Resubmissions
18/04/2024, 05:22
240418-f2z8nscc74 1018/04/2024, 05:22
240418-f2njwade8w 1018/04/2024, 05:21
240418-f2gfkade8s 718/04/2024, 05:21
240418-f2csdacc53 1018/04/2024, 05:21
240418-f2b6vade7x 7Analysis
-
max time kernel
592s -
max time network
585s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
18/04/2024, 05:21
General
-
Target
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
-
Size
371KB
-
MD5
bb8cd5df2be7e8bcc5be439675b3d0a2
-
SHA1
627ac60f64974d5caaf81c2de8ca0977c91f4219
-
SHA256
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a
-
SHA512
57031eb7d7b2c27d7ecacdc085d07065ced46a742128f9818f62c9fe6633c31aa8eb20ffc52c8415613787946060f5a6b5adf8b977d5ca4fed9656233ebd9cfa
-
SSDEEP
6144:tnzQnu/cmM1oSigOQT2F8U92Iu7DMVQZhWLvLRXdYX9ji+uhi2PsrhY:hzQnkM1oSiBGI8bxn5m6i+uo20tY
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e9f37970-0ce0-4373-a561-300cf94dde5f}\_DECRYPT_INFO_kewdxn.html
Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<!-- saved from url=(0014)about:internet -->
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8' />
<title>kewdxn decrypt</title>
<style type='text/css'>
<!--
html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px; background-color: #bfbfbf; height: 100%;}
a {color:426BBD; font-family:Tahoma, Verdana, Arial, Helvetica; font-size:12px;}
td {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f0f0f0;
font-size: 14px;
}
.style1 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 48px;
}
.style3 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 60px;
}
.style4 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #28caf9;
font-size: 14px;
}
.style5 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 14px;
}
.style6 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 14px;
}
.style7 {
width:685px;
height:120px;
background-color:#393838;
border:1px solid #565656;
font-family: Courier New;
font-weight: bold;
color: #f0f0f0;
font-size: 13px;
}
.styled-select select {
background-color:#393838;
font-weight: bold;
color: #f0f0f0;
width: 178px;
padding: 5px;
font-size: 16px;
line-height: 1;
border: 0;
border-radius: 0;
height: 34px;
-webkit-appearance: none;
}
-->
</style>
<script type='text/javascript'>
function init()
{
var xtime;
document.getElementById('fe_text').innerHTML = '00:00:00';
var language = window.navigator.userLanguage || window.navigator.language;
if (language.indexOf('-') !== -1)
language = language.split('-')[0];
if (language.indexOf('_') !== -1)
language = language.split('_')[0];
change_lang(language);
var ua = window.navigator.userAgent;
var msie = ua.indexOf('MSIE ');
xtime = Math.floor( (1713418590+(12*60*60)) - (Date.now()/1000));
if (msie == 0)
window.setTimeout('update_timestamp('+xtime+')',1000);
else
update_timestamp(xtime);
}
function component(x, y, z)
{
var res
if (z == 1)
res = Math.floor(x / y);
else
res = Math.floor(x / y) % z;
if (res < 10)
res = '0'+res;
return res;
}
function update_timestamp(tstamp)
{
if (tstamp < 1)
{
document.getElementById('fe_text').innerHTML = '00:00:00';
}
else
{
var hours = component(tstamp, 60*60, 1),
minutes = component(tstamp, 60, 60),
seconds = component(tstamp, 1, 60);
document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds;
tstamp-=1;
window.setTimeout('update_timestamp('+tstamp+')',1000);
}
}
function change_lang(lang)
{
if (lang == "de")
show_de();
else if (lang == "es")
show_es();
else if (lang == "fr")
show_fr();
else if (lang == "it")
show_it();
else if (lang == "nl")
show_nl();
else
show_en();
}
function show_en()
{
document.getElementById('text_01').innerHTML = 'WARNING!';
document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.';
document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.';
document.getElementById('text_09').innerHTML = 'Download TOR Browser from';
document.getElementById('text_10').innerHTML = 'In the Tor Browser open the';
document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).';
document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:';
}
function show_de()
{
document.getElementById('text_01').innerHTML = 'WARNUNG!';
document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!';
document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.';
document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von';
document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie';
document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).';
document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:';
}
function show_es()
{
document.getElementById('text_01').innerHTML = '¡PELIGRO!';
document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!';
document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.';
document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde';
document.getElementById('text_10').innerHTML = 'En el navegador TOR abre';
document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).';
document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:';
}
function show_fr()
{
document.getElementById('text_01').innerHTML = 'ATTENTION!';
document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !';
document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.';
document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de';
document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez ';
document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).';
document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :';
}
function show_it()
{
document.getElementById('text_01').innerHTML = 'ATTENZIONE!';
document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!';
document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.';
document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da';
document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link';
document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).';
document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:';
}
function show_nl()
{
document.getElementById('text_01').innerHTML = 'WAARSCHUWING!';
document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!';
document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.';
document.getElementById('text_09').innerHTML = 'Download de TOR Browser van';
document.getElementById('text_10').innerHTML = 'In de Tor Browser, open';
document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).';
document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:';
}
//var language = window.navigator.userLanguage || window.navigator.language;
//alert(language);
</script>
</head>
<body onload='init();'>
<div align='center'>
<table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'>
<tr>
<td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/kewdxn.gif' width='225' height='221' /></td>
<td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br />
<div align='center' id='text_02'>Your personal files are encrypted.<br />
<br />
<br />
</div>
<div align='center' class='style3' id='fe_text'></div></p>
<div class="styled-select" align='center'>
<select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);">
<option selected disabled value="" style="display:none;">Select language</option>
<option value='en'> ENGLISH</option>
<option value='de'> GERMAN</option>
<option value='es'> SPANISH</option>
<option value='fr'> FRENCH</option>
<option value='it'> ITALIAN</option>
<option value='nl'> DUTCH</option>
</select>
</div>
</td>
</tr>
<tr>
<td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'>
<tr>
<td colspan='2' align='left'>
<br />
<div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br />
<br />
</td>
</tr>
<tr>
<td colspan='2' align='left'>
1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br />
2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubebz6z6cgtw.onion</span><br /><br />
<span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br />
<br />
<span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br />
<div align='center'><textarea class='style7'>
YCE7J-JQUNA-3KTZX-CARWZ-YXGCF-XY57B-JMXJQ-YV3TN-VW4SZ-3D120-MQ0G7-FNTWD-RNQZ6-WKAXD
Y2XH5-0G5UK-FVVAV-S8AN3-K1PXJ-4A6Q0-8T7B7-KCAQB-GJSA6-YY6PC-07XGB-Q3H8A-XNZ67-EDHF4
WKN18-NSYS4-2B2QA-XJHRB-NZC44-3H20Q-EPT45-4G7PS-V14SA-NYPK2-6CVRC-JGMQY-S0HXV-Q1ND6
EEC78-T8CDM-U3RAZ-QQYF2-5FQ03-TGB5X-K1Z37-F4HDU-M6K0J-DGE2M-YSHMQ-PK4W0-21Z5X-42W3V
S802P-V3Q0Z-WCTUA-20525-JVE2S-0UVDA-66XB7-H35GD-TPBY7-27DZT-CS108-M04Y0-7A3K5-T8VDR
0AR04-HNX2S-P16XE-AKKWV-WCYYC-F1YYA-BRW2R-BMTG7-YF1N7-AEWV4-4X715-8NAET
</textarea>
<br />
</div>
<br />
<br />
<br />
</div>
</td>
</tr>
</table></td>
</tr>
</table>
</div>
</body>
</html>
URLs
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
Path
C:\_DECRYPT_INFO_kewdxn.html
Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<!-- saved from url=(0014)about:internet -->
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8' />
<title>kewdxn decrypt</title>
<style type='text/css'>
<!--
html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px; background-color: #bfbfbf; height: 100%;}
a {color:426BBD; font-family:Tahoma, Verdana, Arial, Helvetica; font-size:12px;}
td {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f0f0f0;
font-size: 14px;
}
.style1 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 48px;
}
.style3 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 60px;
}
.style4 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #28caf9;
font-size: 14px;
}
.style5 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 14px;
}
.style6 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 14px;
}
.style7 {
width:685px;
height:120px;
background-color:#393838;
border:1px solid #565656;
font-family: Courier New;
font-weight: bold;
color: #f0f0f0;
font-size: 13px;
}
.styled-select select {
background-color:#393838;
font-weight: bold;
color: #f0f0f0;
width: 178px;
padding: 5px;
font-size: 16px;
line-height: 1;
border: 0;
border-radius: 0;
height: 34px;
-webkit-appearance: none;
}
-->
</style>
<script type='text/javascript'>
function init()
{
var xtime;
document.getElementById('fe_text').innerHTML = '00:00:00';
var language = window.navigator.userLanguage || window.navigator.language;
if (language.indexOf('-') !== -1)
language = language.split('-')[0];
if (language.indexOf('_') !== -1)
language = language.split('_')[0];
change_lang(language);
var ua = window.navigator.userAgent;
var msie = ua.indexOf('MSIE ');
xtime = Math.floor( (1713418591+(12*60*60)) - (Date.now()/1000));
if (msie == 0)
window.setTimeout('update_timestamp('+xtime+')',1000);
else
update_timestamp(xtime);
}
function component(x, y, z)
{
var res
if (z == 1)
res = Math.floor(x / y);
else
res = Math.floor(x / y) % z;
if (res < 10)
res = '0'+res;
return res;
}
function update_timestamp(tstamp)
{
if (tstamp < 1)
{
document.getElementById('fe_text').innerHTML = '00:00:00';
}
else
{
var hours = component(tstamp, 60*60, 1),
minutes = component(tstamp, 60, 60),
seconds = component(tstamp, 1, 60);
document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds;
tstamp-=1;
window.setTimeout('update_timestamp('+tstamp+')',1000);
}
}
function change_lang(lang)
{
if (lang == "de")
show_de();
else if (lang == "es")
show_es();
else if (lang == "fr")
show_fr();
else if (lang == "it")
show_it();
else if (lang == "nl")
show_nl();
else
show_en();
}
function show_en()
{
document.getElementById('text_01').innerHTML = 'WARNING!';
document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.';
document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.';
document.getElementById('text_09').innerHTML = 'Download TOR Browser from';
document.getElementById('text_10').innerHTML = 'In the Tor Browser open the';
document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).';
document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:';
}
function show_de()
{
document.getElementById('text_01').innerHTML = 'WARNUNG!';
document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!';
document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.';
document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von';
document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie';
document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).';
document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:';
}
function show_es()
{
document.getElementById('text_01').innerHTML = '¡PELIGRO!';
document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!';
document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.';
document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde';
document.getElementById('text_10').innerHTML = 'En el navegador TOR abre';
document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).';
document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:';
}
function show_fr()
{
document.getElementById('text_01').innerHTML = 'ATTENTION!';
document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !';
document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.';
document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de';
document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez ';
document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).';
document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :';
}
function show_it()
{
document.getElementById('text_01').innerHTML = 'ATTENZIONE!';
document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!';
document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.';
document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da';
document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link';
document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).';
document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:';
}
function show_nl()
{
document.getElementById('text_01').innerHTML = 'WAARSCHUWING!';
document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!';
document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.';
document.getElementById('text_09').innerHTML = 'Download de TOR Browser van';
document.getElementById('text_10').innerHTML = 'In de Tor Browser, open';
document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).';
document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:';
}
//var language = window.navigator.userLanguage || window.navigator.language;
//alert(language);
</script>
</head>
<body onload='init();'>
<div align='center'>
<table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'>
<tr>
<td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/kewdxn.gif' width='225' height='221' /></td>
<td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br />
<div align='center' id='text_02'>Your personal files are encrypted.<br />
<br />
<br />
</div>
<div align='center' class='style3' id='fe_text'></div></p>
<div class="styled-select" align='center'>
<select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);">
<option selected disabled value="" style="display:none;">Select language</option>
<option value='en'> ENGLISH</option>
<option value='de'> GERMAN</option>
<option value='es'> SPANISH</option>
<option value='fr'> FRENCH</option>
<option value='it'> ITALIAN</option>
<option value='nl'> DUTCH</option>
</select>
</div>
</td>
</tr>
<tr>
<td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'>
<tr>
<td colspan='2' align='left'>
<br />
<div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br />
<br />
</td>
</tr>
<tr>
<td colspan='2' align='left'>
1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br />
2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubebz6z6cgtw.onion</span><br /><br />
<span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br />
<br />
<span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br />
<div align='center'><textarea class='style7'>
YCE7J-JQUNA-3KTZX-CARWZ-YXGCF-XY57B-JMXJQ-YV3TN-VW4SZ-3D120-MQ0G7-FNTWD-RNQZ6-WKAXD
Y2XH5-0G5UK-FVVAV-S8AN3-K1PXJ-4A6Q0-8T7B7-KCAQB-GJSA6-YY6PC-07XGB-Q3H8A-XNZ67-EDHF4
WKN18-NSYS4-2B2QA-XJHRB-NZC44-3H20Q-EPT45-4G7PS-V14SA-NYPK2-6CVRC-JGMQY-S0HXV-Q1ND6
EEC78-T8CDM-U3RAZ-QQYF2-5FQ03-TGB5X-K1Z37-F4HDU-M6K0J-DGE2M-YSHMQ-PK4W0-21Z5X-42W3V
S802P-V3Q0Z-WCTUA-20525-JVE2S-0UVDA-66XB7-H35GD-TPBY7-27DZT-CS108-M04Y0-7A3K5-T8VDR
0AR04-HNX2S-P16XE-AKKWV-WCYYC-F1YYA-BRW2R-BMTG7-YF1N7-AEWV4-4X715-8NAET
</textarea>
<br />
</div>
<br />
<br />
<br />
</div>
</td>
</tr>
</table></td>
</tr>
</table>
</div>
</body>
</html>
URLs
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
Path
C:\Users\Admin\Searches\_DECRYPT_INFO_kewdxn.html
Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<!-- saved from url=(0014)about:internet -->
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8' />
<title>kewdxn decrypt</title>
<style type='text/css'>
<!--
html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px; background-color: #bfbfbf; height: 100%;}
a {color:426BBD; font-family:Tahoma, Verdana, Arial, Helvetica; font-size:12px;}
td {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f0f0f0;
font-size: 14px;
}
.style1 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 48px;
}
.style3 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 60px;
}
.style4 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #28caf9;
font-size: 14px;
}
.style5 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 14px;
}
.style6 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 14px;
}
.style7 {
width:685px;
height:120px;
background-color:#393838;
border:1px solid #565656;
font-family: Courier New;
font-weight: bold;
color: #f0f0f0;
font-size: 13px;
}
.styled-select select {
background-color:#393838;
font-weight: bold;
color: #f0f0f0;
width: 178px;
padding: 5px;
font-size: 16px;
line-height: 1;
border: 0;
border-radius: 0;
height: 34px;
-webkit-appearance: none;
}
-->
</style>
<script type='text/javascript'>
function init()
{
var xtime;
document.getElementById('fe_text').innerHTML = '00:00:00';
var language = window.navigator.userLanguage || window.navigator.language;
if (language.indexOf('-') !== -1)
language = language.split('-')[0];
if (language.indexOf('_') !== -1)
language = language.split('_')[0];
change_lang(language);
var ua = window.navigator.userAgent;
var msie = ua.indexOf('MSIE ');
xtime = Math.floor( (1713418592+(12*60*60)) - (Date.now()/1000));
if (msie == 0)
window.setTimeout('update_timestamp('+xtime+')',1000);
else
update_timestamp(xtime);
}
function component(x, y, z)
{
var res
if (z == 1)
res = Math.floor(x / y);
else
res = Math.floor(x / y) % z;
if (res < 10)
res = '0'+res;
return res;
}
function update_timestamp(tstamp)
{
if (tstamp < 1)
{
document.getElementById('fe_text').innerHTML = '00:00:00';
}
else
{
var hours = component(tstamp, 60*60, 1),
minutes = component(tstamp, 60, 60),
seconds = component(tstamp, 1, 60);
document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds;
tstamp-=1;
window.setTimeout('update_timestamp('+tstamp+')',1000);
}
}
function change_lang(lang)
{
if (lang == "de")
show_de();
else if (lang == "es")
show_es();
else if (lang == "fr")
show_fr();
else if (lang == "it")
show_it();
else if (lang == "nl")
show_nl();
else
show_en();
}
function show_en()
{
document.getElementById('text_01').innerHTML = 'WARNING!';
document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.';
document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.';
document.getElementById('text_09').innerHTML = 'Download TOR Browser from';
document.getElementById('text_10').innerHTML = 'In the Tor Browser open the';
document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).';
document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:';
}
function show_de()
{
document.getElementById('text_01').innerHTML = 'WARNUNG!';
document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!';
document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.';
document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von';
document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie';
document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).';
document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:';
}
function show_es()
{
document.getElementById('text_01').innerHTML = '¡PELIGRO!';
document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!';
document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.';
document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde';
document.getElementById('text_10').innerHTML = 'En el navegador TOR abre';
document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).';
document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:';
}
function show_fr()
{
document.getElementById('text_01').innerHTML = 'ATTENTION!';
document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !';
document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.';
document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de';
document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez ';
document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).';
document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :';
}
function show_it()
{
document.getElementById('text_01').innerHTML = 'ATTENZIONE!';
document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!';
document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.';
document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da';
document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link';
document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).';
document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:';
}
function show_nl()
{
document.getElementById('text_01').innerHTML = 'WAARSCHUWING!';
document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!';
document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.';
document.getElementById('text_09').innerHTML = 'Download de TOR Browser van';
document.getElementById('text_10').innerHTML = 'In de Tor Browser, open';
document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).';
document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:';
}
//var language = window.navigator.userLanguage || window.navigator.language;
//alert(language);
</script>
</head>
<body onload='init();'>
<div align='center'>
<table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'>
<tr>
<td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/kewdxn.gif' width='225' height='221' /></td>
<td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br />
<div align='center' id='text_02'>Your personal files are encrypted.<br />
<br />
<br />
</div>
<div align='center' class='style3' id='fe_text'></div></p>
<div class="styled-select" align='center'>
<select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);">
<option selected disabled value="" style="display:none;">Select language</option>
<option value='en'> ENGLISH</option>
<option value='de'> GERMAN</option>
<option value='es'> SPANISH</option>
<option value='fr'> FRENCH</option>
<option value='it'> ITALIAN</option>
<option value='nl'> DUTCH</option>
</select>
</div>
</td>
</tr>
<tr>
<td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'>
<tr>
<td colspan='2' align='left'>
<br />
<div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br />
<br />
</td>
</tr>
<tr>
<td colspan='2' align='left'>
1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br />
2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubebz6z6cgtw.onion</span><br /><br />
<span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br />
<br />
<span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br />
<div align='center'><textarea class='style7'>
YCE7J-JQUNA-3KTZX-CARWZ-YXGCF-XY57B-JMXJQ-YV3TN-VW4SZ-3D120-MQ0G7-FNTWD-RNQZ6-WKAXD
Y2XH5-0G5UK-FVVAV-S8AN3-K1PXJ-4A6Q0-8T7B7-KCAQB-GJSA6-YY6PC-07XGB-Q3H8A-XNZ67-EDHF4
WKN18-NSYS4-2B2QA-XJHRB-NZC44-3H20Q-EPT45-4G7PS-V14SA-NYPK2-6CVRC-JGMQY-S0HXV-Q1ND6
EEC78-T8CDM-U3RAZ-QQYF2-5FQ03-TGB5X-K1Z37-F4HDU-M6K0J-DGE2M-YSHMQ-PK4W0-21Z5X-42W3V
S802P-V3Q0Z-WCTUA-20525-JVE2S-0UVDA-66XB7-H35GD-TPBY7-27DZT-CS108-M04Y0-7A3K5-T8VDR
0AR04-HNX2S-P16XE-AKKWV-WCYYC-F1YYA-BRW2R-BMTG7-YF1N7-AEWV4-4X715-8NAET
</textarea>
<br />
</div>
<br />
<br />
<br />
</div>
</td>
</tr>
</table></td>
</tr>
</table>
</div>
</body>
</html>
URLs
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
Path
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\_DECRYPT_INFO_kewdxn.html
Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<!-- saved from url=(0014)about:internet -->
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8' />
<title>kewdxn decrypt</title>
<style type='text/css'>
<!--
html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px; background-color: #bfbfbf; height: 100%;}
a {color:426BBD; font-family:Tahoma, Verdana, Arial, Helvetica; font-size:12px;}
td {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f0f0f0;
font-size: 14px;
}
.style1 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 48px;
}
.style3 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 60px;
}
.style4 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #28caf9;
font-size: 14px;
}
.style5 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 14px;
}
.style6 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 14px;
}
.style7 {
width:685px;
height:120px;
background-color:#393838;
border:1px solid #565656;
font-family: Courier New;
font-weight: bold;
color: #f0f0f0;
font-size: 13px;
}
.styled-select select {
background-color:#393838;
font-weight: bold;
color: #f0f0f0;
width: 178px;
padding: 5px;
font-size: 16px;
line-height: 1;
border: 0;
border-radius: 0;
height: 34px;
-webkit-appearance: none;
}
-->
</style>
<script type='text/javascript'>
function init()
{
var xtime;
document.getElementById('fe_text').innerHTML = '00:00:00';
var language = window.navigator.userLanguage || window.navigator.language;
if (language.indexOf('-') !== -1)
language = language.split('-')[0];
if (language.indexOf('_') !== -1)
language = language.split('_')[0];
change_lang(language);
var ua = window.navigator.userAgent;
var msie = ua.indexOf('MSIE ');
xtime = Math.floor( (1713418597+(12*60*60)) - (Date.now()/1000));
if (msie == 0)
window.setTimeout('update_timestamp('+xtime+')',1000);
else
update_timestamp(xtime);
}
function component(x, y, z)
{
var res
if (z == 1)
res = Math.floor(x / y);
else
res = Math.floor(x / y) % z;
if (res < 10)
res = '0'+res;
return res;
}
function update_timestamp(tstamp)
{
if (tstamp < 1)
{
document.getElementById('fe_text').innerHTML = '00:00:00';
}
else
{
var hours = component(tstamp, 60*60, 1),
minutes = component(tstamp, 60, 60),
seconds = component(tstamp, 1, 60);
document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds;
tstamp-=1;
window.setTimeout('update_timestamp('+tstamp+')',1000);
}
}
function change_lang(lang)
{
if (lang == "de")
show_de();
else if (lang == "es")
show_es();
else if (lang == "fr")
show_fr();
else if (lang == "it")
show_it();
else if (lang == "nl")
show_nl();
else
show_en();
}
function show_en()
{
document.getElementById('text_01').innerHTML = 'WARNING!';
document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.';
document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.';
document.getElementById('text_09').innerHTML = 'Download TOR Browser from';
document.getElementById('text_10').innerHTML = 'In the Tor Browser open the';
document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).';
document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:';
}
function show_de()
{
document.getElementById('text_01').innerHTML = 'WARNUNG!';
document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!';
document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.';
document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von';
document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie';
document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).';
document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:';
}
function show_es()
{
document.getElementById('text_01').innerHTML = '¡PELIGRO!';
document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!';
document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.';
document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde';
document.getElementById('text_10').innerHTML = 'En el navegador TOR abre';
document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).';
document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:';
}
function show_fr()
{
document.getElementById('text_01').innerHTML = 'ATTENTION!';
document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !';
document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.';
document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de';
document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez ';
document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).';
document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :';
}
function show_it()
{
document.getElementById('text_01').innerHTML = 'ATTENZIONE!';
document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!';
document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.';
document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da';
document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link';
document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).';
document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:';
}
function show_nl()
{
document.getElementById('text_01').innerHTML = 'WAARSCHUWING!';
document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!';
document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.';
document.getElementById('text_09').innerHTML = 'Download de TOR Browser van';
document.getElementById('text_10').innerHTML = 'In de Tor Browser, open';
document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).';
document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:';
}
//var language = window.navigator.userLanguage || window.navigator.language;
//alert(language);
</script>
</head>
<body onload='init();'>
<div align='center'>
<table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'>
<tr>
<td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/kewdxn.gif' width='225' height='221' /></td>
<td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br />
<div align='center' id='text_02'>Your personal files are encrypted.<br />
<br />
<br />
</div>
<div align='center' class='style3' id='fe_text'></div></p>
<div class="styled-select" align='center'>
<select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);">
<option selected disabled value="" style="display:none;">Select language</option>
<option value='en'> ENGLISH</option>
<option value='de'> GERMAN</option>
<option value='es'> SPANISH</option>
<option value='fr'> FRENCH</option>
<option value='it'> ITALIAN</option>
<option value='nl'> DUTCH</option>
</select>
</div>
</td>
</tr>
<tr>
<td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'>
<tr>
<td colspan='2' align='left'>
<br />
<div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br />
<br />
</td>
</tr>
<tr>
<td colspan='2' align='left'>
1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br />
2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubebz6z6cgtw.onion</span><br /><br />
<span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br />
<br />
<span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br />
<div align='center'><textarea class='style7'>
YCE7J-JQUNA-3KTZX-CARWZ-YXGCF-XY57B-JMXJQ-YV3TN-VW4SZ-3D120-MQ0G7-FNTWD-RNQZ6-WKAXD
Y2XH5-0G5UK-FVVAV-S8AN3-K1PXJ-4A6Q0-8T7B7-KCAQB-GJSA6-YY6PC-07XGB-Q3H8A-XNZ67-EDHF4
WKN18-NSYS4-2B2QA-XJHRB-NZC44-3H20Q-EPT45-4G7PS-V14SA-NYPK2-6CVRC-JGMQY-S0HXV-Q1ND6
EEC78-T8CDM-U3RAZ-QQYF2-5FQ03-TGB5X-K1Z37-F4HDU-M6K0J-DGE2M-YSHMQ-PK4W0-21Z5X-42W3V
S802P-V3Q0Z-WCTUA-20525-JVE2S-0UVDA-66XB7-H35GD-TPBY7-27DZT-CS108-M04Y0-7A3K5-T8VDR
0AR04-HNX2S-P16XE-AKKWV-WCYYC-F1YYA-BRW2R-BMTG7-YF1N7-AEWV4-4X715-8NAET
</textarea>
<br />
</div>
<br />
<br />
<br />
</div>
</td>
</tr>
</table></td>
</tr>
</table>
</div>
</body>
</html>
URLs
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Signatures
-
Maktub Locker
Advanced ransomware family capable of offline decryption, generally distributed via .scr email attachments.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (238) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
-
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe"C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.rtf" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD58f0385282c378e2a2a949a0f83d10fda
SHA1fc667f7ddb4b9ac16ce335559adbfdc7b639f41d
SHA2563db9e1b2ce4a22b0c3013abfd5aa4cdc19b211a9cf8862fe1a29cbcead43e0ad
SHA512a8c12ba47f339bb2229fabe2eca393f7283b8d17dd804c29d09d41f4c9808f4520f8333de437cb25052ff6915767613c921772eac35ece38a1540b66ace7da2c
-
Filesize
48B
MD5908b0084f43617e6e6c45dcb2452dff4
SHA10d97bbae08011ee1ba26e94851d6ba321e1fddf6
SHA2566fa7649d0bbef3fea138cfdcb5665d4264e535768f1e0e46553afd25cb4fd6f2
SHA512a26bb27e7dce70f063680bbe01ba0ecca983ebb772c815dad8807d22871237cd1be952dc26f6dc6ccc0cdbb6c3fcd8ac30d6ca1a29151a129b17bfa84d230779
-
Filesize
48B
MD527877f2130721822ef44c97015015cd0
SHA1e51b12c98ed248dade02165cadec482a34ef08d5
SHA25612d86ec25fc3facf2286b0ed4cca9ccd83d5341ec7d03aa6fe7a4d91c9be30e4
SHA512fdf68120a760d3d516b866bdcfdf583457666e8e442265eb93eee1d64d8a404624db70c48a6e36d93f4354cdfcf7f00e2e58ef7ee3bae5fbd4f24e374675116b
-
Filesize
12KB
MD53ae63d82d250dffffa7199fab94701ef
SHA1ef90ebf2be441d50cd6867e5884339697f89798d
SHA256fe735895dc097528c9b91c2a1bbc6c6fff14217c1c9642eebe69442833392e85
SHA5124551548951fd137d3ff6fecd158c6f7e449ac4c06b0803b44c76ee7c60bf66aa726506fd19e6cca2d9a74c74d6c561e811bfe1c46eb57539075df92597f25d64
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
4KB
MD52d5020c82de674b48cfd17cc20fcbba2
SHA14e317eaeebd839ee5f6eb3925a9fbee819c5349c
SHA256120becd55248f4a2ccbbc99ba9d3c2932223264a95cd72e9ae7568be61277e9a
SHA512ffbbdda009237d6825f6cd6f751a41f4f9d716186901ffdbeed56c2d1410245771decd07f591cf56cafdd4bbebd4e4c74f009ff15736d5321635e34ff17d0d8d
-
Filesize
12KB
MD51e95c448db32200e8fe3c86efd9a0b71
SHA10be1df4aeec2314326c4f3fc1f965a1d2f9bcf90
SHA2566d0e29069f795701270661faddee64a65a8d4e0e98eb7f6df8d764a94b977913
SHA5124da47fa0b5c490cba68759c1d2ecce1a49141ee5001060d16f621956842a2d10fae9fb17e8959b2fb85f6eb23def0c9baabcad8698631ac3edbe6241c8b0f0df
-
Filesize
12KB
MD5c02e54ef7dbd817a84bc54e2fe5679c5
SHA1d967abe98fbbc515fabd9cd5382035c3a5103943
SHA2568f47566cb9e82e7ceb3e9116707f3448caaa56352b02c4c528593c995c2b1c19
SHA512366c92893672d331a94a886995e01bb803bdefefad33926573096abaf2ca55f27178c112e84058813c78f3d935e9a54eb0052abe2d8551cd1054447a5f73ab4f
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
388KB
-
Filesize
72KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
32KB
-
Filesize
160KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
388KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
352KB