{"id":145,"date":"2014-02-05T11:45:51","date_gmt":"2014-02-05T11:45:51","guid":{"rendered":"http:\/\/www.adlice.com\/?p=145"},"modified":"2022-12-21T10:40:36","modified_gmt":"2022-12-21T10:40:36","slug":"symmi-ransomware-decryption","status":"publish","type":"post","link":"https:\/\/www.adlice.com\/es\/symmi-ransomware-decryption\/","title":{"rendered":"Symmi Ransomware Decryption"},"content":{"rendered":"\n

Recently on Malekal.com forum, I came across a challenge. Some people got infected by a brand new ransomware having the particularity to encrypt documents<\/strong> (based on extension, .jpg, .doc, and so on). Having a dropper, I decided to have a look into it and find a way to decrypt those files (if possible)…<\/p>\n\n\n\n

The dropper is detected as Win32.Symmi<\/strong> on Virus Total:
https:\/\/www.virustotal.com\/file\/2aca300b45371b3e01e1ab044798bc6777e11345435713027bc8cae6292dda0f\/analysis\/<\/a><\/p>\n\n\n\n


Static analysis – What has changed on files?<\/h4>\n\n\n\n

After launched the dropper, I looked at the modified files. After a little wait, the infection showed up a window saying lots of documents where compromised. The infection is self restarted by a registry key (RUN).
 <\/p>\n\n\n\n

\"The<\/a>
The process and its run key<\/figcaption><\/figure>\n\n\n\n
\"<\/a>
Disclaimer claiming to be able to contact Microsoft to recover<\/figcaption><\/figure>\n\n\n\n
\"List<\/a>
List of compromised files<\/figcaption><\/figure>\n\n\n\n

It looked like the very first 100 bytes where overwritten, with no kind of logical (the null bytes where randomly overwritten). No basic encryption here then. I’ll have to go further.
 <\/p>\n\n\n\n

\"Above<\/a>
Above : encrypted file – Below : original file<\/figcaption><\/figure>\n\n\n\n



Dropping the Paypload<\/h4>\n\n\n\n

The dropper uses basic tricks to avoid debugging. It’s not packed nor protected, but does massive usage of GetProcAddress<\/a> to make the routine detection more difficult. I found nothing useful by first looking at the dropper in OllyDbg, so I went to APIMonitor.<\/p>\n\n\n\n

What APIMonitor showed is fun \ud83d\ude42 <\/strong>
The dropper was indeed trying to escape of debugging by also create threads and new processes:<\/p>\n\n\n\n

– First, It creates new thread and quit the main thread
 
\"apiMonThread\"<\/a><\/p>\n\n\n\n

– Then, the second thread fires a new process
 
\"apiMonProcess\"<\/a><\/p>\n\n\n\n

Let’s see this in OllyDB!<\/em><\/strong><\/p>\n\n\n\n

After setting a breakpoint into GetProcAddress (kernel32.dll), I found the place where CreateThread<\/strong> was called.
 
\"getProc\"<\/a><\/p>\n\n\n\n

I could then place a breakpoint into the StartAddress (0x00C70000<\/strong>) of the thread to break into it.
 
\"CreateThread\"<\/a><\/p>\n\n\n\n

In this new Thread, I’ve done the same to find the place where CreateProcess<\/strong><\/em> was called.
It was recreating a new process over the same file! (quite unusual, as we could expect some infinite loop).
 
\"CreateProcess\"<\/a><\/p>\n\n\n\n

In fact, the process is created using the flag CREATE_SUSPENDED<\/strong> (see the “PUSH 4” before the call), and later we will see a WriteProcessMemory<\/strong>, and then a ResumeThread<\/strong>.<\/p>\n\n\n\n

The WriteProcessMemory routine is indeed writing a whole new PE at StartAddress (0x400000) of our new process<\/strong>, completely overwriting itself. I’ve made a dump of this code section, it’s a standalone PE (our Payload). We will analyse it right after.<\/p>\n\n\n\n

To finish ResumeThread resumes the new process<\/strong> (which is now a brand new one, with nothing in common with our dropper).
 
\"WriteProcessMem\"<\/a>
\"ResumeThread\"<\/a><\/p>\n\n\n\n

The Paypload is detected as Generic (quite bad) in Virus Total :
https:\/\/www.virustotal.com\/file\/8387e5d7e76a3c36708ca50eed438245a5906fa4ed07c6229621b1798a13bced\/analysis\/<\/a><\/p>\n\n\n\n


Analysing the Payload<\/h4>\n\n\n\n

Once the payload dumped, and loaded into OllyDbg, we can have a quick overview by looking into the strings and intermodular calls. And this is indeed our encrypter<\/strong> \ud83d\ude42
What is remarkable is the calls to the APIs : FindFirstFile<\/strong>, FindNextFile <\/strong>(files enumeration), CreateFile <\/strong>(file opening), and WriteFile <\/strong>(file overwriting).
 
\"dumped_calls1\"<\/a><\/p>\n\n\n\n

\"dumped_calls2\"<\/a><\/figure>\n\n\n\n
\"dumped_calls3\"<\/a><\/figure>\n\n\n\n
\"dumped_strings\"<\/a><\/figure>\n\n\n\n

After loading it into API Monitor, we have a dynamic overview of the scheme of file overwriting<\/strong>. This will be useful to understand where to search for a way to decrypt them. We can see the scheme: SetFileAttributes, CreateFile, ReadFile, and then WriteFile (with 100 bytes)<\/strong>
 
\"apimon1\"<\/a><\/p>\n\n\n\n

In OllyDBG, I quickly found where the ReadFile and WriteFile were performed. WriteFile was indeed done on the firsts 100 bytes<\/strong> (0x64), as expected (see API Monitor capture above).
 
\"read\"<\/a>
\"write\"<\/a><\/p>\n\n\n\n

Interesting thing, this malware was doing a Sleep of 180 seconds to evade some sandboxes<\/strong>. For debugging purposes, I’ve nopped this call to avoid waiting for nothing \ud83d\ude42
 
\"Sleep\"<\/a><\/p>\n\n\n\n

To finish, I found where the file was encrypted, and how. It was a “simple” XOR routine, with a key of -1398550687 (ASCII), on my VM<\/strong>.
I suspected the key to be dynamically build<\/strong>, and not hardcoded.
 
\"encKey\"<\/a>
\"encrroutine\"<\/a><\/p>\n\n\n\n


Let’s find the key!<\/h4>\n\n\n\n

In my tale to find the key, I ran into the fact that the malware was calling an API called GetVolumeInformation right before the call to the routine to XOR the file<\/strong>. My little finger told me it was important in order to get the key, so I put a breakpoint on the return buffer of this API.
 
\"getvolinfo\"<\/a><\/p>\n\n\n\n

Indeed, it was important. Once the routine responsible for key’s computing found, I saw that the Volume serial number was the only thing able to change the key’s content<\/strong>.In the main loop, the “Push EDI” was pushing the volume serial number onto the stack for later use.<\/p>\n\n\n\n

The key’s routine is displayed above. This is not very clear, but nevermind.
I’ve translated it into C++ code below to able to restore the files.
 
\"encRoutine1\"<\/a><\/p>\n\n\n\n

\"encRoutine2\"<\/a><\/figure>\n\n\n\n
\"encRoutine3\"<\/a><\/figure>\n\n\n\n

The keys also needs another parameter to find the first ASCII character (here, a “-“). It’s the buffer size (0x64), which is hardcoded in the data section. I’ll hardcode myself too then.
 
\"length\"<\/a><\/p>\n\n\n\n


Let’s restore the files!<\/h4>\n\n\n\n

I’ve made a little program able to retrieve the key corresponding to a hard drive<\/strong> (the program must be on the same drive than the file to restore), and apply a XOR with this key on the 100 first bytes of a given file<\/strong> (it does the same as the malware, but as XOR is reversible, it restores the file).<\/p>\n\n\n\n

Here’s the routine to get the key. It’s a basic algorithm, but not trivial to reverse…<\/p>\n\n\n\n

void GetKey(char* &amp; key)\n{\n DWORD volumeSerial = 0, modifiedSerial = 0;\n DWORD initial = 0, tmp = 0, tmp2 = 0, result = 0;\n DWORD operand = 0x0A;\n TCHAR buff[1024];\n char keytmp[1024];\n int count = 0;\n  \n \/\/ Volume info\n GetVolumeInformation(L\"\\\\\", NULL, 0, &amp;volumeSerial, NULL, NULL, NULL, NULL);\n  \n \/\/ Modified\n modifiedSerial = -volumeSerial;\n \n memset(keytmp, '\\0', 1024);\n initial = modifiedSerial;\n while(initial != 0)\n {\n  tmp = initial \/ operand;\n  tmp2 = tmp * operand;\n  result = - (tmp2 - initial);\n  result += 0x30; \/\/go to ACSII\n  initial = tmp;\n \n  keytmp[count] = (char)result;\n  count++;\n }\n \n \/\/ Invert buffer, add -\n key = (char*)malloc(count + 1 + 1); \/\/1 for -, 1 for null byte\n memset(key, '\\0', count + 1 + 1);\n \n key[0] = 0x2D; \/\/ - char\n for (u_int i = 0 ; i &lt; count ; i++)\n {\n  key[count - i] = keytmp[i];\n }\n}\n<\/code><\/pre>\n\n\n\n
The program to restore your files is available here : 
To use it, simply move a file to restore on the program’s icon, it will trigger the program with its path on parameter, and restore the file. It works also by selecting multiple files at once.
 
\"decryptAvant\"<\/a><\/p>\n\n\n\n
\"decryptAPRES\"<\/a><\/figure>\n\n\n\n
\"decrypted\"<\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"
Anlysis of Win32.Symmi Ransomware – Learn how this ransomware encrypts your files, and how to defeat it to decrypt your personal data.<\/p>\n","protected":false},"author":1,"featured_media":176,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[7,153,8,128,127],"class_list":["post-145","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-analysis","tag-analysis","tag-decryption","tag-malware","tag-ransom","tag-ransomware","category-36","description-off"],"views":508,"yoast_score":67,"yoast_readable":30,"featured_image_src":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/ransomware-expert-tips-featured.jpg","author_info":{"display_name":"tigzy","author_link":"https:\/\/www.adlice.com\/es\/author\/tigzy\/"},"yoast_head":"\nSymmi Ransomware | Analysis & Decryption \u2022 Adlice Software<\/title>\n<meta name=\"description\" content=\"Anlysis of Win32.Symmi Ransomware. Learn how this ransomware encrypts your files, and how to defeat it to decrypt your personal data.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/\" \/>\n<meta property=\"og:locale\" content=\"es_ES\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Symmi Ransomware | Analysis & Decryption \u2022 Adlice Software\" \/>\n<meta property=\"og:description\" content=\"Anlysis of Win32.Symmi Ransomware. Learn how this ransomware encrypts your files, and how to defeat it to decrypt your personal data.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/\" \/>\n<meta property=\"og:site_name\" content=\"Adlice Software\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/RogueKiller\" \/>\n<meta property=\"article:published_time\" content=\"2014-02-05T11:45:51+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-12-21T10:40:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/ransomware-expert-tips-featured.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"840\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"tigzy\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@AdliceSoftware\" \/>\n<meta name=\"twitter:site\" content=\"@AdliceSoftware\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"tigzy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tiempo de lectura\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/\"},\"author\":{\"name\":\"tigzy\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d\"},\"headline\":\"Symmi Ransomware Decryption\",\"datePublished\":\"2014-02-05T11:45:51+00:00\",\"dateModified\":\"2022-12-21T10:40:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/\"},\"wordCount\":982,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.adlice.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/ransomware-expert-tips-featured.jpg\",\"keywords\":[\"analysis\",\"decryption\",\"malware\",\"ransom\",\"ransomware\"],\"articleSection\":[\"Analysis\"],\"inLanguage\":\"es\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/\",\"url\":\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/\",\"name\":\"Symmi Ransomware | Analysis & Decryption \u2022 Adlice Software\",\"isPartOf\":{\"@id\":\"https:\/\/www.adlice.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/ransomware-expert-tips-featured.jpg\",\"datePublished\":\"2014-02-05T11:45:51+00:00\",\"dateModified\":\"2022-12-21T10:40:36+00:00\",\"description\":\"Anlysis of Win32.Symmi Ransomware. Learn how this ransomware encrypts your files, and how to defeat it to decrypt your personal data.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#breadcrumb\"},\"inLanguage\":\"es\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#primaryimage\",\"url\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/ransomware-expert-tips-featured.jpg\",\"contentUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/ransomware-expert-tips-featured.jpg\",\"width\":1280,\"height\":840},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.adlice.com\/es\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Symmi Ransomware Decryption\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.adlice.com\/#website\",\"url\":\"https:\/\/www.adlice.com\/\",\"name\":\"Adlice Software\",\"description\":\"Anti-malware and analysis tools\",\"publisher\":{\"@id\":\"https:\/\/www.adlice.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.adlice.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"es\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.adlice.com\/#organization\",\"name\":\"Adlice Software\",\"url\":\"https:\/\/www.adlice.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png\",\"contentUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png\",\"width\":276,\"height\":276,\"caption\":\"Adlice Software\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/RogueKiller\",\"https:\/\/x.com\/AdliceSoftware\",\"https:\/\/fr.linkedin.com\/company\/adlice-software\",\"https:\/\/www.youtube.com\/channel\/UC4CQ-gIZMGWxl-auf0QqYhQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d\",\"name\":\"tigzy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g\",\"caption\":\"tigzy\"},\"description\":\"Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog posts.\",\"url\":\"https:\/\/www.adlice.com\/es\/author\/tigzy\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Symmi Ransomware | Analysis & Decryption \u2022 Adlice Software","description":"Anlysis of Win32.Symmi Ransomware. Learn how this ransomware encrypts your files, and how to defeat it to decrypt your personal data.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/","og_locale":"es_ES","og_type":"article","og_title":"Symmi Ransomware | Analysis & Decryption \u2022 Adlice Software","og_description":"Anlysis of Win32.Symmi Ransomware. Learn how this ransomware encrypts your files, and how to defeat it to decrypt your personal data.","og_url":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/","og_site_name":"Adlice Software","article_publisher":"https:\/\/www.facebook.com\/RogueKiller","article_published_time":"2014-02-05T11:45:51+00:00","article_modified_time":"2022-12-21T10:40:36+00:00","og_image":[{"width":1280,"height":840,"url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/ransomware-expert-tips-featured.jpg","type":"image\/jpeg"}],"author":"tigzy","twitter_card":"summary_large_image","twitter_creator":"@AdliceSoftware","twitter_site":"@AdliceSoftware","twitter_misc":{"Escrito por":"tigzy","Tiempo de lectura":"11 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#article","isPartOf":{"@id":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/"},"author":{"name":"tigzy","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d"},"headline":"Symmi Ransomware Decryption","datePublished":"2014-02-05T11:45:51+00:00","dateModified":"2022-12-21T10:40:36+00:00","mainEntityOfPage":{"@id":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/"},"wordCount":982,"commentCount":0,"publisher":{"@id":"https:\/\/www.adlice.com\/#organization"},"image":{"@id":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#primaryimage"},"thumbnailUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/ransomware-expert-tips-featured.jpg","keywords":["analysis","decryption","malware","ransom","ransomware"],"articleSection":["Analysis"],"inLanguage":"es"},{"@type":"WebPage","@id":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/","url":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/","name":"Symmi Ransomware | Analysis & Decryption \u2022 Adlice Software","isPartOf":{"@id":"https:\/\/www.adlice.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#primaryimage"},"image":{"@id":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#primaryimage"},"thumbnailUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/ransomware-expert-tips-featured.jpg","datePublished":"2014-02-05T11:45:51+00:00","dateModified":"2022-12-21T10:40:36+00:00","description":"Anlysis of Win32.Symmi Ransomware. Learn how this ransomware encrypts your files, and how to defeat it to decrypt your personal data.","breadcrumb":{"@id":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#breadcrumb"},"inLanguage":"es","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.adlice.com\/symmi-ransomware-decryption\/"]}]},{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#primaryimage","url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/ransomware-expert-tips-featured.jpg","contentUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/ransomware-expert-tips-featured.jpg","width":1280,"height":840},{"@type":"BreadcrumbList","@id":"https:\/\/www.adlice.com\/symmi-ransomware-decryption\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.adlice.com\/es\/"},{"@type":"ListItem","position":2,"name":"Symmi Ransomware Decryption"}]},{"@type":"WebSite","@id":"https:\/\/www.adlice.com\/#website","url":"https:\/\/www.adlice.com\/","name":"Adlice Software","description":"Anti-malware and analysis tools","publisher":{"@id":"https:\/\/www.adlice.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.adlice.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"es"},{"@type":"Organization","@id":"https:\/\/www.adlice.com\/#organization","name":"Adlice Software","url":"https:\/\/www.adlice.com\/","logo":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png","contentUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png","width":276,"height":276,"caption":"Adlice Software"},"image":{"@id":"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/RogueKiller","https:\/\/x.com\/AdliceSoftware","https:\/\/fr.linkedin.com\/company\/adlice-software","https:\/\/www.youtube.com\/channel\/UC4CQ-gIZMGWxl-auf0QqYhQ"]},{"@type":"Person","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d","name":"tigzy","image":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g","caption":"tigzy"},"description":"Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog posts.","url":"https:\/\/www.adlice.com\/es\/author\/tigzy\/"}]}},"_links":{"self":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/posts\/145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/comments?post=145"}],"version-history":[{"count":0,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/posts\/145\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/media\/176"}],"wp:attachment":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/media?parent=145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/categories?post=145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/tags?post=145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}