From 3c7230e38eda2eca958099738daae60023de9b11 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 22 Nov 2022 09:00:04 +0100 Subject: [PATCH 1/6] add Bazarbackdoor Synonyms --- clusters/backdoor.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/clusters/backdoor.json b/clusters/backdoor.json index ee16029..c52e142 100644 --- a/clusters/backdoor.json +++ b/clusters/backdoor.json @@ -135,6 +135,14 @@ "refs": [ "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", "https://www.pandasecurity.com/en/mediacenter/business/bazarbackdoor-trickbot-backdoor/" + ], + "synonyms": [ + "BEERBOT", + "KEGTAP", + "Team9Backdoor", + "bazaloader", + "bazarloader", + "bazaarloader" ] }, "uuid": "1523a693-5d90-4da1-86d2-b5d22317820d", @@ -187,5 +195,5 @@ "value": "BPFDoor" } ], - "version": 12 + "version": 13 } From 8bf6d73d66e4e4ff48847cc0b365643691fbe0d5 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 22 Nov 2022 09:08:28 +0100 Subject: [PATCH 2/6] add BazarCall campaign --- clusters/threat-actor.json | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ec2f959..da86565 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2572,7 +2572,8 @@ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://threatintel.blog/OPBlueRaven-Part1/", "https://threatintel.blog/OPBlueRaven-Part2/", - "https://www.secureworks.com/research/threat-profiles/gold-niagara" + "https://www.secureworks.com/research/threat-profiles/gold-niagara", + "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous" ], "synonyms": [ "CARBON SPIDER", @@ -2580,7 +2581,8 @@ "Calcium", "ATK32", "G0046", - "G0008" + "G0008", + "Coreid" ] }, "related": [ @@ -9894,7 +9896,22 @@ ], "uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387", "value": "GOLD PRELUDE" + }, + { + "description": "BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold called by the attacker, except in BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.", + "meta": { + "refs": [ + "https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html", + "https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/" + ], + "synonyms": [ + "BazzarCall", + "BazaCall" + ] + }, + "uuid": "906e2091-cc32-499e-a799-2b9b15e45042", + "value": "BazarCall" } ], - "version": 252 + "version": 253 } From e316382b8aeadbaa7b4acd83f55f906bd0431b4d Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 22 Nov 2022 12:06:03 +0100 Subject: [PATCH 3/6] add qakbot ref --- clusters/botnet.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/clusters/botnet.json b/clusters/botnet.json index df6dea5..d7ad655 100644 --- a/clusters/botnet.json +++ b/clusters/botnet.json @@ -1346,7 +1346,8 @@ "description": "Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan, steals financial data, browser information/hooks, keystrokes, credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 – two big campaigns, one from March to June, second Starting in July and ongoing, as part of latest Emotet campaign. Newer version appeared in August.", "meta": { "refs": [ - "https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf" + "https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", + "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html" ], "synonyms": [ "QakBot", @@ -1385,5 +1386,5 @@ "value": "Dark.IoT" } ], - "version": 28 + "version": 29 } From ffc68b9b8f99b2556c6fdc6d6312cc3ebd47168a Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 22 Nov 2022 12:40:47 +0100 Subject: [PATCH 4/6] add several ransomwares --- clusters/botnet.json | 10 +- clusters/ransomware.json | 235 ++++++++++++++++++++++++++++++++++++++- 2 files changed, 240 insertions(+), 5 deletions(-) diff --git a/clusters/botnet.json b/clusters/botnet.json index d7ad655..c2c34b8 100644 --- a/clusters/botnet.json +++ b/clusters/botnet.json @@ -1347,7 +1347,8 @@ "meta": { "refs": [ "https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", - "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html" + "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html", + "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/" ], "synonyms": [ "QakBot", @@ -1361,6 +1362,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "dropped" + }, + { + "dest-uuid": "9db5f425-fe49-4137-8598-840e7290ed0f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" } ], "uuid": "421a3805-7741-4315-82c2-6c9aa30d0953", diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 5878212..e45ff7f 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -14391,6 +14391,9 @@ "https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/", "https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/", "https://darksidedxcftmqa.onion.foundation/" + ], + "synonyms": [ + "BlackMatter" ] }, "uuid": "f514a46e-53ff-4f07-b75a-aed289cf221f", @@ -23619,6 +23622,20 @@ }, { "description": "ransomware", + "meta": { + "refs": [ + "https://howtofix.guide/ransom-mountlocket/" + ] + }, + "related": [ + { + "dest-uuid": "0ca6ac54-ad2b-4945-9580-ac90e702fd2c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "7513650c-ba09-49bf-b011-d2974c7ae023", "value": "Mountlocket" }, @@ -23658,7 +23675,7 @@ "value": "Leakthemall" }, { - "description": "ransomware", + "description": "Conti ransomware is a RaaS and has been observed encrypting networks since mid-2020.\nConti was developed by the “TrickBot” group, an organized Russian cybercriminal operation. Their reputation has allowed the group to create a strong brand name, attracting many affiliates which has made Conti one of the most widespread ransomware strains in the world.\nOne of the last known “Conti” attacks was against the government of Costa Rica in April 2022 causing the country to declare a state of emergency.\nShortly after this final attack, the “Conti” brand disappeared. The group behind it likely switched to a different brand to avoid sanctions and start over with a new, clean reputation.", "meta": { "attribution-confidence": "100", "country": "RU", @@ -23669,9 +23686,34 @@ "All of your files are currently encrypted by CONTI ransomware." ], "refs": [ - "https://www.cyber.gov.au/acsc/view-all-content/advisories/2021-010-acsc-ransomware-profile-conti" + "https://www.cyber.gov.au/acsc/view-all-content/advisories/2021-010-acsc-ransomware-profile-conti", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines" ] }, + "related": [ + { + "dest-uuid": "0ca6ac54-ad2b-4945-9580-ac90e702fd2c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "parent-of" + }, + { + "dest-uuid": "9db5f425-fe49-4137-8598-840e7290ed0f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "parent-of" + }, + { + "dest-uuid": "1c43524e-0f2e-4468-b6b6-8a37f1d0ea87", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "parent-of" + } + ], "uuid": "201eff54-d41e-4f70-916c-5dfb9301730a", "value": "Conti" }, @@ -23905,7 +23947,10 @@ { "description": "ransomware", "meta": { - "date": "November 2020" + "date": "November 2020", + "synonyms": [ + "FiveHands" + ] }, "uuid": "022c995a-f1ba-498f-b67e-92ef01fd06a3", "value": "HelloKitty" @@ -24603,7 +24648,189 @@ }, "uuid": "d513199e-7f21-43fd-9610-ed708c3f6409", "value": "Lorenz Ransomware" + }, + { + "description": "First observed in June 2021, Hive ransomware was originally written in GoLang but recently, new Hive variants have been seen written in Rust. Targets Healthcare sector.", + "meta": { + "ransomnotes": [ + "Your network has been breached and all data were encrypted.\nPersonal data, financial reports and important documents are ready to disclose.\n\n To decrypt all the data and to prevent exfiltrated files to be disclosed at \nhttp://hive[REDACTED].onion/\nyou will need to purchase our decryption software.\n \nPlease contact our sales department at:v \n http://hive[REDACTED].onion/\n \n Login: [REDACTED]\n Password: [REDACTED]\n \nTo get an access to .onion websites download and install Tor Browser at:\n https://www.torproject.org/ (Tor Browser is not related to us)\n \n \nFollow the guidelines below to avoid losing your data:\n \n- Do not modify, rename or delete *.key.abc12 files. Your data will be \n undecryptable.\n- Do not modify or rename encrypted files. You will lose them.\n- Do not report to the Police, FBI, etc. They don't care about your business.\n They simply won't allow you to pay. As a result you will lose everything.\n- Do not hire a recovery company. They can't decrypt without the key. \n They also don't care about your business. They believe that they are \n good negotiators, but it is not. They usually fail. So speak for yourself.\n- Do not reject to purchase. Exfiltrated files will be publicly disclosed.", + "Your network has been breached and all data were encrypted.\nPersonal data, financial reports and important documents are ready to disclose.\n\n To decrypt all the data and to prevent exfiltrated files to be disclosed at \nhttp://hive[REDACTED].onion/\nyou will need to purchase our decryption software.\n \nPlease contact our sales department at:\n \n http://hive[REDACTED].onion/\n \n Login: test_hive_username\n Password: test_hive_password\n \nTo get an access to .onion websites download and install Tor Browser at:\n https://www.torproject.org/ (Tor Browser is not related to us)\n \n \nFollow the guidelines below to avoid losing your data:\n \n- Do not delete or reinstall VMs. There will be nothing to decrypt.\n- Do not modify, rename or delete *.key files. Your data will be \n undecryptable.\n- Do not modify or rename encrypted files. You will lose them.\n- Do not report to the Police, FBI, etc. They don't care about your business.\n They simply won't allow you to pay. As a result you will lose everything.\n- Do not hire a recovery company. They can't decrypt without the key. \n They also don't care about your business. They believe that they are \n good negotiators, but it is not. They usually fail. So speak for yourself.\n- Do not reject to purchase. Exfiltrated files will be publicly disclosed" + ], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf", + "https://www.sentinelone.com/labs/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive", + "https://www.microsoft.com/en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/", + "https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf", + "https://www.varonis.com/blog/hive-ransomware-analysis" + ] + }, + "uuid": "8ce915d3-8c6d-4841-b509-18379d7a8999", + "value": "Hive" + }, + { + "description": "", + "meta": { + "ransomnotes-refs": [ + "https://www.guidepointsecurity.com/wp-content/uploads/2021/04/Anonymized-Ransom-Note-1-1024x655.png" + ], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker", + "https://securityscorecard.pathfactory.com/research/quantum-ransomware", + "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/", + "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/", + "https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html", + "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates", + "https://github.com/Finch4/Malware-Analysis-Reports/tree/master/MountLocker", + "https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines", + "https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/", + "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware", + "https://thedfirreport.com/2022/04/25/quantum-ransomware/" + ], + "synonyms": [ + "Quantum", + "Mount Locker", + "DagonLocker" + ] + }, + "related": [ + { + "dest-uuid": "7513650c-ba09-49bf-b011-d2974c7ae023", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "201eff54-d41e-4f70-916c-5dfb9301730a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "successor-of" + } + ], + "uuid": "0ca6ac54-ad2b-4945-9580-ac90e702fd2c", + "value": "QuantumLocker" + }, + { + "description": "Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.", + "meta": { + "extensions": [ + ".basta" + ], + "ransomnotes": [ + "Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]" + ], + "ransomnotes-files": [ + "readme.txt" + ], + "ransomnotes-refs": [ + "https://www.bleepstatic.com/images/news/ransomware/b/black-basta/wallpaper.jpg", + "https://www.bleepstatic.com/images/news/ransomware/b/black-basta/ransom-note.jpg", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/e/examining-the-black-basta-ransomwares-infection-routine/blackbasta07PII.PNG", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/e/examining-the-black-basta-ransomwares-infection-routine/blackbasta08PII.PNG" + ], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta", + "https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/", + "https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/", + "https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html", + "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", + "https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/", + "https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://gbhackers.com/black-basta-ransomware/", + "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html", + "https://securelist.com/luna-black-basta-ransomware/106950/", + "https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta", + "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/", + "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/", + "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/", + "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html" + ] + }, + "related": [ + { + "dest-uuid": "201eff54-d41e-4f70-916c-5dfb9301730a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "successor-of" + }, + { + "dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + } + ], + "uuid": "9db5f425-fe49-4137-8598-840e7290ed0f", + "value": "BlackBasta" + }, + { + "description": "Ransomware", + "related": [ + { + "dest-uuid": "201eff54-d41e-4f70-916c-5dfb9301730a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "successor-of" + } + ], + "uuid": "1c43524e-0f2e-4468-b6b6-8a37f1d0ea87", + "value": "BlackByte" + }, + { + "description": "Ransomware", + "uuid": "549c9766-b45d-4d14-86e8-e6a74d69d067", + "value": "RedAlert" + }, + { + "description": "Ransomware", + "uuid": "00638cb0-d8c5-46c2-9c57-39d93d5bfa36", + "value": "Cheerscrypt" + }, + { + "description": "Ransomware", + "uuid": "b4d24c48-c2f7-4ae7-a708-8b321b98075a", + "value": "GwisinLocker" + }, + { + "description": "Ransomware", + "uuid": "2950977b-59bb-464a-8dd8-21728887f72f", + "value": "Luna Ransomware" + }, + { + "description": "Ransomware", + "uuid": "73d3d8f8-83cc-4fdc-a645-d03b9a7b5a9b", + "value": "AvosLocker" + }, + { + "description": "Ransomware", + "uuid": "fec32bbf-c4f8-499d-8e2a-743bcdd071e7", + "value": "PLAY Ransomware" + }, + { + "description": "Ransomware", + "uuid": "1d8cadb9-501c-493e-b89b-b5574ed3f722", + "value": "Qyick Ransomware" + }, + { + "description": "Ransomware", + "uuid": "9796a1a4-b2d7-4e68-bfb4-57093fd32fef", + "value": "Agenda Ransomware" + }, + { + "description": "Ransomware", + "uuid": "a7623a1b-4551-4e5a-a622-2b91dea16b42", + "value": "Karakurt" } ], - "version": 109 + "version": 110 } From f4abf37b01d1eff512545f0219134fc72c8058fa Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 22 Nov 2022 12:45:15 +0100 Subject: [PATCH 5/6] fix versions --- clusters/botnet.json | 2 +- clusters/threat-actor.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/botnet.json b/clusters/botnet.json index 0df6e77..dad5596 100644 --- a/clusters/botnet.json +++ b/clusters/botnet.json @@ -1404,5 +1404,5 @@ "value": "KmsdBot" } ], - "version": 29 + "version": 30 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ea4f045..fa1f2ac 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9943,5 +9943,5 @@ "value": "Evasive Panda" } ], - "version": 253 + "version": 254 } From 5f0d7f6d68885faf8ccbb40461b8486bfd243fbe Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 22 Nov 2022 14:55:10 +0100 Subject: [PATCH 6/6] add VJw0rm description --- clusters/rat.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/clusters/rat.json b/clusters/rat.json index d41e703..e2d5d02 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -2693,10 +2693,16 @@ "value": "Revenge-RAT" }, { + "description": "“Vengeance Justice Worm” was first discovered in 2016 and is a highly multifunctional, modular, publicly available “commodity malware”, i.e., it can be purchased by those interested through various cybercrime and hacking related forums and channels.\n\nVJwOrm is a JavaScript-based malware and combines characteristics of Worm, Information Stealer, Remote-Access Trojan (RAT), Denial-of-Service (DOS) malware, and spam-bot.\n\nVJw0rm is propagated primarily by malicious email attachments and by infecting removeable storage devices.\n\nOnce executed by the victim, the very heavily obfuscated VJw0rm will enumerate installed drives and, if a removeable drive is found, VJwOrm will infect it if configured to do so.\n\nIt will continue to gather victim information such as operating system details, user’s details, installed anti-virus product details, stored browser cookies, the presence of vbc.exe on the system (Microsoft’s .NET Visual Basic Compiler, this indicates that .NET is installed on the system and can affect the actor’s choice of additional malware delivery), and whether the system has been previously infected.\n\nVJw0rm will then report this information back to its command-and-control server and await further commands, such as downloading and executing additional malware or employing any of its other numerous capabilities.\n\nFinally, VJw0rm establishes persistency in the form of registry auto-runs, system startup folders, a scheduled-task, or any combination of these methods.", "meta": { "date": "2016", "refs": [ "https://twitter.com/malwrhunterteam/status/816993165119016960?lang=en" + ], + "synonym": [ + "Vengeance Justice Worm", + "VJw0rm", + "VJwOrm" ] }, "uuid": "bf86d7a6-80af-4d22-a092-f822bf7201d2", @@ -3544,5 +3550,5 @@ "value": "Ragnatela" } ], - "version": 41 + "version": 42 }