

      3072:qCunH3YQ4TgvMvPQDeqgKJ+BCn2W6Q5+W:qCAX3vMvPQNgKL2W6Q5Z

    Score
    8/10
    • Downloads MZ/PE file

    • Loads dropped DLL

    • Target

      $PLUGINSDIR/INetC.dll

    • Size

      24KB

    • MD5

      640bff73a5f8e37b202d911e4749b2e9

    • SHA1

      9588dd7561ab7de3bca392b084bec91f3521c879

    • SHA256

      c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

    • SHA512

      39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

    • SSDEEP

      384:wv1j9e9dEs+rN+qFLAjNXT37vYnOrvFhSL+ZwcSyekzANZBJ:w1AvEs3HBLzYn29vYh

    Score
    3/10
    • Target

      2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291

    • Size

      149KB

    • MD5

      7b104c571efba855a2e0ef211450fdac

    • SHA1

      eaf61901c6e2e148c5e089a52cc2606217a41cfa

    • SHA256

      2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291

    • SHA512

      92263ffc40fc03c51c5e4b48a9a813721ce80353674979213fae27b49f7b420d5bb35817232069030b812d9dfc44fd23b4fce3186feaa874ae6c8dd853ce69c6

    • SSDEEP

      3072:R3FfHgTWmCRkGbKGLeNTBfn+TwnDqKBtv/p50oUJiTZxt09W96NXP:J5aWbksiNTB/+Twn2KP/pOS+y2

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Target

      3

    • Size

      157KB

    • MD5

      4bd82da426f6b59e08b40044adb5a3d2

    • SHA1

      097db21cb36c15979730a775ac6bad1240d75275

    • SHA256

      add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310

    • SHA512

      77dc3f9089bb1877defa28e39a9c3a615efed7975dbbe3a4d3af942a450776cf2935d164059d2519aa2d5105ab06106c39431e4baba82c42c3f2cbacfb82b630

    • SSDEEP

      3072:wi8Iy8EytSLbi4eTMlwDCnuZ3j9ifgwbDJ1fMP:B8IUykbnWJZ3jkflJ1fM

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (213) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9

    • Size

      99KB

    • MD5

      78efe80384fa759964c9ea8bada3ac8d

    • SHA1

      6300dca046dee2d99f8429bdb9b5f3edc4d5ec1c

    • SHA256

      329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9

    • SHA512

      faab33afd525d4dee0497096f8cd07c748d98d6b3337d0616740495e6dde2d3b6a4bfb4aadfc2ac032ea5d6e065fc17b0addb4a1fe01878868d39d5d7c282dbc

    • SSDEEP

      3072:UKwH7Fxw0GQi8SHa0jNwriVcJLLfO1MYU:XG3wq70pwrimxLB

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (260) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de

    • Size

      96KB

    • MD5

      4b8b656694ccb60ff4daa29923fb68f9

    • SHA1

      8e6ecaf78bb884a795f8fb3148cdb9b4e2a52715

    • SHA256

      336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de

    • SHA512

      6e1ab2bb02d8058413daf833bad02f25f506d3749e73c7b01f8952117cacfdf43091cb0a4ea2fad3f3c1585356baf0d8c979a52ed41cd055438fa60d8db9e239

    • SSDEEP

      3072:8CunH3YQ4TgvMvPQDeqgKJ+BCnc06Q5t7:8CAX3vMvPQNgKLn6Q5N

    Score
    8/10
    • Downloads MZ/PE file

    • Loads dropped DLL

    • Target

      $PLUGINSDIR/INetC.dll

    • Size

      24KB

    • MD5

      640bff73a5f8e37b202d911e4749b2e9

    • SHA1

      9588dd7561ab7de3bca392b084bec91f3521c879

    • SHA256

      c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

    • SHA512

      39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

    • SSDEEP

      384:wv1j9e9dEs+rN+qFLAjNXT37vYnOrvFhSL+ZwcSyekzANZBJ:w1AvEs3HBLzYn29vYh

    Score
    3/10
    • Target

      4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be

    • Size

      96KB

    • MD5

      0f66bea7be0cc2eaf33da37398375b8a

    • SHA1

      5d72245db8614f528713fed551536b4cbec2b98e

    • SHA256

      4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be

    • SHA512

      b7b9494c2155ed89afcfd79559e5eba5932c9ef04e4719a25f9206d657db7e670b488ce7de7e1fe99ac98a75905b9db08fb03438c08a52cea13ded3d5731b98f

    • SSDEEP

      3072:oCunH3YQ4TgvMvPQDeqgKJ+BCnKp6Q5m8x:oCAX3vMvPQNgKLKp6Q5vx

    Score
    8/10
    • Downloads MZ/PE file

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

upx1349351234sodinokibi
Score
10/10

behavioral1

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
Score
10/10

behavioral2

gandcrab backdoor credential_access discovery ransomware spyware stealer
Score
10/10

behavioral3

Score
3/10

behavioral4

Score
7/10

behavioral5

discovery
Score
8/10

behavioral6

discovery
Score
8/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery evasion persistence spyware stealer upx
Score
8/10

behavioral10

discovery evasion persistence spyware stealer upx
Score
8/10

behavioral11

discovery
Score
8/10

behavioral12

discovery
Score
8/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
Score
10/10

behavioral16

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
Score
10/10

behavioral17

discovery
Score
8/10

behavioral18

discovery
Score
8/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

discovery spyware stealer
Score
7/10

behavioral22

discovery spyware stealer
Score
7/10

behavioral23

sodinokibi defense_evasion discovery execution impact ransomware
Score
10/10

behavioral24

sodinokibi discovery ransomware
Score
10/10

behavioral25

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
Score
10/10

behavioral26

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
Score
10/10

behavioral27

discovery
Score
8/10

behavioral28

discovery
Score
8/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
8/10

behavioral32

discovery
Score
8/10