Demonslay335

Visiting Expert

About Demonslay335

  • Rank
    Active Member
  • Birthday 12/12/1991

Contact Methods

  • Website URL
    https://id-ransomware.malwarehunterteam.com

Profile Information

  • Gender
    Male
  • Location
    USA
  • Interests
    Cats, coding, ransomware.

  1. Hello

    Please help and reply

    1. Tahir Moeen

      Hello Demonslay335

      Did you find the solution of nelasod? It has been reported to you by Mr. Amigo-A

      Thanks

  2. @broniusr I've fixed that now. Please try re-downloading for v1.0.0.1.
  3.  

    Hello, please support

    [*] ID: s9KkuHGOgdCYV8Rim63CFMrxZFXlO0mp7S0wmKbd (.mtogas )

    [*] MACs: 64:80:99:7D:56:9D, 64:80:99:7D:56:9C, F0:1F:AF:66:3B:0C

    Is there a solution to this problem? Even after a while!!!!!!

    Do I wait and leave the encrypted files as they are?

    _readme.txt

    50793901_1454499264684933_1188840440657346560_n.jpg.mtogas

  4. My computer was infected by nelasod ransomware and my case was forwarded to you by Amigo-A (Emsisoft). Did you find any solution? Sir, I will be grateful if you consider my case.

    Regards 

    Tahir

    Following are my ID and MAC. The ransom note is also attached.

    [+] Loaded 67 offline keys
    Please archive the following info in case of future decryption:
    [*] ID: PiZTrTjGj2ERDjqCNEDpJWJfZwuWtP8FHxJeXuSa
    [*] ID: 4SsNNoDBzRHoERsNCDJXFi0OetZhqz2yruT2Ltt1
    [*] MACs: A0:B3:CC:48:0B:46, 84:A6:C8:2E:4D:8F, 84:A6:C8:2E:4D:8F, 84:A6:C8:2E:4D:8E
    This info has also been logged to STOPDecrypter-log.txt

     

    +] Loaded 77 offline keys
    Please archive the following info in case of future decryption:
    [*] ID: PiZTrTjGj2ERDjqCNEDpJWJfZwuWtP8FHxJeXuSa
    [*] ID: 4SsNNoDBzRHoERsNCDJXFi0OetZhqz2yruT2Ltt1
    [*] MACs: A0:B3:CC:48:0B:46, 84:A6:C8:2E:4D:8F, 84:A6:C8:2E:4D:8F, 84:A6:C8:2E:4D:8E
    This info has also been logged to STOPDecrypter-log.txt
    Selected directory: F:\
    Selected directory: E:\

     

    _readme.txt

    1. Tahir Moeen

      Waiting for your comment/help

    2. Tahir Moeen

      Hello. Sir, waiting for your response.

      Tahir

       

  5. @broniusr The decryptor has been updated, please try downloading it again. If you run it from the same directory as before, it should pick up the key file from the previous session, and you won't have to re-bruteforce it. Thanks for reporting the bug.
  6. You were encrypted more recently than we have keys for, that's why you get that message. Nothing we can do at the present time.
  7. @broniusr You are correct, the malware encrypts up to 0x27100 bytes of the file, and I forgot to test bait files smaller than that limit. I'll post here once the decryptor has been updated to factor for that bug in the malware. Every version of this malware family has had at least one such bug relating to the crypto, so annoying...
  8. Not yet, but decryption of 3.0 is coming soon. The idiot who coded it has an annoying bug that corrupts many files that we have to overcome.
  9. Please upload this file to VirusTotal and provide a link here. C:\Users\dasba\AppData\Local\a8402009-cadb-4977-b8d8-209fe362c63a\2.exe
  10. My files got encrypted by .TODAR and .LAPOI extension.

    After running the STOP Decrypter the following message was shown:

    [+] Loaded 59 offline keys
    Please archive the following info in case of future decryption:
    [*] ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw
    [*] ID: mneaFv6qsoloG3BSRWuiOULjQBJDJLQHrQuadMpl
    [*] ID: ZivCxija0GBwtwtwD0q4JRy80spT6lUyybPYhot1
    [*] MACs: 4C:ED:FB:11:77:1B, 88:78:73:9E:5D:82, 8A:78:73:9E:5D:81, 88:78:73:9E:5D:81
    This info has also been logged to STOPDecrypter-log.txt
    Selected directory: C:\Users\dasba\OneDrive\Desktop\New folder
    Starting decryption...

    [+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-03-03-09-57-02-734.jpg.todar
    [-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

    [+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-03-11-00-06-25-558.jpg.todar
    [-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

    [+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-06-20-14-40-29-599.jpg.todar
    [-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

    [+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-07-15-34-29-971.jpg.todar
    [-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

    [+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-07-15-39-33-310.jpg.todar
    [-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

    [+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-10-15-49-11-156.jpg.todar
    [-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

    Decrypted 0 files!
    Skipped 6 files.

    [!] No keys were found for the following IDs:
    [*] ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
    Please archive these IDs and the following MAC addresses in case of future decryption:
    [*] MACs: 4C:ED:FB:11:77:1B, 88:78:73:9E:5D:82, 8A:78:73:9E:5D:81, 88:78:73:9E:5D:81
    This info has also been logged to STOPDecrypter-log.txt

     

     

     

    Please Help me.

    Also added the ransomware note.

    STOPDecrypter-log.txt

    _readme.txt

  11. Yep, as I suspected. The files are corrupted. What's going on is the MP3 format is likely a little bit tolerant of some data loss. GlobeImposter 2.0 does not encrypt the whole file, only like the first few MB I believe. If you were to simply remove the ".DOCM" extension from the file, you would get the exact same result. GetCrypt Ransomware uses a random 4-character uppercase extension, so that's the only reason the decrypter is fooled into "accepting" your file pair. Due to the way I am breaking that ransomware, the tool also cannot actually verify whether the decryption was successful, it just has to blindly throw the crypto at the file.
  12. Mind sharing some of these encrypted MP3s that are supposedly "decrypted"? I have an idea as to what is going on, and it's not actually decryption...
  13. If you can find a file "bginfo.png" on the system in the same folder as the executable, there might be a chance. Otherwise, so far it does not look like it can be decrypted without that file at the current time.
  14. We will really need the executable or commands used to encrypt the files in order to analyze it any more. By the way, the file pair you provided is not the same file before/after the encryption. The encrypted file's filename decodes to "rollup.png". It's just simple base64 encoding on the name.
  15. My files were encrypted by a ransomware hacker, and all my file formats were converted to the extension (.delle). Please help me decrypt my data (.delle).

    Identified by

    • ransomnote_email: [email protected]
    • sample_extension: .dalle
    • sample_bytes: [0x374DB - 0x374F5] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D
    Decrypted 115 files!
    Skipped 82224 files.
    [!] No keys were found for the following IDs:
    [*] ID: onoONoeRoRiIIL9NhEJ9kd4eugwAgOoMDxlonc5F (.dalle )
    Please archive these IDs and the following MAC addresses in case of future decryption:
    [*] MACs: 00:FF:47:9B:63:3F, 00:FF:FA:3C:1F:43, 60:6C:66:2D:C5:8F, 20:89:84:46:B8:3D, 00:50:56:C0:00:01, 00:50:56:C0:00:08
    This info has also been logged to STOPDecrypter-log.txt
     

    Decrypted 50 files!
    Skipped 26548 files.

    [!] No keys were found for the following IDs:
    [*] ID: onoONoeRoRiIIL9NhEJ9kd4eugwAgOoMDxlonc5F (.dalle )
    Please archive these IDs and the following MAC addresses in case of future decryption:
    [*] MACs: 00:FF:47:9B:63:3F, 00:FF:FA:3C:1F:43, 60:6C:66:2D:C5:8F, 20:89:84:46:B8:3D, 00:50:56:C0:00:01, 00:50:56:C0:00:08
    This info has also been logged to STOPDecrypter-log.txt