{
	"id": "488de4e1-79e2-4382-87a2-d8fd4ae924a9",
	"created_at": "2026-04-10T03:21:16.402434Z",
	"updated_at": "2026-04-10T13:12:09.190896Z",
	"deleted_at": null,
	"sha1_hash": "287a13b3666f0f63aa18edfc543c863dfad36602",
	"title": "Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp - Ransomware Help \u0026 Tech Support",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 322136,
	"plain_text": "Smrss32 (.encrypted) Ransomware Help \u0026 Support -\r\n_HOW_TO_Decrypt.bmp - Ransomware Help \u0026 Tech Support\r\nBy Demonslay335\r\nArchived: 2026-04-10 02:12:51 UTC\r\n#1 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #1\r\nDemonslay335\r\nRansomware Hunter\r\nAvatar image\r\nSecurity Colleague\r\n4,770 posts\r\nOFFLINE\r\n \r\nGender:Male\r\nLocation:USA\r\nLocal time:08:12 PM\r\nPosted 11 August 2016 - 07:52 PM\r\nA new ransomware has been floating around for the past few weeks, and only now have we been able to find\r\ninformation on it.\r\nDubbed Smrss32 based on internal project settings of the malware, this ransomware encrypts files with AES and\r\nappends the extension \".encrypted\" (which is also used by several other ransomwares). The ransom note\r\n\"_HOW_TO_Decrypt.bmp\" is dropped in every folder that is hit, and will look like the following image, asking\r\nthe victim to contact the criminals at helprecover@ghostmail.com, among other email addresses.\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 1 of 14\n\nAmong the large wall of text, it does try to call itself \"CryptoWall Software\", but it is in no way nearly as\r\nsophisticated as the real thing.\r\nBased on the way this ransomware behaves, and the project file associated with it, it is assumed this variant is\r\nspread via manual RDP hacks into a system.\r\nI do not recommend paying the ransom at this time.\r\nIf you have been hit by this ransomware, please post 2-3 different well-known encrypted files here (e.g.\r\n.png, .doc, .docx, .xls, .xlsx, .pdf, or .zip), and we will contact you via PM with a key and decrypter.\r\nEdited by Demonslay335, 22 August 2016 - 02:36 PM.\r\n Back to top\r\nBC AdBot (Login to Remove)\r\nBleepingComputer.com\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 2 of 14\n\nRegister to remove ads\r\n#2 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #2\r\nAmigo-A\r\nAmigo-A\r\nSecurity specialist and Ransomware expert. Volunteer Helper\r\nAvatar image\r\nMembers\r\n3,203 posts\r\nOFFLINE\r\n \r\nGender:Male\r\nLocation:Bering Strait\r\nLocal time:07:12 AM\r\nPosted 12 August 2016 - 04:34 AM\r\nSmrss32 skipped files with the extension .bmp.\r\nThe listed of targeted extensions:\r\n.18113 .3gp2 .3gpp .8pbs .acs2 .acsm .aifc .aiff .albm .amff .ascx .asmx .aspx .azw3 .back .backup .backupdb\r\n.bank .bdmv .blob .bndl .book .bsdl .cache .calb .cals .cctor .cdda .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .ciff .class .clipflair\r\n .clpi .conf .config .contact .craw .crtr .crtx .ctor .ctuxa .d3dbsp .data .dazip .ddat .ddoc .ddrw .desc .divx .djvu\r\n.dmsk .dnax .docb .docm .docx .dotm .dotx .dsp2 .dump .encrypted .epfs .epub .exif .fh10 .flac .fmpp .forge\r\n.fsproj .gray .grey .group .gtif .gzip .h264 .hkdb .hplg .html .hvpl .ibank .icns .icxs .ilbm .im30 .incpas .indd .indt\r\n.ipsw .itc2 .itdb .ithmb .iw44 .java .jfif .jhtml .jnlp .jpeg .json .kdbx .kext .keychain .keychain .kpdx .lang .latex\r\n.lay6 .layout .ldif .litemod .log1 .log2 .log3 .log4 .log5 .log6 .log7 .log8 .log9 .m2ts .m3url .macp .maff .mcmeta\r\n.mdbackup .mddata .mdmp .menu .midi .mobi .moneywell .mp2v .mpeg .mpga .mpls .mpnt .mpqge .mpv2\r\n.mrwref .ms11 .msmessagestore .mspx .mswmm .oeaccount .opus .otpsc .pack .pages .paint .phtml .pict .pj64\r\n.pkpass .pntg .potm .potx .ppam .ppsm .ppsx .pptm .pptx .ppxps .psafe3 .psmdoc .pspimage .qcow2 .qdat .qzip\r\n.rels .rgss3a .rmvb .rofl .rppm .rtsp .s3db  .sas7bcat .sas7bdat .sas7bndx .sas7bpgm .sas7bvew .sidd .sidn .sitx .skin\r\n.sldm .sldx .smil  .sqlitedb .svg2 .svgz .targa .temp .test .text .tiff .tmpl .torrent .trace .tt10 .uns2 .urls .user .vcmf\r\n.vfs0 .view .vmdk .wallet .wbmp .webm .webp .wlmp .wotreplay .wrml .xbel .xfdl .xhtml .xlam .xlsb .xlsm .xlsx\r\n.xltm .xltx .xspf .xvid .ycbcra .ychat .yenc .zdct .zhtml .zipx .ztmp\r\nTotal: 233 extensions, the list is cleaned from duplicates is type .BACKUPDB and .backupdb and others.\r\nIf i something do not see - fix.\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 3 of 14\n\nBack to top\r\n#3 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #3\r\nloopbackbr\r\nloopbackbr\r\nAvatar image\r\nMembers\r\n1 posts\r\nOFFLINE\r\n \r\nLocal time:11:12 PM\r\nPosted 12 August 2016 - 12:23 PM\r\nIf anybody want's additional info, the infected machine stills untouched.\r\n Back to top\r\n#4 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #4\r\nGrinler\r\nGrinler\r\nLawrence Abrams\r\nAvatar image\r\nAdmin\r\n45,400 posts\r\nONLINE\r\n \r\nGender:Male\r\nLocation:USA\r\nLocal time:10:12 PM\r\nPosted 12 August 2016 - 05:22 PM\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 4 of 14\n\nThanks...we are still trying to figure out a solution. Hang tight. You may want to image the drive if you need to get\r\nit up and running again.\r\n Back to top\r\n#5 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #5\r\ntrixiebix\r\ntrixiebix\r\nAvatar image\r\nMembers\r\n2 posts\r\nOFFLINE\r\n \r\nLocal time:10:12 PM\r\nPosted 16 August 2016 - 09:26 AM\r\nWe had a customer get hit with this last week. Found that their local profiles still had \"previous versions\" (shadow\r\ncopies) accessible. So we were able to recover their profiles and documents that way. Found some of the\r\ncomputers had smrss32.exe in the c:\\encryptor folder. Some were empty. Also found a few computers that were\r\nnot affected had their profiles wiped out, which was strange. They rdp'd into the servers and to any desktops they\r\ncould hit. \r\nEdited by trixiebix, 16 August 2016 - 09:47 AM.\r\n Back to top\r\n#6 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #6\r\nDemonslay335\r\nDemonslay335\r\nRansomware Hunter\r\nTopic Starter\r\nAvatar image\r\nSecurity Colleague\r\n4,770 posts\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 5 of 14\n\nOFFLINE\r\n \r\nGender:Male\r\nLocation:USA\r\nLocal time:08:12 PM\r\nPosted 16 August 2016 - 10:02 AM\r\nIf anyone has paid for a key, I would love to see it via PM please.\r\n@trixiebix\r\nCan you submit the smrss32.exe here so I can verify there are no\r\nmodifications? http://www.bleepingcomputer.com/submit-malware.php?channel=168\r\nAlso if any files are left along with smrss32.exe in the same folder as it.\r\n Back to top\r\n#7 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #7\r\n0E800\r\n0E800\r\nAvatar image\r\nMembers\r\n1 posts\r\nOFFLINE\r\n \r\nGender:Male\r\nLocal time:07:12 PM\r\nPosted 16 August 2016 - 02:22 PM\r\nOnce on the systems, the attacker launches a web page and visits the following site to download the ransomware\r\npayload:\r\n$USER/AppData/Roaming/Microsoft/Windows/Recent/uyy.lnk (was unable to get remote address)\r\nA zip file with a random three letter filename is then dropped onto the system. The ransomware payload\r\n(smrs32.exe) is then unpacked and launched.\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 6 of 14\n\nNote that it appears the malware is not compatible with WS2003 as only Windows 7 and WS2008 machines were\r\nencrypted with the ransomeware.\r\nIt was confirmed that the attackers did access our older servers but none of those systems were tampered with.\r\nBest thing to do is to turn off computers when not in use, and make sure to have a password lockout policy in\r\nplace.\r\nChange the RDP port to something other than default. Do not use easy to guess passwords.\r\n \r\n Back to top\r\n#8 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #8\r\nPraetorians\r\nPraetorians\r\nAvatar image\r\nMembers\r\n19 posts\r\nOFFLINE\r\n \r\nLocal time:03:12 AM\r\nPosted 17 August 2016 - 04:07 AM\r\nHello all. Since this is my first post in this forum, initially I would like to thank all the members for their\r\ninvaluable input and help.\r\nYesterday one of our computers, a Win7 machine was infected with a ransomware resulting in all files being\r\nencrypted with \".encrypted\" extension. Many of the files were backed up on an external hdd 4TB, which\r\nunfortunately was also left connected to the PC overnight. UAC was disabled on the machine and Sophos\r\napparently wasn't able to do much. The PC had also RDP enabled default ports and weak pass... yep I know :(\r\nThankfully when the user woke up his PC in the morning, the first thing he did was disconnecting the external hdd\r\nso not all the files were encrypted in there (too many files and many large ones like videos etc. I presume).\r\nI'm not a very tech savvy person, so after bypassing dhe \"lockscreen\" through Safe Mode, I tried to identify the\r\nransomeware through HitmanPro and Malwarebytes with not much luck. All I could find were some WinIo32.sys,\r\nwinlogon.exe and conhost.exe files apparently malicious identified as Trojan.backdoors.\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 7 of 14\n\nAfter that I tried to identify the threat online through ID Ransomware by uploading the text file and one encrypted\r\nfile.\r\nI got 2 results: potentially Apocalypse or Smrss32.\r\nI tried both Emsisoft and AVG Apocalypse decryptors on the files with no success. Emsisot says \"apparently the\r\nfiles are not encrypted\", while AVG returns 0 decryptions. The text files appears to be more like the one of\r\nApocalyspse than the Smrss32 one I see here. However I think I'm left with with Smrss32 as the only remaining\r\noption\r\nCan anyone suggest another identification method to be certain if it is or not Smrss32? There was no c:\\encrypted\r\nfolder on my PC from what I see here.\r\nThanks in advance guys.\r\nP.S. - At least around 7.500 files were also encrypted on the external backup HDD.\r\nEdited by Praetorians, 17 August 2016 - 04:19 AM.\r\n Back to top\r\n#9 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #9\r\nquietman7\r\nquietman7\r\nBleepin' Gumshoe\r\nAvatar image\r\nGlobal Moderator\r\n65,779 posts\r\nOFFLINE\r\n \r\nGender:Male\r\nLocation:Virginia, USA\r\nLocal time:10:12 PM\r\nPosted 17 August 2016 - 05:50 AM\r\nPraetorians, on 17 Aug 2016 - 09:07 AM, said: Quote snapback image\r\n...Can anyone suggest another identification method to be certain if it is or not Smrss32? There was no\r\nc:\\encrypted folder on my ...\r\nTorrentLocker (Crypt0L0cker), Apocalypse, Crypren, Smrss32, and KeRanger OS X Ransomware all add an\r\n.encrypted extension to the end of filenames.\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 8 of 14\n\nSmrss32 Ransomware will leave files (ransom notes) named _HOW_TO_Decrypt.bmp which advises your files\r\nhave been encrypted with \"CryptoWall\" Software.\r\nApocalypse Ransomware will leave files (ransom notes) named\r\nfilename.extension.encrypted.How_To_Decrypt.txt, filename.extension.encrypted.How_To_Get_Back.txt (i.e.\r\nfamily.jpg.encrypted.How_To_Decrypt.txt) for each file encrypted. The ransom note asks you to contact\r\n\"decryptionservice@inbox.ru\" or \"decryptdata@inbox.ru\" and contains a personal ID.\r\nCrypren Ransomware will leave files (ransom notes) named READ_THIS_TO_DECRYPT.html.\r\nCrypt0L0cker (TorrentLocker) will leave files (ransom notes) with names like\r\nDECRYPT_INSTRUCTIONS.TXT, DECRYPT_INSTRUCTIONS.HTML,\r\nINSTRUCCIONES_DESCIFRADO.HTML, How_To_Recover_Files.txt, How_To_Restore_Files.txt and\r\nHOW_TO_RESTORE_FILES.HTML.\r\nKeRanger OS X Ransomware will leave files (ransom notes) named README_FOR_DECRYPT.txt.\r\n Back to top\r\n#10 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #10\r\nPraetorians\r\nPraetorians\r\nAvatar image\r\nMembers\r\n19 posts\r\nOFFLINE\r\n \r\nLocal time:03:12 AM\r\nPosted 17 August 2016 - 05:52 AM\r\nquietman7, on 17 Aug 2016 - 10:50 AM, said: Quote snapback image\r\nSmrss32 Ransomware leaves files (ransom notes) named _HOW_TO_Decrypt.bmp which advises\r\nyour files have been encrypted with \"CryptoWall\" Software.\r\nApocalypse Ransomware leaves files (ransom notes) named\r\nfilename.extension.encrypted.How_To_Decrypt.txt,\r\nfilename.extension.encrypted.How_To_Get_Back.txt (i.e. family.jpg.encrypted.How_To_Decrypt.txt)\r\nfor each file encrypted. The ransom note asks you to contact \"decryptionservice@inbox.ru\" or\r\n\"decryptdata@inbox.ru\" and contains a personal ID.\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 9 of 14\n\nThank you very much quietman7. Than definitely it is not Smrss32 since also my bitmaps were encrypted.\r\nI will have to move my problem to the appropriate apocalypse thread then.\r\nBelow is what the ransom note consistent with Apocalypse says:\r\nTHIS COMPUTER HAS BEEN LOCKED AND ALL THE FILES HAVE BEEN CRYPTED.\r\n(images, videos, documents, backups, etc ).\r\nContact by Email for data recovery.\r\nThen, we'll provide Unlock-Password and Data Decryption Software to you.\r\nEmail: fabiansomware@mail.ru\r\nWARNING: If you don't contact in 48 hours, then all DATA will be damaged unrecoverably!!!\r\nEdited by Praetorians, 17 August 2016 - 05:57 AM.\r\n Back to top\r\n#11 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #11\r\nDemonslay335\r\nDemonslay335\r\nRansomware Hunter\r\nTopic Starter\r\nAvatar image\r\nSecurity Colleague\r\n4,770 posts\r\nOFFLINE\r\n \r\nGender:Male\r\nLocation:USA\r\nLocal time:08:12 PM\r\nPosted 17 August 2016 - 08:26 AM\r\n@Praetorians\r\nSee my reply in the Apocalypse topic. You definitely have the newest Apocalypse we uncovered yesterday, which\r\nID Ransomware will pickup on by the extension, ransom note name, and email address in the ransom note. You'll\r\nneed to use the ApocalypseVM decrypter for that particular variant.\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 10 of 14\n\nhttp://www.bleepingcomputer.com/forums/t/617212/apocalypse-encrypted-ransomware-help-topic-filenamehow-to-decrypttxt/?p=4065585\r\n Back to top\r\n#12 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #12\r\nDemonslay335\r\nDemonslay335\r\nRansomware Hunter\r\nTopic Starter\r\nAvatar image\r\nSecurity Colleague\r\n4,770 posts\r\nOFFLINE\r\n \r\nGender:Male\r\nLocation:USA\r\nLocal time:08:12 PM\r\nPosted 17 August 2016 - 10:10 AM\r\n@All\r\nIf anyone has been hit by this ransomware and has not paid, please share an encrypted image or Office file (e.g.,\r\n*.png.encrypted, *.jpg.encrypted, *.doc.encrypted, etc.). We will be able to provide a key and decrypter via PM.\r\n:)\r\n Back to top\r\n#13 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #13\r\nR2D2015\r\nR2D2015\r\nAvatar image\r\nMembers\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 11 of 14\n\n6 posts\r\nOFFLINE\r\n \r\nLocal time:09:12 PM\r\nPosted 17 August 2016 - 12:51 PM\r\nDemonslay335, on 17 Aug 2016 - 3:10 PM, said: Quote snapback image\r\n@All\r\nIf anyone has been hit by this ransomware and has not paid, please share an encrypted image or Office\r\nfile (e.g., *.png.encrypted, *.jpg.encrypted, *.doc.encrypted, etc.). We will be able to provide a key and\r\ndecrypter via PM. :)\r\nDid you get my .PNG.Encrypted files?\r\n Back to top\r\n#14 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #14\r\nFrakkle\r\nFrakkle\r\nAvatar image\r\nMembers\r\n1 posts\r\nOFFLINE\r\n \r\nLocal time:10:12 PM\r\nPosted 17 August 2016 - 01:15 PM\r\nDemonslay335, on 12 Aug 2016 - 12:52 AM, said: Quote snapback image\r\nA new ransomware has been floating around for the past few weeks, and only now have we been able to\r\nfind information on it.\r\nDubbed Smrss32 based on internal project settings of the malware, this ransomware encrypts files with\r\nAES and appends the extension \".encrypted\" (which is also used by several other ransomwares). The\r\nransom note \"_HOW_TO_Decrypt.bmp\" is dropped in every folder that is hit, and will look like the\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 12 of 14\n\nfollowing image, asking the victim to contact the criminals at helprecover@ghostmail.com, among\r\nother email addresses.\r\nAmong the large wall of text, it does try to call itself \"CryptoWall Software\", but it is in no way nearly\r\nas sophisticated as the real thing.\r\nBased on the way this ransomware behaves, and the project file associated with it, it is assumed this\r\nvariant is spread via manual RDP hacks into a system.\r\nIf you or someone you know has been hit by this ransomware, please post in this topic. We are looking\r\nto gather more information if possible, including whether files still exist in the directory \"C:\\encryptor\"\r\nor another suspicious folder on the root of the drive.\r\nI do not recommend paying the ransom at this time.\r\nIf you have been hit by this ransomware, please post an encrypted file here, and we will contact\r\nyou via PM with a key and decrypter.\r\nEncrypted and unencrypted version of file:\r\nhttps://www.dropbox.com/sh/9erahtg50g2ak47/AACyL1dzQjnSSxxAyKFOTbtfa?dl=0\r\nI hope you can help.\r\n---\r\nFollow-up:  Machine is fully restored now.  Thanks again so much, you guys are amazing.\r\nEdited by Frakkle, 17 August 2016 - 08:30 PM.\r\n Back to top\r\n#15 Smrss32 (.encrypted) Ransomware Help \u0026 Support - _HOW_TO_Decrypt.bmp: post #15\r\nDemonslay335\r\nDemonslay335\r\nRansomware Hunter\r\nTopic Starter\r\nAvatar image\r\nSecurity Colleague\r\n4,770 posts\r\nOFFLINE\r\n \r\nGender:Male\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 13 of 14\n\nLocation:USA\r\nLocal time:08:12 PM\r\nPosted 17 August 2016 - 01:52 PM\r\n@R2D2015\r\nThanks for the reminder, I have your files and will contact you when we have a key.\r\n@Frakkle\r\nI will contact you when we have a key as well.\r\n Back to top\r\nSource: https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nhttps://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/\r\nPage 14 of 14\n\nSmrss32 skipped files The listed of targeted with the extension extensions: .bmp.   \n.18113 .3gp2 .3gpp .8pbs .acs2 .acsm .aifc .aiff .albm .amff .ascx .asmx .aspx .azw3 .back .backup .backupdb\n.bank .bdmv .blob .bndl .book .bsdl .cache .calb .cals .cctor .cdda .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .ciff .class .clipflair\n.clpi .conf .config .contact .craw .crtr .crtx .ctor .ctuxa .d3dbsp .data .dazip .ddat .ddoc .ddrw .desc .divx .djvu\n.dmsk .dnax .docb .docm .docx .dotm .dotx .dsp2 .dump .encrypted .epfs .epub .exif .fh10 .flac .fmpp .forge\n.fsproj .gray .grey .group .gtif .gzip .h264 .hkdb .hplg .html .hvpl .ibank .icns .icxs .ilbm .im30 .incpas .indd .indt\n.ipsw .itc2 .itdb .ithmb .iw44 .java .jfif .jhtml .jnlp .jpeg .json .kdbx .kext .keychain .keychain .kpdx .lang .latex\n.lay6 .layout .ldif .litemod .log1 .log2 .log3 .log4 .log5 .log6 .log7 .log8 .log9 .m2ts .m3url .macp .maff .mcmeta\n.mdbackup .mddata .mdmp .menu .midi .mobi .moneywell .mp2v .mpeg .mpga .mpls .mpnt .mpqge .mpv2\n.mrwref .ms11 .msmessagestore .mspx .mswmm .oeaccount .opus .otpsc .pack .pages .paint .phtml .pict .pj64\n.pkpass .pntg .potm .potx .ppam .ppsm .ppsx .pptm .pptx .ppxps .psafe3 .psmdoc .pspimage .qcow2 .qdat .qzip\n.rels .rgss3a .rmvb .rofl .rppm .rtsp .s3db .sas7bcat .sas7bdat .sas7bndx .sas7bpgm .sas7bvew .sidd .sidn .sitx .skin\n.sldm .sldx .smil .sqlitedb .svg2 .svgz .targa .temp .test .text .tiff .tmpl .torrent .trace .tt10 .uns2 .urls .user .vcmf\n.vfs0 .view .vmdk .wallet .wbmp .webm .webp .wlmp .wotreplay .wrml .xbel .xfdl .xhtml .xlam .xlsb .xlsm .xlsx\n.xltm .xltx .xspf .xvid .ycbcra .ychat .yenc .zdct .zhtml .zipx .ztmp  \nTotal: 233 extensions, the list is cleaned from duplicates is type .BACKUPDB and .backupdb and others.\nIf i something do not see-fix.    \n  Page 3 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/"
	],
	"report_names": [
		"smrss32-encrypted-ransomware-help-support-how-to-decryptbmp"
	],
	"threat_actors": [],
	"ts_created_at": 1775791276,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/287a13b3666f0f63aa18edfc543c863dfad36602.pdf",
		"text": "https://archive.orkl.eu/287a13b3666f0f63aa18edfc543c863dfad36602.txt",
		"img": "https://archive.orkl.eu/287a13b3666f0f63aa18edfc543c863dfad36602.jpg"
	}
}