# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: .locked ransomware

# Reference: https://twitter.com/malwrhunterteam/status/1043475192130031616

vipturkiye.com

# Reference: https://twitter.com/P3pperP0tts/status/1176830047510044673

radioisangano.com/admin/assets/bootstrap/css/write.php

# Reference: https://twitter.com/malwareforme/status/714632342766292993

sarkemc0der.altervista.org

# Reference: https://twitter.com/sdkhere/status/945977958967029761

freemandida.pe.hu

# Reference: https://twitter.com/killamjr/status/1277670729430040579
# Reference: https://www.virustotal.com/gui/domain/alkhaleejpk.info/relations
# Reference: https://app.any.run/tasks/e3888497-0259-48ef-a695-0745abcfdc48/

alkhaleejpk.info

# Reference: https://www.virustotal.com/gui/file/252442f0d8efc5276d735431c89a9319ced8676de53048d6296bae4c8b329be2/detection

pmjh161182.ddns.net

# Reference: https://twitter.com/fuscator/status/1300822841638760454
# Reference: https://app.any.run/tasks/36bb27cb-c66e-4cbf-89f5-135e220ef9a7/

enfiniql2buev6o.m.pipedream.net

# Reference: https://www.virustotal.com/gui/file/c4a8dcdf79572f3b35baa67d238e7ff9352cac1b6a0709fa57d6d4613c312e15/detection

172.111.131.19:5500
bldovf.kozow.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1116679966941417472
# Reference: https://app.any.run/tasks/ce935847-7c61-4ec8-9921-6adc13b3862e
# Reference: https://app.any.run/tasks/a01d8bd5-5a70-4398-b6fe-c34d7deee229
# Reference: https://www.virustotal.com/gui/file/6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8/detection

nebezpecnyweb.eu
/cmFuc29td2FyZQ/checkin.php
/cmFuc29td2FyZQ/detail.php
/cmFuc29td2FyZQ/platba.php
/cmFuc29td2FyZQ/platebni_brana.php
/cmFuc29td2FyZQ/

# Reference: https://twitter.com/petrovic082/status/1147167008393486338
# Reference: https://pastebin.com/NRaUyHLV

2anwyjsh7qgbuc5i.onion

# Reference: https://twitter.com/bartblaze/status/980877270565957633

sweet-candy.co.nf

# Reference: https://twitter.com/petrovic082/status/1333875610247106566
# Reference: https://twitter.com/petrovic082/status/1334577260674867202
# Reference: https://app.any.run/tasks/e681877f-e1df-4f27-9799-9d99e752ac75/
# Reference: https://app.any.run/tasks/47b2c8fd-f4df-4698-9518-b3b99a89f5bc/
# Reference: https://www.virustotal.com/gui/domain/wzl.pagekite.me/detection

wzl.pagekite.me

# Reference: https://twitter.com/malwrhunterteam/status/1344576519377735680
# Reference: https://www.virustotal.com/gui/file/8ce6a8ccaecc732b079334a7d0a304bf862efdf55b567484c0985d47e35be73d/detection

http://84.252.95.236

# Reference: https://www.virustotal.com/gui/file/f2a369cde7e5939c9926e22946f4e3a06c445fe4f5140f9169e970f6dcc4d370/detection
# Reference: https://www.virustotal.com/gui/file/0666a76ee0b364945262c3e94d439bb6645703c10bad79269fc698e168065a42/detection

http://51.15.91.55

# Reference: https://twitter.com/ViriBack/status/1408210500312342529
# Reference: https://app.any.run/tasks/bd3c7dc3-04ad-4c45-930b-9328c37f5ca0/

durasen95.com

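# Generic (URL path and query-string fragments, not tied to a specific host)
# No host is attached to these entries; corroborate a hit with other indicators before attributing it to this family.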

/verma/login/
/verma/plugins/
/verma/connection.php
/verma/receive.php?pc=
/write.php?computer_name=
&allow=ransom
