Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


another unknown with minimal info

  • Please log in to reply
3 replies to this topic

#1 nikant


  • Members
  • 2 posts
  • Local time:06:33 AM

Posted 04 May 2018 - 11:14 AM

Hi and thank you for your time beforehand.


Trying to help a friend that has no idea about "tech". Unfortunately all I have are some samples. No ransom note, no email nothing :(

The technician that "cleaned" his PC left only his encrypted files behind. 


ID Ransomware doesn't give me back something.


SHA1: 56cce147f511eff4324166a7478882cbc26771ec

SHA1: 735c2604d740fc541488d3400c82fd64e39ddce2


I have a .docx file and a .jpg


Both start with 16 45 99 44 3D 0D BE 27 B2 A9 6A 43 C3 28 2A D0


If someone recognizes this pattern..

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:33 PM

Posted 04 May 2018 - 04:54 PM

Please be patient until Demonslay335 has a chance to review the case SHA1 you provided. Bleeping Computer is inundated with support requests and he is not logged in at the moment.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA
  • Local time:10:33 PM

Posted 04 May 2018 - 09:34 PM

I don't recognize any filemarkers in them. The fact those two files both have the same first 16 bytes means it could just be an ID or IV used for the encryption. Doesn't necessarily mean it is a filemarker without analyzing the malware.


Only way to identify would be with a ransom note or the malware executable.


If this was encrypted a few years ago, I would suggest it could be CryptoWall 3.0 or 4.0, they left what I think was an IV as the first 16 bytes of every file.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#4 nikant

  • Topic Starter

  • Members
  • 2 posts
  • Local time:06:33 AM

Posted 04 May 2018 - 11:38 PM

thank you again for your time.. I will try to find more info..

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users