Concrete signature match: Trojan - Appears legitimate but performs malicious actions for W32 platform, family Ransom
This is a concrete detection of a W32 ransomware variant designed to encrypt user files or lock the system, demanding payment through suspicious URLs like 'backdoor-guard.com' and 'adultfake.ru'. It employs techniques such as disabling input devices, terminating processes via 'pskill.exe', and establishing persistence to ensure its malicious operations.
Relevant strings associated with this threat:
- wl.exe CADOff KeysOff MouseOff (PEHSTR)
- http://www.backdoor-guard.com/index.php?module=pay&msg=win&uid= (PEHSTR)
- pskill.exe /accepteula wl.exe (PEHSTR)
- pskill.exe /accepteula iexplore.exe (PEHSTR)
- otstuk.bat (PEHSTR)
- locker.exe (PEHSTR)
- "Software\KJ\Share\DateInfo\Wareki\ (PEHSTR)
- \amvbak.lnk (FILEPATH)
- \amediaview.lnk (FILEPATH)
- \startup\amvbak.lnk (FILEPATH)
- \startup\amediaview.lnk (FILEPATH)
- Software\AMediaView (REGKEY)
- %http://adultfake.ru/members.php (PEHSTR)
- unixtime.dat (PEHSTR)
- lnk.lnk (PEHSTR)
- activate.exe (PEHSTR_EXT)
- .dll (PEHSTR_EXT)
- DllCanUnloadNow (PEHSTR_EXT)
- DllGetClassObject (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- DllUnregisterServer (PEHSTR_EXT)
- C:\WINDOWS\xstopit (PEHSTR_EXT)
- IEDataFeeder.dll (PEHSTR_EXT)
- )http://gw.netlinkinvest.com/checkcode.php (PEHSTR)
- &document=openoffice.2010-fr. (PEHSTR)
- unlock your computer (PEHSTR_EXT)
- YOUR COMPUTER IS INFECTED BY SPYWARE !!! (PEHSTR_EXT)
- firefox.exe" (PEHSTR)
- opera.exe" (PEHSTR)
- Jreg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\run" (PEHSTR)
- Software\WebMoney\path (PEHSTR)
- http://%s/_req/?type=%c&sid=%d&sw= (PEHSTR_EXT)
- avastsvc.exe (PEHSTR_EXT)
- support.kaspersky.ru/viruses/deblocker (PEHSTR_EXT)
- attrib +H "C:\Documents and Settings\All Users\ (PEHSTR_EXT)
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\run" /v Shell /t REG_SZ /d (PEHSTR_EXT)
- mover.bat (PEHSTR_EXT)
- config.bat (PEHSTR_EXT)
- hide.bat (PEHSTR_EXT)
- moving.bat (PEHSTR_EXT)
- prefetching.txt (PEHSTR_EXT)
- delock.txt (PEHSTR_EXT)
- pornhub.com (PEHSTR_EXT)
- Scr (PEHSTR_EXT)
- een.jpg (PEHSTR_EXT)
- r http:/ (PEHSTR_EXT)
- .Pnet (PEHSTR_EXT)
- \SOFTWARE\Microsoft\Outlook Express\ (PEHSTR_EXT)
- tempsys.exe (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- C:\WINDOWS\system32\xxx_video.exe (PEHSTR_EXT)
- C:\windows\system32\taskmgr.exe (PEHSTR_EXT)
- =ADEBITATO UN IMPORTO DI SEIS E DIVIANNOVE EURO (IVA INCLUSA). (PEHSTR)
- www.netlinkinvest.com/support/it (PEHSTR)
- 0H0 >?5@0F8>==0O A8AB5<0 701;>:8@>20=0 70 =0@CH5=85 8A?>;L7>20=8O A5B8 8=B5@=5B. (PEHSTR_EXT)
- System\ControlSet001\Control\SafeBoot\fuck (PEHSTR_EXT)
- System\ControlSet001\Control\SafeBoot\you (PEHSTR_EXT)
- HOW TO DECRYPT FILES. (PEHSTR_EXT)
- SOFTWARE\Microsoft\Internet Explorer\startingp (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PEHSTR_EXT)
- exe.rerolpxe (PEHSTR)
- Software\Microsoft\Licenser\aasum (PEHSTR_EXT)
- taskkill /im (PEHSTR_EXT)
- \System\DisableTaskMgr (PEHSTR_EXT)
- \System\DisableRegistryTools (PEHSTR_EXT)
- SOFTWARE\Microsoft\Internet Explorer (PEHSTR_EXT)
- Software\Microsoft\Windows NT\CurrentVersion\Winlogon (PEHSTR_EXT)
- System\CurrentControlSet\Control\SafeBoot (PEHSTR_EXT)
- delete.bat (PEHSTR)
- "http://%s/_req/?type=%c&sid=%d&sw= (PEHSTR)
- avastsvc.exe (PEHSTR)
- real-goodporno.info (PEHSTR)
- Delete.bat (PEHSTR_EXT)
- \Sound.exe (PEHSTR_EXT)
- System\CurrentControlSet\Control\SafeBoot\ (PEHSTR_EXT)
- \taskmgr.exe (PEHSTR_EXT)
- \del.bat (PEHSTR_EXT)
- %userprofilE%\ (PEHSTR_EXT)
- \ound (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- HTTP/1.0 (PEHSTR_EXT)
- /locker.php (PEHSTR_EXT)
- /f /im explorer.exe (PEHSTR_EXT)
- taskkill.exe (PEHSTR_EXT)
- %WinDir%\Win32.exe (PEHSTR_EXT)
- taskmgr.exe (PEHSTR_EXT)
- Now your computer is blocked by newly installed software (PEHSTR_EXT)
- %s\Identities\%s\svghost.exe (PEHSTR_EXT)
- \winlock.pdb (PEHSTR_EXT)
- /f /im explorer.exe (PEHSTR)
- \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ (PEHSTR_EXT)
- 12321312020.tmp (PEHSTR_EXT)
- Software\Microsoft\Internet Explorer\Main (PEHSTR_EXT)
- CHROME.EXE (PEHSTR_EXT)
- IEXPLORE.EXE (PEHSTR_EXT)
- OPERA.EXE (PEHSTR_EXT)
- FIREFOX.EXE (PEHSTR_EXT)
- SAFARI.EXE (PEHSTR_EXT)
- explorer.exe (PEHSTR_EXT)
- /gate.php?hwid= (PEHSTR_EXT)
- nuR\noisreVtnerruC\swodniW\tfosorciM\ERAWTFOS (PEHSTR_EXT)
- stnenopmoC dellatsnI\puteS evitcA\tfosorciM\ERAWTFOS (PEHSTR_EXT)
- /ActiveX (PEHSTR_EXT)
- decodersoft@Safe-mail.net (PEHSTR_EXT)
- taskkill /F /IM explorer.exe (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (PEHSTR_EXT)
- .tmp,X50 (PEHSTR_EXT)
- ctfmon.lnk (PEHSTR_EXT)
- %systemroot%\system32\ctfmon.exe (PEHSTR_EXT)
- \Run\ctfmon.exe (PEHSTR_EXT)
- \SENS\Parameters\ServiceDll (PEHSTR_EXT)
- SOFTWARE\LID (PEHSTR_EXT)
- Send Recv Complite (PEHSTR_EXT)
- Silence_lock_bot.pdb (PEHSTR_EXT)
- /n/get.php?pin= (PEHSTR_EXT)
- /n/get.php?ot= (PEHSTR_EXT)
- We are processing your payment. (PEHSTR_EXT)
- CurrentControlSet\Services\SENS\Parameters\ServiceDll (PEHSTR_EXT)
- CurrentVersion\Explorer\Shell Folders\Startup (PEHSTR_EXT)
- CurrentVersion\Explorer\Shell Folders\Common AppData (PEHSTR_EXT)
- Windows\CurrentVersion\Run\ctfmon.exe (PEHSTR_EXT)
- \Silence_lock_bot\Release\Silence_lock_bot.pdb (PEHSTR_EXT)
- \SafeBoot\M (PEHSTR_EXT)
- \Policies\Explorer\Run (PEHSTR_EXT)
- the1024rsa@i2pmail.org (PEHSTR_EXT)
- (photos,documents etc.) (PEHSTR_EXT)
- HOW TO DECRYPT FILES.txt (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- explorer_new.exe (PEHSTR_EXT)
- dilly/ (PEHSTR_EXT)
- bot.pdb (PEHSTR_EXT)
- bat.bat (PEHSTR_EXT)
- key.reg (PEHSTR_EXT)
- AdobeReader.exe (PEHSTR_EXT)
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] (PEHSTR_EXT)
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] (PEHSTR_EXT)
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] (PEHSTR_EXT)
- bootstat.dat (PEHSTR_EXT)
- netsh.exe (PEHSTR_EXT)
- C:\Serl_log.txt (PEHSTR_EXT)
- 79.76.71.166 (PEHSTR_EXT)
- FileMem.dll (PEHSTR_EXT)
- Lock.dll (PEHSTR_EXT)
- winlock.Properties (PEHSTR_EXT)
- /get_dsn.php (PEHSTR)
- http:// (PEHSTR_EXT)
- dll (PEHSTR_EXT)
- \\.\PHYSICALDRIVE0 (PEHSTR_EXT)
- \msconfig.lnk (FILEPATH)
- \nuR\noisreVtnerruC\swodniW\tfosorciM\ERAWTFOS (PEHSTR_EXT)
- jsj (PEHSTR_EXT)
- ?httpu (PEHSTR_EXT)
- snapz.dib (PEHSTR_EXT)
- /get.php (PEHSTR_EXT)
- *.block (PEHSTR_EXT)
- .decrypt (PEHSTR_EXT)
- *.wri (PEHSTR_EXT)
- *.css (PEHSTR_EXT)
- *.asm (PEHSTR_EXT)
- *.html (PEHSTR_EXT)
- Filesop.txt.block (PEHSTR_EXT)
- /konu.php?hwid= (PEHSTR_EXT)
- \stnenopmoC dellatsnI\puteS evitcA\tfosorciM\ERAWTFOS (PEHSTR_EXT)
- Page is loading, please wait. This may take up to 30 seconds. (PEHSTR_EXT)
- /img.php?gimmeImg (PEHSTR_EXT)
- &Status=Lock HTTP/1.1 (PEHSTR_EXT)
- reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v (PEHSTR_EXT)
- \iexplore.lnk (FILEPATH)
- /getunlock.php (PEHSTR_EXT)
- x{\qqj (PEHSTR_EXT)
- /get_dsn.php (PEHSTR_EXT)
- /get_coce.php (PEHSTR_EXT)
- /topic.php (PEHSTR_EXT)
- dfrg.msc- (PEHSTR_EXT)
- net share c$ /del (PEHSTR_EXT)
- net localgroup Administrators Forbidden /add (PEHSTR_EXT)
- net user Administrator /active:no (PEHSTR_EXT)
- C:\WIND (PEHSTR)
- r.exe (PEHSTR)
- System\CurrentControlSet\Control\SafeBoot\minimal (PEHSTR_EXT)
- Windows. (PEHSTR_EXT)
- Microsoft. (PEHSTR_EXT)
- C:\setup.rnd (PEHSTR_EXT)
- \qw2jd.exe (FILEPATH)
- C:\WIND (FILEPATH)
- r.exe (FILEPATH)
- picture.php (PEHSTR_EXT)
- unlock.php (PEHSTR_EXT)
- JimmMonsterNew\ServerWinlock (PEHSTR_EXT)
- runctf.lnk (PEHSTR_EXT)
- CurrentVersion\Winlogon\Shell (PEHSTR_EXT)
- \task scheduler.lnk (FILEPATH)
- 8.tor (PEHSTR_EXT)
- /lock.none (PEHSTR_EXT)
- \Control\SafeBoot\M (PEHSTR_EXT)
- Fire-toll For SEO Masters.exe (PEHSTR_EXT)
- \CurrentVersion\Run (PEHSTR_EXT)
- \flashplayer\sys\#local\ (PEHSTR_EXT)
- ://local/123.swf (PEHSTR_EXT)
- ServiceAntiWinLocker.exe (PEHSTR_EXT)
- AntiWinLockerTray.exe (PEHSTR_EXT)
- NoManageMyComputerVerb (PEHSTR_EXT)
- .tmph (PEHSTR_EXT)
- /nymain/ (PEHSTR_EXT)
- /index.php: (PEHSTR_EXT)
- FBI - Computer locked. (PEHSTR_EXT)
- FBI Online Agent v.2. (PEHSTR_EXT)
- After paying the fine your computer will be unlocked (PEHSTR_EXT)
- \WORK\WORK_PECEPB\ (PEHSTR_EXT)
- \injc\Release\injc.pdb (PEHSTR_EXT)
- <m>Press ESC and try to connect to the Internet. (PEHSTR_EXT)
- h.phphmain (PEHSTR_EXT)
- lock.dll (PEHSTR_EXT)
- Global\uyuy766rgdyr55 (PEHSTR_EXT)
- Global\ou86ge58gy (PEHSTR_EXT)
- Global\iioy88hgy6 (PEHSTR_EXT)
- picture.php?pin= (PEHSTR_EXT)
- /hcybnq/vzt.wct (PEHSTR_EXT)
- gnfxzte.rkr (PEHSTR_EXT)
- getunlock.php (PEHSTR_EXT)
- %s\1.bmp (PEHSTR_EXT)
- %s\1.jpg (PEHSTR_EXT)
- trghaybpx.cuc (PEHSTR_EXT)
- \systemroot.exe (FILEPATH)
- \displayswitch.exe (FILEPATH)
- RUNDLL32.EXE (PEHSTR_EXT)
- msconfig.lnk (PEHSTR_EXT)
- .iniV (PEHSTR_EXT)
- com (PEHSTR_EXT)
- c:\temp\filotf.txt (PEHSTR_EXT)
- 88888are\classes (PEHSTR_EXT)
- cssfile\defaulticon (PEHSTR_EXT)
- regmonstd.lnk (PEHSTR_EXT)
- GL300 Function Start Complite (PEHSTR_EXT)
- \system32\rundll32.exe (PEHSTR_EXT)
- \fs20 Bitcoin is a cryptocurrency where (PEHSTR_EXT)
- Getting started with Bitcoin}}}\cf1\ulnone\b0\f0\fs20\par (PEHSTR_EXT)
- nobody and never will be able\b0 to restore files...\par (PEHSTR_EXT)
- %AMOUNT_USD% USD\b0 / \b %AMOUNT_EUR% EUR\b0 (PEHSTR_EXT)
- Your important files \b encryption\b0 produced on this computer: photos, videos, documents, etc. (PEHSTR_EXT)
- cmd (PEHSTR)
- Software\Microsoft\Windows\CurrentVersion\Run\\CryptoLocker (REGKEY)
- Software\Microsoft\Windows\CurrentVersion\RunOnce\\*CryptoLocker (REGKEY)
- XL200 Function Start Complite (PEHSTR_EXT)
- FFZ1 Function Lock Start Complite (PEHSTR_EXT)
- CCZ1 Function Lock Start Complite (PEHSTR_EXT)
- Start Dicompress To Loadlib (PEHSTR_EXT)
- Lock DLL Download (PEHSTR_EXT)
- X:\PGP\Programming\JimmMonsterNew\ServerWinlock\ (PEHSTR_EXT)
- \HELP_DECRYPT.LNK (FILEPATH)
- \HELP_DECRYPT.PNG (FILEPATH)
- \HELP_DECRYPT.TXT (FILEPATH)
- \HELP_DECRYPT.URL (FILEPATH)
- \HELP_DECRYPT.HTML (FILEPATH)
- get.php?os=%s&arch=%s&pin=%s (PEHSTR_EXT)
- PYour important files on this computer were encrypted: photos, videos, documents, (PEHSTR)
- @you need to pay 300 USD / EUR / similar amount in Bitcoin. (PEHSTR)
- 0.resources (PEHSTR)
- msunet.frm5.resources (PEHSTR)
- msunet.frm2.res (PEHSTR)
- Your Keeper ID could not be sent. (PEHSTR_EXT)
- data will be decrypted in backround mode. (PEHSTR_EXT)
- /e.php?id= (PEHSTR_EXT)
- Bitcomint (PEHSTR_EXT)
- bitcrypt.ccw (PEHSTR_EXT)
- cryptovirus. (PEHSTR_EXT)
- more information you should find txt file named Bitcrypt.txt on your hard drive. (PEHSTR_EXT)
- cmd.exe (PEHSTR_EXT)
- /K bcdedit /set {default} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
- BitCrypt.bmp (PEHSTR_EXT)
- .%USER_CODE% (PEHSTR)
- = CreateObject("WScript.Shell") (MACROHSTR_EXT)
- .Run "powershell.exe" & " -noexit -encodedcommand " & (MACROHSTR_EXT)
- X:\racketeer\ (PEHSTR_EXT)
- \DECRYPT_INSTRUCTIONS.txt (FILEPATH)
- \DECRYPT_INSTRUCTIONS.html (FILEPATH)
- \????????????????\0?000000 (FILEPATH)
- (Payment Received. Proceed to decryption. (PEHSTR)
- WALLET.DAT (PEHSTR_EXT)
- \Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- $&%04\svchost.exe (PEHSTR_EXT)
- @$&%04\ (PEHSTR_EXT)
- *.ChipDale (PEHSTR_EXT)
- PING -n 5 -w 1000 127.0.0.1 > nul (PEHSTR_EXT)
- del systemTrayW.exe (PEHSTR_EXT)
- chip_and_dale.vzhk (PEHSTR_EXT)
- Create random address. (PEHSTR_EXT)
- main locker window, follow the instructions on the locker. (PEHSTR_EXT)
- :*.mdf:*.xls:*.DT: (PEHSTR_EXT)
- *.pptx|||{}|||000 (PEHSTR_EXT)
- Transaction was sent and will be verified soon. (PEHSTR_EXT)
- Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server. (PEHSTR_EXT)
- :Visit www.localbitcoins.com to find a seller in your area. (PEHSTR)
- C:\ZeroLocker\ZeroRescue.exe (FILEPATH)
- encrypted.%f0%%c0% (PEHSTR_EXT)
- %a1%%f3%%c3%Test decryption.%f0%%c0% (PEHSTR_EXT)
- %a1%%f3%%c3%Requesting private key.%f0%%c0% (PEHSTR_EXT)
- POST /unlock HTTP/1.1 (PEHSTR_EXT)
- block@mail2tor.com (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (PEHSTR_EXT)
- cleen.bat (PEHSTR_EXT)
- .two@AUSI.COM (PEHSTR_EXT)
- .docx (PEHSTR_EXT)
- africa.bmp (PEHSTR_EXT)
- .jpeg (PEHSTR_EXT)
- /close/script.php (PEHSTR_EXT)
- .com/open/script.php (PEHSTR_EXT)
- /invoke.php?prefix=%d (PEHSTR_EXT)
- /upload.php?id=%s&filename=%s_%S (PEHSTR_EXT)
- winver=%d.%d.%d (PEHSTR_EXT)
- RtlDecompressBuffer (PEHSTR_EXT)
- )]6UUt8\ (SNID)
- ?WinRAR\Rar.exe" a -r -y -ri15 -df -m0 -inul -p%pass% %filename% (PEHSTR)
- -WinRAR\Rar.exe" c %filename% -z%commentsfile% (PEHSTR)
- Lock.rar (PEHSTR)
- ecies.public.key (PEHSTR_EXT)
- won't EVER get your files back. (PEHSTR_EXT)
- .php?hwid= (PEHSTR_EXT)
- 0/crypt/gate.php (PEHSTR)
- 1.0.0.1 (PEHSTR)
- %s?cmd=%d&ver=%s&uid=%s (PEHSTR)
- -.xlsm (PEHSTR)
- .xlsx (PEHSTR)
- %s.crypted (PEHSTR)
- .crypted (PEHSTR)
- Decrypting files... (PEHSTR)
- The only way to restore them - purchase the unique unlock code. (PEHSTR_EXT)
- BUYUNLOCKCODE.txt (PEHSTR_EXT)
- .enc0ded (PEHSTR_EXT)
- .bat (PEHSTR_EXT)
- help@antivirusebola.com (PEHSTR_EXT)
- denge.batcave.net/gaza/ (PEHSTR_EXT)
- dayriyzyith.comeze.com/ (PEHSTR_EXT)
- ebola.bmp (PEHSTR_EXT)
- /asm/test.php (PEHSTR_EXT)
- /task/res.php (PEHSTR_EXT)
- reg.php (PEHSTR_EXT)
- Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!. (PEHSTR_EXT)
- delete shadows /all (PEHSTR_EXT)
- \HELP_RESTORE_FILES (PEHSTR_EXT)
- \RESTORE_FILES (PEHSTR_EXT)
- %lld&OS=%ld&ID=%d&subid=%d&gate=G%d&is_admin=%d&is_64=%d&ip=%s&exe_type= (PEHSTR_EXT)
- /state (PEHSTR_EXT)
- .php?%s (PEHSTR_EXT)
- /tsdfewr (PEHSTR_EXT)
- All files Decrypted Everything is fine, now decrypting all files. (PEHSTR_EXT)
- Your files have been safely encrypted on this PC: photos,videos, documents,etc. (PEHSTR_EXT)
- Everything is fine, now decrypting all files. (PEHSTR_EXT)
- \CryptoLocker.lnk (PEHSTR_EXT)
- \Save_Files.lnk (PEHSTR_EXT)
- \HELP_TO_DECRYPT_YOUR_FILES (PEHSTR_EXT)
- \HELP_TO_SAVE_YOUR_FILES (PEHSTR_EXT)
- \RECOVERY_KEY.TXT (PEHSTR_EXT)
- \CryptoLocker.lnk (FILEPATH)
- \HELP_RESTORE_FILES.bmp (FILEPATH)
- \HELP_RESTORE_FILES.txt (FILEPATH)
- \HELP_TO_SAVE_YOUR_FILES.bmp (FILEPATH)
- ping 127.0.0.1 (PEHSTR_EXT)
- del /f (PEHSTR_EXT)
- *.odt,*.ods,*.odp,*.odb,*. (PEHSTR)
- *.tar,*.eml,*.1cd,* (PEHSTR)
- /startenc.txt (PEHSTR)
- lst.php?str= (PEHSTR)
- /index.php?ids= (PEHSTR)
- </key> (PEHSTR)
- chickenkiller.com (PEHSTR)
- \\.\PhysicalDrive6 (PEHSTR_EXT)
- \\.\PhysicalDrive7 (PEHSTR_EXT)
- &date=%lld&OS=%ld&ID=%d&subid=%d&gate=G%d&is_admin=%d&is_64=%d&ip=%s&exe_type=%d (PEHSTR_EXT)
- L:\0x00\[ransomware]\ (PEHSTR_EXT)
- TeslaCryptDecoder.dll (PEHSTR_EXT)
- /inf.safe.360.cn/api/key?key= (PEHSTR_EXT)
- ROOT\SecurityCenter2 (PEHSTR_EXT)
- .ibank (PEHSTR_EXT)
- .wallet (PEHSTR_EXT)
- \~Z/S (SNID)
- ,QAW/ (SNID)
- .blockchain.info/en/wallet (PEHSTR_EXT)
- rack-core.bin (PEHSTR_EXT)
- identity;q=1.0, *;q=0 (PEHSTR_EXT)
- inetOpen: [http://%s%s] [%s] [%s] (PEHSTR_EXT)
- decrypt and suicide (1)... (PEHSTR_EXT)
- processing %u subdirs... (PEHSTR_EXT)
- WinLockDll.dll (PEHSTR_EXT)
- software\microsoft\windows\CurrentVersion\Run\blue (PEHSTR_EXT)
- exeName (PEHSTR_EXT)
- \TOX RANSOM.html (PEHSTR_EXT)
- \tox.log (PEHSTR_EXT)
- \tox_tor\ (PEHSTR_EXT)
- .toxcrypt (PEHSTR_EXT)
- \tox.done.log (PEHSTR_EXT)
- \CryptoApp\build\bin\Release\KeepAlive.pdb (PEHSTR_EXT)
- \CryptoApp\build\bin\Release\SelfDestroy.pdb (PEHSTR_EXT)
- bitcoin_address=%s&empid=%s&comp=%s&ipv4=%s&blkk=%s&publ=%s&priv=%s (PEHSTR_EXT)
- How can you decrypt your files</legend> (PEHSTR_EXT)
- \crypttro\Release\crypttro.pdb (PEHSTR_EXT)
- %s\%s.decryptmy@india.com (PEHSTR_EXT)
- %s\help-decrypt-file.enc (PEHSTR_EXT)
- %s\sicretkey.enc (PEHSTR_EXT)
- crrsa@inet.ua (PEHSTR_EXT)
- .b781cbb29054db12f88f08c6e161c199.rsa (PEHSTR_EXT)
- http://premiumtabs.org/combat/index.php/api/gettextdata?data={%22id%22:%221%22} (PEHSTR_EXT)
- C:\Windows\combat.txt (PEHSTR_EXT)
- .randomname- (PEHSTR_EXT)
- .to/vict?cust= (PEHSTR_EXT)
- encryptor_raas_readme_liesmich.txt (PEHSTR_EXT)
- The files on your computer have been securely encrypted by Encryptor RaaS. (PEHSTR_EXT)
- wallet.dat (PEHSTR_EXT)
- encfiles.txt (PEHSTR_EXT)
- files.list (PEHSTR_EXT)
- encmsg.html (PEHSTR_EXT)
- win.exe (PEHSTR_EXT)
- winstart.exe (PEHSTR_EXT)
- </EncryptionKey> (PEHSTR_EXT)
- /index.php?act=s&s= (PEHSTR_EXT)
- 3see your computer explode!!! NOBODY CAN DELETE THIS (PEHSTR)
- ;Computer destroyed succesfully, rebooting to finish process (PEHSTR)
- &enter the key and re-use your computer (PEHSTR)
- ?COMPUTER DESTROYED, YOU BETTER PAYED THE FEE, see you next time (PEHSTR)
- *://satoshibox.com/5578e40712fb6d9f028b45a1 (PEHSTR)
- UC:\Users\Owner\Desktop\TOR ransomware\Ransomware 2.0\obj\Debug\TOR_DEALER_CUSTOM1.pdb (PEHSTR)
- Bassmonster68@safe-mail.net (PEHSTR)
- \obj\x86\Release\ (PEHSTR_EXT)
- enter your Payment ID from above.<br> (PEHSTR_EXT)
- \Bin\a2hooks32.pdb (PEHSTR_EXT)
- \{A2IPC} (PEHSTR_EXT)
- electrum.dat (PEHSTR_EXT)
- /C vssadmin Delete Shadows /Quiet /All (PEHSTR_EXT)
- The files on your computer have been securely encrypted by Encryptor (PEHSTR_EXT)
- RaaS. (PEHSTR_EXT)
- ://decryptoraveidf7.onion.cab (PEHSTR_EXT)
- Tartarus Ransome Instructions</title> (PEHSTR_EXT)
- Detox Ransome Instructions (PEHSTR_EXT)
- detoxransome@sigaint.org (PEHSTR_EXT)
- ShellExecuteA (PEHSTR_EXT)
- \Srv Lock\ (PEHSTR_EXT)
- bcdedit.exe /set {current} recoveryenabled off (PEHSTR_EXT)
- .tor2web (PEHSTR_EXT)
- bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures (PEHSTR_EXT)
- All your files were encrypted with the public key, which has been transferred to your computer via the Internet. (PEHSTR_EXT)
- .onion/%S</font><br> (PEHSTR_EXT)
- suggest you do not waste valuable time searching for other solutions because they do not exist. (PEHSTR_EXT)
- dmin.exe (PEHSTR_EXT)
- /Quiet (PEHSTR_EXT)
- two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way. (PEHSTR_EXT)
- .onion/%S (PEHSTR_EXT)
- If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. (PEHSTR_EXT)
- !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. (PEHSTR_EXT)
- cryptlocker.Properties.Resources (PEHSTR_EXT)
- <a href="mailto:filesos@yeah.net">filesos@yeah.net</a> (PEHSTR_EXT)
- *.doc,*.docx,*.docm,*.odt,*.xls,*.xlsx,*.xlsm,*.csv,*.xlsb,*.ods,*.sxc,*.ppt,*.pptx,*.pptm,*.odp,*.dbf,*.mdb,*.ACCDA,*.ACCDB, (PEHSTR_EXT)
- .ExecQuery("Select * From Win32_ShadowCopy") (PEHSTR_EXT)
- HELP_DECRYPT. (PEHSTR_EXT)
- %s.crypt (PEHSTR_EXT)
- \YOUR_FILES_ARE_ENCRYPTED.HTML (PEHSTR_EXT)
- <title>Chimera® Ransomware</title> (PEHSTR_EXT)
- Sie wurden Opfer der Chimera Malware. (PEHSTR_EXT)
- NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" (PEHSTR_EXT)
- @have been encrypted using a military grade encryption algorithm. (PEHSTR)
- */k vssadmin.exe Delete Shadows /All /Quiet (PEHSTR)
- \ReadDecryptFilesHere.txt (PEHSTR)
- Software\CryptInfinite (PEHSTR)
- #.onion.direct/lending/bot.php?name= (PEHSTR)
- .block (PEHSTR_EXT)
- email yagababushka@yahoo.com (PEHSTR_EXT)
- /READ_ME_FOR_DECRYPT.txt (PEHSTR_EXT)
- /READ ME FOR DECRYPT.txt (PEHSTR_EXT)
- %s%s.RDM (PEHSTR)
- YOUR_FILES.url (PEHSTR)
- Dprocess call create "cmd.exe /c vssadmin delete shadows /all /quiet" (PEHSTR)
- URL=http://%s/ld/?id=%s (PEHSTR)
- .onion.to/%S (PEHSTR_EXT)
- Email us two encrypted files along with secret.key file (PEHSTR_EXT)
- \NEED_READ.TXT (PEHSTR_EXT)
- NetworkSubsystem.lnk (PEHSTR_EXT)
- upd.php? (PEHSTR_EXT)
- /task.php? (PEHSTR_EXT)
- .onion (PEHSTR_EXT)
- \Csrss\Configuration\ (PEHSTR_EXT)
- /stat/ (PEHSTR_EXT)
- /pass/ (PEHSTR_EXT)
- Control Panel\Desktop (PEHSTR_EXT)
- work\ml1\Release (PEHSTR)
- .vscrypt (PEHSTR)
- :\vsworkdir (PEHSTR)
- *.pdf (PEHSTR)
- schtasks.exe /delete /TN uac /F (PEHSTR)
- *bcdedit /set {current} recoveryenabled off (PEHSTR)
- /nointeractive (PEHSTR_EXT)
- FileLocker. (PEHSTR)
- *fr-fr/acheter/trouver-des-points-de-vente/ (PEHSTR)
- *.*crypt (PEHSTR)
- ?changecomment=& (PEHSTR)
- Software\xxxsys\ (PEHSTR_EXT)
- %s\%s+%s. (PEHSTR_EXT)
- %s\help_recover_instructions (PEHSTR_EXT)
- /set {current} bootstatuspolicy IgnoreAllFailures (PEHSTR_EXT)
- /set {current} (PEHSTR_EXT)
- 83.217.8.61 (PEHSTR_EXT)
- 31.202.130.9 (PEHSTR_EXT)
- 91.234.35.106 (PEHSTR_EXT)
- /checkupdate (PEHSTR_EXT)
- =$|$=-=.~ (PEHSTR_EXT)
- y\PHX& (SNID)
- Cryptowall.Properties (PEHSTR_EXT)
- PadCrypt.pdb (PEHSTR_EXT)
- Cryptowall\bin\Debug\Obfuscated\ (PEHSTR_EXT)
- PadCrypt.exe (PEHSTR_EXT)
- 1. http://{TOR}.{SITE_1}/{PC_ID} (PEHSTR_EXT)
- Local private.key file found (PEHSTR_EXT)
- Wqs}\ (SNID)
- @6"|. (SNID)
- k\Ew! (SNID)
- + Q/|I (SNID)
- 6. tc? (SNID)
- PSub=%s&dh=%s&addr=%s&size=%lld&version=4.0&OS=%ld&ID=%d&inst_id=%X%X%X%X%X%X%X%X (PEHSTR)
- .onion/%S (PEHSTR)
- .com/%S (PEHSTR)
- .at/%S (PEHSTR)
- /eGSk (SNID)
- encryptor.dll (PEHSTR)
- ://zvnvp2rhe3ljwf2m.onion (PEHSTR)
- PetyaExtractor.exe (PEHSTR_EXT)
- You became victim of the PETYA RANSOMWARE! (PEHSTR_EXT)
- ://petya (PEHSTR_EXT)
- \history\ (PEHSTR_EXT)
- \mozilla\ (PEHSTR_EXT)
- \chrome\ (PEHSTR_EXT)
- \temp\ (PEHSTR_EXT)
- jfif,jpe,jpeg,jpg,js,kdb,kdc,kf,layout, (PEHSTR_EXT)
- .html (PEHSTR_EXT)
- shadowcopy delete /nointeractive (PEHSTR_EXT)
- \-!recover!-!file!-.txt (PEHSTR_EXT)
- \desctop._ini (PEHSTR_EXT)
- S-1-5-18\Software\Axronics (PEHSTR_EXT)
- \Run /v %s /t REG_SZ /d "%s" /f (PEHSTR_EXT)
- Mozilla/5.0 (Windows NT 6.3 rv:11.0) like Gecko (PEHSTR_EXT)
- */*, Crypted, Ping, data=%s (PEHSTR_EXT)
- xe:Zone.Identifier (PEHSTR_EXT)
- Delete Shadows /all /quiet (PEHSTR_EXT)
- .replace(/\\\\{id\\\\}/g, (PEHSTR_EXT)
- yl.mC (SNID)
- RansomUsd (PEHSTR_EXT)
- VAULT.KEY<br> (PEHSTR_EXT)
- ="http://dist.torproject.org/torbrowser (PEHSTR_EXT)
- ="http://torscreen.org (PEHSTR_EXT)
- .crypt (PEHSTR_EXT)
- !!! Specially for your PC was generated personal RSA4096 Key , both public and private. (PEHSTR_EXT)
- \CryptProjectXXX\Loader\DDetours.pas (PEHSTR_EXT)
- \CryptProjectXXX\Loader\InstDecode.pas (PEHSTR_EXT)
- :443 HTTP (PEHSTR_EXT)
- momsbestfriend@protonmail.com or torrenttracker@india.com (PEHSTR_EXT)
- Your files are now encrypted. I have the key to decrypt them back. (PEHSTR_EXT)
- System32\vssadmin.exe (PEHSTR_EXT)
- delete shadows /all /Quiet (PEHSTR_EXT)
- Software\LockFish (PEHSTR)
- \fileencrypt.exe (PEHSTR)
- .fishing (PEHSTR)
- /add.php?prvkey= (PEHSTR)
- Encrypted.dat (PEHSTR_EXT)
- \Microsoft\TrueCrypter\ (PEHSTR_EXT)
- Config/Infos/Encrypted (PEHSTR_EXT)
- /C choice /C Y /N /D Y /T 1 & Del (PEHSTR_EXT)
- /Status.php (PEHSTR_EXT)
- \Microsoft\Crypto (PEHSTR_EXT)
- /Transaction.php (PEHSTR_EXT)
- .enigma (PEHSTR_EXT)
- \\?\%s%c%c%c%c%c%c (PEHSTR_EXT)
- .crypted_pony_test_build_xxx_xxx_xxx_xxx_xxx (PEHSTR_EXT)
- *.bat (PEHSTR_EXT)
- *.bfc (PEHSTR_EXT)
- *.bin (PEHSTR_EXT)
- *.bk2 (PEHSTR_EXT)
- *.bmp (PEHSTR_EXT)
- *.bnk (PEHSTR_EXT)
- 4<h1>You became victim of the MISCHA RANSOMWARE!</h1> (PEHSTR)
- ://mischa (PEHSTR)
- <title>MISCHA Ransomware</title> (PEHSTR)
- Mischa.dll (PEHSTR)
- ##URL1##<br/> ##URL2## (PEHSTR)
- ##CODE## </body></html> (PEHSTR)
- .pspimage (PEHSTR)
- \$Recycle.Bin (PEHSTR)
- encrypted_list.txt (PEHSTR_EXT)
- encrypted_readme.txt (PEHSTR_EXT)
- datakey.txt (PEHSTR_EXT)
- Root/desktop file, will process later... (PEHSTR_EXT)
- %s._%02i-%02i-%02i-%02i-%02i-%02i_$%s$. (PEHSTR_EXT)
- vssadmin delete shadows /all /quiet (PEHSTR_EXT)
- C:\crysis\Release\PDB\payload.pdb (PEHSTR_EXT)
- DMA Locker 4.0 (PEHSTR_EXT)
- DMALOCK.ENCDECDD (PEHSTR_EXT)
- !DMALOCK4.0 (PEHSTR_EXT)
- Executing fist knock (PEHSTR_EXT)
- /crypto/gate?action= (PEHSTR_EXT)
- //%s/crypto/client_payment_instructions?botId=%s (PEHSTR_EXT)
- //%s/crypto/client_free_decrypt?botId=%s (PEHSTR_EXT)
- ransom_amount_increase_amount (PEHSTR_EXT)
- ransom_amount_increase_timestamp (PEHSTR_EXT)
- \vssadmin.exe delete shadows (PEHSTR_EXT)
- @zerobit.email (PEHSTR_EXT)
- \cryptinfo.txt (PEHSTR_EXT)
- \svchosd.exe (PEHSTR_EXT)
- \decrypting.txt (PEHSTR_EXT)
- \select.bat (PEHSTR_EXT)
- .vbs (PEHSTR_EXT)
- F:\trash\code\work\cerber\bin\Debug\cerber_x86.pdb (PEHSTR_EXT)
- \Release\MyEncrypter2.pdb (PEHSTR_EXT)
- zcrypt.exe (PEHSTR_EXT)
- \How to decrypt files.html (PEHSTR_EXT)
- ALL YOUR PERSONAL FILES ARE ENCRYPTED</font></p> (PEHSTR_EXT)
- autorun.inf (PEHSTR_EXT)
- #vssadmin delete shadows /all /quiet (PEHSTR)
- c:\Users\ss\Desktop\ihate11\ihate11\obj\Release\ihate11.pdb (PEHSTR_EXT)
- \CurrentVersion\GooglePic (PEHSTR_EXT)
- \Application Data\service.exe (PEHSTR_EXT)
- WinHTTP BotName/1.0 (PEHSTR_EXT)
- Key received ! Decryption starting now ... (PEHSTR_EXT)
- Procedure complete! (PEHSTR_EXT)
- delete shadows /all /quiet (PEHSTR_EXT)
- locked/ (PEHSTR_EXT)
- exodus99.ru (PEHSTR_EXT)
- out.bin (PEHSTR_EXT)
- InternetExplorer.Application (PEHSTR_EXT)
- recover.txt (PEHSTR)
- \recover.bmp (PEHSTR)
- .bart (PEHSTR)
- %s\VSSADMIN.EXE (PEHSTR_EXT)
- id=%d&code=%d&sdata=%d.%d.%d (PEHSTR_EXT)
- html.lnk (PEHSTR_EXT)
- bmp.lnk (PEHSTR_EXT)
- txt.lnk (PEHSTR_EXT)
- 123.temp (PEHSTR_EXT)
- .evil (PEHSTR)
- All your attempts to restore files on their own, lead to the loss of the possibility of recovery and we are not going to help you.< (PEHSTR)
- RemindMe_Ransom (PEHSTR)
- \DECRYPT_YOUR_FILES.HTML (PEHSTR)
- .korrektor (PEHSTR)
- korrektorfile\shell\open\command (PEHSTR)
- c:\look.jpg (PEHSTR)
- ;boot.ini;NTDETECT.COM;Bootfont.bin;ntldr;bootmgr;BOOTNXT;BOOTSECT.BAK;NTUSER.DAT;PDOXUSRS.NET; (PEHSTR_EXT)
- CryptON\lock\xAES.pas (PEHSTR_EXT)
- /payment.html (PEHSTR)
- /stat.html (PEHSTR)
- \\physicaldrive0 (PEHSTR_EXT)
- 2. 1-2 encrypted files (please dont send files bigger than 1 MB) (PEHSTR_EXT)
- recoveryhelp@bk.ru (PEHSTR_EXT)
- decryptionservice@mail.ru (PEHSTR_EXT)
- ransomware. (PEHSTR_EXT)
- .resources (PEHSTR_EXT)
- HitlerRansomware_Load (PEHSTR_EXT)
- http://%s%simg.jpg (PEHSTR_EXT)
- vssadmin.exe (PEHSTR_EXT)
- \R980\Release\R980.pdb (PEHSTR_EXT)
- \VenusLockerV2\VenusLocker\obj\Release\VenusLocker.pdb (PEHSTR_EXT)
- VenusLocker.exe (PEHSTR_EXT)
- (in your case \"Cerber Decryptor\" software) for safe and complete (PEHSTR_EXT)
- <h3>C E R B E R R A N S O M W A R E</h3> (PEHSTR_EXT)
- ShinoLockerMain.exe (PEHSTR_EXT)
- .shino (PEHSTR_EXT)
- ShinoLockerMain.My (PEHSTR_EXT)
- DetoxCrypto\DetoxCrypto\obj\Debug\MicrosoftHost.pdb (PEHSTR_EXT)
- detoxcrypto.net16.net/generate.php (PEHSTR_EXT)
- \Pokemon\key.txt (PEHSTR_EXT)
- \Pokemon\total.txt (PEHSTR_EXT)
- \Downloads\Pokemon\pokbg.jpg (PEHSTR_EXT)
- \Downloads\Pokemon\Pokemon.exe (PEHSTR_EXT)
- Shark.exe (PEHSTR)
- smtp.noproblembro.com (PEHSTR_EXT)
- decryptor2013@gmail.com, (PEHSTR_EXT)
- Delete Shadows /All /Quiet (PEHSTR_EXT)
- .locked (PEHSTR_EXT)
- /hiddentear/ (PEHSTR_EXT)
- delete shadows /all /quiet (PEHSTR)
- secret.key (PEHSTR)
- READTHISNOW!!!.txtd (PEHSTR)
- Go to http://bitmessage.org/ (PEHSTR_EXT)
- tar,jar,bmp,swm,vault,xtbl,ctb,113,73b,a3d,abf (PEHSTR_EXT)
- @@@@AI@@@@LB@@@@@@@@ODS@@@DWC\@ (PEHSTR_EXT)
- setupapi.dll (PEHSTR_EXT)
- code\tor\torr\libressl-2.3.1\crypto\ (PEHSTR_EXT)
- tor\torr\libressl-2.3.1\ssl\ssl_lib.c (PEHSTR_EXT)
- ..\..\sources\ext-libs\libtomcrypt\ciphers\aes (PEHSTR_EXT)
- %s.cry (PEHSTR)
- %s\%u.tmp (PEHSTR)
- 0%s\*.* (PEHSTR)
- %s\old_shortcuts (PEHSTR)
- https://pastee.org/% (PEHSTR)
- @imgur.com (PEHSTR)
- /upload/checkcaptcha (PEHSTR)
- /maps/api/browserlocation/json?brows (PEHSTR)
- %s\!Recovery_%s.html (PEHSTR)
- Invoice\HiDdEn-TeAr\obj\Debug\invoice.pdb (PEHSTR_EXT)
- C:\DC22\netpass.exe (PEHSTR_EXT)
- net user /add mythbusters (PEHSTR_EXT)
- (w889901665@yandex.com) (PEHSTR_EXT)
- Your H.D.D Encrypted , Contact Us For Decryption Key (PEHSTR_EXT)
- \Ransomware\Ransomware\obj\Debug\R.pdb (PEHSTR_EXT)
- PYour email address %s@mailinator.com Wait up to 24 hours for validation your TX (PEHSTR)
- 0help_dcfile.txt (PEHSTR)
- `mailinator.com/inbox2.jsp?public_to=%s (PEHSTR)
- help_dcfile.txt (PEHSTR_EXT)
- /c schtasks /create /tn enc /tr "C:\Program Files\ (PEHSTR_EXT)
- .exe" /sc onlogon /rl highest /f (PEHSTR_EXT)
- /rd hyghnhy /ig wfnwvra /e (PEHSTR_EXT)
- /d rdwalrxr /divlav /ay vyd /ai (PEHSTR_EXT)
- KillerLocker.exe (PEHSTR_EXT)
- encrypt .rip (PEHSTR_EXT)
- sua chave serao eliminadas em 48 horas. (PEHSTR_EXT)
- \KillerLocker\KillerLocker\obj\Release\KillerLocker.pdb (PEHSTR_EXT)
- criptografia AES 256 BIT Muito forte.Realize o pagamento em: (PEHSTR_EXT)
- .dbf.pll.ntx.ovl.prn.chm.bmp.ini (PEHSTR_EXT)
- ReadMe.TxT (PEHSTR_EXT)
- /victim.php?info=s (PEHSTR)
- encryptor.pywt (PEHSTR)
- encryptor.py (PEHSTR)
- ;bcdedit /set {default} bootstatuspolicy ignoreallfailuresss (PEHSTR)
- pREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v DisableRegistryTools /d 1 (PEHSTR)
- jREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v DisableTaskMgr /d 1 (PEHSTR)
- fREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v DisableCMD /d 1 (PEHSTR)
- cREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /t REG_DWORD /v NoRun /d 1 (PEHSTR)
- Delete Shadows /All /Quiet (PEHSTR)
- Win_encryptor.pyw (PEHSTR)
- sREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 (PEHSTR)
- create_remote_desktop. (PEHSTR)
- _README_FOR_DECRYPT.t (PEHSTR)
- start hard drive encryption... (PEHSTR_EXT)
- & taskkill /im Mount.exe (PEHSTR_EXT)
- .ransom\cs\ransom\ransom\obj\Debug\ransom.pdb (PEHSTR)
- /c ping 1.1.1.1 -n 1 -w (PEHSTR_EXT)
- info_%.8X.info (PEHSTR_EXT)
- \sosad_%.8X (PEHSTR_EXT)
- goopdate.dll (PEHSTR_EXT)
- shadows /all (PEHSTR_EXT)
- crp.cfg (PEHSTR_EXT)
- /addressbalance/%s?confirmations=%d (PEHSTR_EXT)
- %s?id=%.8X&getpm (PEHSTR_EXT)
- %s_%.8X.qr.png (PEHSTR_EXT)
- karma Ransomware (PEHSTR_EXT)
- /xUser.php?user= (PEHSTR_EXT)
- # DECRYPT MY FILES #.html (PEHSTR_EXT)
- .onion/x1234 (PEHSTR_EXT)
- WindowsTuneUp.Resources (PEHSTR_EXT)
- 127.0.0.1:%u/splash?ctrl=%u&f=1&id=%s (PEHSTR_EXT)
- api.ipify.org (PEHSTR_EXT)
- linkedin.com (PEHSTR_EXT)
- %s\shared.xml (PEHSTR_EXT)
- Decryption Software. (PEHSTR_EXT)
- C:\Users\public.Unkonw\Desktop\CRP_95_08_30_v3\CRP\Release\Mount.pdb (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PEHSTR_EXT)
- /add (PEHSTR_EXT)
- @/add (PEHSTR_EXT)
- @/active:yes (PEHSTR_EXT)
- \BleedGreen.pdb (PEHSTR)
- Encrypting done. Time left: %dms (PEHSTR_EXT)
- Network searching done. Time left: %dms (PEHSTR_EXT)
- NkQ/~ (SNID)
- Welcome to my Ransomware! (PEHSTR_EXT)
- In order to have relationship with us, and pay the ransom; (PEHSTR_EXT)
- zXz.html (PEHSTR_EXT)
- osieyrgvbsgnhkflkstesadfakdhaksjfgyjqqwgjrwgehjgfdjgdffg (PEHSTR_EXT)
- zdsrfvdg23.exe (PEHSTR_EXT)
- rock2.exe (PEHSTR_EXT)
- egzertyuhfgdfhjs.exe (PEHSTR_EXT)
- exturydtcfdg.exe (PEHSTR_EXT)
- dllhgjdvdfgdf (PEHSTR_EXT)
- dsjhfcgfnjsghfuytaweyajgshdfsdf (PEHSTR_EXT)
- %s.sage (PEHSTR_EXT)
- /maps/api/browserlocation/json?brows (PEHSTR_EXT)
- !Recovery_%s.html (PEHSTR_EXT)
- /test_site_scripts/moduls/traffic/get_info.php (PEHSTR_EXT)
- 45.76.81.110 (PEHSTR_EXT)
- mailsupload.php (PEHSTR_EXT)
- /test_site_scripts/moduls/connects/ (PEHSTR_EXT)
- %s\OfficeTab\Favorites (PEHSTR_EXT)
- \ExcelFavorite.acl (PEHSTR_EXT)
- %s\MicroSoftWare (PEHSTR_EXT)
- %s\1FAAXB2.tmp (PEHSTR_EXT)
- %s\%s.HTML (PEHSTR_EXT)
- %s\%s.TXT (PEHSTR_EXT)
- %s\Stop Ransomware Decrypts Tools.exe (PEHSTR_EXT)
- %s\MicroSoftWare\SmartScreen\%s.exe (PEHSTR_EXT)
- momory could not be read. (PEHSTR_EXT)
- Windows SmartScreen Updater (PEHSTR_EXT)
- cmd /c vssadmin delete shadows /all /quiet (PEHSTR_EXT)
- /To buy the decryptor, you must pay the cost of: (PEHSTR)
- hmshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\ (PEHSTR)
- taskkill /F /T /PID (PEHSTR_EXT)
- \Desktop\ (PEHSTR_EXT)
- HOW_OPEN_FILES.hta (PEHSTR_EXT)
- \wall.jpg (PEHSTR_EXT)
- qwtyufdlkj.tmp (PEHSTR_EXT)
- rsa_priv_testing.txt (PEHSTR_EXT)
- .707RECOVER-FILE (PEHSTR_EXT)
- del Default.rdp (PEHSTR_EXT)
- vssadmin.exe Delete Shadows /All /Quiet (PEHSTR_EXT)
- for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" (PEHSTR_EXT)
- reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f (PEHSTR_EXT)
- .HakunaMatata (PEHSTR_EXT)
- *bootmgr* *boot* *boot* *CONFIG.SYS* (PEHSTR_EXT)
- *\java\* *\TeamViewer\* *\windows\* (PEHSTR_EXT)
- <img src='data:image/gif;base64,R0lGOD (PEHSTR_EXT)
- All your files are encrypted.Using AES256-bit encryption (PEHSTR_EXT)
- Crypter with problems. Screwed up configuration. (PEHSTR_EXT)
- Hugs, NMoreira Core Dev. (PEHSTR_EXT)
- Recovers files yako.html (PEHSTR_EXT)
- notbadbat,.bat (PEHSTR_EXT)
- %SystemRoot%\System32\shell32.dll,47 (PEHSTR_EXT)
- braincrypt.go (PEHSTR)
- /gateway/gate.php (PEHSTR)
- qbelow to other people, if two or more people will install this file and pay, we will decrypt your files for free. (PEHSTR)
- OTo decrypt your files you need to buy the special software 'Serpent Decrypter'. (PEHSTR)
- M<a href="[paymentdomain0]/[hwid]" target="_BLANK">[paymentdomain0]/[hwid]</a> (PEHSTR)
- M<a href="[paymentdomain1]/[hwid]" target="_BLANK">[paymentdomain1]/[hwid]</a> (PEHSTR)
- 0[paymentdomain0]/[hwid] (PEHSTR)
- [paymentdomain1]/[hwid] (PEHSTR)
- 3o4kqe6khkfgx25g.onion (PEHSTR)
- //vdpbkmwbnp.pw (PEHSTR)
- //hnxrvobhgm.pw (PEHSTR)
- //146.71.84.110:8080 (PEHSTR)
- //185.175.208.12:8080 (PEHSTR)
- //94.140.120.88:8080 (PEHSTR)
- .serpent (PEHSTR)
- agntsvc.exeisqlplussvc.exe (PEHSTR)
- serpent.ini (PEHSTR)
- \HOW_TO_DECRYPT_YOUR_FILES_ (PEHSTR)
- encryptionsoftware.Resources (PEHSTR)
- <rsa_public></rsa_public> (PEHSTR)
- \$recycle.bin\ (PEHSTR)
- ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile (PEHSTR_EXT)
- :\DEV\GLOBE\LOCKER\uBigIntsV3.pas (PEHSTR_EXT)
- .exe D (PEHSTR_EXT)
- dows /A (PEHSTR_EXT)
- ll /Q (PEHSTR_EXT)
- :\crysis\Release\PDB\payload.pdb (PEHSTR)
- AYes, To Unlock Your PC Now, You can 2 things. You have to play us (PEHSTR)
- HThanks for Buying the Passcode. Wish you could have no Virus from today, (PEHSTR)
- microsoftxyber@hackindex.com (PEHSTR)
- '</a><br><a class="submit"href="https:// (PEHSTR)
- $<title>Your data was locked!</title> (PEHSTR)
- N(bootsect.bak|iconcache.db|ntuser.dat|thumbs.db|activationstore.dat|microsoft) (PEHSTR)
- %s%08X%08X%08X%08X.%s (PEHSTR_EXT)
- :\USERDATA\*.* (PEHSTR_EXT)
- ACH.ADB.ADS.AIT.AL.APJ. (PEHSTR_EXT)
- /js/other_scripts/get.php (PEHSTR_EXT)
- %s\Microsofts\Windows NT\%s.exe (PEHSTR_EXT)
- MS Common User Interface (PEHSTR_EXT)
- Virus and spyware definitions couldn't be updated. (PEHSTR_EXT)
- agntsvc.exeisqlplussvc.exe (PEHSTR_EXT)
- Lick.real.decrypter (PEHSTR)
- Kirk.real (PEHSTR)
- qfjgmfgmkj.tmp (PEHSTR)
- rsa_priv_testing.txt (PEHSTR)
- \wall.jpg (PEHSTR)
- \Users\a11chemist\Documents\ (PEHSTR)
- \a13lock_final.pdb (PEHSTR)
- CERBER RANSOMWARE (PEHSTR_EXT)
- url('data:image/gif;base64,R0lGOD (PEHSTR_EXT)
- <h1>CERBER RANSOMWARE</h1> (PEHSTR_EXT)
- (blackList.indexOf(macAddress) (PEHSTR_EXT)
- ("en, ar, zh, nl, fr, de, it, ja, ko, pl, pt, es, tr".indexOf(nav_lang) (PEHSTR_EXT)
- "%TEMP%\[EXE_NAME]" (PEHSTR_EXT)
- \Run" /v "[HTA_NAME]" /t REG_SZ /f /d "\"[HTA_PATH]"\" (PEHSTR_EXT)
- \Shell Icons" /v "29" /t REG_SZ /f /d "[ICO_PATH],0" (PEHSTR_EXT)
- "[FILENAME]" /E /G %USERNAME%:F /C (PEHSTR_EXT)
- /f /q "[TO_PATH]" (PEHSTR_EXT)
- "[DIR_NAME]\[HID_NAME]" > "%TEMP%\[EXE_NAME]" (PEHSTR_EXT)
- prog.php (PEHSTR_EXT)
- err.php (PEHSTR_EXT)
- cmd.php (PEHSTR_EXT)
- sys.php (PEHSTR_EXT)
- shd.php (PEHSTR_EXT)
- .no_more_ransom (PEHSTR_EXT)
- .tyson (PEHSTR_EXT)
- desktop.ini|boot.ini|Bootfont.bin|ntuser.ini|NTUSER.DAT|IconCache.db (PEHSTR_EXT)
- a4ad4ip2xzclh6fd.onion (PEHSTR_EXT)
- SOFTWARE\System32\Configuration\ (PEHSTR_EXT)
- csrss.lnk (PEHSTR_EXT)
- \BTCWare\btcw\ (PEHSTR_EXT)
- DsrIWhQ4PmbYbkxqL1f4Kdi/SXSZplZ+ZJ0JzRAW/0PPe+i+obKQjPr25iTqQDfP7 (PEHSTR_EXT)
- no.btcw@protonmail.ch (PEHSTR_EXT)
- LETTER ATTACH YOUR FILE key.dat! (PEHSTR_EXT)
- BTCWare-locker. (PEHSTR_EXT)
- .db_journa (PEHSTR_EXT)
- .plus_muhd (PEHSTR_EXT)
- %s\key.dat (PEHSTR_EXT)
- %s\mfskSkfkls.exe (PEHSTR_EXT)
- %s\#_HOW_TO_FIX.inf (PEHSTR_EXT)
- %s.[%s].btcware (PEHSTR_EXT)
- /c vssadmin.exe Delete Shadows /All /Quiet (PEHSTR_EXT)
- /c bcdedit.exe /set {default} recoveryenabled No (PEHSTR_EXT)
- /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
- launcher.dll (PEHSTR)
- mssecsvc.exe (PEHSTR)
- f.wnry (PEHSTR_EXT)
- %.1f BTC (PEHSTR_EXT)
- @WanaDecryptor@.exe (PEHSTR_EXT)
- %08X.eky (PEHSTR_EXT)
- %08X.pky (PEHSTR_EXT)
- %08X.res (PEHSTR_EXT)
- tasksche.exed (PEHSTR_EXT)
- tasksche.exe (PEHSTR_EXT)
- t.wnry (PEHSTR_EXT)
- icacls . /grant Everyone:F / (PEHSTR_EXT)
- msg/m_korean.wnry (PEHSTR_EXT)
- pmsg/m_latvian.wnry (PEHSTR_EXT)
- taskdl.exe (PEHSTR_EXT)
- cmd. (PEHSTR_EXT)
- u.wnry (PEHSTR_EXT)
- cmd.exe /c reg add (PEHSTR_EXT)
- \s.wnry (FILEPATH)
- \u.wnry (FILEPATH)
- "\Desktop\HOW_TO_DECRYPT_FILES.html (PEHSTR)
- .onion.to/decrypt/ (PEHSTR)
- )Microsoft.VisualBasic.ApplicationServices (PEHSTR)
- System.Reflection (PEHSTR)
- M?\J. (SNID)
- %s\!HELP_SOS.hta (PEHSTR_EXT)
- System.Net.Security (PEHSTR_EXT)
- Your computer has been infected (PEHSTR_EXT)
- Microsoft.VisualBasic (PEHSTR_EXT)
- /scripts/superfish/js/supersubs.php (PEHSTR_EXT)
- 212.47.254.187 (PEHSTR_EXT)
- %s\INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT (PEHSTR_EXT)
- bcdedit /set {default} recoveryenabled No (PEHSTR_EXT)
- %d.%d.%d.%d2 (PEHSTR)
- \\%s\ipc$ (PEHSTR)
- taskhcst.exe (PEHSTR)
- lsasvs.exe (PEHSTR)
- icacls . /grant Everyone (PEHSTR_EXT)
- cmd.exe /c (PEHSTR_EXT)
- .lay6 (PEHSTR_EXT)
- .sqlite3 (PEHSTR_EXT)
- .sqlitedb (PEHSTR_EXT)
- .accdb (PEHSTR_EXT)
- .java (PEHSTR_EXT)
- .class (PEHSTR_EXT)
- .mpeg (PEHSTR_EXT)
- .djvu (PEHSTR_EXT)
- .tiff (PEHSTR_EXT)
- .backup (PEHSTR_EXT)
- .vmdk (PEHSTR_EXT)
- .sldm (PEHSTR_EXT)
- .sldx (PEHSTR_EXT)
- .onetoc2 (PEHSTR_EXT)
- .vsdx (PEHSTR_EXT)
- .potm (PEHSTR_EXT)
- .potx (PEHSTR_EXT)
- .ppam (PEHSTR_EXT)
- !WannaDecryptor!.exe (PEHSTR)
- u.wry (PEHSTR)
- %.1f BTC (PEHSTR)
- ,WScript.CreateObject("WScript.Shell")> c.vbs (PEHSTR)
- Global\MsWinZonesCacheCounterMutexAd (PEHSTR_EXT)
- t.wnryd (PEHSTR_EXT)
- m_%s.wnry (PEHSTR_EXT)
- SintaRun.py (PEHSTR_EXT)
- Crypto.CipherR( (PEHSTR_EXT)
- api.php?info=s (PEHSTR_EXT)
- /t REG_DWORD /v DisableRegistryTools /d 1 (PEHSTR_EXT)
- *.unity3d (PEHSTR_EXT)
- *.vmdk (PEHSTR_EXT)
- *.vmx (PEHSTR_EXT)
- *.SQLITEDB (PEHSTR_EXT)
- *.SQLITE3 (PEHSTR_EXT)
- %%ID%%.UIWIX (PEHSTR_EXT)
- .onion/ (PEHSTR_EXT)
- .php; (PEHSTR_EXT)
- _DECODE_FILES.txt (PEHSTR_EXT)
- :TMemModule.: (PEHSTR_EXT)
- n<hta:application windowstate="minimize"/><script>new ActiveXObject("WScript.Shell").Run("cmd /c \"\""+window.l (PEHSTR)
- \HELP_%s.html (PEHSTR_EXT)
- process call create "cmd.exe /c vssadmin.exe delete shadows (PEHSTR_EXT)
- PG1ldGEgaHR0cC1lcXVpdj0ncmVmcmVzaCcgY29udGVudD0nMDsgdXJsPWh0dHA6Ly8 (PEHSTR_EXT)
- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYEYkIZivftqlhZCLdPcGwu4/MAHwbsB965BHJ120L9G1tmynAPpZc (PEHSTR_EXT)
- %02hu.%02hu.%04hu; (PEHSTR_EXT)
- REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d (PEHSTR_EXT)
- DECRYPT_INFORMATION.html (PEHSTR_EXT)
- del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk (PEHSTR_EXT)
- %u.%u.%u.%u (PEHSTR_EXT)
- @bitmessage.ch (PEHSTR)
- Your computer was attacked by trojan called cryptolocker. All your files are encrypted with cryptographically strong algorithm, and without original decryption key recovery is impossible. (PEHSTR)
- desk1.bmp (PEHSTR)
- ,bin:com:exe:bat:png:bmp:dat:log:ini:dll:sys: (PEHSTR)
- .aaf .aep .aepx .plb (PEHSTR_EXT)
- .3g2 .asf .asx .flv (PEHSTR_EXT)
- .dbf .mdb .pdb .sql (PEHSTR_EXT)
- ExeSmartCopy (PEHSTR_EXT)
- targetExePath (PEHSTR_EXT)
- Your computer files have been encryted. (PEHSTR_EXT)
- But, don't worry! they are not deleted yet. (PEHSTR_EXT)
- Great job, I'm decrypting your files... (PEHSTR_EXT)
- your files will be deleted in 72 hours. (PEHSTR_EXT)
- EncryptedFileList.txt (PEHSTR_EXT)
- NotTxtTest.nottxt (PEHSTR_EXT)
- DeleteItself.bat (PEHSTR_EXT)
- I am NOT a txt test. (PEHSTR_EXT)
- I am a txt test. (PEHSTR_EXT)
- !#_DECRYPT_#!.inf (PEHSTR_EXT)
- !#_READ_ME_#!.hta (PEHSTR_EXT)
- .onyon (PEHSTR_EXT)
- nintendonx@qq.com (PEHSTR_EXT)
- %s\*.lnk (PEHSTR_EXT)
- %[^/]%[/]%d (PEHSTR_EXT)
- \cerber_debug.txt (PEHSTR_EXT)
- //{TOR}.onion/{PC_ID} (PEHSTR_EXT)
- ]DECRYPTION.TXT[ (PEHSTR_EXT)
- [/MESSAGE][TASKNAME]guide.exe[/TASKNAME] (PEHSTR_EXT)
- .oled (PEHSTR_EXT)
- black.mirror@qq.com (PEHSTR_EXT)
- [/TASKNA (PEHSTR_EXT)
- _Recover_Instructions. (PEHSTR_EXT)
- /C ping 1.1.1.1 -n 1 -w 1 > Nul & Del (PEHSTR_EXT)
- .LIGHTNING (PEHSTR_EXT)
- a0142503.xsph.ru (PEHSTR)
- cmd.exe /c explorer.exe (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (PEHSTR_EXT)
- d_dukens@aol.com (PEHSTR_EXT)
- vssadmin delete shadows /all (PEHSTR_EXT)
- \4rw5wDecryptor\obj\Debug\4rw5wDecryptor.pdb (PEHSTR_EXT)
- \FileCrypterJoke\obj\Debug\FileCrypterJoke.pdb (PEHSTR_EXT)
- 5cmd.exe /C ping 1.1.1.1 -n 5 -w 3000 > Nul & Del "%s" (PEHSTR)
- read_to_txt_file.yyto (PEHSTR)
- help_to_decrypt.txt (PEHSTR)
- \\.\PhysicalDrive (PEHSTR)
- perfc.dat (PEHSTR)
- YOU HAVE BEEN INFECTED WITH RANSOMWARE (PEHSTR_EXT)
- karo.ReadMe.html (PEHSTR_EXT)
- karo.exe (PEHSTR_EXT)
- wYp.< (SNID)
- MoWare_H.F.D.Myd (PEHSTR_EXT)
- \cloudsword.pdbd (PEHSTR_EXT)
- C:\Users\mohamed\Desktop\WindowsApplication1\WindowsApplication1\obj\x86\Debug\WindowsApplication1.pdbd (PEHSTR_EXT)
- C:\Users\Jared\Desktop\ransomware\KKKryptoLocker\KKKryptoLocker\obj\Debug\KKKryptoLocker.pdb (PEHSTR_EXT)
- \wp_encrypt.pdb (PEHSTR_EXT)
- C:\yl.ini (PEHSTR_EXT)
- ico.ico (PEHSTR_EXT)
- 1.jpg (PEHSTR_EXT)
- *.e|*.doc|*.jpg|*.png|*.txt|*.pdf|*.wps (PEHSTR_EXT)
- Ransomware-master\Shiva (PEHSTR)
- AMMOUNT.txt (PEHSTR_EXT)
- move /y readme. (PEHSTR_EXT)
- cmd /c net view (PEHSTR_EXT)
- /s /b /a-d >> (PEHSTR_EXT)
- \desktop\readme\ (PEHSTR_EXT)
- readme.png" && exit (PEHSTR_EXT)
- readme.html" && exit (PEHSTR_EXT)
- start tmp.bat (PEHSTR_EXT)
- if exist "sync.exe" goto Repeat (PEHSTR_EXT)
- tmp.bat (PEHSTR_EXT)
- \BackupClient (PEHSTR_EXT)
- #How_Decrypt_Files.txt (PEHSTR_EXT)
- \Desktop\test\READ_IT.txt (PEHSTR_EXT)
- \Desktop\Hacked.txt (PEHSTR_EXT)
- InfiniteDecryptor@Protonmail.com (PEHSTR_EXT)
- blackgold123@protonmail.com (PEHSTR_EXT)
- vnransomware@zoho.com (PEHSTR_EXT)
- Ransomware Ultimo (PEHSTR_EXT)
- "InfiniteTear Ransomware" (PEHSTR_EXT)
- "Infinite Ransomware" (PEHSTR_EXT)
- .Infinite (PEHSTR_EXT)
- vssadmin.exe delete shadows /all /Quiet (PEHSTR_EXT)
- WMIC.exe shadowcopy delete (PEHSTR_EXT)
- Bcdedit.exe /set {default} recoveryenabled no (PEHSTR_EXT)
- Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
- (\\[a-zA-Z0-9_ ]+|[a-zA-Z]:)(((\\.+?(\\|))+(?=[<>":\/|?*\n\r\t]))|((\\.+(\\|))+)) (PEHSTR_EXT)
- kinaesthetic-electr.000webhostapp.com (PEHSTR_EXT)
- pe\kiket (PEHSTR_EXT)
- path=".+" (PEHSTR_EXT)
- uri=".+" (PEHSTR_EXT)
- <include>.+</include> (PEHSTR_EXT)
- i.php (PEHSTR_EXT)
- \FILES.TXT (PEHSTR_EXT)
- Encryption is very sophisticated and without paying a ransom you won't get your files back. (PEHSTR_EXT)
- glushkov@protonmail.ch (PEHSTR_EXT)
- glushkov@tutanota.de (PEHSTR_EXT)
- igor.glushkov.83@mail.ru (PEHSTR_EXT)
- #%s.[chines34@protonmail.ch].gryphon (PEHSTR)
- chines34@protonmail.ch (PEHSTR)
- oceannew_vb@protonmail.com (PEHSTR)
- !## DECRYPT FILES ##!.txt (PEHSTR)
- .gryphon (PEHSTR)
- */c vssadmin.exe Delete Shadows /All /Quiet (PEHSTR)
- 0/c bcdedit.exe /set {default} recoveryenabled No (PEHSTR)
- @/c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures (PEHSTR)
- CryptoJoker\CryptoJokerGUI\obj\Debug\CryptoJoker.pdb (PEHSTR_EXT)
- /C sc stop WinDefend (PEHSTR_EXT)
- /C sc stop wscsvc (PEHSTR_EXT)
- /C sc stop wuauserv (PEHSTR_EXT)
- \\.\\physicaldrive0 (PEHSTR_EXT)
- Your computer is locked (PEHSTR_EXT)
- rd /S /Q "%s" (PEHSTR_EXT)
- del /F "%s" (PEHSTR_EXT)
- %s.[%s]-id-%X. (PEHSTR_EXT)
- [/EXTENSION][TARGETS] (PEHSTR)
- [/TASKNAME][AUTOEXEC][README] (PEHSTR)
- decrypts@airmail.cc (PEHSTR)
- 8HOW TO RECOVER ENCRYPTED FILES - decrypts@airmail.cc.TXT (PEHSTR)
- \DECRYPT_INFORMATION.txt (PEHSTR_EXT)
- shadowstorage vssadmin Delete vssadmin resize .dsk (PEHSTR_EXT)
- Builder Ransom.pdb (PEHSTR)
- plumber@cock.li (PEHSTR_EXT)
- decryption,so you will pay me and them anyways.Please (PEHSTR_EXT)
- call uninstall /nointeractive (PEHSTR_EXT)
- jsX (PEHSTR_EXT)
- H\Users\sabri\documents\visual studio 2010\Projects\cripto\Debug\Stub.pdb (PEHSTR)
- J\Users\sabri\documents\visual studio 2010\Projects\cripto\Release\Stub.pdb (PEHSTR)
- You became victim of the GOLDENEYE RANSOMWARE! (PEHSTR_EXT)
- %s\System32\kernel32.dll:12345678 (PEHSTR_EXT)
- %s\system32\%c*%c.exe (PEHSTR_EXT)
- %s\system32\%s (PEHSTR_EXT)
- %s\{%s} (PEHSTR_EXT)
- ://golden (PEHSTR_EXT)
- ://ipinfo.io/ip (PEHSTR_EXT)
- %s\f%u.vbs (PEHSTR)
- \\?\%S (PEHSTR)
- %s\f%u.hta (PEHSTR)
- %s\%s.exe (PEHSTR_EXT)
- %s\%s.tmp (PEHSTR_EXT)
- %s\f%u.hta (PEHSTR_EXT)
- %s\f%u.vbs (PEHSTR_EXT)
- %S... (PEHSTR_EXT)
- /YourRansom/main.go (PEHSTR_EXT)
- /YourRansom/funcs.go (PEHSTR_EXT)
- YR0x02.key (PEHSTR_EXT)
- $Jt/= (PEHSTR_EXT)
- cscc.dat (PEHSTR_EXT)
- We Guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password. (PEHSTR_EXT)
- caforssztxqzf2nm.onion (PEHSTR_EXT)
- infpub.dat,#1 (PEHSTR_EXT)
- .3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc. (PEHSTR_EXT)
- .\dcrypt (PEHSTR_EXT)
- /c schtasks /Delete /F /TN rhaegal (PEHSTR_EXT)
- /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR "%ws" /ST %02d:%02d:00 (PEHSTR_EXT)
- @@schtasks /Delete /F /TN rhaegal (PEHSTR_EXT)
- /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR (PEHSTR_EXT)
- %ws C:\Windows\%ws,#1 %ws (PEHSTR_EXT)
- rundll32 %s,#2 %s (PEHSTR_EXT)
- /Create /SC once /TN drogon /RU SYSTEM /TR (PEHSTR_EXT)
- \cscc.dat (FILEPATH)
- To restore the files, wrote to the email:bomboms123@mail.ru (PEHSTR_EXT)
- if you do not receive a response from this mail within 24 hours then write to the subsidiary:yourfood20@mail.ru (PEHSTR_EXT)
- 5.8.88.237 (PEHSTR_EXT)
- Projets\Lockon Ransomware\Lockon Ransomware\obj\Debug\Lockon Ransomware.pdb (PEHSTR_EXT)
- tech support employees at 89755610@protonmail.com. (PEHSTR_EXT)
- SuccWare.exe (PEHSTR_EXT)
- C:\SuccWare\SuccWare\obj\Debug\SuccWare.pdb (PEHSTR_EXT)
- Bathochrome5 (PEHSTR_EXT)
- cd %userprofile%\documents\ (PEHSTR_EXT)
- attrib Default.rdp -s -h (PEHSTR_EXT)
- ..doc (PEHSTR)
- Read___ME.html (PEHSTR)
- MZ.......................................................!....... (PEHSTR_EXT)
- SYSDOWN.exe (PEHSTR_EXT)
- SYSDOWN.pdb (PEHSTR_EXT)
- SYSDOWN.My.Resources (PEHSTR_EXT)
- SYSDOWN.Form1.resources (PEHSTR_EXT)
- SYSDOWN.Resources.resources (PEHSTR_EXT)
- SYSDOWN.g.resources (PEHSTR_EXT)
- s test file for proof of decryption MMM Ransomware. (PEHSTR_EXT)
- <title>TripleM Ransomware</title> (PEHSTR_EXT)
- \MMM\obj\Release\MMM.pdb (PEHSTR_EXT)
- C:\Users\Ciara&Cody\Desktop\DUMB-master\DUMB\obj\Release\DUMB.pdb (PEHSTR_EXT)
- Ransomware.exe (PEHSTR_EXT)
- C:\Users\d.koporushkin\Desktop\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Ransomware.pdb (PEHSTR_EXT)
- LongTermMemoryLoss.exe (PEHSTR_EXT)
- C:\Users\Asmcx15\documents\visual studio 2017\Projects\LongTermMemoryLoss\LongTermMemoryLoss\obj\Debug\LongTermMemoryLoss.pdb (PEHSTR_EXT)
- LongTermMemoryLoss.WarnGUI.resources (PEHSTR_EXT)
- death.bat" del "C:\TEMP\afolder\death.bat" (PEHSTR_EXT)
- deathnote.bat" del "C:\TEMP\afolder\deathnote.bat" (PEHSTR_EXT)
- WIFI-CONNECT.bat" del "C:\TEMP\afolder\WIFI-CONNECT.bat" (PEHSTR_EXT)
- windows defender.bat" del "C:\TEMP\afolder\windows defender.bat" (PEHSTR_EXT)
- WIFI.lnk" del "C:\TEMP\afolder\WIFI.lnk" (PEHSTR_EXT)
- WINDEFEND.lnk" del "C:\TEMP\afolder\WINDEFEND.lnk" (PEHSTR_EXT)
- death.lnk" del "C:\TEMP\afolder\death.lnk" (PEHSTR_EXT)
- deathnote.lnk" del "C:\TEMP\afolder\deathnote.lnk" (PEHSTR_EXT)
- frog.exe (PEHSTR_EXT)
- d:\project_mini\mwave\frog\frog\obj\Release\frog.pdb (PEHSTR_EXT)
- jmqapf3nflatei35.onion.link (PEHSTR_EXT)
- 19204ur2907ut982gi3hoje9sfa.exe (PEHSTR_EXT)
- You have not paid the ransom. (PEHSTR_EXT)
- Congrats: you've paid. Click OK to decrypt your files (This will take a while so be patient). (PEHSTR_EXT)
- MoneroPayAgent.exe (PEHSTR_EXT)
- REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /F /t REG_SZ /V "MoneroPay" /D (PEHSTR_EXT)
- e:\Projects\brc\brc\obj\x86\Release\brc.pdb (PEHSTR_EXT)
- \Release\Springbeep.pdb (PEHSTR_EXT)
- main.encrypt (PEHSTR)
- >Your files have been encrypted. (PEHSTR)
- spritecoind.dat (PEHSTR)
- spritecoind.exe (PEHSTR)
- libgcj-13.dll (PEHSTR)
- RSoftware\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (PEHSTR)
- \get_my_files.txt (PEHSTR_EXT)
- jz3sncvmveprhihk.onion (need Tor-browser) (PEHSTR_EXT)
- jz3sncvmveprhihk.onion.rip (PEHSTR_EXT)
- jz3sncvmveprhihk.onion.cab (PEHSTR_EXT)
- jz3sncvmveprhihk.hiddenservice.net (PEHSTR_EXT)
- davidfreemon2@aol.com (PEHSTR_EXT)
- .david (PEHSTR_EXT)
- gdcbghvjyqy7jclk.onion.top (PEHSTR_EXT)
- gandcrab.bit (PEHSTR_EXT)
- nomoreransom.coin (PEHSTR_EXT)
- del /s /f .wbcat f:\*.bkf \*.bac h:\*.bak \*.set h:\*.win bkf h:\Backup*.*ac f:\*.bak f:\*et f:\*.win f:\*:\backup*.* g:\*/q g:\*.VHD g:\* (PEHSTR_EXT)
- /for=d: /on=d: storage /for=g: e shadowstorage vssadmin Delete vssadmin resize .dsk (PEHSTR_EXT)
- .-' '-. (PEHSTR_EXT)
- / \ (PEHSTR_EXT)
- |, .-. .-. ,| (PEHSTR_EXT)
- | )(__/ \__)( | (PEHSTR_EXT)
- |/ /\ \| (PEHSTR_EXT)
- \__|IIIIII|__/ (PEHSTR_EXT)
- | \IIIIII/ | (PEHSTR_EXT)
- \ / (PEHSTR_EXT)
- ReadMe_Decryptor.txt (PEHSTR_EXT)
- cmd.exe /c bcdedit /set {default} recoveryenabled No (PEHSTR_EXT)
- cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
- cmd.exe /c vssadmin delete shadows /all /quiet (PEHSTR_EXT)
- cmd.exe /c wmic shadowcopy delete (PEHSTR_EXT)
- cmd.exe /c wbadmin delete catalog -quiet (PEHSTR_EXT)
- taskkill /f /im MSExchange* (PEHSTR_EXT)
- taskkill /f /im Microsoft.Exchange.* (PEHSTR_EXT)
- taskkill /f /im sqlserver.exe (PEHSTR_EXT)
- taskkill /f /im sqlwriter.exe (PEHSTR_EXT)
- All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail decryptor@cock.li (PEHSTR_EXT)
- All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: aidcompany@tutanota.com (PEHSTR_EXT)
- In case of no answer in 24 hours write us to theese e-mails: masterdecrypt@openmailbox.org (PEHSTR_EXT)
- In case of no answer in 48 hours write us to theese e-mails: aidcompanu@cock.li (PEHSTR_EXT)
- You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. (PEHSTR_EXT)
- Before paying you can send us up to 5 files for free decryption. (PEHSTR_EXT)
- After payment we will send you the decryption tool that will decrypt all your files. (PEHSTR_EXT)
- If you want restore your files write on email - twist@airmail.cc (PEHSTR_EXT)
- If you want restore your files write on email - blind@airmail.cc (PEHSTR_EXT)
- How_Decrypt_Files.txt (PEHSTR_EXT)
- \#DECRYPT_MY_FILES#.html (PEHSTR)
- \#DECRYPT_MY_FILES#.txt (PEHSTR)
- \#DECRYPT_MY_FILES#.vbs (PEHSTR)
- su34pwhpcafeiztt.onion (PEHSTR)
- 5cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "%s" (PEHSTR)
- */C vssadmin.exe delete shadows /all /quiet (PEHSTR)
- wmic.exe shadowcopy delete (PEHSTR)
- 9bcdedit /set {default} bootstatuspolicy ignoreallfailures (PEHSTR)
- )bcdedit /set {default} recoveryenabled no (PEHSTR)
- annabelle85x9tbxiyki.onion (PEHSTR_EXT)
- annabelle59j3mbtyyki.onion (PEHSTR_EXT)
- shutdown.exe -r -f -t 0 (PEHSTR_EXT)
- taskkill.exe /F /IM wininit.exe (PEHSTR_EXT)
- D:\Work\Thanatos\Release\Thanatos.pdb (PEHSTR_EXT)
- D:\Thanatos\Release\Thanatos.pdb (PEHSTR_EXT)
- \Thanatos-master\Debug\Thanatos.pdb (PEHSTR_EXT)
- .THANATOS (PEHSTR_EXT)
- .PENTAGON (PEHSTR_EXT)
- \Desktop\README.txt (PEHSTR_EXT)
- All data will be lost if you do not pay 0.01 BTC to the specified BTC wallet (PEHSTR_EXT)
- encryption.dll (PEHSTR_EXT)
- CRYSTALCRYPT RANSOMWARE! (PEHSTR_EXT)
- YOU BECAME A VICTIM OF THE CRYSTALCRYPT RANSOMWARE! (PEHSTR_EXT)
- PAY 0.17 BITCOINS TO THIS ADDRESS : 1LSgvYFY7SDNje2Mhsm51FxhqPsbvXEhpE (PEHSTR_EXT)
- YOU CAN FIND THEM ON YOUR DESKTOP IN "CRYSTALCRYPT_UNIQEID.TXT" (PEHSTR_EXT)
- %APPDATA%\Readerpdf\Adobe.exe (PEHSTR_EXT)
- learn how to pay us https://www.youtube.com/watch?v= (PEHSTR_EXT)
- ddos.slowloris.stop (PEHSTR_EXT)
- gpg.exe --recipient qwerty -o "%s%s.%d.qwerty" --encrypt "%s%s (PEHSTR_EXT)
- Your computer is encrypted . Mail (PEHSTR_EXT)
- @. Send your ID (PEHSTR_EXT)
- "%s/README_DECRYPT.txt (PEHSTR_EXT)
- taskkill /F /IM sql (PEHSTR_EXT)
- taskkill /F /IM chrome.exe (PEHSTR_EXT)
- taskkill /F /IM ie.exe (PEHSTR_EXT)
- taskkill /F /IM firefox.exe (PEHSTR_EXT)
- taskkill /F /IM opera.exe (PEHSTR_EXT)
- taskkill /F /IM safari.exe (PEHSTR_EXT)
- taskkill /F /IM taskmgr.exe (PEHSTR_EXT)
- taskkill /F /IM 1c (PEHSTR_EXT)
- vssadmin.exe delete shadows /all /quiet (PEHSTR_EXT)
- bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
- bcdedit.exe bcdedit /set {default} recoveryenabled no (PEHSTR_EXT)
- wbadmin.exe wbadmin delete catalog -quiet (PEHSTR_EXT)
- del /Q /F /S %s$recycle.bin (PEHSTR_EXT)
- Z:\Shadow\SilentSpring\Release\$_1.pdb (PEHSTR_EXT)
- write you country to dorispackman@tuta.io (PEHSTR_EXT)
- aaa_TouchMeNot_.txt (PEHSTR_EXT)
- BlackStarMafia@qq.com (PEHSTR_EXT)
- D:\#_src\projects\RansomwareTest\Debug\RansomwareTest.pdb (PEHSTR_EXT)
- B040A3ED27C166CBC4E8D0E1286347F3.MOLE66 (PEHSTR_EXT)
- C:\Users\delta\source\repos\desuCrypt\Release\desuCrypt.pdb (PEHSTR_EXT)
- *.Stinger (PEHSTR_EXT)
- E-mail:hackcwand@protonmail.com (PEHSTR_EXT)
- About .Stinger unlocking instructions.txt (PEHSTR_EXT)
- .ladon (PEHSTR_EXT)
- cdmsxo25y4lfht6v.onion.casa (PEHSTR_EXT)
- \READ_ME.html (PEHSTR_EXT)
- wmic.exe shadowcopy delete /nointeractive (PEHSTR_EXT)
- .onion (PEHSTR)
- /index.php (PEHSTR)
- ALL YOUR FILES ARE ENCRYPTED BY RAPID 2.0 RANSOMWARE (PEHSTR_EXT)
- delete Rapid from your PC. (PEHSTR_EXT)
- supp1decr@cock.li (PEHSTR_EXT)
- supp2decr@cock.li (PEHSTR_EXT)
- Dont try to use third-party decryptor tools because it will destroy your files. (PEHSTR_EXT)
- C:\Users\Krysto\source\repos\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\EGG.pdb (PEHSTR_EXT)
- C:\Users\Krysto\source\repos\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\WindowsFormsApp1.pdb (PEHSTR_EXT)
- .LCKD (PEHSTR_EXT)
- But if you want to decrypt all your files, you need to pay. (PEHSTR_EXT)
- decryptorsoon301@aol.com (PEHSTR_EXT)
- J:\Programs\JF Ransomware\JF Ransomware\obj\Debug\JF Ransomware.pdb (PEHSTR_EXT)
- JF Ransomware (PEHSTR_EXT)
- JF_Ransomware (PEHSTR_EXT)
- deleteMyProgram.bat (PEHSTR_EXT)
- .sorry (PEHSTR_EXT)
- c:\Windows\hrf.txt (PEHSTR_EXT)
- systems@hitler.rocks (PEHSTR_EXT)
- systems@tutanota.com (PEHSTR_EXT)
- How Recovery Files.txt (PEHSTR_EXT)
- get_ransom (PEHSTR_EXT)
- set_ransom (PEHSTR_EXT)
- HAXERBOI RANSOM (PEHSTR_EXT)
- Injecting RansomWare (PEHSTR_EXT)
- hackerBoi\hackerBoi\obj\Debug\hackerBoi.pdb (PEHSTR_EXT)
- GandCrabGandCrabnomoreransom.coinomoreransom.bit (PEHSTR_EXT)
- malwarehunterteaGandCrabGandCrabpolitiaromana.bi (PEHSTR_EXT)
- RansomBuilder1 (PEHSTR_EXT)
- RansomBuilder1.0\RansomBuilder1.0\obj\Debug\RansomBuilder1.0.pdb (PEHSTR_EXT)
- D:\[!]Dn13\Ransomware\Project Final\Backup H34rtBl33d\anu\1\KNTLCrypt\obj\x86\Debug\DnThirTeen.pdb (PEHSTR_EXT)
- D3g1d5.zip (PEHSTR_EXT)
- d3g1d5.exe (PEHSTR_EXT)
- H34rtBl33d.bmp (PEHSTR_EXT)
- H34rtBl33d.html (PEHSTR_EXT)
- H34rtBl33d.txt (PEHSTR_EXT)
- H34rtBl33d.exe (PEHSTR_EXT)
- H34rtBl33d Ransomware (PEHSTR_EXT)
- Net user D3g1d5 Dwixtkj37 /add (PEHSTR_EXT)
- Net localgroup Administrators D3g1d5 /add (PEHSTR_EXT)
- vssadmin delete shadows /for=c: /all /quiet (PEHSTR_EXT)
- vssadmin delete shadows /for=d: /all /quiet (PEHSTR_EXT)
- bcdedit /set {bootmgr} displaybootmenu no (PEHSTR_EXT)
- m.bif (PEHSTR_EXT)
- re.bf (PEHSTR_EXT)
- ransom_id (PEHSTR_EXT)
- ransom_id= (PEHSTR_EXT)
- /c shutdown -r -t 1 -f (PEHSTR_EXT)
- %s\CRAB-DECRYPT.txt (PEHSTR_EXT)
- ---= GANDCRAB V2.1 =--- (PEHSTR_EXT)
- //gandcrab2pie73et.onion.to/ (PEHSTR_EXT)
- ransomware@sj.ms (PEHSTR_EXT)
- //sj.ms/register.php (PEHSTR_EXT)
- extension: .CRAB (PEHSTR_EXT)
- /c timeout -c 5 & del "%s" /f /q (PEHSTR_EXT)
- synack@scryptmail.com (PEHSTR_EXT)
- synack@countermail.com (PEHSTR_EXT)
- do not panic and write on BitMessage (using site https://bitmsg.me/): (PEHSTR_EXT)
- SynAck Team. (PEHSTR_EXT)
- extort money, files restore is an optional service. (PEHSTR_EXT)
- www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (PEHSTR_EXT)
- %s\%s.locky (PEHSTR_EXT)
- vssadmin.exe vssadmin delete shadows / all / quiet (PEHSTR_EXT)
- icacls . / grant Everyone : F / T / C / Q (PEHSTR_EXT)
- /c vssadmin delete shadows /all /quiet (PEHSTR_EXT)
- paradise_key_pub.bin (PEHSTR_EXT)
- with respect Ransomware Paradise Team (PEHSTR_EXT)
- \Start Menu\Programs\Startup\start.bat (PEHSTR_EXT)
- \users\Public\run.sct (PEHSTR_EXT)
- cmd.exe /c vssadmin Delete Shadows /All /Quiet (PEHSTR_EXT)
- Files should have both .LOCK extension (PEHSTR_EXT)
- Screenshot_1 (PEHSTR_EXT)
- swchost.exe (PEHSTR_EXT)
- onion. (PEHSTR_EXT)
- /mafiaEgnima.php (PEHSTR_EXT)
- .MAFIA (PEHSTR_EXT)
- 32.df (PEHSTR_EXT)
- vssadmin Delete Shadows /all /quiet (PEHSTR_EXT)
- vssadmin resize shadowstorage /for= (PEHSTR_EXT)
- : /on= (PEHSTR_EXT)
- : /maxsize= (PEHSTR_EXT)
- del /s /f /q (PEHSTR_EXT)
- :\*.VHD (PEHSTR_EXT)
- :\*.bac (PEHSTR_EXT)
- :\*.bak (PEHSTR_EXT)
- :\*.wbcat (PEHSTR_EXT)
- :\*.bkf (PEHSTR_EXT)
- :\Backup*.* (PEHSTR_EXT)
- :\backup*.* (PEHSTR_EXT)
- :\*.set (PEHSTR_EXT)
- :\*.win (PEHSTR_EXT)
- :\*.dsk (PEHSTR_EXT)
- copy "Locdoor.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\temp00000000.exe"6 (PEHSTR_EXT)
- echo Your computer's files have been encrypted to Locdoor Ransomware!6 (PEHSTR_EXT)
- start http://9w37hde92oqvcew235.creatorlink.net/6 (PEHSTR_EXT)
- Your computer's important files have been encrypted! (PEHSTR_EXT)
- ren *.mp4 *.door1 (PEHSTR_EXT)
- ren *.avi *.door2 (PEHSTR_EXT)
- ren *.mp3 *.doo3r (PEHSTR_EXT)
- ren *.txt *.door4 (PEHSTR_EXT)
- ren *.hwp *.doo5r (PEHSTR_EXT)
- ren *.pptx *.door6 (PEHSTR_EXT)
- ren *.docx *.door7 (PEHSTR_EXT)
- ren *.xlsx *.door8 (PEHSTR_EXT)
- ren *.html *.door9 (PEHSTR_EXT)
- ren *.xml *.door10 (PEHSTR_EXT)
- ren *.amr *.door11 (PEHSTR_EXT)
- ren *.mov *.door12 (PEHSTR_EXT)
- ren *.mkv *.door13 (PEHSTR_EXT)
- ren *.wav *.door14 (PEHSTR_EXT)
- ren *.wmv *.door15 (PEHSTR_EXT)
- ren *.wma *.door16 (PEHSTR_EXT)
- Your files, photos, documents, databases and other important files are encrypted and have the extension: .SAVEfiles (PEHSTR_EXT)
- All your files, documents, photos, databases and other important files are encrypted and have the extension: .WHY (PEHSTR_EXT)
- !!!SAVE_FILES_INFO!!!.txt (PEHSTR_EXT)
- !!!WHY__MY__FILES__NOT__OPEN!!!.txt (PEHSTR_EXT)
- BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch (PEHSTR_EXT)
- BM-2cUm1HG5NFf9fYMhPzLhjoBdXqde26iBm2@bitmessage.ch (PEHSTR_EXT)
- Only we can give you this key and only we can recover your files. (PEHSTR_EXT)
- you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE. (PEHSTR_EXT)
- C:\INTERNAL\REMOTE.EXE (PEHSTR_EXT)
- C:\TEMP\\delself.bat (PEHSTR_EXT)
- http://www.terranowwa.org/orgasmatron/get.php (PEHSTR_EXT)
- http://www.terranowwa.org/syssvr.exe$run (PEHSTR_EXT)
- http://www.terranowwa.org/systime.exe$run (PEHSTR_EXT)
- C:\Users\Multi\Desktop\Tutti i miei progetti\VB.NET\WindowsApp1\WindowsApp1\obj\Debug\WindowsApp1.pdb (PEHSTR_EXT)
- WindowsApp1.SuriProtector.resources (PEHSTR_EXT)
- Ransom.BL (PEHSTR_EXT)
- Ransom.PL (PEHSTR_EXT)
- Ransomware.resources (PEHSTR_EXT)
- Godsomware.My.Resources (PEHSTR_EXT)
- Godsomware.Form (PEHSTR_EXT)
- .resources (PEHSTR_EXT)
- Godsomware.Resources.resources (PEHSTR_EXT)
- Godsomware.exe (PEHSTR_EXT)
- Ransomware God Crypt v1.0 by NinjaGhost (PEHSTR_EXT)
- get_WannaCry_ransom_note__Please_Read_Me__txt (PEHSTR_EXT)
- Godsomware by NinjaGhost\Godsomware\Godsomware (PEHSTR_EXT)
- Godsomware.pdb (PEHSTR_EXT)
- Dear %1!\r\nAll of your files such as documents, images, videos and other files\r\nwith the different names and extensions are encrypted. (PEHSTR_EXT)
- Read the instructions file named \"%2\" for more information. (PEHSTR_EXT)
- You can find this file everywhere on your computer. (PEHSTR_EXT)
- * Don't Delete Encrypted Files\r\n* Don't Modify Encrypted Files\r\n* Don't Rename Encrypted Files (PEHSTR_EXT)
- "comment": "Researchers Editon: Zero Resistance" (PEHSTR_EXT)
- "support_email": "nikolatesla@cock.li" (PEHSTR_EXT)
- "support_email": "onionhelp@memeware.net" (PEHSTR_EXT)
- "support_alternativea": "nikolateslaproton@protonmail.com" (PEHSTR_EXT)
- "support_alternativea": "BM-2cWdhn4f5UyMvruDBGs5bK77NsCFALMJkR@bitmessage.ch" (PEHSTR_EXT)
- Kraken.exe (PEHSTR_EXT)
- We guarantee that you can recover all your files soon safely. (PEHSTR_EXT)
- You can decrypt one of your encrypted smaller file for free in the first contact with us. (PEHSTR_EXT)
- After your payment made, all of your encrypted files has been decrypted. (PEHSTR_EXT)
- This price is for the contact with us in first week otherwise it will increase. (PEHSTR_EXT)
- DON'T USE THIRD PARTY, PUBLIC TOOLS/SOFTWARE TO DECRYPT YOUR FILES, THIS CAUSE DAMAGE YOUR FILES PERMANENTLY! (PEHSTR_EXT)
- DownloadFile('http://92.63.197.48/ (PEHSTR_EXT)
- .exe','%temp%\ (PEHSTR_EXT)
- .exe'); (PEHSTR_EXT)
- Start-Process '%temp%\ (PEHSTR_EXT)
- .exe' (PEHSTR_EXT)
- LPE DLL: Trying to Open Pipe - %ws (PEHSTR_EXT)
- LPE DLL: Target path: %ws (PEHSTR_EXT)
- Minotaur.exe (PEHSTR_EXT)
- minotaur@420blaze.it (PEHSTR_EXT)
- ALL YOUR FILES ARE ENCRYPTED BY (MINOTAUR) RANSOMWARE! (PEHSTR_EXT)
- FOR DECRYPT YOUR FILES NEED TO PAY US A (0.125 BTC)! (PEHSTR_EXT)
- How To Decrypt Files.txt (PEHSTR_EXT)
- Private\Minotaur\Minotaur (PEHSTR_EXT)
- \Minotaur.pdb (PEHSTR_EXT)
- \ransom.pdb (PEHSTR)
- \rANSOM\rANSOM\obj\Sanyasteakler\rANSOM.pdb (PEHSTR_EXT)
- Program.exe (PEHSTR_EXT)
- Your personal email: 5btc@protonmail.com (PEHSTR_EXT)
- DECRYPT.html (PEHSTR_EXT)
- 5btc@protonmail.com (PEHSTR_EXT)
- \GUScryptolocker - update\Release\locker.pdb (PEHSTR_EXT)
- Write to our email - help@wizrac.com (PEHSTR_EXT)
- FILES ENCRYPTED.txt (PEHSTR_EXT)
- TouchMeNot_.txt (PEHSTR_EXT)
- @aol.com (PEHSTR_EXT)
- \HOW TO DECRYPT FILES.txt (PEHSTR_EXT)
- http://crypt443sgtkyz4l.onion (PEHSTR_EXT)
- .*?\.crypt (PEHSTR_EXT)
- \ntuser.profile (PEHSTR_EXT)
- @_RESTORE-FILES_@.txt (PEHSTR_EXT)
- !-GET_MY_FILES-!.txt (PEHSTR_EXT)
- #RECOVERY-PC#.txt (PEHSTR_EXT)
- Z:\stop\sorces\Aurora\old_sorc\Debug\Ransom.pdb (PEHSTR_EXT)
- Your computer (or server) is blocked by Gerber 4 due a security reasons (PEHSTR_EXT)
- Contact to email address: memoyanov.artur79@cock.li or bestleveldaypayday@cock.li (PEHSTR_EXT)
- Warning: You can't decrypt files without note: Decrypt.TXT (PEHSTR_EXT)
- Contact to email address: memoyanov.artur79@bitmessage.ch or bestleveldaypayday@bitmessage.ch (PEHSTR_EXT)
- launcher.dll (PEHSTR_EXT)
- ransomware_sample (PEHSTR_EXT)
- \ransomware_sample\obj\ (PEHSTR_EXT)
- \ransomware_sample.pdb (PEHSTR_EXT)
- AesCryptoServiceProvider (PEHSTR_EXT)
- Locker.pdb (PEHSTR_EXT)
- \obj\Debug\ScreenLocker.pdb (PEHSTR_EXT)
- \obj\Release\ss2.pdb (PEHSTR_EXT)
- /ransomware/client (PEHSTR_EXT)
- FILES_ENCRYPTED.htmlDesktop\READ_TO_DECRYPT.html (PEHSTR_EXT)
- XiaoBa-Ransomware (PEHSTR_EXT)
- cmd /c vssadmin delete shadow /all /quiet (PEHSTR_EXT)
- bcdedit /set {default} boostatuspolicy ignoreallfailures (PEHSTR_EXT)
- bcdedit /set {default} recoveryenabled no (PEHSTR_EXT)
- jwransomeware_Load (PEHSTR_EXT)
- juwonRansomeware.exe (PEHSTR_EXT)
- juwonRansomeware.pdb (PEHSTR_EXT)
- [C:\Users\dennis\Desktop\Software\BSS_ransomware\BSS_ransomware\obj\Debug\BSS_ransomware.pdb (PEHSTR)
- Your files is encrypred by PUBG Ransomware! (PEHSTR_EXT)
- C:\Users\ryank\source\repos\PUBG_Ransomware\PUBG_Ransomware\obj\Debug\PUBG_Ransomware.pdb (PEHSTR_EXT)
- onionhelp@memeware.net (PEHSTR_EXT)
- Krypton\source\repos\UAC\UAC\obj\Release\UAC.pdb (PEHSTR_EXT)
- ka%pv%JK@%OUB%CLI@%JKI\%hd}%755ng%qj%a (PEHSTR_EXT)
- stub j2.exe (PEHSTR_EXT)
- README_LOCKED.txt (PEHSTR)
- crypto-locker\tpls_MSVC\ (PEHSTR_EXT)
- /exception/detail/exception_ptr.hpp (PEHSTR_EXT)
- .docb (PEHSTR_EXT)
- .dotx (PEHSTR_EXT)
- jmCFIbUSLG+XNcT1V3riHlpNAehoj1s7Y50fIFfRZG/5MwAyhwnISxXkjUWhUGbE (PEHSTR_EXT)
- \crypto-locker\tpls_MSVC (PEHSTR_EXT)
- \crypto-locker\cryptopp\src (PEHSTR_EXT)
- svch0st. (PEHSTR_EXT)
- DharmaParrack@protonmail.com (PEHSTR_EXT)
- wyattpettigrew8922555@mail.com (PEHSTR_EXT)
- c:/cl.log (PEHSTR_EXT)
- README_LOCKED.txt (PEHSTR_EXT)
- README-NOW.txt (PEHSTR_EXT)
- work\Projects\LockerGoga (PEHSTR)
- "HOW TO RECOVER ENCRYPTED FILES.TXT (PEHSTR)
- cannot be run in DOS mode. (PEHSTR_EXT)
- C:\mou_jvsoS1.log (PEHSTR_EXT)
- Wr/teF/le (PEHSTR_EXT)
- :\Users\Fox\Desktop\Fox\ (PEHSTR_EXT)
- Do not shutdown your computer or try to close this program: All your personnal data will be deleted ! (PEHSTR_EXT)
- 49H8Kbf15JFN2diG5evGHA5G49qhgFBuDid86z3MKxTv59dcqySCzFWUL3SgsEk2SufzTziHp3UE5P8BatwuyFuv1bBKQw2 (PEHSTR_EXT)
- You can get monero here : https://localmonero.co/ (PEHSTR_EXT)
- \GG-Ransomware-master\GG ransomware\GG ransomware\obj\Debug\Ransom.pdb (PEHSTR_EXT)
- have been encrypted with Rush Ransomware (PEHSTR_EXT)
- \Sanction Ransomware\Project Encryptor\hidden-tear (PEHSTR_EXT)
- Your computer has been attacked by virus-encoder (PEHSTR_EXT)
- boooam@cock.li (PEHSTR_EXT)
- ExpBoot.exe (PEHSTR_EXT)
- \mpsvc.dll (FILEPATH)
- \tmp_ (PEHSTR_EXT)
- \bin\ (PEHSTR_EXT)
- C:\mypath\somepath\somefile.xls (PEHSTR_EXT)
- \Doc\My work (C++)\_New 2018\Encryption\Release\encrypt.pdb (PEHSTR_EXT)
- @@_BENI_OKU_@@.txt (PEHSTR_EXT)
- @@_DIKKAT_@@.txt (PEHSTR_EXT)
- \Release\Ransom.pdb (PEHSTR_EXT)
- you_offer.txt (PEHSTR)
- /c del "%s" >> NUL (PEHSTR)
- %s\resort0-0-0-1-1-0.bat (PEHSTR)
- %s\systempdisk_11_23_556_6.bat (PEHSTR)
- %s\clearnetworkdns_11-22-33.bat (PEHSTR)
- %s\clearsystems-10-1.bat (PEHSTR)
- \Desktop\@LooCipher_wallpaper.bmp (PEHSTR_EXT)
- \Desktop\@Please_Read_Me.txt (PEHSTR_EXT)
- \Desktop\c2056.ini (PEHSTR_EXT)
- \LooCipher.pdb (PEHSTR_EXT)
- nine.exe (PEHSTR_EXT)
- \source\repos\Cryble (PEHSTR_EXT)
- \Cryble (PEHSTR_EXT)
- \obj\Debug\Cryble (PEHSTR_EXT)
- %s\CIopReadMe.txt (PEHSTR_EXT)
- /c del "%s" >> NUL (PEHSTR_EXT)
- VipreAAPSvc.exe (PEHSTR_EXT)
- NEMTY-DECRYPT.txt (PEHSTR_EXT)
- /c vssadmin.exe delete shadows /all /quiet & bcdedit /set {default} (PEHSTR_EXT)
- https://pbs.twimg.com/media/Dn4vwaRW0AY-tUu.jpg (PEHSTR_EXT)
- DECRYPT.hta (PEHSTR_EXT)
- JSWORM (PEHSTR_EXT)
- /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zapiska" /d " (PEHSTR_EXT)
- /c vssadmin.exe delete shadows /all /quiet (PEHSTR_EXT)
- JSWORM-DECRYPT.txt (PEHSTR_EXT)
- DECRYPT.txt (PEHSTR_EXT)
- ID-RANSOMWARE, IT'S JUST THE BEGINING OF SOMETHING NEW... (PEHSTR_EXT)
- {EXT}-readme.txt","exp":false,"img": (PEHSTR_EXT)
- SyrkProject.exe (PEHSTR_EXT)
- /v private /t reg_sz /d "%SYSTEMDRIVE%\Intel\privat.exe" /f (PEHSTR_EXT)
- %SYSTEMDRIVE%\Intel\sender.exe -to (PEHSTR_EXT)
- del /q %SYSTEMDRIVE%\Intel\enable.cmd (PEHSTR_EXT)
- nname":"{EXT}-readme.txt" (PEHSTR)
- %jax-interim-and-projectmanagement.com (PEHSTR)
- mpsvc.dll (PEHSTR_EXT)
- MsMpEng.exe (PEHSTR_EXT)
- \\.\pipe\UxdEvent_API_Service (PEHSTR)
- http://10.103.2.247 (PEHSTR)
- \nemty.exe (PEHSTR)
- -DECRYPT.txt (PEHSTR)
- 'vssadmin.exe delete shadows /all /quiet (PEHSTR)
- /c vssadmin.exe delete shadows (PEHSTR_EXT)
- Decoder.hta (PEHSTR_EXT)
- sherminator.help@tutanota.com (PEHSTR_EXT)
- you.help5@protonmail.com (PEHSTR_EXT)
- C:\WINDOWS\delog.bat (PEHSTR_EXT)
- Y).8-+Jk (SNID)
- 92.63.197.60 (PEHSTR_EXT)
- 123.56.228.49 (PEHSTR_EXT)
- ns1.kriston.ug (PEHSTR_EXT)
- ns2.chalekin.ug (PEHSTR_EXT)
- ns3.unalelath.ug (PEHSTR_EXT)
- ns4.andromath.ug (PEHSTR_EXT)
- C:\shit\gavno.pdb (PEHSTR_EXT)
- C:\aaa_TouchMeNot_.txt (PEHSTR_EXT)
- \DUMB (PEHSTR_EXT)
- \DUMB\obj\ (PEHSTR_EXT)
- \DUMB.pdb (PEHSTR_EXT)
- MedusaLocker.pdb (PEHSTR)
- 4Your files are encrypted, and currently unavailable. (PEHSTR)
- \motherfucker\ (PEHSTR_EXT)
- \motherfucker.pdb (PEHSTR_EXT)
- YYour important files produced on this computer have been encrypted due a security problem (PEHSTR)
- doctor666@mail.fr (PEHSTR)
- mime.percentHexUnescape (PEHSTR)
- ?Do not rename encrypted files. You may have permanent data loss (PEHSTR)
- 8Files have been encrypted by The GoRansom POC Ransomware (PEHSTR)
- ARun the ransomware in the command line with one argument, decrypt (PEHSTR)
- >C:\Users\ElPro\source\repos\ransom\ransom\obj\Debug\ransom.pdb (PEHSTR)
- http://b2xhIG0zbiB4ZA.onion (PEHSTR)
- http://4kx812nk2SZ93cKz290.onion (PEHSTR)
- C:\Users\user\Desktop\WindowsApplication1\WindowsApplication1\obj\x86\Release\Windows Application.pdb (PEHSTR_EXT)
- >cryptopp.dll (PEHSTR)
- DllRegisterServer (PEHSTR)
- ?Your computer has been locked and your files are now encrypted. (PEHSTR)
- /C choice /C Y /N /D Y /T 3 & Del (PEHSTR_EXT)
- ONCE RANSOM PAID (PEHSTR_EXT)
- kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion (PEHSTR_EXT)
- Cyborg Builder Ransomware (PEHSTR_EXT)
- syborg1finf.exe (PEHSTR_EXT)
- fi|$.c (PEHSTR)
- C:\Users\mvj\Music\mehdi ransomware\mehdi update (PEHSTR_EXT)
- Ransom\Exe\Statik Version\CrypterLastVersion\CrypterLastVersion\obj\Release\JavaEmbededLibrary.pdb (PEHSTR_EXT)
- -Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR)
- taskkill /f /im explorer.exe (PEHSTR)
- \SystemProcess.exe (PEHSTR)
- Ransomware Snc.exe (PEHSTR)
- 7WCry\WCry\Banner\WpfApp1\obj\Release\Ransomware Snc.pdb (PEHSTR)
- KDo not turn off or restart the NAS equipment. This will result in data loss (PEHSTR)
- main.encryptfile.func1 (PEHSTR)
- main.makeReadmeFile.func1 (PEHSTR)
- DEATHRANSOM (PEHSTR)
- SOFTWARE\Wacatac (PEHSTR)
- >Your all your files are encrypted and only I can decrypt them. (PEHSTR)
- You may be a victim of fraud. (PEHSTR)
- README_5OAXN_DATA.txt (PEHSTR)
- /root/go/src/snatch/config.go (PEHSTR)
- /root/go/src/snatch/services.go (PEHSTR)
- /root/go/src/snatch/main.go (PEHSTR)
- /root/go/src/snatch/loger.go (PEHSTR)
- /root/go/src/snatch/files.go (PEHSTR)
- /root/go/src/snatch/dirs.go (PEHSTR)
- main.stopingService (PEHSTR)
- main.encryptFile.func (PEHSTR)
- README_5OAXN_DATA.txt (PEHSTR_EXT)
- You may be a victim of fraud. (PEHSTR_EXT)
- /root/go/src/snatch/config.go (PEHSTR_EXT)
- /root/go/src/snatch/services.go (PEHSTR_EXT)
- /root/go/src/snatch/main.go (PEHSTR_EXT)
- /root/go/src/snatch/loger.go (PEHSTR_EXT)
- /root/go/src/snatch/files.go (PEHSTR_EXT)
- /root/go/src/snatch/dirs.go (PEHSTR_EXT)
- jackpot@jabber.cd ( (PEHSTR)
- INSTRUCTION.txt (PEHSTR)
- \!!! READ THIS !!!.hta (PEHSTR)
- background.png (PEHSTR)
- 6Every byte on any types of your devices was encrypted. (PEHSTR)
- 7Don't try to use backups because it were encrypted too. (PEHSTR)
- \UPirate\UPirate\ (PEHSTR_EXT)
- \UPirate.pdb (PEHSTR_EXT)
- Uninstall/disable all antivirus (and Windows Defender) before using this (PEHSTR_EXT)
- Software\Buran V\Stop (PEHSTR_EXT)
- MAPO-Readme.txt (PEHSTR)
- LockBit Ransom (PEHSTR_EXT)
- SOFTWARE\LockBit (PEHSTR_EXT)
- Restore-My-Files.txt (PEHSTR_EXT)
- bg.txt.clown (PEHSTR_EXT)
- !!! READ THIS !!!.hta (PEHSTR_EXT)
- HOW TO RECOVER ENCRYPTED FILES.txt (PEHSTR_EXT)
- \TheDMR_Encrypter\ (PEHSTR_EXT)
- \TheDMR_Encrypter.pdb (PEHSTR_EXT)
- vssadmin delete shadows /all (PEHSTR)
- RansomRATClient (PEHSTR)
- README.txt (PEHSTR_EXT)
- Some files in your computer have been encrypted! (PEHSTR_EXT)
- power@ransomware.com (PEHSTR_EXT)
- \PowerRansom\ (PEHSTR_EXT)
- \PowerRansom.pdb (PEHSTR_EXT)
- kill\yourself\@YongruiTan\chinese\idiot.pdb (PEHSTR_EXT)
- C:\ProgramData\5ss5c (PEHSTR_EXT)
- 5ss5c@mail.ru (PEHSTR_EXT)
- repos\Ransomware\Ransomware\obj\Debug\Ransomware.pdb (PEHSTR_EXT)
- Debug\Ransomware.pdb (PEHSTR_EXT)
- +\PassLock\PassLock\obj\Release\PassLock.pdb (PEHSTR)
- .netsh advfirewall set currentprofile state off (PEHSTR)
- main.scanDir (PEHSTR)
- main.encryptFile (PEHSTR)
- main.makeReadmeFile (PEHSTR)
- main.writeLog (PEHSTR)
- main.encryptFile.func1 (PEHSTR)
- main.writeLog.func1 (PEHSTR)
- -Your system is LOCKED. Write us on the emails (PEHSTR)
- 1DO NOT TRY to decrypt files using other software. (PEHSTR)
- @protonmail.com (PEHSTR)
- Death\obj\Release\ssvchost.pdb (PEHSTR_EXT)
- jigsaw-ransomware (PEHSTR)
- +bitsadmin /transfer mydownloadjob /download (PEHSTR)
- <reg add HKEY_CURRENT_USER\Control Panel\Desktop /v Wallpaper (PEHSTR)
- SaveTheQueen.exe (PEHSTR)
- M[/MESSAGE][MELT][TASKNAME]sysem.exe[/TASKNAME][AUTOEXEC][ONCEELEVATE][README] (PEHSTR)
- encrypted-not-wall\Release\encrypted-not-wall.pdb (PEHSTR_EXT)
- news.html (PEHSTR_EXT)
- Your files on this computer have been encrypted due to security issues (PEHSTR_EXT)
- http://lockbitks2tvnmwk.onion (PEHSTR_EXT)
- Killyourself.dll (PEHSTR_EXT)
- /C netsh advfirewall set domainprofile state off (PEHSTR_EXT)
- /C netsh advfirewall set currentprofile state off (PEHSTR_EXT)
- /C netsh advfirewall set privateprofile state off (PEHSTR_EXT)
- /C netsh advfirewall set publicprofile state off (PEHSTR_EXT)
- /C netsh advfirewall set allprofiles state off (PEHSTR_EXT)
- /C netsh firewall set opmode mode=DISABLE (PEHSTR_EXT)
- !/set {default} recoveryenabled No (PEHSTR)
- n -Inf.bat.cmd.com.exe3125 (PEHSTR_EXT)
- Encrypt.exebad (PEHSTR_EXT)
- main.deriveKey (PEHSTR_EXT)
- 5ATTENTION! Your computer has been infected by sepSys! (PEHSTR)
- .inisepSys (PEHSTR)
- \virusTests\sepSys (PEHSTR)
- Software\NEMTY\ (PEHSTR_EXT)
- \teg.gp\fssdf.pdb (PEHSTR_EXT)
- repos\ransomlol\ransomlol\obj\Debug\ransomlol.pdb (PEHSTR_EXT)
- PC/SC Reader/Card operation: Open/Close/Reset/Transmit. (PEHSTR_EXT)
- WannaCry Ransomware (PEHSTR_EXT)
- Your important files are encrypted. (PEHSTR_EXT)
- Payment is accepted in Bitcoins only. (PEHSTR_EXT)
- \COVID-19.pdb (PEHSTR_EXT)
- \NEFILIM.pdb (PEHSTR_EXT)
- README_encrypted.txt (PEHSTR_EXT)
- RANSOMWARE_KDF_INFO (PEHSTR_EXT)
- \ReportGenerator\obj\Debug\Crypton.pdb (PEHSTR_EXT)
- Go build ID: "YhS0YaqxdkEQpD3Akucg/LGDmooMWxCU68gWk_Aom/vaWVJ2STDy0iZGHyoOWV/GJE6UU4RoVT0gr--R0KD (PEHSTR_EXT)
- CreateDirectoryWDnsNameCompare_WDuplicateTokenExEncryptOAEP (PEHSTR_EXT)
- 5tyj7f3xss6kdrgc.onion (PEHSTR_EXT)
- Do not try to recover data, it's wasting your time. (PEHSTR_EXT)
- Every 7 days the price doubles. (PEHSTR_EXT)
- Jigsaw-Ransomware-master (PEHSTR)
- \WindowsDefender\obj\ (PEHSTR_EXT)
- \Application_Def.pdb (PEHSTR_EXT)
- TakDfLdvHuWdPxREXDROEs7XCoMA (PEHSTR)
- \RESTORE_DLL_FILES.HTML (PEHSTR_EXT)
- \delete.bat (PEHSTR_EXT)
- Ransom.Properties.Resources (PEHSTR_EXT)
- dnNzYWRtaW4gZGVsZXRlIHNoYWRvd3MgL2FsbCAvcXVpZXQgJiBiY2RlZGl0LmV4ZSAvc2V0IHtkZWZhdWx0fSByZWNvdmVyeWVuYWJsZWQgbm8gJiBiY2RlZGl0LmV4ZSAvc2V0IHtkZWZhdWx0fSBib290c3RhdHVzcG9saWN5IGlnbm9yZWFsbGZhaWx1cmVz (PEHSTR)
- RGlzYWJsZVRhc2tNZ3I= (PEHSTR)
- KEKW.exe (PEHSTR)
- repos\KEKW\obj\Debug\KEKW.pdb (PEHSTR)
- how to recover.txt (PEHSTR_EXT)
- 1.aaf .aep .aepx .plb .prel .prproj .aet .ppj .psd (PEHSTR)
- BB ransomware (PEHSTR_EXT)
- .encryptedbyBB (PEHSTR_EXT)
- FirstRansomStartup (PEHSTR_EXT)
- .likud (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Run\ILElection (PEHSTR_EXT)
- ILElection2020_Ransomware (PEHSTR_EXT)
- http://restore-now.top/online-chat (PEHSTR_EXT)
- ProLock Ransomware (PEHSTR)
- :\Programdata\lock.xml (PEHSTR)
- 6NEPHILIM-DECRYPT.txt (PEHSTR_EXT)
- xInclude\pyconfig.h (PEHSTR)
- xbitcoin.bmp (PEHSTR)
- xlock.bmp (PEHSTR)
- xlock.ico (PEHSTR)
- xruntime.cfg (PEHSTR)
- zout00-PYZ.pyz (PEHSTR)
- #\_RMAMO\_RMAMO\obj\Debug\_RMAMO.pdb (PEHSTR)
- ,SOFTWARE\Policies\Microsoft\Windows Defender (PEHSTR)
- svhost.exe (PEHSTR)
- C:\Decoder.hta (PEHSTR)
- Data recovery.hta (PEHSTR)
- .WannaRen (PEHSTR_EXT)
- iaminfected.sac@elude.i (PEHSTR_EXT)
- :\ProgramData\cmdkey.bat (PEHSTR_EXT)
- :\Windows\System32\cmdkey.exe (PEHSTR_EXT)
- \Unlock_All_Files.txt (PEHSTR_EXT)
- FileUnlockFileEx\Encrypt.exe (PEHSTR_EXT)
- @gmail.com or https://t.me/filedecrypt002 (PEHSTR_EXT)
- Bear.exe (PEHSTR)
- \Bear\obj\ (PEHSTR_EXT)
- \Bear.pdb (PEHSTR_EXT)
- Creepy Ransomware (PEHSTR)
- Its a powerful ransomware (PEHSTR)
- %s.lock (PEHSTR_EXT)
- 0empty.lock (PEHSTR_EXT)
- DECRPToffice@gmail.com (PEHSTR_EXT)
- \Decryption-Info.HTA (PEHSTR_EXT)
- D:\yo\chaos\Release\chaos.pdb (PEHSTR_EXT)
- C:\ProgramData\pubkey.txt (PEHSTR_EXT)
- C:\ProgramData\IDo.txt (PEHSTR_EXT)
- RtlSetProcessIsCritical (PEHSTR_EXT)
- S/F /Create /TN Tencentid /sc minute /MO 1 /TR C:\Users\Public\Music\tencentsoso.exe (PEHSTR)
- Music\cia.plan (PEHSTR)
- e/C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v tencentid /t REG_SZ /d "Rundll32.exe (PEHSTR)
- \Users\Public\Music\SideBar.dll (PEHSTR)
- $Recycle.Bin (PEHSTR_EXT)
- bootsect.bak (PEHSTR_EXT)
- DllInstall (PEHSTR_EXT)
- RANSOMWARE (PEHSTR_EXT)
- CyberThanos.pdb (PEHSTR_EXT)
- bcdedit /set {default} bootstatuspolicy (PEHSTR_EXT)
- C:\\Please Read Me!!!.hta (PEHSTR_EXT)
- D:\\Please Read Me!!!.hta (PEHSTR_EXT)
- A:\\Please Read Me!!!.hta (PEHSTR_EXT)
- B:\\Please Read Me!!!.hta (PEHSTR_EXT)
- \Downloads\Please Read Me!!!.hta (PEHSTR_EXT)
- \Beni_Oku!!!.hta (PEHSTR_EXT)
- .txt;.doc;.docx;.intex;.pdf;.zip;.rar;.onetoc; (PEHSTR_EXT)
- avp.exe (PEHSTR_EXT)
- \FILES.txt (PEHSTR_EXT)
- \\.\pipe\turum (PEHSTR_EXT)
- avpui.exe (PEHSTR_EXT)
- \WannaBe.exe (PEHSTR_EXT)
- \AppData\Local\Google\Chrome\_k1.exe (PEHSTR_EXT)
- \AppData\Local\MSData\k2.exe (PEHSTR_EXT)
- C:\temp_ (PEHSTR_EXT)
- Netwalker_dll.dll (PEHSTR_EXT)
- /c timeout 1 && del "%s" (PEHSTR_EXT)
- ReadMe.txt (PEHSTR_EXT)
- sodinsupport@cock.li (PEHSTR_EXT)
- Geminis3's(R) Ransominator (PEHSTR)
- \Desktop\README.txt (PEHSTR)
- \Ransomware.pdb (PEHSTR)
- 3C:/Users/windows/go/src/VashRansomwarev2/Encrypt.go (PEHSTR)
- .decrypt all your files after paying the ransom (PEHSTR)
- .ragnarok (PEHSTR_EXT)
- C:\aaa_TouchMeNot_\aaa_TouchMeNot_.txt (PEHSTR_EXT)
- /c WmIc ShaDowcoPY delEte (PEHSTR_EXT)
- %compname% (PEHSTR)
- http://gisele.liroy.free.fr/bitmap (PEHSTR_EXT)
- %PUBLIC%\public_user.vcrypt (PEHSTR_EXT)
- %_music.vcrypt (PEHSTR_EXT)
- do "%TEMP%\ (PEHSTR_EXT)
- .exe" a -t7z -r -mx0 - (PEHSTR_EXT)
- #Go build ID: "SPlES9E155q_V-b330Fx/2 (PEHSTR)
- #Go build ID: "X6lNEpDhc_qgQl56x4du/ (PEHSTR)
- AES_EnDecryptor.Basement (PEHSTR)
- Encode.exe (PEHSTR)
- .locked (PEHSTR)
- .cryptd (PEHSTR)
- ?\wana\Ransomware_ALL_encode\dir_file\obj\x86\Release\Encode.pdb (PEHSTR)
- Cryptowall.htm (PEHSTR)
- fullscreen.vbs (PEHSTR)
- \ransomware\hutchins.pdb (PEHSTR_EXT)
- \fucking\idiotic\nonexisting\file\with\pdb\extension.pdb (PEHSTR_EXT)
- Encryptor.exe (PEHSTR_EXT)
- DESCryptoServiceProvider (PEHSTR_EXT)
- ollydbg.exe (PEHSTR)
- ProcessHacker.exe (PEHSTR)
- Computer Information (PEHSTR)
- isRansomePopup (PEHSTR)
- ransomeEncPath (PEHSTR)
- :8083/welcome.do (PEHSTR)
- mpr.dll (PEHSTR_EXT)
- eventvwr.exe (PEHSTR_EXT)
- slui.exe (PEHSTR_EXT)
- exefile (PEHSTR_EXT)
- \COBRA\COBRA\ (PEHSTR_EXT)
- \COBRA.pdb (PEHSTR_EXT)
- NEPHILIN-DECRYPT.txt (PEHSTR_EXT)
- /c bcdedit /set {default} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
- Ransomware.Jigsaw\obj\x86\Debug\ConsoleApplication.pdb (PEHSTR_EXT)
- +/+4oC (PEHSTR)
- Your personal files are being deleted. Your photos, videos, documents, etc (PEHSTR_EXT)
- I want to play a game with you.., however, let me explain the golden RULES (PEHSTR_EXT)
- But, don't worry! It will only happen if you don't comply (PEHSTR_EXT)
- However, I've already encrypted your personal files, so you cannot access them. (PEHSTR_EXT)
- should you restart the computer, Game Over!!!, you lose (PEHSTR_EXT)
- Wasting your key entries will just cause permanent data damage to your computer (PEHSTR_EXT)
- Encrypted_FileList.txt (PEHSTR_EXT)
- \Release\Coco2020.pdb (PEHSTR_EXT)
- \Decrypt Instructions.txt (PEHSTR_EXT)
- \Release\ParaEncrypt.pdb (PEHSTR_EXT)
- Your documents, photos, databases and other important files are encrypted and have the extension: .ZRB (PEHSTR_EXT)
- #Go build ID: "CYMmKsMymnihvPTjf35k/ (PEHSTR)
- Sapphire Ransomware (PEHSTR_EXT)
- \Sapphire-Ransomware-master\Sapphire Ransomware\obj\Debug\ (PEHSTR_EXT)
- \vb\wifi hacker (PEHSTR_EXT)
- c:\wh\wh.jpg (PEHSTR_EXT)
- \virubim_eshky.jpg (PEHSTR_EXT)
- SIGARETA-RESTORE.txt (PEHSTR_EXT)
- \Release\SIGARETA.pdb (PEHSTR_EXT)
- .SIGARETA (PEHSTR_EXT)
- Ransomeware.My.Resources (PEHSTR)
- Ransomeware.pdb (PEHSTR)
- We are so sorry... Your files were encrypted! (PEHSTR_EXT)
- /c vSSAdmiN dELeTe ShaDowS /AlL /qUieT (PEHSTR_EXT)
- %fileid%-DECRYPT.txt (PEHSTR_EXT)
- g-DECRYPT.txt (PEHSTR_EXT)
- "ip":"%ip%","country":"%cnt%","version":"%ver%","computer_name":"%compname%","username":"%user%","os":"%win%","pr_key": (PEHSTR_EXT)
- description.Text (PEHSTR_EXT)
- modify, rename, delete or change the encrypted (.dsec) files (PEHSTR_EXT)
- Your photos, music, documents, work files, etc. are now encoded and unreadable. (PEHSTR_EXT)
- CardersLiveMatter.pdb (PEHSTR_EXT)
- gfg9urwyf7.pdb (PEHSTR_EXT)
- DECRYPT_FILES.TXT (PEHSTR)
- #\HOW TO RESTORE ENCRYPTED FILES.TXT (PEHSTR)
- RECOVER YOUR FILES.hta (PEHSTR_EXT)
- RECOVER YOUR FILES.txt (PEHSTR_EXT)
- .[{0}].bclaw (PEHSTR_EXT)
- .bclaw (PEHSTR_EXT)
- https://claw.black/ (PEHSTR_EXT)
- /C choice /C Y /N /D Y /T 3 & Del " (PEHSTR_EXT)
- CryptApp.pdb (PEHSTR)
- Do not rename encrypted files. (PEHSTR)
- CLOWN RANSOMWARE (PEHSTR)
- 2All personal files on your computer are encrypted! (PEHSTR)
- "HOW TO RECOVER ENCRYPTED FILES.txt (PEHSTR)
- AdminEnc@Protonmail.com (PEHSTR)
- DecryptAdmin@prtonmail.com (PEHSTR)
- .backupdb (PEHSTR_EXT)
- \System Volume Information\ (PEHSTR_EXT)
- %s\Readme.README (PEHSTR_EXT)
- n.locked (PEHSTR_EXT)
- C:\WINDOWS\SYSTEM32\drivers\root\system\*.* (PEHSTR_EXT)
- C:\WINDOWS\SYSTEM32\drivers\gmreadme.txt (PEHSTR_EXT)
- Delete crypter *.txt files (PEHSTR_EXT)
- /Your network has been infected by <span>Avaddon (PEHSTR)
- 1\BIN\%s.exe (PEHSTR)
- \XMedCon\bin\medcon.exe (PEHSTR)
- Ransomware (PEHSTR_EXT)
- main.makeBatFile (PEHSTR)
- main.deleteShadowCopy (PEHSTR)
- main.reboot (PEHSTR)
- main.randomBatFileName (PEHSTR)
- crypto/rsa.encrypt (PEHSTR)
- main.(*myService).Execute (PEHSTR)
- bGo build ID: "GerjxNEfy4gHBYpB64v2/joNTalGJe9U8Yg6dfPy2/umrIDSyjS4lMeiC6xWjV/KsxLmA7v9NoUmVBtr-4E" (PEHSTR)
- size = .mwahahah244140625 (PEHSTR)
- such-crypt/main.go (PEHSTR)
- _adv.exe (PEHSTR_EXT)
- \sosat' kiki\devka\Release\TELEGRAM.pdb (PEHSTR_EXT)
- aGo build ID: "2sK6gSW734NfBguuyn0H/FTFUloLoiAroVGT6Jb_E/F2jnF9VZC9JpBNTJ_ovO/8t_8v1ozd3K69RX_SxvO (PEHSTR)
- System.Security.Cryptography (PEHSTR)
- /deletevalue {current} safeboot (PEHSTR)
- bcdedit.exe (PEHSTR)
- /C shutdown /r /f /t 0 (PEHSTR)
- ,X/MHvS8r2rsf+xMoFoVuXNN9VP7QeQZAsvpVldZEujE= (PEHSTR)
- Windows.old (PEHSTR)
- testRansome.pdb (PEHSTR)
- Data.txt (PEHSTR)
- RansomewareInfoBackup (PEHSTR)
- .txt.doc.docx.xls.xlsx.ppt.pptx.pst.ost.msg.em.vsd.vsdx.csv.rtf.123.wks.wk1.pdf.dwg.onetoc2.snt.docb.docm.dot.dotm.dotx.xlsm.xlsb.xlw.xlt.xlm. (PEHSTR)
- 1\BIN\gm.exe (PEHSTR)
- ,<p>Do not try to recover files yourself!</p> (PEHSTR)
- C:/Users/ADMIN/go/scr/Encrypt/Encrypt.go (PEHSTR_EXT)
- main.encrypt (PEHSTR_EXT)
- \Users\roile\source\repos\WastedBit\ (PEHSTR_EXT)
- \WastedBit.pdb (PEHSTR_EXT)
- \Documents\WastedBit\Wasted.bmp (PEHSTR_EXT)
- \Documents\WastedBit\mario.wav (PEHSTR_EXT)
- srv-file7.gofile.io/download/6MAQQl/Mario-PixTeller.png (PEHSTR_EXT)
- @Readme.txt (PEHSTR_EXT)
- .wasted (PEHSTR_EXT)
- \GOMER-README.txt (PEHSTR_EXT)
- \encryptFiles.pdb (PEHSTR_EXT)
- gomer.ini (PEHSTR_EXT)
- .gomer (PEHSTR_EXT)
- cmd.exe /c vssadmin Delete Shadows /All /Quiet & wmic shadowcopy delete (PEHSTR_EXT)
- # How To Decrypt Files #.hta (PEHSTR_EXT)
- Copy Cpriv.key %appdata%\Cpriv.key (PEHSTR_EXT)
- !TXDOT_READ_ME!.txt (PEHSTR_EXT)
- Mail us: txdot911@protonmail.com (PEHSTR_EXT)
- Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable (PEHSTR_EXT)
- \How_to_Unlock_Files.txt (PEHSTR_EXT)
- \How_To_Decrypt_Files.txt (PEHSTR_EXT)
- we can decrypt all your files after paying the ransom (PEHSTR_EXT)
- @gmail.com or https://t.me/File (PEHSTR_EXT)
- C:/Users/ (PEHSTR_EXT)
- /go/src/ (PEHSTR_EXT)
- /Encrypt.go (PEHSTR_EXT)
- csrsse.exe (PEHSTR_EXT)
- .52pojie (PEHSTR_EXT)
- \shell\open\command (PEHSTR_EXT)
- (*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG (PEHSTR_EXT)
- \XMedCon\bin\medcon (PEHSTR)
- taskkill /IM sql* /f (PEHSTR_EXT)
- \enc\ (PEHSTR_EXT)
- \enc.pdb (PEHSTR_EXT)
- <title>Avaddon</title> (PEHSTR)
- taskkill /f /im taskmgr.exe (PEHSTR)
- #del /f /s /q %userprofile%\Desktop\ (PEHSTR)
- *del /f /s /q "C:\Program Files\WindowsApps (PEHSTR)
- .Cobra (PEHSTR_EXT)
- ransomware (PEHSTR_EXT)
- CashCat.g.resources (PEHSTR)
- &CashCat.Properties.Resources.resources (PEHSTR)
- CashCatRansomwareSimulator (PEHSTR)
- J\Documents\GitHub\CashCatRansomwareSimulator\CashCat\obj\Debug\CashCat.pdb (PEHSTR)
- CashCat.exe (PEHSTR)
- LComputer code on a screen with a skull representing a computer virus / malware attack. (PEHSTR_EXT)
- reha_ransomware_650x381 (PEHSTR_EXT)
- pList.txt (PEHSTR_EXT)
- robnr.sys (PEHSTR_EXT)
- m=+Inf, n -Inf.bat.cmd.com.exe (PEHSTR_EXT)
- function.enc_robbin_hood (PEHSTR_EXT)
- (nil)+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930. (PEHSTR_EXT)
- .rbhd (PEHSTR_EXT)
- Go build ID: "te2kDHCtcNEzM793uSK-/qcX4_9l5TMx0upjvHY1c/6wAv8MU9rb9S69d0iU8U/aFx7UDqYGYkpNLCqBo1P" (PEHSTR_EXT)
- Go build ID: "qp9Xe0v8Zzt9IwBj9_Wt/tilZJP1eGWylLw-kTJuw/Bqr7IIku6bame9non3UZ/fLk4axx9eYm_wDu6J7Xk" (PEHSTR_EXT)
- Go build ID: "GbDR9syJNsY0KEkc2yeo/WxCLZBUe_KSPefUo9FaI/iK00GaI0oV_ZuXJMjnzq/gfJBwJ_2fRFj5LH7GU_Q" (PEHSTR_EXT)
- \Temp\gdrv.sys (FILEPATH)
- \Temp\rbnl.sys (FILEPATH)
- go/src/NewBoss (PEHSTR_EXT)
- /main.go (PEHSTR_EXT)
- go/src/NewBoss2/main.go (PEHSTR_EXT)
- _Square\up\winlogon.exe (PEHSTR_EXT)
- 2cmd.exe /c sc.exe stop BackupExecManagementService (PEHSTR)
- 4cmd.exe /c sc.exe stop "Sophos File Scanner Service" (PEHSTR)
- 4cmd.exe /c sc.exe stop MSSQLFDLauncher$SBSMONITORING (PEHSTR)
- 1cmd.exe /c sc.exe stop McAfeeFrameworkMcAfeeFrame (PEHSTR)
- .cmd.exe /c sc.exe stop ReportServer$SYSTEM_BGC (PEHSTR)
- %wmic shadowcopy delete /nointeractive (PEHSTR)
- .panther (PEHSTR)
- stubAES.Resources (PEHSTR_EXT)
- .dsfdsf (PEHSTR_EXT)
- You Successfully Paid Part/All Of Your Outstanding Balance (PEHSTR_EXT)
- http://www.fusionpak.xyz/mal/verify.php (PEHSTR_EXT)
- C:\Users\Samb2\Desktop\DUMB-master\DUMB\obj\Release\DUMB.pdb (PEHSTR_EXT)
- All these actions will lead to data loss and unrecoverable. (PEHSTR_EXT)
- Your files on this computer have been encrypted due to security issues. (PEHSTR_EXT)
- wmic.exe shadowcopy delete (PEHSTR_EXT)
- schtasks /delete /tn WM /F (PEHSTR_EXT)
- I am so sorry ! All your files have been encryptd by RSA-1024 and AES-256 due to a computer security problems (PEHSTR_EXT)
- Do not try to use other software. For decryption KEY write HERE (PEHSTR_EXT)
- flapalinta1950@protonmail.com (PEHSTR_EXT)
- xersami@protonmail.com (PEHSTR_EXT)
- <div>To do this, please send your unique ID to the contacts below.</div> (PEHSTR_EXT)
- The longer you wait, the higher will become the decryption key price (PEHSTR_EXT)
- <title>CryLock</title> (PEHSTR_EXT)
- Encrypted by BlackRabbit. (PEHSTR_EXT)
- how_to_decrypt.hta (PEHSTR_EXT)
- aGo build ID: "BfUvnTM6FFYH3WSvi0DS/mGO2ay6vyoGkFwdwQaTD/exXn-FZ3HzR2jVTpiLBu/34lCPROA9vh2AZkZbgCU (PEHSTR)
- \README.html_ (PEHSTR)
- Administrator\Application Data\csrss.exe (PEHSTR_EXT)
- cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailuresh (PEHSTR_EXT)
- HOW TO DECRYPT FILES.TXT (PEHSTR_EXT)
- C:\ProgramData\IDk.txt (PEHSTR_EXT)
- C:\ProgramData\pubk.txt (PEHSTR_EXT)
- .Sophos (PEHSTR_EXT)
- bcdedit /set {default} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
- Go build ID: "R6dvaUktgv2SjVXDoMdo/kKgwagwoLRC88DpIXAmx/eipNq7_PQCTCOhZ6Q74q/RHJkCaNdTbd6qgYiA-EC" (PEHSTR_EXT)
- unreachableuserenv.dll (PEHSTR_EXT)
- -DECRYPT.txt (PEHSTR_EXT)
- .avi.css.doc.gif.htm.jpg.mov.mp3.mp4.mpg.pdf.png.ppt.rar.svg.txt.xls.xml.zip (PEHSTR_EXT)
- 2copy %temp%\paying\pay-to-unlock.txt %SystemDrive% (PEHSTR)
- ,del /q /s /f %temp%\paying\pay-to-unlock.exe (PEHSTR)
- %systemdrive%\ (PEHSTR_EXT)
- \ESET\ESET NOD32 Antivirus\callmsi.exe" /x { (PEHSTR_EXT)
- } /quiet (PEHSTR_EXT)
- %systemdrive%\Windows\System32\msiexec.exe /x { (PEHSTR_EXT)
- %SYSTEMDRIVE%\ (PEHSTR_EXT)
- \Avira\AntiVir Desktop\setup.exe" /remsilentnoreboot (PEHSTR_EXT)
- \SMADAV\unins000.exe" /SILENT (PEHSTR_EXT)
- \AVG\Av\avgmfapx.exe" /Appmode=Setup /uninstall /uilevel=Silent /dontrestart (PEHSTR_EXT)
- %ProgramFiles%\McAfee Security Scan\uninstall.exe" /S /inner (PEHSTR_EXT)
- del /q /s /f %systemdrive%\ (PEHSTR_EXT)
- \Baidu Security\PC Faster\*.* (PEHSTR_EXT)
- set datadir=%systemdrive%\ (PEHSTR_EXT)
- \avira (PEHSTR_EXT)
- del /q /s /f "%datadir%" (PEHSTR_EXT)
- rem /////////////////////////////////////////////////////////////////////////PA-b2edecompile (PEHSTR_EXT)
- :\Windows\JRansomBootScreen.exe (PEHSTR_EXT)
- taskmgr.exe,cmd.exe,chrome.exe,firefox.exe,opera.exe,microsoftedge.exe,microsoftedgecp.exe,notepad++,notepad.exe,iexplore.exe (PEHSTR_EXT)
- jaemin1508@naver.com (PEHSTR_EXT)
- desktop.ini (PEHSTR_EXT)
- _READ_ME_.txt (PEHSTR_EXT)
- \wyvernlocker\ (PEHSTR_EXT)
- \wyvernlocker.pdb (PEHSTR_EXT)
- \Start Menu\Programs\Startup\README.html (PEHSTR_EXT)
- testers.exe (PEHSTR_EXT)
- D:/GoProj/src/YourRansom/data.go (PEHSTR_EXT)
- \\.\PHYSICALDRIVE%d (PEHSTR_EXT)
- $!.txt (PEHSTR_EXT)
- .ragn@r (PEHSTR_EXT)
- .Lock (PEHSTR_EXT)
- /c del C:\* /s /q (PEHSTR_EXT)
- xbase_library.zip (PEHSTR_EXT)
- xbitcoin.bmp (PEHSTR_EXT)
- xlock.bmp (PEHSTR_EXT)
- xlock.ico (PEHSTR_EXT)
- taskkill /f /im explorer.exe (PEHSTR_EXT)
- IF YOU DO NOT HAVE A JABBER. TO WRITE TO US TO REGISTER (PEHSTR_EXT)
- system32.exe (PEHSTR_EXT)
- [/TASKNAME][AUTOEXEC][README]HOW TO RECOVE (PEHSTR_EXT)
- edzjkphvesw.uxe (PEHSTR_EXT)
- \Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe (PEHSTR_EXT)
- /c vssadmin Delete Shadows /All /Quiet & wmic shadowcopy delete (PEHSTR_EXT)
- component/app.xaml (PEHSTR_EXT)
- CyptedReady.ini (PEHSTR_EXT)
- component/mainwindow.xaml (PEHSTR_EXT)
- Ransome Ware (PEHSTR_EXT)
- Ransome Ware.g.resources (PEHSTR_EXT)
- Ransome_Ware.Properties.Resources (PEHSTR_EXT)
- Your Windows Computer Has Contracked (PEHSTR_EXT)
- ReadME-Decrypt.txt (PEHSTR_EXT)
- https://paxful.com (PEHSTR_EXT)
- mailto:MREncptor@protonmail.com (PEHSTR_EXT)
- file-recovery-instructions.html (PEHSTR_EXT)
- The only way to recover your files is to pay .1 Bitcoins (PEHSTR_EXT)
- For Help email: help@zerodaysample2018.net (PEHSTR_EXT)
- we will publish all private data on http://conti.news/TEST (PEHSTR_EXT)
- /c del C:* /s /q (PEHSTR_EXT)
- Ransomnote (PEHSTR_EXT)
- /c taskkill /im explorer.exe /f (PEHSTR_EXT)
- shit.pdb (PEHSTR_EXT)
- creepyshit.log (PEHSTR_EXT)
- reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (PEHSTR_EXT)
- How To Decrypt Files.hta (PEHSTR_EXT)
- Help.txt (PEHSTR_EXT)
- schtasks /CREATE /SC ONLOGON /TN (PEHSTR_EXT)
- RansomBlox.exe (PEHSTR_EXT)
- RansomBlox.Properties (PEHSTR_EXT)
- Ransomeware (PEHSTR_EXT)
- hackermtc2k@india.com (PEHSTR_EXT)
- WanaCry Fake.ini (PEHSTR_EXT)
- https://ylhsakxusnjablzqytnsdmrrpt0.000webhostapp.com/ramsom.php (PEHSTR_EXT)
- Microsoft\Windows\Start Menu\Programs\Startup (PEHSTR_EXT)
- \svchost.exe (PEHSTR_EXT)
- TASKKILL /F /IM (PEHSTR_EXT)
- /C killme.bat >> NUL (PEHSTR_EXT)
- .AMJIXIUS (PEHSTR_EXT)
- batch.bat (PEHSTR_EXT)
- .z3back (PEHSTR_EXT)
- .z3enc (PEHSTR_EXT)
- \Desktop\Sandbox (PEHSTR_EXT)
- \key.txt (PEHSTR_EXT)
- \iv.txt (PEHSTR_EXT)
- _readme.txt (PEHSTR_EXT)
- config.txt (PEHSTR_EXT)
- hta.txt (PEHSTR_EXT)
- /c "ping 0.0.0.0&del " (PEHSTR_EXT)
- Files have been encrypted!And Your computer has been limited! (PEHSTR_EXT)
- cuteRansomware (PEHSTR_EXT)
- secret.txt (PEHSTR_EXT)
- Ransomware.pdb (PEHSTR_EXT)
- RANSOM_FILENAME (PEHSTR_EXT)
- RANSOM_NOTE (PEHSTR_EXT)
- Ransomware Test (PEHSTR_EXT)
- Ransomware2.0 (PEHSTR_EXT)
- SC_Ransom (PEHSTR_EXT)
- Ransomware2._0.Properties.Resources (PEHSTR_EXT)
- Now pay me the ransomware. BTC Address: (PEHSTR_EXT)
- Corona.pdb (PEHSTR_EXT)
- Your personal files are being deleted. Your photos, videos, documents, etc... (PEHSTR_EXT)
- Encryption Complete (PEHSTR_EXT)
- .HUSTONWEHAVEAPROBLEM@KEEMAIL.ME (PEHSTR_EXT)
- checkip.dyndns.org (PEHSTR_EXT)
- Do not try to decrypt your data using third party software, it may cause permanent data loss. (PEHSTR_EXT)
- ----------- [ Welcome to Dark ] -------------> (PEHSTR_EXT)
- First of all we have uploaded more then 100 GB data. (PEHSTR_EXT)
- After publication, your data will be available for at least 6 months on our tor cdn servers. (PEHSTR_EXT)
- .PATPAT (PEHSTR_EXT)
- patpatware.Properties.Resources (PEHSTR_EXT)
- Still locked. Just pay. (PEHSTR_EXT)
- Unlocked. Thanks for paying. (PEHSTR_EXT)
- password.txt (PEHSTR_EXT)
- MALWARE.pdb (PEHSTR_EXT)
- Encrypter.pdb (PEHSTR_EXT)
- \d78b6f30225cdc811adfe8d4e7c9fd34\Encrypter.exe (PEHSTR_EXT)
- \d78b6f30225cdc811adfe8d4e7c9fd34\Decrypter.exe (PEHSTR_EXT)
- \Death_Shadow\bin\ (PEHSTR_EXT)
- \Secured\Death_Shadow.pdb (PEHSTR_EXT)
- txt|vbs|jsp|php|wav|swf|wmv|mpg|mpeg|avi|mov|mkv|flv|svg|psd|gif|bmp|iso|bck (PEHSTR_EXT)
- download/Decryptor.exe (PEHSTR_EXT)
- download/Backdoor.exe (PEHSTR_EXT)
- RANSOMWARE_SEC (PEHSTR_EXT)
- PSNSOMWARE - A PSN RANSOMWARE - Can't execute ! (PEHSTR_EXT)
- \AppData\psnomware (PEHSTR_EXT)
- .psnomware (PEHSTR_EXT)
- \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.exe (PEHSTR_EXT)
- \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.html (PEHSTR_EXT)
- <title>PSNOMWARE ransomware</title> (PEHSTR_EXT)
- \Desktop\Decryptor.exe (PEHSTR_EXT)
- \Desktop\README.HTML (PEHSTR_EXT)
- ._____TBTT_____ (PEHSTR_EXT)
- encryptor.Properties.Resources (PEHSTR_EXT)
- encryptor.pdb (PEHSTR_EXT)
- To decrypt more, contact: programiletisim1@gmail.com (PEHSTR_EXT)
- .zeronine (PEHSTR_EXT)
- All your important data has been encrypted. (PEHSTR_EXT)
- Send 1 test image or text file squadhack@email.tg (PEHSTR_EXT)
- !RECOVER.txt (PEHSTR_EXT)
- If you are smart you know how to decrypt your files with this key. (PEHSTR_EXT)
- Key is wrong! Please restart the program to send it again. (PEHSTR_EXT)
- del /Q /F C:\Program Files\kasper (PEHSTR_EXT)
- del /Q /F C:\Program Files\Norton (PEHSTR_EXT)
- del /Q /F C:\Program Files\Mcafee (PEHSTR_EXT)
- del /Q /F C:\Program Files\trojan (PEHSTR_EXT)
- del /Q /F C:\Program Files\nood32 (PEHSTR_EXT)
- del /Q /F C:\Program Files\panda (PEHSTR_EXT)
- \crysis\Release\PDB\payload.pdb (PEHSTR_EXT)
- Your Computer has been injected by TapRiF Trojans! (PEHSTR_EXT)
- 2478290.bat (PEHSTR_EXT)
- \TapPiF\obj\ (PEHSTR_EXT)
- \TapPiF.pdb (PEHSTR_EXT)
- \Documents\DeleteFile.exe (PEHSTR_EXT)
- Your personal files are being encrypted by Syrk Malware. (PEHSTR_EXT)
- *.Syrk (PEHSTR_EXT)
- .CONTI (PEHSTR_EXT)
- HOW_TO_DECRYPT.txt (PEHSTR_EXT)
- $RECYCLE.BIN (PEHSTR_EXT)
- !!!READ_ME!!!.txt (PEHSTR_EXT)
- READ_ME.txt (PEHSTR_EXT)
- cmd.exe /C ping 1.1.1.1 -n 10 -w 3000 > Nul & Del /f /q "%s" (PEHSTR_EXT)
- c:\111\hermes\cryptopp (PEHSTR_EXT)
- READ_ME.TXT (PEHSTR_EXT)
- HELP_PC.EZDZ-REMOVE.txt (PEHSTR_EXT)
- encrypted_key.bin (PEHSTR_EXT)
- @protonmail.com (PEHSTR_EXT)
- !!!Readme!!!Help!!!.txt (PEHSTR_EXT)
- data1992@protonmail.com (PEHSTR_EXT)
- shutdown.exe (PEHSTR_EXT)
- System.IO.Compression (PEHSTR_EXT)
- If you wanna support me, you can send me a beer money via cryptocurrency. Thanks a lot. (PEHSTR_EXT)
- JonCrypt.pdb (PEHSTR_EXT)
- ransomware.exe (PEHSTR_EXT)
- ransomware.pdb (PEHSTR_EXT)
- Cynet Ransom Protection(DON'T DELETE) (PEHSTR_EXT)
- C:\Windows\Logs\kekw.exe (PEHSTR_EXT)
- https://cdn.discordapp.com/attachments/734517412287873038/746088022356918463/ (PEHSTR_EXT)
- Files on your computers are encoded by a hard algorithm (PEHSTR_EXT)
- *.morseop- (PEHSTR_EXT)
- Dont_Worry.txt (PEHSTR_EXT)
- paycrypt@gmail_com (PEHSTR_EXT)
- .wncry (PEHSTR_EXT)
- aaa_TouchMeNot_\aaa_TouchMeNot_.txt (PEHSTR_EXT)
- CONTI_README.txt (PEHSTR_EXT)
- cmd.exe /c net stop VeeamBrokerSvc /y (PEHSTR_EXT)
- cmd.exe /c net stop mfefire /y (PEHSTR_EXT)
- cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y (PEHSTR_EXT)
- cmd.exe /c net stop VeeamEnterpriseManagerSvc (PEHSTR_EXT)
- kremez and hszrd fuckoff.txt (PEHSTR_EXT)
- Default User\finish (PEHSTR_EXT)
- src/Lock/internal/pkg/encryption (PEHSTR_EXT)
- Cryptolocker.txt (PEHSTR_EXT)
- Help to decrypt.txt (PEHSTR_EXT)
- schtasks /Create /SC MINUTE /TN (PEHSTR_EXT)
- bcdedit.exe / set{ default } bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
- bcdedit.exe / set{ default } recoveryenabled No (PEHSTR_EXT)
- vssadmin.exe Delete Shadows / All / Quiet (PEHSTR_EXT)
- HOW TO RESTORE FILES.TXT (PEHSTR_EXT)
- .mouse (PEHSTR_EXT)
- All encrypted files for this computer has extension: .9465bb (PEHSTR_EXT)
- Rebooting/shutdown will cause you to lose files without the possibility of recovery (PEHSTR_EXT)
- <.onion (PEHSTR_EXT)
- restoremanager@airmail.cc (PEHSTR_EXT)
- https://we.tl/t-ccUfUrQOhF (PEHSTR_EXT)
- Your files are NOT damaged! Your files are modified only. This modification is reversible (PEHSTR_EXT)
- "fls":["boot.ini","iconcache.db","bootsect.bak","thumbs.db" (PEHSTR_EXT)
- "dmn":"ravensnesthomegoods.com;hypozentrum.com;xn--singlebrsen-vergleich-nec.com; (PEHSTR_EXT)
- bcdedit.exe /set {default} recoveryenabled No (PEHSTR_EXT)
- bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
- wmic.exe SHADOWCOPY /nointeractive (PEHSTR_EXT)
- Desktop\README.txt (PEHSTR_EXT)
- .bigbosshorse (PEHSTR)
- #Decryption#.txt (PEHSTR)
- %appdata%\_uninstalling_.png (PEHSTR)
- /C sc delete VSSA (PEHSTR_EXT)
- You have to pay in Bitcoins. (PEHSTR_EXT)
- System.Security.Cryptography (PEHSTR_EXT)
- </CRYPTED> (PEHSTR_EXT)
- sysnative\vssadmin.exe (PEHSTR_EXT)
- cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q (PEHSTR_EXT)
- \root\cimv2 (PEHSTR_EXT)
- Consciousness Ransomware Text Message.txt (PEHSTR_EXT)
- Hacking activities had been run through out your computer/Laptop (PEHSTR_EXT)
- transfer $400.00 to us with bitcoin (PEHSTR_EXT)
- .Consciousness (PEHSTR_EXT)
- Read-Me-Now.txt (PEHSTR_EXT)
- \Desktop\Fuck.txt (PEHSTR_EXT)
- If you want restore files write on e-mail - jimmyneytron@tuta.io (PEHSTR_EXT)
- .rapid (PEHSTR_EXT)
- ! How Decrypt Files.txt (PEHSTR_EXT)
- .guesswho (PEHSTR_EXT)
- rapid@airmail.cc (PEHSTR_EXT)
- SCHTASKS /DELETE /TN (PEHSTR_EXT)
- networkauto.top (PEHSTR_EXT)
- gate.php (PEHSTR_EXT)
- run/v msascui/f reg delete (PEHSTR)
- RANSOM.txt (PEHSTR_EXT)
- .shit (PEHSTR_EXT)
- How__to__decrypt__files.txt (PEHSTR_EXT)
- sicck@protonmail.com (PEHSTR_EXT)
- cmd.exe /c taskkill /f /im (PEHSTR_EXT)
- cmd.exe /c ping 127.0.0.1>nul & del /q (PEHSTR_EXT)
- cry_demo.dll (PEHSTR_EXT)
- cmd_shadow (PEHSTR_EXT)
- If you do not pay, we will publish private data on our news site. (PEHSTR_EXT)
- How_To_Decrypt.txt (PEHSTR_EXT)
- .ini.encrypted (PEHSTR_EXT)
- mARASUF@cock.li (PEHSTR_EXT)
- !INFO.HTA (PEHSTR_EXT)
- Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring (PEHSTR_EXT)
- Now with twice the ransom! (PEHSTR_EXT)
- Your files are encrypted, and currently unavailable. (PEHSTR_EXT)
- We absolutely do not care about you and your deals, except getting benefits. (PEHSTR_EXT)
- There you can decrypt one file for free. That is our guarantee. (PEHSTR_EXT)
- Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml (PEHSTR_EXT)
- main.ransomNote (PEHSTR_EXT)
- .encrypted (PEHSTR_EXT)
- Rasomware2.0 (PEHSTR_EXT)
- .Dusk (PEHSTR_EXT)
- cyber.duskfly@protonmail.com (PEHSTR_EXT)
- REPLACE_COMMAND_LINE (PEHSTR_EXT)
- \system32\cmstp.exe (PEHSTR_EXT)
- ig.exe (PEHSTR_EXT)
- Start Ransomware (PEHSTR_EXT)
- DeletedItems.txt (PEHSTR_EXT)
- Local\RustBacktraceMutex (PEHSTR_EXT)
- \Recover files.hta (PEHSTR_EXT)
- .CRPTD (PEHSTR_EXT)
- wevtutil cl "%1"\start_after.bat (PEHSTR_EXT)
- \release\deps\untitled.pdb (PEHSTR_EXT)
- \CONTI_README.txt (PEHSTR_EXT)
- The system is LOCKED. Do not try to unlock with other software. For KEY write on emails: (PEHSTR_EXT)
- \aaa_TouchMeNot_.txt (PEHSTR_EXT)
- Starting fake svchost.exe... (PEHSTR_EXT)
- Infecting computer... (PEHSTR_EXT)
- HOW_TO_DECYPHER_FILES.txt (PEHSTR_EXT)
- HOW_TO_DECYPHER_FILES.hta (PEHSTR_EXT)
- \MedusaLockerInfo\MedusaLockerProject\MedusaLocker\Release\MedusaLocker.pdb (PEHSTR_EXT)
- SOFTWARE\Medusa (PEHSTR_EXT)
- SOFTWARE\MDSLK (PEHSTR_EXT)
- vssadmin.exe delete (PEHSTR_EXT)
- bcdedit.exe /set {default} (PEHSTR_EXT)
- .exe,.dll,.sys,.ini,.lnk,.rdp,.encrypted (PEHSTR_EXT)
- SOFTWARE\akocfg (PEHSTR_EXT)
- YOUR COMPANY NETWORK HAS BEEN PENETRATED (PEHSTR_EXT)
- Recovery_Instructions.html (PEHSTR_EXT)
- msftesql.exe;sqlagent.exe;sqlbrowser.exe;sqlwriter.exe; (PEHSTR_EXT)
- Go build ID: "iiuL9q5ZYrfmy4wOFyiM/KaD8D4zsl63EgnfKUFaC/2aszngurlKaNbWyZAmzg/OwXzx0IqQiqnwkVyihGr (PEHSTR_EXT)
- http.http2ClientConn (PEHSTR_EXT)
- All of your network computers files is encrypted (PEHSTR_EXT)
- HELP_DECRYPT_YOUR_FILES.txt (PEHSTR_EXT)
- TelegramRansomware (PEHSTR_EXT)
- This is a private ransomware developed by our team and there is no decryption file for it (PEHSTR_EXT)
- Cryptor_noVSSnoPers.pdb (PEHSTR_EXT)
- Cryptor.exe (PEHSTR_EXT)
- teiuq/ lla/ swodahs eteled exe.nimdassv c/ dmc (PEHSTR_EXT)
- \Sapphire Ransomware.pdb (PEHSTR_EXT)
- How To Unlock Files.txt (PEHSTR_EXT)
- readme.tmp (PEHSTR_EXT)
- \ColdLocker\obj\Release\ColdLocker.pdb (PEHSTR_EXT)
- ransom.jpg (PEHSTR_EXT)
- READ_IT.txt.locked (PEHSTR_EXT)
- http://i.imgur.com/ (PEHSTR_EXT)
- TotalFiles.txt (PEHSTR_EXT)
- /c del (PEHSTR_EXT)
- HOW_TO_RECOVERY_FILES.txt (PEHSTR_EXT)
- ShellExecuteExW (PEHSTR_EXT)
- COMODO (PEHSTR_EXT)
- Dr.Web (PEHSTR_EXT)
- @tuta.io (PEHSTR_EXT)
- encrypted with powerful military grade Ransomware (PEHSTR_EXT)
- .Nibiru (PEHSTR_EXT)
- .fucked (PEHSTR_EXT)
- you are encrypted with powerful military grade Ransomware/Doxware (PEHSTR_EXT)
- pay us $4.5 Million of Bitcoin within 52 hours (PEHSTR_EXT)
- All your files are encrypted by Babax Ransomware! (PEHSTR_EXT)
- babaxRansom (PEHSTR_EXT)
- .babaxed (PEHSTR_EXT)
- babaxv2.exe (PEHSTR_EXT)
- \BABAX-Stealer\BabaxStealer v2\Babax (PEHSTR_EXT)
- \cryptopp800\sha_simd.cpp (PEHSTR_EXT)
- repter@tuta.io (PEHSTR_EXT)
- LockBit Decryptor 1.3 (PEHSTR_EXT)
- YOU HAVE BEEN ATTACKED. PLEASE CONTACT ON THIS EMAIL IF YOU WANT TO GET YOUR FILES BACK. (PEHSTR_EXT)
- encrypt.exe (PEHSTR_EXT)
- RecInstruct.osnoned (PEHSTR_EXT)
- Osno Ransomware (PEHSTR_EXT)
- OsnoDebug.txt (PEHSTR_EXT)
- process.env.hook = 'Osno' (PEHSTR_EXT)
- Osno Ransomware - How to recover your files (PEHSTR_EXT)
- Started the ransomware! (PEHSTR_EXT)
- All your files are encrypted by Osno Ransomware! (PEHSTR_EXT)
- MERIN-DECRYPTING.txt (PEHSTR_EXT)
- iD8s8SJDhHFJDkdkfOFig8g8hDjSkDlA (PEHSTR_EXT)
- Read For Decryption.lnk (PEHSTR_EXT)
- Decryptor.lnk (PEHSTR_EXT)
- /grant Users:F (PEHSTR_EXT)
- \Desktop\Decryption Note.txt (PEHSTR_EXT)
- Send 0.3 BTC To: (PEHSTR_EXT)
- $\__READ_ME_TO_RECOVER_YOUR_FILES.txt (PEHSTR)
- .encrp (PEHSTR)
- ?C:\Users\MARIO\source\repos\ENCRIPTAR\x64\Release\ENCRIPTAR.pdb (PEHSTR)
- GachaLife_Update.pdb (PEHSTR_EXT)
- \Ransomware21.pdb (PEHSTR_EXT)
- CIRCETsupport@secmail.pro (PEHSTR_EXT)
- read_me_lkd.txt (PEHSTR_EXT)
- Read this message CAREFULLY and contact someone from IT department. (PEHSTR_EXT)
- Ratlin.SVMf (PEHSTR_EXT)
- RMtPMq.LBMfhFukkXMEn (PEHSTR_EXT)
- C:\Users\Phoenix\Downloads\cryptopp800 (PEHSTR_EXT)
- Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f (PEHSTR_EXT)
- "status":"Complete"} (PEHSTR_EXT)
- \CryptoSomware.pdb (PEHSTR_EXT)
- Paradise v1.00 (PEHSTR_EXT)
- C:\Users\Public\Music\key.txt (PEHSTR_EXT)
- src/bin/ransomware.rs (PEHSTR_EXT)
- !!!README!!!.txt (PEHSTR_EXT)
- \.no_more_ransom (PEHSTR_EXT)
- \tasks\hddidlescan.job (PEHSTR_EXT)
- .keybtc@gmail_com (PEHSTR_EXT)
- .paycrypt@gmail_com (PEHSTR_EXT)
- _CryLocker_.exe (PEHSTR_EXT)
- get_BlueScreenFake (PEHSTR_EXT)
- HEY. AS YOU ALREADY UNDERSTOOD, I HAVE ALL THE LOGINS/PASSWORDS (PEHSTR_EXT)
- FOR ALL YOUR ACCOUNTS AND ENCRYPT SOME YOUR FILES. (PEHSTR_EXT)
- \Release\Install.pdb (PEHSTR_EXT)
- \Documents\pay.jpg (PEHSTR_EXT)
- \shell\legacysamples\appbar\ (PEHSTR_EXT)
- \AppBar.pdb (PEHSTR_EXT)
- Ransomware2_Load (PEHSTR_EXT)
- Rasomware2._0.Properties.Resources (PEHSTR_EXT)
- ransomware.g.resources (PEHSTR_EXT)
- ransomware_or_somethink_idk (PEHSTR_EXT)
- ransomware.Properties.Resources (PEHSTR_EXT)
- .SNPDRGN (PEHSTR_EXT)
- NO TRATES DE BORRAR EL RANSOMWARE (PEHSTR_EXT)
- VFJJUExFTShNTU0pIFJFQk9STiBSQU5TT01XQVJFIHY0 (PEHSTR_EXT)
- DropShit.exe (PEHSTR_EXT)
- DECRYPT_FILES.txt (PEHSTR_EXT)
- SpadeRansom (PEHSTR_EXT)
- .Caterpillar (PEHSTR_EXT)
- RansomFile@tutanota.com (PEHSTR_EXT)
- .Peace (PEHSTR_EXT)
- \Startup\win32.exe (PEHSTR_EXT)
- Ransome (PEHSTR_EXT)
- Black World Ransomware.exe (PEHSTR_EXT)
- Black_World_Ransomware.Properties (PEHSTR_EXT)
- Black World Ransomware.pdb (PEHSTR_EXT)
- install\obj\Release\install.pdb (PEHSTR_EXT)
- Users\Public\pay.jpg (PEHSTR_EXT)
- .crypted (PEHSTR_EXT)
- ransomback.png (PEHSTR_EXT)
- UpdateDecrypter.exe (PEHSTR_EXT)
- ransomupdate (PEHSTR_EXT)
- B.crypted (PEHSTR_EXT)
- Win32_ShadowCopy.ID (PEHSTR_EXT)
- Ntdll.dll (PEHSTR_EXT)
- RyukReadMe.html (PEHSTR_EXT)
- .xlsx (PEHSTR_EXT)
- .pptx (PEHSTR_EXT)
- @ctemplar.com (PEHSTR_EXT)
- Rasomware2._0.Ransomware2.resources (PEHSTR_EXT)
- WannaPlaguE.exe (PEHSTR_EXT)
- ProgramData\IDk.txt (PEHSTR_EXT)
- ProgramData\pubk.txt (PEHSTR_EXT)
- https://pastebin.com/raw/E1MURCfS (PEHSTR_EXT)
- Users\Legion\source\repos\curl\Release\curl.pdb (PEHSTR_EXT)
- Read-For-Decrypt.HTA (PEHSTR_EXT)
- Your copmuter has been locked by BlackMamba 2.0 Ransomware (PEHSTR_EXT)
- Ransomware2._0.Properties.Resources.resources (PEHSTR_EXT)
- Pransomware (PEHSTR_EXT)
- Pransomware_Load (PEHSTR_EXT)
- Ransomware.Properties.Resources (PEHSTR_EXT)
- files have been encrypted with special encryption program. (PEHSTR_EXT)
- PAGE_EXECUTE_READWRITE (PEHSTR_EXT)
- DllInjectionResult (PEHSTR_EXT)
- export HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- \BLOCK\obj\Debug\BLOCK.pdb (PEHSTR_EXT)
- main.encrypt_list (PEHSTR_EXT)
- main.GetFilesAndDirs (PEHSTR_EXT)
- main.writeReadMe (PEHSTR_EXT)
- main.fuckoff (PEHSTR_EXT)
- main.file_not_encrypt (PEHSTR_EXT)
- main.black_list_ext (PEHSTR_EXT)
- main.white_list_ext (PEHSTR_EXT)
- main.read_me_name (PEHSTR_EXT)
- paymeplease@sj.ms Yours PIN is: (PEHSTR_EXT)
- justfile.txt (PEHSTR_EXT)
- systms.exe (PEHSTR_EXT)
- Oops, all your documents, photos, videos and databases are encrypted by the Xy Ransomware (PEHSTR_EXT)
- You have 72 hours to pay, then ALL your files will be gone.@ (PEHSTR_EXT)
- E:\Ransomware\a\a\obj\Debug\a.pdb (PEHSTR_EXT)
- userPrivateIdKey.txt (PEHSTR_EXT)
- UnluckyWare.exe (PEHSTR_EXT)
- Bytelocker.Properties (PEHSTR_EXT)
- @READ_ME@.txt (PEHSTR_EXT)
- wal.bmp (PEHSTR_EXT)
- Ransomware Demonstration.exe (PEHSTR_EXT)
- RansomwareDemonstration.Properties.Resources (PEHSTR_EXT)
- This is a demonstration of ransomware applications. Do not use unethical (PEHSTR_EXT)
- CryptoJoker.exe (PEHSTR_EXT)
- CryptoJoker.Properties (PEHSTR_EXT)
- jokingwithyou.cryptojoker (PEHSTR_EXT)
- .cryptojoker (PEHSTR_EXT)
- Decryption.key (PEHSTR_EXT)
- .blacksun (PEHSTR_EXT)
- bck 4.0 2020//11/6 fix 5.virus by znkzz (PEHSTR_EXT)
- paymeplease@sj.ms (PEHSTR_EXT)
- INSTRUCTION.txt (PEHSTR_EXT)
- HOW_TO_RETURN_FILES.txt (PEHSTR_EXT)
- taskkill /im (PEHSTR_EXT)
- .exe /T /F (PEHSTR_EXT)
- https://contirecovery.info (PEHSTR_EXT)
- cleaner_.log (PEHSTR_EXT)
- .RADAMANT (PEHSTR_EXT)
- YOUR_FILES.url (PEHSTR_EXT)
- Hi Reverseing Engineers! I hate people who are too lazy to make their own ransomware (PEHSTR_EXT)
- RansomwareDisplay (PEHSTR_EXT)
- \Ransomware (PEHSTR_EXT)
- \Ransomware2.0.pdb (PEHSTR_EXT)
- \Rasomware (PEHSTR_EXT)
- \Rasomware2.0.pdb (PEHSTR_EXT)
- .encCould not send packet to . (PEHSTR_EXT)
- This program executes potentially dangreous operations (PEHSTR_EXT)
- We're going to encrypt ALL THE THINGS. Type 'YES' to continue. (PEHSTR_EXT)
- W00ormSP.exe (PEHSTR_EXT)
- p!o!we!rs!he!ll!.e!xe (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Run\ (PEHSTR_EXT)
- \obj\Debug\BMI DataSender.pdb (PEHSTR_EXT)
- \r2block_Wallpaper.jpg (PEHSTR_EXT)
- envhost.exe (PEHSTR_EXT)
- :\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (PEHSTR_EXT)
- \BMI DataSender.exe (PEHSTR_EXT)
- :\Users\Reza\Desktop\001 (PEHSTR_EXT)
- Instructions.txt (PEHSTR_EXT)
- RIP Your personal files if you dont pay... (PEHSTR_EXT)
- .himr (PEHSTR_EXT)
- net user /add RedROMAN p4zzaub71h (PEHSTR_EXT)
- \Desktop\ENTER-PASSWORD-HERE.txt (PEHSTR_EXT)
- \Microsoft\Windows\SystemRestore\SR" /disable (PEHSTR_EXT)
- /set {default} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
- /set {default} recoveryenabled no (PEHSTR_EXT)
- cipher.exe (PEHSTR_EXT)
- encTest.exe (PEHSTR_EXT)
- r2block_Wallpaper.jpg (PEHSTR_EXT)
- r2bWallpaper.jpg (PEHSTR_EXT)
- BMI DataSender.pdb (PEHSTR_EXT)
- encTest.pdb (PEHSTR_EXT)
- .r2bbb.rar.zip.exe.dll.cub.iso.vdi.msi (PEHSTR_EXT)
- store.exe (PEHSTR_EXT)
- ping 127.0.0.1 && del "%s" (PEHSTR_EXT)
- http://prt-recovery.support/chat/ (PEHSTR_EXT)
- LOUD !!!!... (PEHSTR)
- C:\ddddss\eeerrr\iufyhfj.py (PEHSTR)
- Your files have been encrypted by CryRansomware (PEHSTR_EXT)
- cry.Properties.Resources (PEHSTR_EXT)
- \endn_log.exe (PEHSTR_EXT)
- C:\r2block_Wallpaper.jpg (PEHSTR_EXT)
- Encryption Completed !!! (PEHSTR_EXT)
- .onion.pet/http/get.php (PEHSTR_EXT)
- ~Ransomware (PEHSTR_EXT)
- /v NoRunNowBackup /t REG_DWORD /d 1 /f (PEHSTR_EXT)
- /v DisableTaskMgr /t REG_DWORD /d 0 /f (PEHSTR_EXT)
- CRYPT.exe (PEHSTR_EXT)
- \honor's malware.pdb (PEHSTR_EXT)
- HOW TO DECRYPT FILES.txt (PEHSTR_EXT)
- You have reached a limit of attempts - your data is irrevocably broken. (PEHSTR_EXT)
- vssadmin delete shadows /All /Quiet (PEHSTR_EXT)
- CHOOSE YOUR KEYFILE.txt (PEHSTR_EXT)
- .beethoven (PEHSTR_EXT)
- @yandex.ru (PEHSTR_EXT)
- To decrypt your files you need to purchase an decryption key. (PEHSTR_EXT)
- .clarity (PEHSTR_EXT)
- HiddenTear.Properties.Resources (PEHSTR_EXT)
- RANSOM_NOTE.txt (PEHSTR_EXT)
- /C vssadmin Delete Shadows /All /Quiet (PEHSTR_EXT)
- .LOCKED (PEHSTR_EXT)
- pool.minexmr.com (PEHSTR)
- Ransom_Note (PEHSTR_EXT)
- Select * from Win32_ComputerSystem (PEHSTR_EXT)
- Locker.exe (PEHSTR_EXT)
- 84s)UHg-)IPSvAn:R#f80gi(.resources (PEHSTR_EXT)
- SNg'G9h\]\[vSUuq9qJOkk$(SS!.resources (PEHSTR_EXT)
- READ_ME.html (PEHSTR_EXT)
- http://trustmordor.pw/readme.php?id= (PEHSTR_EXT)
- NOTHERSPACE_USE.Properties.Resources (PEHSTR_EXT)
- Web\crypt\joise\obj\Debug\NOTHERSPACE_USE.pdb (PEHSTR_EXT)
- NOTHERSPACE_USE.exe (PEHSTR_EXT)
- Welcome to DarkSide (PEHSTR_EXT)
- OnyxLocker.Classes (PEHSTR_EXT)
- Rasomware2.0.exe (PEHSTR_EXT)
- Rasomware2._0.Properties (PEHSTR_EXT)
- Rasomware2.0.pdb (PEHSTR_EXT)
- ZeroLocker.Resources (PEHSTR_EXT)
- ZeroLocker will be now removed from your Computer! (PEHSTR_EXT)
- Your files have been encrypted by CryRansomware! (PEHSTR_EXT)
- Never open random files. This is your warning (PEHSTR_EXT)
- love.Properties.Resources (PEHSTR_EXT)
- Crypt32.dll (PEHSTR_EXT)
- \fasm\INCLUDE\API\fasm.pdb (PEHSTR_EXT)
- :\hehe\cybercom.pdb (PEHSTR_EXT)
- :\sc\p\sed.pdb (PEHSTR_EXT)
- :\defaultlog\installator\debug\dss.pdb (PEHSTR_EXT)
- DISK_ENCODER.exe (PEHSTR_EXT)
- DISK_ENCODER.pdb (PEHSTR_EXT)
- .fmfgmfgm (PEHSTR_EXT)
- cryptor_dll.pdb (PEHSTR_EXT)
- deReadMe!!!.txt (PEHSTR_EXT)
- kill.bat (PEHSTR_EXT)
- killme.bat (PEHSTR_EXT)
- .cring (PEHSTR_EXT)
- @protonmail.ch (PEHSTR_EXT)
- Encrypted.php (PEHSTR_EXT)
- /C sc delete VSS (PEHSTR_EXT)
- DecryptionInfo.auth (PEHSTR_EXT)
- .onion.cab/data.php (PEHSTR_EXT)
- NOTHERSPACE_USE.pdb (PEHSTR_EXT)
- NOTHERSPACE_USE.Properties (PEHSTR_EXT)
- conti_v3\Release\cryptor.pdb (PEHSTR_EXT)
- contirecovery.info (PEHSTR_EXT)
- test.txt (PEHSTR_EXT)
- Message to be written in test.txt (PEHSTR_EXT)
- Povlsomware 2.0 (PEHSTR_EXT)
- @forgetit.com (PEHSTR_EXT)
- %s.Cllp (PEHSTR_EXT)
- temp.dat (PEHSTR_EXT)
- /C vssadmin Delete Shadows /all /quiet (PEHSTR_EXT)
- %s\README_README.txt (PEHSTR_EXT)
- /C net stop BackupExecVSSProvider /y (PEHSTR_EXT)
- README_README.txt (PEHSTR_EXT)
- We got your documents and files encrypted and you cannot access them. (PEHSTR_EXT)
- lose all of your data and files. How much time would it take to recover losses? You only may guess. (PEHSTR_EXT)
- we will either send those data to rivals, or publish them. (PEHSTR_EXT)
- All we need is to earn. Should we be unfair guys, no one would work with us. (PEHSTR_EXT)
- :\Heil Egregor\ (PEHSTR_EXT)
- \ficker.py (PEHSTR_EXT)
- \Cobalt\ (PEHSTR_EXT)
- \Client\Cobalt.Client.pdb (PEHSTR_EXT)
- locked.zip (PEHSTR_EXT)
- Ionic.Zlib (PEHSTR_EXT)
- Build.exe (PEHSTR_EXT)
- HowToDecrypt.txt (PEHSTR_EXT)
- Credit_Cards.log (PEHSTR_EXT)
- .loki (PEHSTR_EXT)
- AlbCry 2.0 (PEHSTR_EXT)
- Razy_5._0.Ransomware (PEHSTR_EXT)
- sendBack.txt (PEHSTR_EXT)
- vssadmin.exe Delete Shadows /All (PEHSTR)
- LockFolder.pdb (PEHSTR_EXT)
- LockFolder.Properties.Resources (PEHSTR_EXT)
- WormLocker2.0 (PEHSTR_EXT)
- ransom_voice.vbs (PEHSTR_EXT)
- \conti_v3\x64\Release\cryptor_dll.pdb (PEHSTR_EXT)
- you to decrypt 2 random files completely free of charge (PEHSTR_EXT)
- <Ransom_Note_Load>b (PEHSTR_EXT)
- \exorcist\exorcist\ (PEHSTR_EXT)
- \exorcist.pdb (PEHSTR_EXT)
- we will either send those data to rivals, or publish them. GDPR (PEHSTR_EXT)
- GetExecutingAssembly (PEHSTR_EXT)
- set_UseShellExecute (PEHSTR_EXT)
- svchost.exe (PEHSTR_EXT)
- Your files can only be retrived by entering the correct password. (PEHSTR_EXT)
- Wrong Password..buy it.. (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ransomtoad (PEHSTR_EXT)
- RansomeToad.txt (PEHSTR_EXT)
- \Dotfuscated\love.pdb (PEHSTR_EXT)
- BitcoinBlackmailer\BitcoinBlackmailer\bin\Release\BitcoinBlackmailer.pdb (PEHSTR_EXT)
- BitcoinBlackmailer.exe (PEHSTR_EXT)
- via this contact email "excite@protonmail.com (PEHSTR_EXT)
- \Neptune_remote.pdb (PEHSTR_EXT)
- All your files are encrypted. (PEHSTR_EXT)
- Background Ransom (PEHSTR_EXT)
- preventchangedesktop.bat (PEHSTR_EXT)
- Let_sBuildRansom.Resources (PEHSTR_EXT)
- !README!.hta (PEHSTR_EXT)
- @tutanota.com (PEHSTR_EXT)
- \CurrentVersion\Policies\Explorer /v NoRun (PEHSTR_EXT)
- \CurrentVersion\Policies\System /v DisableTaskMgr (PEHSTR_EXT)
- Ransomware\Fonix (PEHSTR_EXT)
- Encryption Completed (PEHSTR_EXT)
- Your computers and servers are encrypted (PEHSTR_EXT)
- How To Restore Your Files.txt (PEHSTR_EXT)
- ecdh_pub_k.bin (PEHSTR_EXT)
- http://babuk (PEHSTR_EXT)
- .onion/login.php?id= (PEHSTR_EXT)
- .babyk (PEHSTR_EXT)
- CL0PREADME.txt (PEHSTR_EXT)
- .Cl0p (PEHSTR_EXT)
- res3.txt.CIop (PEHSTR_EXT)
- HOW TO BACK YOUR FILES.exe (PEHSTR_EXT)
- Requirements.pdb (PEHSTR_EXT)
- .EXTEN (PEHSTR_EXT)
- <Ransom_Note_Load> (PEHSTR_EXT)
- pay for code: InstantRansom@gmail.com (PEHSTR_EXT)
- :\Windows\System32\ransom_voice.vbs (PEHSTR_EXT)
- \worm_tool.sys (PEHSTR_EXT)
- \OPSIE\Projet_Ransomware_csharp_BROCARD_BASSAID_BENHADDAD\Ransomware\Ransomware\ (PEHSTR_EXT)
- 0\Adobe Reader.pdb (PEHSTR_EXT)
- 0RxwEQwgtkSWC9sNTT.exPcKrbSb12M75mfcs (PEHSTR_EXT)
- MvfdfvKNUdwvxfpM4P.2vpl5uS9L0Q3cXZgoO (PEHSTR_EXT)
- Gorgon.Properties.Resources (PEHSTR_EXT)
- .ZIEBF_4561drgf (PEHSTR_EXT)
- temp10.png (PEHSTR_EXT)
- B6541265123.Properties.Resources (PEHSTR_EXT)
- B6541265123.exe (PEHSTR_EXT)
- Mammoti.Properties.Resources (PEHSTR_EXT)
- mammoti.jpg (PEHSTR_EXT)
- ALL FILES LOADED... (PEHSTR_EXT)
- Rasomware2._0.Properties.Resources.resources (PEHSTR_EXT)
- corona.vbs (PEHSTR_EXT)
- PayloadMBR.exe (PEHSTR_EXT)
- C:\TEMP\Panda\sppser.exe (PEHSTR_EXT)
- READ_ME_TO_RECOVER_YOUR_FILES.txt (PEHSTR_EXT)
- Your computer ID is: (PEHSTR_EXT)
- @buxod.com (PEHSTR_EXT)
- exe|msi|doc|docx|xls|xlsx|xlsm|ppt|pdf|jpg|jpeg|png|rar|7z|zip|bdf (PEHSTR_EXT)
- .solaso (PEHSTR_EXT)
- unknowndll.pdb (PEHSTR_EXT)
- helpmedecode@tutanota.com (PEHSTR_EXT)
- decryptioner@airmail.cc (PEHSTR_EXT)
- TinyEvil.exe (PEHSTR_EXT)
- clrjit.dll (PEHSTR_EXT)
- TinyEvil.Properties (PEHSTR_EXT)
- friendly.cyber.criminal (PEHSTR_EXT)
- .jcrypt (PEHSTR_EXT)
- SystemFuckRansom (PEHSTR_EXT)
- Niros.Properties.Resources.resources (PEHSTR_EXT)
- msg/m_danish.wnry (PEHSTR_EXT)
- msg/m_dutch.wnry (PEHSTR_EXT)
- msg/m_filipino.wnry (PEHSTR_EXT)
- msg/m_french.wnry (PEHSTR_EXT)
- msg/m_german.wnry (PEHSTR_EXT)
- King Of Ransom (PEHSTR_EXT)
- ReadThis.HTA (PEHSTR_EXT)
- InfoRans.txt (PEHSTR_EXT)
- https://api.telegram.org/bot (PEHSTR_EXT)
- __READ_ME_PLEASE.txt__ (PEHSTR_EXT)
- Hello, you cant open your files. (PEHSTR_EXT)
- The only way to open and use your files again is using a tool that only we have. (PEHSTR_EXT)
- email: sammy70p_y61m@buxod.com (PEHSTR_EXT)
- C:\Users\MARIO\source\repos\ENCRIPTAR\x64\Release\ENCRIPTAR.pdb (PEHSTR_EXT)
- .encrypted11 (PEHSTR_EXT)
- .slank (PEHSTR_EXT)
- All you important files are encrypted with AES 256 algoritm. No one can help you to restore (PEHSTR_EXT)
- You have to pay to decrypt other files. (PEHSTR_EXT)
- But after 3 hours all your files will be deleted. (PEHSTR_EXT)
- /f /im Niros.exe (PEHSTR_EXT)
- \Cobra_Locker\Cobra_Locker\ (PEHSTR_EXT)
- \Cobra_Locker.pdb (PEHSTR_EXT)
- bcdedit /set (PEHSTR_EXT)
- \__READ.txt (PEHSTR_EXT)
- \__READ_ME_TO_RECOVER_YOUR_FILES.txt (PEHSTR_EXT)
- exe|msi|doc|docx|xls|xlsx|xlsm|ppt|pdf|jpg|jpeg|png|rar (PEHSTR_EXT)
- \ENCRIPTAR\ (PEHSTR_EXT)
- \ENCRIPTAR.pdb (PEHSTR_EXT)
- \SOFTWARE\Lucy (PEHSTR_EXT)
- *.txt (PEHSTR_EXT)
- /*.odt (PEHSTR_EXT)
- /*.wps (PEHSTR_EXT)
- .Encode (PEHSTR_EXT)
- File.Lusy (PEHSTR_EXT)
- del C:\Windows\System32\Taskmgr.exe (PEHSTR_EXT)
- Your computer is infected with a virus (PEHSTR_EXT)
- .info.hta (PEHSTR_EXT)
- .Baphomet (PEHSTR_EXT)
- get.php (PEHSTR_EXT)
- yourkey.key (PEHSTR_EXT)
- cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet (PEHSTR_EXT)
- cmd.exe /c "WMIC.exe shadowcopy delete (PEHSTR_EXT)
- repacomre1972@protonmail.com (PEHSTR_EXT)
- m@ai@l.@ro@tb@la@u.@eu@ (PEHSTR_EXT)
- Cur@ren@tVer@sion\R@un (PEHSTR_EXT)
- .destroyed (PEHSTR_EXT)
- .[neftet@tutanota.com].boom (PEHSTR_EXT)
- READ_ME.hta (PEHSTR_EXT)
- *.bak*.csv*.dat*.dbf*.jpg*.png*.rar*.sql*.txt*.xls*.zip (PEHSTR_EXT)
- Decrypt.txt (PEHSTR_EXT)
- GEHENNA-KEY-README.txt (PEHSTR_EXT)
- GEHENNA-README-WARNING.html (PEHSTR_EXT)
- LogonUIRansomware (PEHSTR_EXT)
- friendly.cyber.criminal@gmail.com (PEHSTR_EXT)
- |*.pdf (PEHSTR_EXT)
- XBundlerTlsHelper.pdb (PEHSTR_EXT)
- Ghost.exe (PEHSTR_EXT)
- erawosnar.exe (PEHSTR_EXT)
- erawosnar.g.resources (PEHSTR_EXT)
- README.VOVALEX.txt (PEHSTR_EXT)
- The decryptor costs 0.5 XMR (PEHSTR_EXT)
- @cock.li (PEHSTR_EXT)
- BankiaCry.exe (PEHSTR_EXT)
- C:\Users\chacel\source\repos\ransom\ransom\BankiaCry\obj\x64\Debug\BankiaCry.pdb (PEHSTR_EXT)
- Your computer is encrypted!! All your data belongs to us! (PEHSTR_EXT)
- bankia-server.com (PEHSTR_EXT)
- \README!!!!.TXT (PEHSTR_EXT)
- SELECT SystemSKUNumber from Win32_ComputerSystem (PEHSTR_EXT)
- vasa_dbg.txt (PEHSTR_EXT)
- \SATAN ENCRYPTED YOU\ (PEHSTR_EXT)
- \SATAN ENCRYPTED YOU.pdb (PEHSTR_EXT)
- /c vssadmin.exe delete shadows /all (PEHSTR_EXT)
- Data recovery.hta (PEHSTR_EXT)
- \READ_ME.hta (PEHSTR_EXT)
- .betarasite (PEHSTR_EXT)
- .parasite (PEHSTR_EXT)
- @READ_ME_FILE_ENCRYPTED@.html (PEHSTR_EXT)
- Email:dbger@protonmail.com (PEHSTR_EXT)
- C:\_How_to_decrypt_files.txt (PEHSTR_EXT)
- C:\Program Files\WebMoney\[dbger@protonmail.com]__empty.dbger (PEHSTR_EXT)
- mally@mailfence.com (PEHSTR_EXT)
- fake.pdb (PEHSTR_EXT)
- Ransom (PEHSTR_EXT)
- Desktop\readme.txt (PEHSTR_EXT)
- .Encrypted (PEHSTR_EXT)
- Important.txt (PEHSTR_EXT)
- .dark (PEHSTR_EXT)
- worm_tool.sys (PEHSTR_EXT)
- .desu (PEHSTR_EXT)
- meme.jpeg (PEHSTR_EXT)
- RECOVER__FILES__.locked.txt (PEHSTR_EXT)
- Cry.img (PEHSTR_EXT)
- @toututa.com (PEHSTR_EXT)
- DECRYPT_ME_.TXT.locked (PEHSTR_EXT)
- Send 0.01 Bitcoin to the following address: (PEHSTR_EXT)
- Encryption completed (PEHSTR_EXT)
- Alo Minegames ransomware (PEHSTR_EXT)
- Ransom1.Properties.Resources (PEHSTR_EXT)
- RansomeviL (PEHSTR_EXT)
- .seth (PEHSTR_EXT)
- %USERPROFILE%\Desktop\HOW_DECRYPT_FILES.seth.txt (PEHSTR_EXT)
- %appdata%\codebind.bat (PEHSTR_EXT)
- Ransom - Backup (PEHSTR_EXT)
- Legion.Properties.Resources (PEHSTR_EXT)
- Rasomware2._0 (PEHSTR_EXT)
- Decryptor.exe (PEHSTR_EXT)
- HOW TO BACK YOUR FILES.txt (PEHSTR_EXT)
- Executing a Mock Ransomware (PEHSTR_EXT)
- Please pay ransom using Bitcoin within 24hrs to get them back safely (PEHSTR_EXT)
- This is a Mock Ransomware (PEHSTR_EXT)
- \MockRansomeware\Debug\MockRansomeware.pdb (PEHSTR_EXT)
- Please_Read_Me @ .txt (PEHSTR_EXT)
- https://contirecovery.best (PEHSTR_EXT)
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion (PEHSTR_EXT)
- Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP (PEHSTR_EXT)
- \ENCRIPTAR\x64\Release\ENCRIPTAR.pdb (PEHSTR_EXT)
- \__READ_ME_ (PEHSTR_EXT)
- sammy70p_y61m@buxod.com (PEHSTR_EXT)
- ReadToRestore.txt (PEHSTR_EXT)
- .REVENGE (PEHSTR_EXT)
- i.imgur.com (PEHSTR_EXT)
- tantoporciento.com (PEHSTR_EXT)
- md %windir%\SysWOW64\java\jawa (PEHSTR_EXT)
- getrartime.bat (PEHSTR_EXT)
- getrartime.exe (PEHSTR_EXT)
- copy wr-3.-71.zip wr-3.-71.exe (PEHSTR_EXT)
- "del /q /s /f system@interrupts.exe (PEHSTR)
- md %windir%\SysWOW64\java\jawa (PEHSTR)
- %del %windir%\system32\superdatvpn.exe (PEHSTR)
- %temp%\rarcek.txt (PEHSTR)
- RESTORE_FILES_INFO.txt (PEHSTR_EXT)
- torproject.org (PEHSTR_EXT)
- How To Decrypt My Files.html (PEHSTR_EXT)
- @yandex.com (PEHSTR_EXT)
- encryptionwinapi\Salsa20.inl (PEHSTR_EXT)
- bowsakkdestx.txt (PEHSTR_EXT)
- C:\SystemID\PersonalID.txt (PEHSTR_EXT)
- delself.bat (PEHSTR_EXT)
- http://darkside (PEHSTR_EXT)
- DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. (PEHSTR_EXT)
- We guarantee to decrypt one file for free. Go to the site and contact us (PEHSTR_EXT)
- http://babukq4e2p4wu4iq.onion (PEHSTR_EXT)
- QUICK >>> UNDECRYPTABLE >>> ENCRYPTING RANDOM FILEBLOCKS /// THIS IS BURAN /// GENERATION (PEHSTR_EXT)
- Software\Buran V\Service\Public Key (PEHSTR_EXT)
- Executing a Mock Ransomware..... (PEHSTR_EXT)
- www.makup0000.com (PEHSTR_EXT)
- \@ Please_Read_Me @ .txt (PEHSTR_EXT)
- \MockRansomeware\ (PEHSTR_EXT)
- \MockRansomeware.pdb (PEHSTR_EXT)
- If you want back your files write to: helper.china@aol.com (PEHSTR_EXT)
- This Ransomware was created using NRMW (MACROHSTR_EXT)
- code by Necronomikon/[D00MRiderz] (MACROHSTR_EXT)
- Shell Environ(""SYSDIR"") & ""\ftp.exe -s:c:\nec.ftp"", vbHide (MACROHSTR_EXT)
- Shell ""c:\infos4u.txt (MACROHSTR_EXT)
- Shell ""c:\ (MACROHSTR_EXT)
- .scr (MACROHSTR_EXT)
- Ziggy.Properties (PEHSTR_EXT)
- Ziggy.Core (PEHSTR_EXT)
- COM Surrogate (PEHSTR_EXT)
- cryptormsg.hta (PEHSTR_EXT)
- Pay 0.0002 BTC (PEHSTR_EXT)
- ransomware@gmail.com (PEHSTR_EXT)
- KA RANSOMWARE (PEHSTR_EXT)
- CashCatRansomwareSimulator (PEHSTR_EXT)
- pay the Ransom! (PEHSTR_EXT)
- encrypted files on your computer (PEHSTR_EXT)
- RememberThatThisRansomwareIsCodedForEducationnalPurposes (PEHSTR_EXT)
- \x65454\ (PEHSTR_EXT)
- \x65454.pdb (PEHSTR_EXT)
- Run GlitchByte ransomware (PEHSTR)
- PadCrypt 3.0.exe (PEHSTR_EXT)
- iphlpapi.pdb (PEHSTR_EXT)
- \xxx\source\repos\Launcher\Launcher\obj\Debug\BY.pdb (PEHSTR_EXT)
- Launcher.Properties.Resources (PEHSTR_EXT)
- /f /im BY.exe (PEHSTR_EXT)
- BabaYaga.exe (PEHSTR_EXT)
- .wannapay (PEHSTR_EXT)
- .daddycrypt (PEHSTR_EXT)
- /C vssadmin.exe delete shadows /all /quiet (PEHSTR_EXT)
- /C wmic shadowcopy delete (PEHSTR_EXT)
- .omfl (PEHSTR_EXT)
- Malware 2.0 (PEHSTR_EXT)
- Malware_2._0.Payloads (PEHSTR_EXT)
- PoC Ransomware (PEHSTR_EXT)
- /C wbadmin delete catalog -quiet (PEHSTR_EXT)
- .iask.in (PEHSTR_EXT)
- lock.txt (PEHSTR_EXT)
- ATTENTION!!!.txt (PEHSTR_EXT)
- RunAsDll (PEHSTR_EXT)
- killswitch.php (PEHSTR_EXT)
- wallpaper.bmp (PEHSTR_EXT)
- .Annabelle( (PEHSTR_EXT)
- .bagli( (PEHSTR_EXT)
- .LOCKED_BY_WAANNACRY( (PEHSTR_EXT)
- btc.blockr.io (PEHSTR_EXT)
- Ransomware.tor (PEHSTR_EXT)
- .weed (PEHSTR_EXT)
- wallpaper.jpg (PEHSTR_EXT)
- .REYPTSON (PEHSTR_EXT)
- Como_Recuperar_Tus_Ficheros.txt (PEHSTR_EXT)
- .pornoransom (PEHSTR_EXT)
- protonmail.com (PEHSTR_EXT)
- .sapphire (PEHSTR_EXT)
- CLSID\%1\InprocHandler32 (PEHSTR_EXT)
- CLSID\%1\LocalServer32 (PEHSTR_EXT)
- %2\protocol\StdFileEditing\server (PEHSTR_EXT)
- ddeexec (PEHSTR_EXT)
- C:\mainProduct(old)\x86_bild_cryptor\shell_gen\Release\data_protect2.pdb (PEHSTR_EXT)
- 2021FIRST@tutanota.com (PEHSTR_EXT)
- 2021FIRST@protonmail.com (PEHSTR_EXT)
- lazparking-message.txt (PEHSTR_EXT)
- @.assist (PEHSTR_EXT)
- assist.ini (PEHSTR_EXT)
- cmd.exe /C ping 1.1.1.1 -n 1 -w (PEHSTR_EXT)
- Ext=log|log1|log2|tmp|sys|bootmgr|dll|theme|bat|cmd|gdcb (PEHSTR_EXT)
- Prc=w3wp|sql|exchan|node|scan|outlook|thebat|chrome|firefox (PEHSTR_EXT)
- FName=ASSIST-README.txt (PEHSTR_EXT)
- \sivo.pdb (PEHSTR_EXT)
- Sivo-README.txt (PEHSTR_EXT)
- \spoolssv.pdb (PEHSTR_EXT)
- READ.txt (PEHSTR_EXT)
- rd /q /s "%systemdrive%\$Recycle.bin (PEHSTR_EXT)
- key2.ico (PEHSTR_EXT)
- AlbCry.g.resources (PEHSTR_EXT)
- Your computer files have been encrypted (PEHSTR_EXT)
- .[Crimsonware@protonmail.ch] (PEHSTR_EXT)
- INFO.hta (PEHSTR_EXT)
- .JVUAE (PEHSTR_EXT)
- .cryptshield (PEHSTR_EXT)
- 2this ransomware dont encrypt your files, erases it (PEHSTR)
- .birbb (PEHSTR_EXT)
- ransom.Properties.Resources (PEHSTR_EXT)
- Baddy.Resources (PEHSTR_EXT)
- .baddy (PEHSTR_EXT)
- Wrong.Hahaha. (PEHSTR_EXT)
- Crapsomware.Properties (PEHSTR_EXT)
- KEY.cryptolocker (PEHSTR_EXT)
- Recovery Information.txt (PEHSTR_EXT)
- .WeSt Net Fake (PEHSTR_EXT)
- cryptolocker.exe (PEHSTR_EXT)
- Cheia privata a fost distrusa. YAD A INVINS. (PEHSTR_EXT)
- @\\.\PhysicalDrive0 (PEHSTR_EXT)
- YAD Ransomware (PEHSTR_EXT)
- K4Kransom (PEHSTR_EXT)
- Dark Ransomeware (PEHSTR_EXT)
- Please_Read.txt (PEHSTR_EXT)
- @mail.com (PEHSTR_EXT)
- GDCB-DECRYPT.txt (PEHSTR_EXT)
- Ransom_Form (PEHSTR_EXT)
- ARTEMON RANSOMWARE (PEHSTR_EXT)
- HYDRA Ransomware (PEHSTR_EXT)
- *If you want to decrypt, please contact us. (PEHSTR)
- Annabelle.exe (PEHSTR_EXT)
- readme.txt (PEHSTR_EXT)
- C:\Users\john\Documents\Visual Studio 2008\Projects\EncryptFile -svcV2\Release\EncryptFile.exe.pdb (PEHSTR_EXT)
- Ziggy Ransomware (PEHSTR_EXT)
- RansomeToad (PEHSTR_EXT)
- encrypted_sound.wav (PEHSTR_EXT)
- .gopher (PEHSTR_EXT)
- babuk ransomware (PEHSTR_EXT)
- .HANTA (PEHSTR_EXT)
- RSAKey.txt (PEHSTR_EXT)
- RansomwarePOC (PEHSTR_EXT)
- Penta ransomware (PEHSTR_EXT)
- Wirusik_Ransom (PEHSTR_EXT)
- randomkey.bin (PEHSTR_EXT)
- .RENSENWARE (PEHSTR_EXT)
- .Crypted (PEHSTR_EXT)
- .ncovid (PEHSTR_EXT)
- kWYZrzIYZR.html (PEHSTR_EXT)
- rdpunlocker1@cock.li (PEHSTR_EXT)
- covid.Properties (PEHSTR_EXT)
- infected with ransomware (PEHSTR_EXT)
- \RESTORE_FILES_INFO. (PEHSTR_EXT)
- Jesus Ransom (PEHSTR_EXT)
- EncryptionNotComplet (PEHSTR_EXT)
- .wnry (PEHSTR_EXT)
- RECYCLER\__empty (PEHSTR_EXT)
- System Volume Information\__empty (PEHSTR_EXT)
- /c vssadmin.exe delete shadows /quiet /all (PEHSTR_EXT)
- RansomNote (PEHSTR_EXT)
- DummyRansom (PEHSTR_EXT)
- JigsawRansomware (PEHSTR_EXT)
- .CrYpTeD (PEHSTR_EXT)
- %userappdata%\RestartApp.exe (PEHSTR_EXT)
- contact info@oreans.com (PEHSTR_EXT)
- \README.txt (PEHSTR_EXT)
- CL 1.3.1.0 (PEHSTR_EXT)
- software\microsoft\windows\currentversion\run (PEHSTR_EXT)
- bin:com:exe:bat:png:bmp:dat:log:ini:dll:sys: (PEHSTR_EXT)
- /Run /tn VssDataRestore (PEHSTR_EXT)
- .encrpt3d (PEHSTR_EXT)
- C:\ProgramData\CheckServiceD.exe (PEHSTR_EXT)
- Whiteblackgroup002@gmail.com (PEHSTR_EXT)
- Wbgroup022@gmail.com (PEHSTR_EXT)
- FridayProject.Properties (PEHSTR_EXT)
- Annabelle.Resources.resources (PEHSTR_EXT)
- babuk ransomware gree (PEHSTR_EXT)
- BackupExecVSSProvider (PEHSTR_EXT)
- BackupExecAgentAccelerator (PEHSTR_EXT)
- BackupExecAgentBrowser (PEHSTR_EXT)
- BackupExecDiveciMediaService (PEHSTR_EXT)
- BackupExecJobEngine (PEHSTR_EXT)
- BackupExecManagementService (PEHSTR_EXT)
- BackupExecRPCService (PEHSTR_EXT)
- pkey.txt (PEHSTR_EXT)
- IDk.txt (PEHSTR_EXT)
- Go build ID: "P4z8W_zE_Z1dBq9diUQ7/ZEWD0EbqrBj-4XIMJl-o/wmKXC0C-fvJC0y_Endgh/24FUsZkSqEY6b6UrreeX (PEHSTR_EXT)
- .glock (PEHSTR_EXT)
- READ-ME-NOW.txt (PEHSTR_EXT)
- Jormungand/main.go (PEHSTR_EXT)
- Ransomware.dll (PEHSTR_EXT)
- .test (PEHSTR_EXT)
- .DARXIS (PEHSTR_EXT)
- .DcRat (PEHSTR_EXT)
- \IS_room_start.pdb (PEHSTR_EXT)
- khjf ransomware2 (PEHSTR_EXT)
- NitroRansomware2 (PEHSTR_EXT)
- encKey.aes (PEHSTR_EXT)
- SAYGOODBYE.exe2 (PEHSTR_EXT)
- ___RECOVER__FILES__.heart.txt (PEHSTR_EXT)
- .kanmani (PEHSTR_EXT)
- \Heartbeat\keys.json (PEHSTR_EXT)
- BitcoinStealer.exe (PEHSTR_EXT)
- Your SERVER/COMPUTER is encrypted by us (PEHSTR_EXT)
- \#ReadThis.HTA (PEHSTR_EXT)
- key.txt.LIZARD (PEHSTR_EXT)
- simple-ransomware2 (PEHSTR_EXT)
- DECRYPTION_LOG.txt (PEHSTR_EXT)
- DECRYPT_ReadMe1.TXT (PEHSTR_EXT)
- .flyper (PEHSTR_EXT)
- .lock (PEHSTR)
- [byte[]]@(, 0 * 1mb); Set-Content -Path $proc.FileName -Force -Confirm:0 -Value $buff; Remove-Item -Path $proc.FileName -Force -Confirm:0 " (PEHSTR)
- SOFTWARE\Policies\Microsoft\Windows Defender (PEHSTR_EXT)
- Software\Policies\Microsoft\Windows NT\SystemRestores (PEHSTR_EXT)
- SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (PEHSTR_EXT)
- .kfuald (PEHSTR_EXT)
- Oops... Your computer has been locked (PEHSTR_EXT)
- .hjgkdf (PEHSTR_EXT)
- .NotStonks (PEHSTR_EXT)
- DeletedFilesAmmount.txt (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (PEHSTR_EXT)
- \Boot\ (PEHSTR_EXT)
- \BOOTSECT (PEHSTR_EXT)
- \pagefile (PEHSTR_EXT)
- \Recovery (PEHSTR_EXT)
- \Microsoft (PEHSTR_EXT)
- onionmail.org (PEHSTR_EXT)
- friendly.cyber.criminal2 (PEHSTR_EXT)
- This computer has been hacked (PEHSTR_EXT)
- .givemenitro (PEHSTR_EXT)
- slamransomwareasistance (PEHSTR_EXT)
- .deria (PEHSTR_EXT)
- FridayProject.Properties.Resources (PEHSTR_EXT)
- FridayProject.0 (PEHSTR_EXT)
- \Ransom\Ransom\ (PEHSTR_EXT)
- \Ransom.pdb (PEHSTR_EXT)
- Wrong code. Hahaha (PEHSTR_EXT)
- .pubg (PEHSTR_EXT)
- GBUPRansomware (PEHSTR_EXT)
- PUBG Ransomware (PEHSTR_EXT)
- hidden_tear2.exe (PEHSTR_EXT)
- hidden_tear2.Properties (PEHSTR_EXT)
- vssadmin Delete shadows /all /quiet2 (PEHSTR_EXT)
- .amogus (PEHSTR_EXT)
- del /s /f /q C:\*.VHD (PEHSTR_EXT)
- window.bat (PEHSTR_EXT)
- NitroRansomware.Properties.Resources (PEHSTR_EXT)
- file:/// (PEHSTR_EXT)
- UnlockYourFiles.Login (PEHSTR_EXT)
- UnlockYourFiles.Properties.Resources (PEHSTR_EXT)
- V2._0.Properties2 (PEHSTR_EXT)
- insane_uriel_by_urielstock_4.jpg (PEHSTR_EXT)
- .kuru (PEHSTR_EXT)
- .henry217 (PEHSTR_EXT)
- LegionLocker2.1 (PEHSTR_EXT)
- @.themida (PEHSTR_EXT)
- decrypt files? write here 3335799@protonmail.com (PEHSTR_EXT)
- log:dat:bmp:png:bat:exe:com:bin: (PEHSTR_EXT)
- Executioner Ransomware (PEHSTR_EXT)
- .Kern (PEHSTR_EXT)
- DiscoRansomware2 (PEHSTR_EXT)
- Runcount.cry2 (PEHSTR_EXT)
- .dolphin (PEHSTR_EXT)
- hidden_tear.Properties (PEHSTR_EXT)
- $Recycle.bin (PEHSTR_EXT)
- YOUR_FILES_ARE_ENCRYPTED.HTML (PEHSTR_EXT)
- @disroot.org (PEHSTR_EXT)
- "CompName": "%s" (PEHSTR_EXT)
- .matryoshka2 (PEHSTR_EXT)
- .Baphomet2 (PEHSTR_EXT)
- bapho.jpg (PEHSTR_EXT)
- hanta_ransom (PEHSTR_EXT)
- ipinfo.io (PEHSTR_EXT)
- \test7\ (PEHSTR_EXT)
- \test7.pdb (PEHSTR_EXT)
- READ_ME.crypted.txt (PEHSTR_EXT)
- Avalon Ransomware (PEHSTR_EXT)
- .avalon (PEHSTR_EXT)
- Go build ID: "juLDtqZciqqlSfnu77oh/6_EPf8zvlj1mHNu (PEHSTR_EXT)
- hijackedhttp (PEHSTR_EXT)
- I am ransomware (PEHSTR_EXT)
- jok.crypt (PEHSTR_EXT)
- \Leen.pdb (PEHSTR_EXT)
- conti_v3.dll (PEHSTR_EXT)
- http://anubiscloud.xyz (PEHSTR_EXT)
- \read_it.txt (PEHSTR_EXT)
- ransomware virus (PEHSTR_EXT)
- vssadmin delete shadows /all /quiet & wmic shadowcopy delete (PEHSTR_EXT)
- read_it.txt (PEHSTR_EXT)
- .lock (PEHSTR_EXT)
- main.SaveNote.func (PEHSTR_EXT)
- main.FileSearch.func (PEHSTR_EXT)
- main.getdrives (PEHSTR_EXT)
- main.UnixFile (PEHSTR_EXT)
- main.GenerateRandomBytes (PEHSTR_EXT)
- path/filepath.SkipDir (PEHSTR_EXT)
- Global\CYMULATE_EDR (PEHSTR_EXT)
- CymulateEDRScenarioExecutor (PEHSTR_EXT)
- Files\cymulate\edr\ (PEHSTR_EXT)
- NativeRansomeware (PEHSTR_EXT)
- nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS (PEHSTR_EXT)
- http://mail.rotblau.eu:15332/ (PEHSTR_EXT)
- read_me_lock.txt (PEHSTR)
- .Spyro (PEHSTR_EXT)
- eiklot@hi2.in (PEHSTR_EXT)
- How_Recover_Files.txt (PEHSTR_EXT)
- JesusCrypt (PEHSTR_EXT)
- SendServerInfo@hitler.rocks (PEHSTR_EXT)
- mail.cock.li (PEHSTR_EXT)
- Jesus_Ransom (PEHSTR_EXT)
- All Your Files Encrypted By Jesus Ransomware (PEHSTR_EXT)
- .wannacry (PEHSTR_EXT)
- @Please_Read_Me@.txt (PEHSTR_EXT)
- WannaCry 3.0 @Please_Read_Me@ (PEHSTR_EXT)
- :!:(:/:6:C:\:m: (PEHSTR_EXT)
- Your computer was infected with a ransomware virus (PEHSTR_EXT)
- read_apis.txt (PEHSTR_EXT)
- Microsoft System.exe (PEHSTR_EXT)
- M&TTER RANSOMWARE (PEHSTR_EXT)
- Software\WLkt (PEHSTR_EXT)
- .palestine2 (PEHSTR_EXT)
- Rasomware2.02 (PEHSTR_EXT)
- UrFile.TXT (PEHSTR_EXT)
- .army (PEHSTR_EXT)
- .arsium (PEHSTR_EXT)
- .AES64 (PEHSTR_EXT)
- Your computer has been infected2 (PEHSTR_EXT)
- .rsjon (PEHSTR_EXT)
- .jasmin (PEHSTR_EXT)
- READ_ME_PLZ.txt (PEHSTR_EXT)
- .malki (PEHSTR_EXT)
- Ransomware virus (PEHSTR_EXT)
- LockScreen (PEHSTR_EXT)
- .sick (PEHSTR_EXT)
- warning.BackgroundImage (PEHSTR_EXT)
- \WannaMad\ (PEHSTR_EXT)
- Debug\WannaMad.pdb (PEHSTR_EXT)
- Vssadmin.exe delete shadows /all /quiet (PEHSTR_EXT)
- github.com/mauri870/ransomware (PEHSTR_EXT)
- main.encrypt0Files (PEHSTR_EXT)
- Desktop/ransomware/ransomware/cmd/common.go (PEHSTR_EXT)
- \Reder_lock\ (PEHSTR_EXT)
- \Reder_lock.pdb (PEHSTR_EXT)
- Chaos Ransomware2 (PEHSTR_EXT)
- .firecrypt (PEHSTR_EXT)
- .chaos (PEHSTR_EXT)
- .DarkCry (PEHSTR_EXT)
- @sigaint.org (PEHSTR_EXT)
- RansomwareWannaMad2 (PEHSTR_EXT)
- Nitro Ransomware (PEHSTR_EXT)
- LockBit Ransomware (PEHSTR_EXT)
- .ransimulator (PEHSTR_EXT)
- unlock your files.lnk (PEHSTR_EXT)
- ///END PROCESSES WHITE LIST\\\ (PEHSTR_EXT)
- ///END UNENCRYPT FILES LIST\\\ (PEHSTR_EXT)
- !!!WHY_MY_FILES_NOT_OPEN!!!.txt (PEHSTR_EXT)
- Ransomware.exe2 (PEHSTR_EXT)
- Stub.Properties.Resources (PEHSTR_EXT)
- .DEDSEC (PEHSTR_EXT)
- .deadsecure (PEHSTR_EXT)
- Read Me.TXT (PEHSTR_EXT)
- SOFTWARE\Redeemer (PEHSTR_EXT)
- Info.hta (PEHSTR_EXT)
- .[Delta] (PEHSTR_EXT)
- vssadmin.exe delete shadows /all (PEHSTR_EXT)
- C:\Windows\delog.cmd (PEHSTR_EXT)
- @onionmail.org (PEHSTR)
- 8Your network has been breached by Karma ransomware group (PEHSTR)
- .Xerog (PEHSTR_EXT)
- NoCry.pdb (PEHSTR_EXT)
- Do not fool yourself. (PEHSTR_EXT)
- You will lose them. (PEHSTR_EXT)
- taskkill /F /IM LogonUI.exe (PEHSTR_EXT)
- slamransomware (PEHSTR_EXT)
- slam/key.txt (PEHSTR_EXT)
- ShareWare_Ransomware (PEHSTR_EXT)
- FILES_ENCRYPTED.html (PEHSTR_EXT)
- READ_TO_DECRYPT.html (PEHSTR_EXT)
- ekati.RansomMessage.resources (PEHSTR_EXT)
- TestRansom (PEHSTR_EXT)
- onion.jpg (PEHSTR_EXT)
- RansomeWare.Properties.Resources.resources (PEHSTR_EXT)
- RansomeWare.pdb (PEHSTR_EXT)
- Ransomware.Functions.resources (PEHSTR_EXT)
- NitroRansomware. (PEHSTR_EXT)
- .FancyLeaks (PEHSTR_EXT)
- LegionLocker4._0 (PEHSTR_EXT)
- RansomMessage (PEHSTR_EXT)
- IMPORTANT READ ME.html (PEHSTR_EXT)
- mimikatz_trunk.zip (PEHSTR_EXT)
- .Legion (PEHSTR_EXT)
- Ransom\Release\Ransom.pdb (PEHSTR_EXT)
- For unlock your files follow the instructions from the readme_for_unlock.txt (PEHSTR_EXT)
- \stop-adw.txt (PEHSTR_EXT)
- /Create /SC MINUTE /TN Encrypter /TR (PEHSTR_EXT)
- /Create /SC ONLOGON /TN EncrypterSt /TR (PEHSTR_EXT)
- !DECRYPT_FILES.txt (PEHSTR_EXT)
- vmware-vmx.exe (PEHSTR_EXT)
- thunderbird.exe (PEHSTR_EXT)
- \noputana.exe (PEHSTR_EXT)
- Your important files videos, music, images, documents ... etc are encrypted with encryption (PEHSTR_EXT)
- .fucking (PEHSTR_EXT)
- decryptor.exe2 (PEHSTR_EXT)
- RSA_Keys.pub (PEHSTR_EXT)
- All of your files have been encrypted. (PEHSTR_EXT)
- No files to FUCK. (PEHSTR_EXT)
- READ_THIS_TO_DECRYPT. (PEHSTR_EXT)
- Kis is running... (PEHSTR_EXT)
- RansomeWare.Form1.resources (PEHSTR_EXT)
- INFORMATION_READ_ME.txt (PEHSTR_EXT)
- rk-2.exe2 (PEHSTR_EXT)
- /C icacls %USERPROFILE%\Documents\* /grant Everyone:F /T /C /Q (PEHSTR_EXT)
- Test\READ_IT.txt (PEHSTR_EXT)
- Worm Locker.exe (PEHSTR_EXT)
- Decompress (PEHSTR_EXT)
- .azazel (PEHSTR_EXT)
- kk.exe (PEHSTR_EXT)
- Ransomware.Properties (PEHSTR_EXT)
- dropRansomLetter (PEHSTR_EXT)
- HACKERRANSOMWARE2 (PEHSTR_EXT)
- Your important files videos, music, images, documents ... etc are encrypted with encryption2 (PEHSTR_EXT)
- RansomDecry0r2 (PEHSTR_EXT)
- YJSNPIL0cker (PEHSTR_EXT)
- Message.txt (PEHSTR_EXT)
- Tor\explorer.exe (PEHSTR_EXT)
- RansomHOS (PEHSTR_EXT)
- ranso4.jpg (PEHSTR_EXT)
- helloworld.pr.txt (PEHSTR)
- \$SysReset\Logs (PEHSTR)
- \NOTHERSPACE_USE.pdb (PEHSTR_EXT)
- Urgent Notice.txt (PEHSTR_EXT)
- .deltapaymentbitcoin (PEHSTR_EXT)
- Nopyfy_Ransomware (PEHSTR_EXT)
- Your Computer Has Been Compromised! (PEHSTR_EXT)
- Dark Matter Recovery Information.txt (PEHSTR_EXT)
- System.Threading (PEHSTR_EXT)
- 0.5 bitcons | Address: (PEHSTR_EXT)
- LCRY_WALL.bmp (PEHSTR_EXT)
- LCRY RANSOMWARE (PEHSTR_EXT)
- LCRY_MACHINEID.ID (PEHSTR_EXT)
- YOU ARE NOW VICTIM OF LCRY RANSOMWARE (PEHSTR_EXT)
- LCRY_README.txt (PEHSTR_EXT)
- killer@killercom (PEHSTR_EXT)
- what_happened_to_my_music.txt (PEHSTR_EXT)
- Blue_Eagle_Ransomware (PEHSTR_EXT)
- Ransomware.Resources (PEHSTR_EXT)
- <computername>%s</computername> (PEHSTR_EXT)
- <blocknum>%d</blocknum> (PEHSTR_EXT)
- winsta0\default (PEHSTR_EXT)
- your system is infected with freak.ransom (PEHSTR_EXT)
- freak ransom (PEHSTR_EXT)
- is my computer damaged? (PEHSTR_EXT)
- \al-madani\Release\HQ_52_42.pdb (PEHSTR_EXT)
- files/alertmsg.zip (PEHSTR_EXT)
- ro@tb@la@u.@eu@:1@53 (PEHSTR_EXT)
- .sanwai (PEHSTR_EXT)
- IMPORTANT.html (PEHSTR_EXT)
- README!!!!.txt (PEHSTR_EXT)
- \gerjjkrkjjk33.pdb (PEHSTR_EXT)
- Your computer has been infected by a Ransomware (PEHSTR_EXT)
- @tutanota.com (PEHSTR_EXT)
- .LEAKS (PEHSTR_EXT)
- LEAKS!!!DANGER.txt (PEHSTR_EXT)
- .IsEncryptedPEMBlock (PEHSTR_EXT)
- \Windows\Temp\Magix.exe (PEHSTR_EXT)
- video_pro_x.exe (PEHSTR_EXT)
- /_/_/_/_/_/ (PEHSTR_EXT)
- <title>Loki locker</title> (PEHSTR_EXT)
- localbitcoins.com (PEHSTR_EXT)
- coindesk.com (PEHSTR_EXT)
- C:\ProgramData\prvkey.txt (PEHSTR_EXT)
- schtasks /CREATE /SC ONLOGON /TN DHARMA /TR (PEHSTR_EXT)
- start cmd.exe /c taskkill /t /f /im (PEHSTR_EXT)
- SOFTWARE\Loki (PEHSTR_EXT)
- schtasks /CREATE /SC ONLOGON /TN Loki /TR (PEHSTR_EXT)
- Loki\shell\open\command (PEHSTR_EXT)
- Ransomware\eda2\eda2-master (PEHSTR_EXT)
- \cppEnd\ (PEHSTR_EXT)
- \cppEndx64.pdb (PEHSTR_EXT)
- encrypter.exe (PEHSTR_EXT)
- .atomsilo (PEHSTR_EXT)
- Recovery.bmp (PEHSTR_EXT)
- Windows defender/ any antivirus is off (PEHSTR_EXT)
- NitroRansomware.Resources (PEHSTR_EXT)
- \physicaldrive0 (PEHSTR_EXT)
- ip / host: (PEHSTR_EXT)
- shell\open\command (PEHSTR_EXT)
- .yanluowang (PEHSTR_EXT)
- /c powershell -command "Get-VM | Stop-VM -Force (PEHSTR_EXT)
- Local\$hYdr4Rans$ (PEHSTR_EXT)
- #FILESENCRYPTED.txt (PEHSTR_EXT)
- RansomwarePOC.covidblo (PEHSTR_EXT)
- .porn.txt (PEHSTR_EXT)
- Your documents will be corrupted if a shutdown occurs during the encryption process. (PEHSTR_EXT)
- HotCoffeeRansomware.pdb (PEHSTR_EXT)
- HOT_COFFEE_README.hta (PEHSTR_EXT)
- !! READ ME !!.txt (PEHSTR_EXT)
- .cuba (PEHSTR_EXT)
- %/666.mp3 (PEHSTR_EXT)
- %/ransomware_api.php?check_payment= (PEHSTR_EXT)
- GetComputerNameEx (PEHSTR_EXT)
- ComputerNameNetBIOS (PEHSTR_EXT)
- ComputerNamePhysicalNetBIOS (PEHSTR_EXT)
- ComputerNamePhysicalDnsHostname (PEHSTR_EXT)
- ProjectProton.proton.service.exe (PEHSTR_EXT)
- WRITE 'proton' TO RUN RANSOMWARE (PEHSTR_EXT)
- \README- (PEHSTR_EXT)
- PUSSIE RANSOMWARE (PEHSTR_EXT)
- Pussie Locker.pdb (PEHSTR_EXT)
- $FileStreamWriter.Write([System.BitConverter]::GetBytes($Crypto.IV.Length) (PEHSTR_EXT)
- powershell -ExecutionPolicy ByPass -File (PEHSTR_EXT)
- -Suffix '.locked' -RemoveSource (PEHSTR_EXT)
- Readme_now.txt (PEHSTR_EXT)
- cry.ps1 (PEHSTR_EXT)
- vssadmin Delete Shadows /All /Quiet (PEHSTR_EXT)
- .hta (PEHSTR_EXT)
- \SayLessRnm Window.pdb (PEHSTR_EXT)
- Scorpion Ransomware (PEHSTR_EXT)
- SOFTWARE\ECCT2 (PEHSTR_EXT)
- MrPalang@Cock.li (PEHSTR_EXT)
- Wrong.Hahaha (PEHSTR_EXT)
- \___RECOVER__FILES__.yikes.txt (PEHSTR_EXT)
- /landing (PEHSTR_EXT)
- /wipe (PEHSTR_EXT)
- /ignore (PEHSTR_EXT)
- /priority (PEHSTR_EXT)
- /services (PEHSTR_EXT)
- README_FOR_DECRYPT.txt (PEHSTR_EXT)
- tor2web.org (PEHSTR_EXT)
- ".vbox",".vdi" (PEHSTR_EXT)
- HKEY_CURRENT_USER\SOFTWARE\Rnz (PEHSTR_EXT)
- bin_hdr_common (PEHSTR_EXT)
- CommonConfig (PEHSTR_EXT)
- hermes\ (PEHSTR_EXT)
- \bin_hdr_enc.pb.cc (PEHSTR_EXT)
- \bin_hdr_common.pb.cc (PEHSTR_EXT)
- /Bnyar8RsK04ug (PEHSTR_EXT)
- \zCeQ (PEHSTR)
- /c bcdedit /set {current} recoveryenabled no (PEHSTR_EXT)
- RECOVERY INFORMATION.txt (PEHSTR_EXT)
- Arcane Ransomware [ Your files are encrypted!] (PEHSTR_EXT)
- All your servers and computers are encrypted (PEHSTR_EXT)
- \bin_hdr_dec.pb.cc (PEHSTR_EXT)
- Your AES key is in LCRY's memory. (PEHSTR_EXT)
- taskkill /F /IM (PEHSTR_EXT)
- \Users\Public\Del.cmd (PEHSTR_EXT)
- \Del.cmd\Log.cmd\README. (PEHSTR_EXT)
- \ProgramData\microsoft.exe (PEHSTR_EXT)
- channeldecrypttool77@gmail.com (PEHSTR_EXT)
- -Inf-inf.Id-.bat.cmd.com.exe.txt (PEHSTR_EXT)
- taskkill /f /im (PEHSTR_EXT)
- .exe' delete /nointeractive (PEHSTR_EXT)
- .venus (PEHSTR_EXT)
- help2021me@aol.com (PEHSTR_EXT)
- /C kill.bat (PEHSTR_EXT)
- .UZANTICRYPT (PEHSTR_EXT)
- biorain@protonmail.com (PEHSTR_EXT)
- infected with a ransomware (PEHSTR_EXT)
- \AllTheThings.dll (PEHSTR_EXT)
- /C NetSh Advfirewall set allprofiles state off (PEHSTR_EXT)
- .compressed (PEHSTR_EXT)
- REG ADD "HKEY_USERS\ (PEHSTR_EXT)
- \Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D (PEHSTR_EXT)
- HELP_SECURITY_EVENT.html (PEHSTR_EXT)
- http://lorenz (PEHSTR_EXT)
- 5.onion (PEHSTR_EXT)
- \RunAsDll.pdb (PEHSTR_EXT)
- Paypal.Win32.Ransom (PEHSTR_EXT)
- 9http (PEHSTR_EXT)
- restore_file.txt (PEHSTR_EXT)
- /C wmic SHADOWCOPY DELETE (PEHSTR_EXT)
- \Hello.txt (PEHSTR_EXT)
- \WannaCry.pdb (PEHSTR_EXT)
- \Wana Decrypt Or 2.0.pdb (PEHSTR_EXT)
- vssadmin resize shadowstorage /for=c: /on=c: /maxsize= (PEHSTR_EXT)
- net stop "Sophos Message Router" /y (PEHSTR_EXT)
- net stop "Sophos MCS Client" /y (PEHSTR_EXT)
- net stop "Sophos MCS Agent" /y (PEHSTR_EXT)
- net stop "Sophos Device Control Service" /y (PEHSTR_EXT)
- net stop "Sophos Clean Service" /y (PEHSTR_EXT)
- net stop "Sophos Web Control Service" /y (PEHSTR_EXT)
- net stop "Sophos System Protection Service" /y (PEHSTR_EXT)
- net stop "Sophos Agent" /y (PEHSTR_EXT)
- net stop "Sophos AutoUpdate Service" /y (PEHSTR_EXT)
- net stop "Sophos File Scanner Service" /y (PEHSTR_EXT)
- net stop "Sophos Safestore Service" /y (PEHSTR_EXT)
- net stop "Sophos Health Service" /y (PEHSTR_EXT)
- net stop sophossps /y (PEHSTR_EXT)
- net stop McShield /y (PEHSTR_EXT)
- net stop Antivirus /y (PEHSTR_EXT)
- net stop VeeamDeploymentService /y (PEHSTR_EXT)
- net stop VeeamDeploySvc /y (PEHSTR_EXT)
- net stop VeeamCatalogSvc /y (PEHSTR_EXT)
- .boot (PEHSTR_EXT)
- .themida (PEHSTR_EXT)
- How_Decrypt_Files.hta (PEHSTR_EXT)
- .napoleon (PEHSTR_EXT)
- attach to email 3 crypted files. (files have to be less than 2 MB) (PEHSTR_EXT)
- oracle.exe (PEHSTR_EXT)
- sqlservr.exe (PEHSTR_EXT)
- REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d (PEHSTR_EXT)
- REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "testdecrypt" /t REG_SZ /d (PEHSTR_EXT)
- REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "Decrypt50" /t REG_SZ /d (PEHSTR_EXT)
- Maze\obj\Debug\Maze.pdb (PEHSTR_EXT)
- [Ransomware.Viper.A] (PEHSTR_EXT)
- \Viper_README.RW-SK.txt (PEHSTR_EXT)
- Your files were encrypted by Viper Ransomware (PEHSTR_EXT)
- \Arcane-Reborn\ (PEHSTR_EXT)
- \Arcane-Reborn.pdb (PEHSTR_EXT)
- Ransomware Demo (PEHSTR_EXT)
- Decrypt *.encry to original file extension. (PEHSTR_EXT)
- \EvilNominatus.pdb (PEHSTR_EXT)
- \HYDRA.pdb (PEHSTR_EXT)
- Shell.Run (PEHSTR_EXT)
- microsoft\windows\start menu\programs\startup\ (PEHSTR_EXT)
- neco_arc.png (PEHSTR_EXT)
- Ooops, You were been ransomwared :( (PEHSTR_EXT)
- Software\EncryptKeys (PEHSTR_EXT)
- \Heraxware.pdb (PEHSTR_EXT)
- \locky.pdb (PEHSTR_EXT)
- This file and all other files in your computer are encrypted by Loki locker (PEHSTR_EXT)
- info.Loki (PEHSTR_EXT)
- mshta.exe (PEHSTR_EXT)
- WARNING.TXT (PEHSTR_EXT)
- \MRAC\ (PEHSTR_EXT)
- \MRAC.pdb (PEHSTR_EXT)
- \SCrypt.pdb (PEHSTR_EXT)
- http://hivecust (PEHSTR)
- http://hiveleakdb (PEHSTR)
- encrypt_files.go (PEHSTR)
- erase_key.go (PEHSTR)
- kill_processes.go (PEHSTR)
- remove_shadow_copies.go (PEHSTR)
- stop_services_windows.go (PEHSTR)
- remove_itself_windows.go (PEHSTR)
- /encryptor/ (PEHSTR)
- HOW_TO_DECRYPT.txt (PEHSTR)
- 6- Do not fool yourself. Encryption has perfect secrecy (PEHSTR)
- .EncryptFiles. (PEHSTR)
- .EncryptFilename. (PEHSTR)
- ED*struct { F uintptr; data *[]uint8; seed *uint8; fnc *main.decFunc } (PEHSTR)
- 2golang.org/x/sys/windows.getSystemWindowsDirectory (PEHSTR)
- path/filepath.WalkDir (PEHSTR)
- /Bnyar8RsK04ug/ (PEHSTR_EXT)
- /BnpOnspQwtjCA/register (PEHSTR_EXT)
- 173.232.146.118 (PEHSTR_EXT)
- //blockchain.info/ (PEHSTR_EXT)
- FILES_BACK.txt (PEHSTR_EXT)
- /deny *S-1-1-0:(OI)(CI)(DE,DC) (PEHSTR_EXT)
- Readme if you want your files!.txt (PEHSTR_EXT)
- There is no way to get back your files. Happy coding (PEHSTR_EXT)
- .qqbangbang (PEHSTR_EXT)
- cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del (PEHSTR_EXT)
- FileLocker-master\ (PEHSTR_EXT)
- 0\Desk1.pdb (PEHSTR_EXT)
- Covid666.bat (PEHSTR_EXT)
- You became a victim of the Covid-666 Ransomware (PEHSTR_EXT)
- enigma_info.txt (PEHSTR_EXT)
- E_N_I_G_M_A.RSA (PEHSTR_EXT)
- teardrop.pdb (PEHSTR_EXT)
- <p>hackthedev/teardrop</p> (PEHSTR_EXT)
- teardrop.Properties.Resources (PEHSTR_EXT)
- .laposada- (PEHSTR_EXT)
- recover all your files. (PEHSTR_EXT)
- network was compromised. (PEHSTR_EXT)
- !!laposada_howtodecipher.inf (PEHSTR_EXT)
- ! cynet ransom protection(don't delete) (PEHSTR_EXT)
- Time Ransomware (PEHSTR_EXT)
- helpxm72.beget.tech (PEHSTR_EXT)
- xxxx.onion (PEHSTR_EXT)
- \Rx2o7d.txt (PEHSTR_EXT)
- ShellExecuteW (PEHSTR_EXT)
- Microsoft\Windows\Start Menu\Programs\Startup\h.vbs (PEHSTR_EXT)
- CreateObject("WScript.Shell") (PEHSTR_EXT)
- eicar.com (PEHSTR_EXT)
- taskkill /f /IM explorer.exe (PEHSTR_EXT)
- !P%@AP[4\PZX54(P (PEHSTR_EXT)
- \explorer.exe (PEHSTR_EXT)
- Mirc\script.ini.locked (PEHSTR_EXT)
- joanna.smith@domain.com (PEHSTR_EXT)
- choice /t 1 /d y /n >nul (PEHSTR_EXT)
- xxxx.onion/ (PEHSTR_EXT)
- .torrent (PEHSTR_EXT)
- .locky (PEHSTR_EXT)
- cmd.exe /c start (PEHSTR_EXT)
- documents on your computer are encrypted (PEHSTR_EXT)
- HOW_FIX_FILES.htm (PEHSTR_EXT)
- .onion/gate.php (PEHSTR_EXT)
- \\.\PhysicalDrive0 (PEHSTR_EXT)
- WMIC.exe shadowcopy delete /nointeractive (PEHSTR_EXT)
- bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures wbadmin DELETE SYSTEMSTATEBACKUP wbadmin DELETE (PEHSTR_EXT)
- net stop BackupExecAgentAccelerator /y (PEHSTR_EXT)
- net stop BackupExecAgentBrowser /y (PEHSTR_EXT)
- net stop McAfeeEngineService /y (PEHSTR_EXT)
- \matshure.pdb (PEHSTR_EXT)
- \WD30.pdb (PEHSTR_EXT)
- /C timeout 20 (PEHSTR_EXT)
- new/Qtbxgzla.jpg (PEHSTR_EXT)
- cryptmanager@protonmail.com (PEHSTR_EXT)
- \PhysicalDrive0 (PEHSTR_EXT)
- Monero/XMR (PEHSTR_EXT)
- \Desktop\Read-Me.txt (PEHSTR_EXT)
- taskkill /f /im taskmgr.exe (PEHSTR_EXT)
- Your computer was infected with a ransomware virus (PEHSTR_EXT)
- .nightsky (PEHSTR_EXT)
- \NightSkyReadMe.hta (PEHSTR_EXT)
- .onion/?cid=%CLIENT_ID% (PEHSTR_EXT)
- \encrypt_win_api.pdb (PEHSTR_EXT)
- Your system is LOCKED. (PEHSTR_EXT)
- System.Windows.Markup (PEHSTR_EXT)
- NoName\NoName\obj\Debug\NoName.pdb (PEHSTR_EXT)
- main.delshadows (PEHSTR_EXT)
- main.stopallsvc (PEHSTR_EXT)
- main.kill (PEHSTR_EXT)
- main.destroy (PEHSTR_EXT)
- main.listservices (PEHSTR_EXT)
- main.lanscan (PEHSTR_EXT)
- main.parsenetview (PEHSTR_EXT)
- main.shownote (PEHSTR_EXT)
- main.pognali (PEHSTR_EXT)
- \EvilNominatusCrypto.pdb (PEHSTR_EXT)
- \Antivirus.bat (PEHSTR_EXT)
- taskkill /IM mspub.exe /F (PEHSTR_EXT)
- net stop BMR Boot Service /y (PEHSTR_EXT)
- \Dropper\ (PEHSTR_EXT)
- \Dropper.pdb (PEHSTR_EXT)
- C:\Desktop\Cov-Locker\Cov-Locker\obj\Release\Cov-Locker.pdbd (PEHSTR_EXT)
- Ocelocker.pdb (PEHSTR_EXT)
- Writing ransom note (PEHSTR_EXT)
- \Goodwill Encryptor.pdb (PEHSTR_EXT)
- \sus.pdb (PEHSTR_EXT)
- VirusMSILNominatusStorm.pdb (PEHSTR_EXT)
- Oops your Computer Locked (PEHSTR_EXT)
- exeNULcouldn't generate random b (PEHSTR_EXT)
- \conti_v3\ (PEHSTR_EXT)
- \cryptor.pdb (PEHSTR_EXT)
- CONTI-Hiensiv_Ggydlela.png (PEHSTR_EXT)
- system32\cmd.exe (PEHSTR_EXT)
- shutdown /r /t %d (PEHSTR_EXT)
- /c del /F /S /Q %c:\*.* (PEHSTR_EXT)
- /c format %c: /Y /X /FS:NTFS (PEHSTR_EXT)
- .CI_0P (PEHSTR_EXT)
- C:\Users\sinez\source\repos\GonnaCope\GonnaCopeCryptor\obj\Debug\GonnaCopeCryptor.pdb (PEHSTR_EXT)
- HKCU\SOFTWARE\recfg\sk_key (PEHSTR_EXT)
- HKLM\SOFTWARE\recfg\pk_key (PEHSTR_EXT)
- HKLM\SOFTWARE\recfg\stat (PEHSTR_EXT)
- Done time: %.4f seconds, encrypted: %.4f gb (PEHSTR_EXT)
- schtasks /create /sc minute /mo (PEHSTR_EXT)
- All you filles have been encrypted by a ransomware. (PEHSTR_EXT)
- \Decrypt-info.txt (PEHSTR_EXT)
- /voidcrypt/index.php (PEHSTR_EXT)
- All your files are encrypted due to security problem with your computer (PEHSTR_EXT)
- The data will be published on TOR website if you do not pay the ransom (PEHSTR_EXT)
- Your company id for log in: (PEHSTR_EXT)
- windows_encrypt.dll (PEHSTR_EXT)
- dllinstall (PEHSTR_EXT)
- \RANSOMWARE3.0.pdb (PEHSTR_EXT)
- NOKOYAWA.ex (PEHSTR_EXT)
- WannaLock Ransomware (PEHSTR_EXT)
- YOUR PC HAS BEEN LOCKED BY WANNALOCK RANSOMWARE!!! (PEHSTR_EXT)
- PLEASE CONTACT https://message.bilibili.com/#whisper/mid490825280 TO FIX YOUR PC!!! (PEHSTR_EXT)
- YOU MUST COMPLETE THIS IN ONE HOUR!!!OR YOU MUST SAY BYE BYE TO YOUR PC!!! (PEHSTR_EXT)
- networkexplorer.DLL (PEHSTR_EXT)
- NlsData0000.DLL (PEHSTR_EXT)
- NetProjW.DLL (PEHSTR_EXT)
- Ghofr.DLL (PEHSTR_EXT)
- fg122.DLL (PEHSTR_EXT)
- RozbehInvaders.pdb (PEHSTR_EXT)
- 0->Detailed company information, Accountant files (PEHSTR)
- &->Financial documents, Commercial info (PEHSTR)
- EConti, HOW_TO_DECRYPTP, The system is LOCKED., The network is LOCKED. (PEHSTR_EXT)
- HKLM\SOFTWARE\recfg\sk_key (PEHSTR_EXT)
- ynet.co.il (PEHSTR_EXT)
- for /f %%%%F in ('dir *.exe /s /b') do copy /y Rozbeh.exe (PEHSTR_EXT)
- Rozbeh.bat (PEHSTR_EXT)
- DeskFL.vbs (PEHSTR_EXT)
- cmd.exe /c copy /y ..\Rozbeh.exe %%AppData%%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (PEHSTR_EXT)
- Scanner.bat (PEHSTR_EXT)
- v1.0 MBRKiller new (PEHSTR_EXT)
- BabukRansomwareSourceCode (PEHSTR_EXT)
- KillMbr.pdb (PEHSTR_EXT)
- maui.key (PEHSTR_EXT)
- demigod.key (PEHSTR_EXT)
- 2/development/working_project/src/HolyGhostProject/ (PEHSTR)
- /development/src/HolyLocker/ (PEHSTR)
- "/development/src/HolyGhostProject/ (PEHSTR)
- http://193.56.29.123 (PEHSTR)
- (/src/HolyGhostProject/Network/network.go (PEHSTR)
- //src/HolyGhostProject/MainFunc/HolyRS/HolyRS.go (PEHSTR)
- /src/HolyGhost/Main/common.go (PEHSTR)
- &/src/HolyGhost/Main/HolyLock/locker.go (PEHSTR)
- /src/HolyLocker/Main/common.go (PEHSTR)
- '/src/HolyLocker/Main/HolyLock/locker.go (PEHSTR)
- .h0lyenc (PEHSTR)
- NOKOYAWA v2.0.pdb (PEHSTR_EXT)
- mHtyDZcsrtT4/t3O+3smlSCOHOGPecD9WyHiK92g6U5yU (PEHSTR_EXT)
- vgLv/4CGSWX5CdAY5bVOmiK3URqJGG6MCpTC5MB (PEHSTR_EXT)
- Rp/ovZWeh65j6G5mVS3o3Ux5cH2pfT/VZ (PEHSTR_EXT)
- crypto/aes.encryptBlockGo (PEHSTR_EXT)
- crypto/aes.expandKeyGo (PEHSTR_EXT)
- path/filepath.WalkDir (PEHSTR_EXT)
- Cipher.psm1 (PEHSTR_EXT)
- $home\Desktop\Readme_now.txt (PEHSTR_EXT)
- \Documents\WindowsPowerShell\Modules\Cipher (PEHSTR_EXT)
- Look at this instruction.txt (PEHSTR_EXT)
- shadows /all /Quiet (PEHSTR_EXT)
- djdkduep62kz4nzx. (PEHSTR_EXT)
- /inst.php (PEHSTR_EXT)
- Freya Ransomware (PEHSTR_EXT)
- output.txt (PEHSTR_EXT)
- :\Windows\Temp\desktop.jpg (PEHSTR_EXT)
- RansomNote.PNT-RNSM (PEHSTR_EXT)
- PenterWare.exe (PEHSTR_EXT)
- crypto/cipher.xorBytesSSE2 (PEHSTR_EXT)
- by KAWAII ransomware (PEHSTR_EXT)
- \Anime.pdb (PEHSTR_EXT)
- KAWAII ransomware (PEHSTR_EXT)
- Your network/system was encrypted (PEHSTR_EXT)
- README-RECOVER-.txt (PEHSTR_EXT)
- Ghofr.D (PEHSTR_EXT)
- fg122.D (PEHSTR_EXT)
- README-MCBURGLAR.txt (PEHSTR_EXT)
- MCB.pdb (PEHSTR_EXT)
- SavitarRW.exe (PEHSTR_EXT)
- SavitarRW\SavitarRW\obj\Debug\SavitarRW.pdb (PEHSTR_EXT)
- Sapphire_Ransomware (PEHSTR_EXT)
- vssadmin.exe delete shadows (PEHSTR_EXT)
- .AES for x86, CRYPTOGAMS by <appro@openssl.org> (PEHSTR)
- \cryptor.pdb (PEHSTR_EXT)
- virus@satinfo.es (PEHSTR_EXT)
- Keylogger.Bladabindi (PEHSTR_EXT)
- Malware.Postal (PEHSTR_EXT)
- Ransom.Servcc (PEHSTR_EXT)
- Trojan.DistTrack (PEHSTR_EXT)
- Malware.Zambrano (PEHSTR_EXT)
- README.TXT (PEHSTR_EXT)
- .royal (PEHSTR_EXT)
- uncompressed (PEHSTR_EXT)
- access .onion website (PEHSTR_EXT)
- cmd.exe /c start /MAX notepad.exe (PEHSTR_EXT)
- .BlackMagic (PEHSTR_EXT)
- \HackedByBlackMagic.txt (PEHSTR_EXT)
- registration></scriptlet> (PEHSTR_EXT)
- /i:../../../ (PEHSTR_EXT)
- </html> (PEHSTR_EXT)
- vssadmin delete shadows /for=c: /all (PEHSTR_EXT)
- vssadminwsaioctl (forced) -> node= B exp.) (PEHSTR_EXT)
- crypto.DecryptFile.func1 (PEHSTR_EXT)
- crypto.EncryptFile.func1 (PEHSTR_EXT)
- file.WalkFiles.func1 (PEHSTR_EXT)
- snapshots.WipeSnapshots (PEHSTR_EXT)
- os/exec.lookExtensions (PEHSTR_EXT)
- os.(*Process).Kill (PEHSTR_EXT)
- c:\users\public\Documents\MicrosoftUpdate.dll.BlackMagic (PEHSTR_EXT)
- reg add "hkey_current_user\control panel\desktop" /v wallpaper /t reg_sz /d C:\Users\Public\Documents\back.bmp /f (PEHSTR_EXT)
- del /F "c:\users\public\Documents\back.bmp" (PEHSTR_EXT)
- reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disabletaskmgr /t reg_dword /d 1 /f (PEHSTR_EXT)
- ipconfig > c:\users\public\Documents\ip.txt (PEHSTR_EXT)
- /BlackMagic2511 (PEHSTR_EXT)
- 193.182.144.85 (PEHSTR_EXT)
- 5.230.70.49 (PEHSTR_EXT)
- /api/public/api/test?ip=&status=0&cnt=100&type=server&num=11111170 (PEHSTR_EXT)
- instructions_read_me.txt (PEHSTR_EXT)
- schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\ (PEHSTR_EXT)
- sensitive files were COMPROMISED (PEHSTR_EXT)
- if you do not pay ransom (PEHSTR_EXT)
- cyber insurance against ransomware attacks (PEHSTR_EXT)
- ANY MODIFICATION/RESTORATION ATTEMPTS WILL BREAK YOUR FILES AND YOU WILL NOT BE ABLE TO RECOVER THEM EVER AGAIN (PEHSTR_EXT)
- TO DECRYPT/RESTORE YOUR FILES -> WRITE AN EMAIL TO THIS ADDRESS FOR FURTHER INSTRUCTIONS (PEHSTR_EXT)
- crustom-support@proton.me (PEHSTR_EXT)
- C:\ProgramData\Service\SURTR_README.txt (PEHSTR_EXT)
- .seiv (PEHSTR_EXT)
- \private (PEHSTR_EXT)
- \ArtOfCrypt\ (PEHSTR_EXT)
- \ENcrypt0r.pdb (PEHSTR_EXT)
- it's complete loss. (PEHSTR_EXT)
- main.ScanForFiles.func1 (PEHSTR_EXT)
- main.main (PEHSTR_EXT)
- TestLocker.pdb (PEHSTR_EXT)
- pay a ransom (PEHSTR_EXT)
- pqrstOPghijklm963nouwz0214587.-JKLMNvQRSxyTUDEFGHIVWXYZabcdefABC (PEHSTR_EXT)
- .buddyransome (PEHSTR_EXT)
- white_ransomeware (PEHSTR_EXT)
- dx_ransomware\obj\Release\dx_ransomware.pdb (PEHSTR_EXT)
- C:\Work\conti_v (PEHSTR)
- Vel9AQAAX4vv6LQAAACL/VcGD6AHJqEw (PEHSTR_EXT)
- AOtFUVaLdTyLdDV4A/VWi3YgA/UzyUlB (PEHSTR_EXT)
- process call create "powershell -executionpolicy bypass -nop -w hidden %s" (PEHSTR_EXT)
- NitroRansomware.Resources.wl.png (PEHSTR)
- Lorenz.sz40 (PEHSTR)
- 5SCHTASKS /run /TN sz401&SCHTASKS /Delete /TN sz401 /F (PEHSTR)
- /PASSWORD:'crowen' (PEHSTR)
- 157.90.147.28 (PEHSTR)
- QYour files are downloaded, encrypted, and currently unavailable. You can check it (PEHSTR)
- C:\Users\user\Desktop\new\noko\target\release\deps\noko.pdb (PEHSTR_EXT)
- E:\cpp\out\out\out.pdb (PEHSTR)
- We can fix it and restore files. (PEHSTR_EXT)
- Decryption.helper@aol.com (PEHSTR_EXT)
- Decryption.help@cyberfear.com (PEHSTR_EXT)
- AXRIKN.exe (PEHSTR)
- JAOJNI.exe (PEHSTR)
- Failed to create ransom note (PEHSTR_EXT)
- SeroXen\SeroXen\obj\x64\Release\SeroXen.pdb (PEHSTR_EXT)
- bhv.encryption.encrypt_files (PEHSTR_EXT)
- bhv.ransom.ransom_note (PEHSTR_EXT)
- LockBit_Ransomware.hta (PEHSTR_EXT)
- .lockbit (PEHSTR_EXT)
- EnCrypt.Properties.Resources (PEHSTR_EXT)
- EnCrypt.pdb (PEHSTR_EXT)
- EnCryptExeName (PEHSTR_EXT)
- the internal infrastructure of your company is fully or partially dead (PEHSTR_EXT)
- D:\vcprojects\akira\asio\include\asio\impl (PEHSTR_EXT)
- .akira (PEHSTR_EXT)
- .L0v3sh3 (PEHSTR_EXT)
- .payme100usdz (PEHSTR_EXT)
- \RWare\RWare\ (PEHSTR_EXT)
- \RoWare.pdb (PEHSTR_EXT)
- \CryptoJoker.pdb (PEHSTR_EXT)
- \$`H#\$hH1 (PEHSTR)
- cpp\git2\Unicode Release\ (PEHSTR_EXT)
- .pdb (PEHSTR_EXT)
- You entire network has been compromised (PEHSTR_EXT)
- UNIZA RANSOMWARE (PEHSTR_EXT)
- pay the ransom and DM me (PEHSTR_EXT)
- Release\Rans.pdb (PEHSTR_EXT)
- akira_readme.txt (PEHSTR_EXT)
- Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead (PEHSTR_EXT)
- all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption (PEHSTR_EXT)
- Couldn't create ransom note (PEHSTR_EXT)
- DELETE_SHADOW\ (PEHSTR_EXT)
- Q:\W:\E:\R:\T:\Y:\U:\I:\O:\P:\A:\S:\D:\F:\G:\H:\J:\K:\L:\Z:\X:\C:\V:\B:\N:\M:\ (PEHSTR_EXT)
- /rustc/ (PEHSTR_EXT)
- Cylance Ransomware (PEHSTR_EXT)
- readme-asldkas.txt (PEHSTR_EXT)
- check-here.txt (PEHSTR_EXT)
- Users\YoavShaharabani\source\repos\windows-scenarios\Payloads\NativeRansomeware\x64\RemoteKey_ (PEHSTR_EXT)
- \Users\YoavShaharabani\source\repos\windows-scenarios\Payloads\NativeRansomewareDll\x64\RandomKey_ManualAes_Overwrite\NativeRansomewareDll.pdb (PEHSTR_EXT)
- \Users\YoavShaharabani\source\repos\windows-scenarios\Payloads\NativeRansomewareDll\x64\ (PEHSTR_EXT)
- 0\NativeRansomewareDll.pdb (PEHSTR_EXT)
- .lember (PEHSTR_EXT)
- %desktop%\ReadMe.txt (PEHSTR_EXT)
- encryption_path:string:c:\programdata\cymulate\EDR (PEHSTR_EXT)
- the internal infrastructure of your company is fully or partially dead, all your backups (PEHSTR_EXT)
- /C net stop VeeamDeploymentService /y (PEHSTR_EXT)
- /C net stop SstpSvc /y (PEHSTR_EXT)
- /C net stop VeeamBackupSvc /y (PEHSTR_EXT)
- /C vssadmin resize shadowstorage /for= (PEHSTR_EXT)
- Everything64.dll (PEHSTR)
- DontDecompileMePlease (PEHSTR_EXT)
- Keep in mind that the faster you will get in touch, the less damage we cause. (PEHSTR_EXT)
- powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" (PEHSTR_EXT)
- D:\vcprojects\akira\asio (PEHSTR_EXT)
- https://akiral (PEHSTR_EXT)
- vssadmin.exe Delete Shadows /all /quiet (PEHSTR_EXT)
- wmic.exe Shadowcopy Delete (PEHSTR_EXT)
- iisreset.exe /stop (PEHSTR_EXT)
- schtasks /delete /tn Microsoft_Auto_Scheduler (PEHSTR_EXT)
- \Restore_Your_Files.txt (PEHSTR_EXT)
- SOFTWARE\FCVdDodDeiWxLDNDX (PEHSTR_EXT)
- SOFTWARE\RRansom (PEHSTR_EXT)
- https://iplogger.com/ (PEHSTR_EXT)
- BigCashForYou.exe (PEHSTR_EXT)
- RansomWar_EOF (PEHSTR_EXT)
- At the moment, your system is not protected. (PEHSTR_EXT)
- To get started, send a file to decrypt trial. (PEHSTR_EXT)
- Malicious code executed (PEHSTR_EXT)
- Vyper Ransomware (PEHSTR_EXT)
- Xinfecter.exe (PEHSTR_EXT)
- locked@onionmail.org (PEHSTR_EXT)
- liveteam@onionmail.org (PEHSTR_EXT)
- Your network has been breached and all data was encrypted. Please contact us at: (PEHSTR_EXT)
- https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ (PEHSTR_EXT)
- Hello! Your company has been hacked! (PEHSTR_EXT)
- We are not a politically motivated group and we do not need anything other than your money. (PEHSTR_EXT)
- Life is too short to be sad. Be not sad, money, it is only paper. (PEHSTR_EXT)
- Warning! If you do not pay the ransom we will attack your company repeatedly again (PEHSTR_EXT)
- -KEY-README.txt (PEHSTR_EXT)
- o2b7eNVjYJ4gqsEoouj.SQOwhjVfrxWErP6jVXa (PEHSTR_EXT)
- CriticalBreachDetected.pdf (PEHSTR_EXT)
- e.onion (PEHSTR_EXT)
- cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f (PEHSTR_EXT)
- cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path (PEHSTR_EXT)
- encryptor\Release\encryptor.pdb (PEHSTR_EXT)
- The data will be published on TOR website if you do not pay the ransom (PEHSTR_EXT)
- Mail (OnionMail) Support: darkrace@onionmail.org (PEHSTR_EXT)
- DarkRace ransomware (PEHSTR_EXT)
- LockBit 3.0 the world's fastest ransomware (PEHSTR_EXT)
- Mail (OnionMail) Support: lockdark@onionmail.org (PEHSTR_EXT)
- COLIN RANSOMWARE (PEHSTR_EXT)
- bin\RuntimeBrokerPY.exe (PEHSTR_EXT)
- \EncryptDecryptFiles\obj\Debug\Colinware.pdb (PEHSTR_EXT)
- \___RECOVER__FILES__.Sology.txt (PEHSTR_EXT)
- moneybird.pdb (PEHSTR_EXT)
- floxen\source\repos\RanSom\obj\Debug\RanSom.pdb (PEHSTR_EXT)
- CONTI_LOG.txt (PEHSTR_EXT)
- C:\Users\Public\enc.exe (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (PEHSTR_EXT)
- rdprecovery@skiff.com (PEHSTR_EXT)
- Y:\X:\W:\V:\U:\T:\S:\R:\Q:\P:\O:\N:\M:\L:\K:\J:\I:\H:\G:\F:\E:\D:\C:\B:\A:\Z:\ (PEHSTR_EXT)
- CymulateDCOMInterfacesWorm (PEHSTR_EXT)
- CymulateEDRRansom (PEHSTR_EXT)
- akira_readme.txt (PEHSTR)
- RMoreover, we have taken a great amount of your corporate data prior to encryption. (PEHSTR)
- \git2\Unicode Debug\FingerText.pdb (PEHSTR_EXT)
- \AppData\Roaming\Microsoft\Office\MicrosoftH.exe (PEHSTR_EXT)
- \Z_PC\source\repos\Repos\Release\normall.pdb (PEHSTR_EXT)
- .rdata$voltmd (PEHSTR_EXT)
- .rdata$zzzdbg (PEHSTR_EXT)
- \Release\pwndll.pdb (PEHSTR_EXT)
- HACKED.png (PEHSTR_EXT)
- Pentest\source\repos\rustware\rustware\target\release\deps\rustware.pdb (PEHSTR_EXT)
- .README.txt (PEHSTR_EXT)
- Your computers and servers are encrypted, backups are deleted (PEHSTR_EXT)
- ://t.me/NovaGroup2023 (PEHSTR_EXT)
- ransomware is a part of the world of cyber security (PEHSTR_EXT)
- \target\release\deps\rcrypt.pdb (PEHSTR_EXT)
- temp.cmd %s (PEHSTR_EXT)
- The Underground team welcomes you! (PEHSTR_EXT)
- stop MSSQLSERVER /f /m (PEHSTR_EXT)
- http://undgrd (PEHSTR_EXT)
- slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\ConsoleApp2.pdb (PEHSTR_EXT)
- RanSom.pdb (PEHSTR_EXT)
- Lokkit v1\Lokkit v1\obj\Release\Lokkit v1.pdb (PEHSTR_EXT)
- encrypt_date.txt (PEHSTR_EXT)
- Peter'sRansomware (PEHSTR_EXT)
- .7z.rar.m4a.wma.avi.wmv.d3dbsp.sc2save (PEHSTR_EXT)
- SSEAR.pdb (PEHSTR_EXT)
- Do not shut down or restart your computer (PEHSTR_EXT)
- CONTACT US THROUGH EMAIL: kanti@dnmx.com (PEHSTR_EXT)
- Cooperating with us will guarantee that all your files will be recovered completely (PEHSTR_EXT)
- hellohowareyou@cock.li (PEHSTR_EXT)
- RANSOMWARE.pdb (PEHSTR_EXT)
- Example_RANSOMWARE.Encryption (PEHSTR_EXT)
- \QQMusicModel\vcruntime140\Release\vcruntime140.pdb (PEHSTR_EXT)
- Please pay a ransom of 100USDT to me! (PEHSTR_EXT)
- Otherwise, your files cannot be decrypted even if God comes (PEHSTR_EXT)
- FakeRansomware (PEHSTR_EXT)
- Black.Berserk@onionmail.org (PEHSTR_EXT)
- Loki.Utilities.Interfaces (PEHSTR_EXT)
- Loki.IO.Keyboards.Settings (PEHSTR_EXT)
- Loki.Pinvoke.Native.IP_ADAPTER_INFO (PEHSTR_EXT)
- Loki.IO.Algorithms.Zip.FileInfo.ZipFileInfo (PEHSTR_EXT)
- %PDF-1.4 (PEHSTR_EXT)
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f (PEHSTR_EXT)
- \get_my_files.txt (PEHSTR)
- 6Hello. If you want to return files, write me to e-mail (PEHSTR)
- Loki.Payload.dll (PEHSTR_EXT)
- \Users\hello\OneDrive\Bureau\Ransomware\Ransomware\obj\Debug\Ransomware.pdb (PEHSTR_EXT)
- XRET Ransomware (PEHSTR_EXT)
- C:/Windows/Fonts/Arial.ttf (PEHSTR_EXT)
- C:/Users/Public/bg.jpg (PEHSTR_EXT)
- It's vital to note that any attempts to decrypt the encrypted files independently could lead to permanent data loss. (PEHSTR_EXT)
- ;http (PEHSTR_EXT)
- http://ransom (PEHSTR_EXT)
- cmd.exe /c vssadmin.exe Delete (PEHSTR_EXT)
- "white_files": ["NTUSER.DAT" (PEHSTR_EXT)
- Only process smb hosts inside defined host. -host (PEHSTR_EXT)
- notepad C:\SKYSTARSRANSOMWARE.txt (PEHSTR_EXT)
- myapp.exe.SKYSTARS (PEHSTR_EXT)
- !Recovery_%s.txt (PEHSTR_EXT)
- \BKRansomware\Release\BKRansomware.pdb (PEHSTR_EXT)
- \SYSTEM32\chcp.com.hainhc (PEHSTR_EXT)
- SAD RANSOMWARE (PEHSTR_EXT)
- Viagra\dotnetfx35setup\obj\x86\Debug\dotnetfx35setup.pdb (PEHSTR_EXT)
- .HTML in every folder, for instructions on how to get your files back. (PEHSTR_EXT)
- MyEncrypter2.pdb (PEHSTR)
- where_are_your_files.txt (PEHSTR)
- meteoritan6570@yandex.ru (PEHSTR)
- megazord_xi-1\Windows\x86_64-pc-windows-msvc\debug\deps\megazord.pdb (PEHSTR_EXT)
- \Ransomware\zorro\Zorro\Zorro\obj\Release\Zorro.pdb (PEHSTR_EXT)
- G:\Medusa\Release\gaze.pdb (PEHSTR_EXT)
- powershell -executionpolicy bypass -File (PEHSTR_EXT)
- uluBgXtWgrL1J51vrN.VE4RkDjh5NJQIifVR5 (PEHSTR_EXT)
- jhsIn2ICirN5bEZO4q.9Z9JGY34683HQn7fom (PEHSTR_EXT)
- Tn/^Q (SNID)
- \,:z-1 (SNID)
- T$.0O (PEHSTR_EXT)
- L$/0W (PEHSTR_EXT)
- ;\$ ~ (PEHSTR_EXT)
- HOW_TO_RECOVER_FILES.txt (PEHSTR_EXT)
- We are not a politically company and we are not interested in your private affairs (PEHSTR_EXT)
- taskkill /f /im (PEHSTR_EXT)
- MagasFinisher.pdb (PEHSTR_EXT)
- MagasFinisher.Properties (PEHSTR_EXT)
- /sendMessage?chat_id= (PEHSTR_EXT)
- .EMAIL = [alvarodecrypt@gmail.com]ID = (PEHSTR_EXT)
- .alvaro (PEHSTR_EXT)
- FILE ENCRYPTED.txt (PEHSTR_EXT)
- To restore the system write to both : alvarodecrypt@gmail.com (PEHSTR_EXT)
- alvarodecrypt@outlook.com (PEHSTR_EXT)
- Your system may not be connected to the internet. (PEHSTR_EXT)
- /8T^'fV3 (SNID)
- j/ $& (SNID)
- main.VDMOperationStarted (PEHSTR_EXT)
- crypto/rand/rand.go (PEHSTR_EXT)
- main.Toolhelp32ReadProcessMemory (PEHSTR_EXT)
- .Mortis (PEHSTR_EXT)
- \MortisLocker.pdb (PEHSTR_EXT)
- We guarantee to decrypt one file for free. Go to the site and contact us. (PEHSTR_EXT)
- Lambda Ransomware (PEHSTR_EXT)
- All your files are encrypted and stolen, but you need to follow our instructions. otherwise, you cant return your data (PEHSTR_EXT)
- Payola.pdb (PEHSTR_EXT)
- VTtfvhJFsVTtfJFsVTtf.Resources.resources (PEHSTR_EXT)
- VTtfvhJFsVTtfJFsVTtfhid.Resources.resources (PEHSTR_EXT)
- THEORETICAL RANSOM NOTE (PEHSTR_EXT)
- RansomwareWindowClass (PEHSTR_EXT)
- cmd /c reg delete HKCU\Software\Classes\ms-settings /f (PEHSTR_EXT)
- don't try to reset, your pc is already fucked by the time you read this line. (PEHSTR_EXT)
- file decryption is impossible. the decryption keys have already been deleted (PEHSTR_EXT)
- Medusa\Release\gaze.pdb (PEHSTR_EXT)
- stub_win_x64_encrypter.pdb (PEHSTR_EXT)
- eee.exe (PEHSTR_EXT)
- start info.txt (PEHSTR_EXT)
- ransomware001.pdb (PEHSTR_EXT)
- <target directory> [/v] [/s] [/o] [/a] [/r] [-c <number>] [-d <second>] (PEHSTR_EXT)
- Welcome to Bulls and Cows, a fun word game (PEHSTR_EXT)
- Do you want to play again with the same hidden word (y/n) (PEHSTR_EXT)
- Release\BullCowGame.pdb (PEHSTR_EXT)
- Data\rick.png (PEHSTR)
- */c vssadmin.exe delete shadows /all /quiet (PEHSTR)
- ExcludeExtensions=exe|dll|xml|log|dmp (PEHSTR_EXT)
- KeyFileText=Files on this computer encrypted (PEHSTR_EXT)
- K:/test/repos/SmallCryptoApp/Win/EnCryptor/TEMP/main.go (PEHSTR_EXT)
- encoding/asn1.parseBase128Int (PEHSTR_EXT)
- crypto/elliptic.bigFromHex (PEHSTR_EXT)
- CymulateNativeRansomwareGeneratedKey (PEHSTR_EXT)
- programdata\Cymulate (PEHSTR_EXT)
- AttacksLogs\edr (PEHSTR_EXT)
- SOFTWARE\Malwarebytes\Ekati\ (PEHSTR_EXT)
- We have downloaded compromising and sensitive data from you (PEHSTR_EXT)
- .README-RECOVER-.txt (PEHSTR_EXT)
- to help you get the cipher key. We encourage you to consider your decisions (PEHSTR_EXT)
- get_ExecutablePath (PEHSTR_EXT)
- http://94.103.91.246/ (PEHSTR_EXT)
- AceRansomware (PEHSTR_EXT)
- AceDotNet.dll (PEHSTR_EXT)
- E:\cpp\git5\x64\dll\SudSolver.pdb (PEHSTR_EXT)
- xO(\|+& (SNID)
- vssadmin.exe delete shadows /all /quiet /? (PEHSTR_EXT)
- kill loop for taskmgr, cmd, regedit, powershell yes/no (PEHSTR_EXT)
- reboot after end encryption of all files or disks yes/no (PEHSTR_EXT)
- .sick2 (PEHSTR_EXT)
- ghostbin.com (PEHSTR_EXT)
- HELP.txt (PEHSTR_EXT)
- \release\deps\megazord.pdb (PEHSTR)
- \Users\Public\C:\$RECYCLE.BIN (PEHSTR)
- MIIBCgKCAQEAw/4Mpnw7yV9NDzjISgNesWSHj7A (PEHSTR_EXT)
- The " Ransomware" is a cross-platform ransomware that encrypts (PEHSTR_EXT)
- Your data is stolen and encrypted. (PEHSTR_EXT)
- LockBit 3.0 the world's fastest and most stable ransomware (PEHSTR_EXT)
- grisu.rs (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Policies\SystemDisableTaskMgr (PEHSTR_EXT)
- wallpaper_albabat.jpg (PEHSTR_EXT)
- Your files, videos, documents, and other important data have been encrypted. (PEHSTR_EXT)
- WARNING! if you restart computer to your file is can't recovery forever! (PEHSTR_EXT)
- \HoneyLocker.pdb (PEHSTR_EXT)
- Zjwimxfxz.Properties (PEHSTR_EXT)
- b6277946ccc47c.Resources (PEHSTR_EXT)
- ComputeProxy (PEHSTR_EXT)
- jsonWriter (PEHSTR_EXT)
- NitroRansomware.exe (PEHSTR_EXT)
- EncryptedExtension": ".LATCHNETWORK3 (PEHSTR_EXT)
- xaqipaxowq.exe (PEHSTR)
- \ShellLocker Ransomware\ShellLocker\ShellLocker\bin\ShellLocker.pdb (PEHSTR_EXT)
- \startRans.bat (PEHSTR_EXT)
- \recoveryKey.txt (PEHSTR_EXT)
- \Programs\Startup\startVs.bat (PEHSTR_EXT)
- \windows\system32\shutdown /r /t 0 (PEHSTR_EXT)
- ~~~~ INC Ransom ~~~~ (PEHSTR_EXT)
- http://incpay (PEHSTR_EXT)
- P.onion (PEHSTR_EXT)
- If you do not pay the ransom, we will attack your company again in the future (PEHSTR_EXT)
- Don't go to recovery companies (PEHSTR_EXT)
- Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees (PEHSTR_EXT)
- your network infrastructure has been compromised (PEHSTR_EXT)
- DEDSEC RANSOMWARE (PEHSTR_EXT)
- t.me/dedsecransom (PEHSTR_EXT)
- \ransom.py (PEHSTR_EXT)
- encrypt_file.<locals>.<genexpr> (PEHSTR_EXT)
- Trashing the system... (PEHSTR_EXT)
- , im sorry. (PEHSTR_EXT)
- ransom copy (PEHSTR_EXT)
- VCRUNTIME140.dll (PEHSTR_EXT)
- TinyTrigger.exe (PEHSTR_EXT)
- TaeMinVirus.exe (PEHSTR_EXT)
- I got into your computer (PEHSTR_EXT)
- AlcDif.exe (PEHSTR_EXT)
- to kill the ransomware (PEHSTR_EXT)
- P.l.e.w.t.b.q.f._ (PEHSTR)
- set_UseShellExecute (PEHSTR)
- !!!YOUR FILE HAS BEEN ENCRYPTED!!!.txt (PEHSTR_EXT)
- CriticalBreachDetected.pdf (PEHSTR)
- xreg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f (PEHSTR)
- \rounc.pdb (PEHSTR_EXT)
- Inf-Inf-key.bat.cmd.com.exe.ico (PEHSTR_EXT)
- at +0330+0430+0530+0545+0630+0845+1030+1245+1345-0930-pass.jpge (PEHSTR_EXT)
- -local.local.onion/Quiet (PEHSTR_EXT)
- Value>%s.lock (PEHSTR_EXT)
- .arika (PEHSTR_EXT)
- https://akira (PEHSTR_EXT)
- SendKeysSample.pdb (PEHSTR_EXT)
- RansomTuga-master (PEHSTR_EXT)
- C:\TEMP\ransombear.exe (PEHSTR_EXT)
- C:\TEMP\LaunchRansombear.dll (PEHSTR_EXT)
- C:\WINDOWS\system32\cmd.exe /c C:\ransombear.exe (PEHSTR_EXT)
- /x64/Release/DataDecryptor.exe (PEHSTR_EXT)
- x64/Release/debugFolder_backup/pdfsample.pdf (PEHSTR_EXT)
- ./emailSender.ps1 (PEHSTR_EXT)
- +Inf-Inf.bat.cmd.com.exe.png (PEHSTR_EXT)
- local.onion/quiet (PEHSTR_EXT)
- "kill_services\""; SetWallpaper (PEHSTR_EXT)
- "net_spread\""; SelfDelete (PEHSTR_EXT)
- avx512chan<-domainenableexec (PEHSTR_EXT)
- MalwareHunterTeam malwrhunterteam Ransomware (PEHSTR_EXT)
- ComponentResourceManager (PEHSTR_EXT)
- NBA_LOG.txt (PEHSTR_EXT)
- Unhook module: %ntdll.dll (PEHSTR_EXT)
- \Z>Qw (SNID)
- FileEncry.pdb (PEHSTR_EXT)
- payload.exe (PEHSTR_EXT)
- ransom (PEHSTR_EXT)
- Ransom.Form1.resources (PEHSTR_EXT)
- .root (PEHSTR_EXT)
- Ransom\Charity-master (PEHSTR_EXT)
- email.encoders (PEHSTR_EXT)
- EncDll.pdb (PEHSTR_EXT)
- fakecry.pdb (PEHSTR_EXT)
- Calculator.exe (PEHSTR_EXT)
- projectmars.exe (PEHSTR_EXT)
- V:\geritjei\adkmgrjgii\dfe\wfef.pdb (PEHSTR_EXT)
- Backup.ocx (PEHSTR_EXT)
- H4FAr4lQluM6QPWeV2d1/LY_BBfuGQbYRuWj4KPvD/69qVJ-VHV7LkDAMPzw9F/PdGgCmqa42Uq5tK0UsRg (PEHSTR_EXT)
- main.malicious (PEHSTR_EXT)
- main.infectBinaries (PEHSTR_EXT)
- main.notInfectBin (PEHSTR_EXT)
- main.xor (PEHSTR_EXT)
- main.runHost (PEHSTR_EXT)
- Lapsus__Ransom (PEHSTR_EXT)
- system is encrypted By RANSOMCRYPTO (PEHSTR_EXT)
- ://RansomCrypto_qoia6E1FkoQjefA9ia10.onion (PEHSTR_EXT)
- Wormhole.exe (PEHSTR_EXT)
- recover files encrypted by Wormhole.txt (PEHSTR_EXT)
- Do not rename encrypted files. (PEHSTR_EXT)
- http://193.233.132.177/ (PEHSTR_EXT)
- \Conti.pdb (PEHSTR_EXT)
- \BlackRansomwareFireeye.pdb (PEHSTR_EXT)
- clippy_ransomware.Properties.Resources (PEHSTR_EXT)
- limiteci/WannaCry/raw/main/WannaCry.EXE (PEHSTR_EXT)
- cmd /c image.png (PEHSTR_EXT)
- wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion (PEHSTR_EXT)
- HOW TO BACK FILES.txt (PEHSTR_EXT)
- SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart (PEHSTR_EXT)
- .mallox (PEHSTR_EXT)
- KadavroVectorRansomware.My.Resources (PEHSTR_EXT)
- CashRansomware.KeyAuth (PEHSTR_EXT)
- CashRansomware.UnknownF1.resources (PEHSTR_EXT)
- We recommend to you turn off or disable all antivirus and use your computer only for sending money until decryption does not complete (PEHSTR_EXT)
- Albabat.ekeyAlbabat.keyAlbabat_Searchpersonal_id.txt (PEHSTR_EXT)
- WKillServices bool "json:\"kill_services\""; SetWallpaper bool "json:\"set_wallpaper\""; (PEHSTR)
- NSelfDelete bool "json:\"self_delete\""; RunningOne bool "json:\"running_one\"" (PEHSTR)
- ULocalDisks bool "json:\"local_disks\""; NetworkShares bool "json:\"network_shares\""; (PEHSTR)
- cmd /c ping 127.0.0.1 (PEHSTR_EXT)
- .data_00 (PEHSTR_EXT)
- .data_01 (PEHSTR_EXT)
- phy968jx3.dll (PEHSTR_EXT)
- NoCry.My.Resources (PEHSTR_EXT)
- [!] All task finished, locker exiting. (PEHSTR_EXT)
- DO NOT PANIC! Yes, this is bad news, but we will have a good ones as well. (PEHSTR_EXT)
- C:\Windows\System32\cmd.exe/q/cbcdedit/set{default}recoveryenabledno (PEHSTR_EXT)
- keys generated. (PEHSTR_EXT)
- .txt can't be bigger than (PEHSTR_EXT)
- \A4I/ (SNID)
- \LockBit_Ransomware.hta (PEHSTR_EXT)
- Ransomware.hta (PEHSTR_EXT)
- royal_dll.dll (PEHSTR_EXT)
- If you are reading this, it means that your system were hit by Royal ransomware. (PEHSTR_EXT)
- http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/ (PEHSTR_EXT)
- n.pysa (PEHSTR_EXT)
- Every byte on any types of your devices was encrypted. (PEHSTR_EXT)
- \crypto-locker\ (PEHSTR_EXT)
- mydesktopqos.exe (PEHSTR_EXT)
- syscall.FindNextFile (PEHSTR_EXT)
- syscall.WriteFile (PEHSTR_EXT)
- filesdelete/quietLocker (PEHSTR_EXT)
- GlitchByte.bmp (PEHSTR_EXT)
- .GLBT (PEHSTR_EXT)
- if you thought this ransomware uses XOR (PEHSTR_EXT)
- system32\drivers\etc\hosts (PEHSTR_EXT)
- Payload executed and encryption process started (PEHSTR_EXT)
- [INFO|VM] Could be false positive. Performing other checks (PEHSTR_EXT)
- [INFO|VM] No guest VM key detected. Marking as false positive (PEHSTR_EXT)
- [INFO|VM] Hyper-V guest key detected. This is a VM (PEHSTR_EXT)
- 3-P8HXdP5lWesLeithgX/ViSEejkW7bn08eE7Ljkc/fd_CK8fC_Rx0KUVgUE4u/88Ax6Vg-ys90dKV5qmY_ (PEHSTR_EXT)
- .frnds (PEHSTR_EXT)
- RECOVER-README.txt (PEHSTR_EXT)
- Your network/system was encrypted. (PEHSTR_EXT)
- git66\dll_release\Dither.pdb (PEHSTR_EXT)
- \cryptobrick.pdb (PEHSTR)
- DCrSrv\Release\DCrSrv.pdb (PEHSTR_EXT)
- DCmod\DiskCryptor\DCrypt\Bin\boot\boot_hook_small.pdb (PEHSTR_EXT)
- DCmod\DiskCryptor\DCrypt\Bin\boot\boot_load.pdb (PEHSTR_EXT)
- FRNDS: %s /path/to/be/encrypted (PEHSTR_EXT)
- dropRansomLetter (PEHSTR)
- RansomTuga.exe (PEHSTR_EXT)
- C:\HELP-RANSOMWARE.txt (PEHSTR)
- Gpowershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File (PEHSTR)
- Infected.exe (PEHSTR_EXT)
- Client.exe (PEHSTR_EXT)
- Rapax Ransomware (PEHSTR_EXT)
- PAY A RANSOM (PEHSTR_EXT)
- Ransomware_Load (PEHSTR)
- alpacino.pdb (PEHSTR)
- ransomware (PEHSTR_EXT)
- \README.TXT (PEHSTR_EXT)
- \Payloads\Not_Petya_XOR_Dll\ (PEHSTR_EXT)
- \Release\Not_Petya_Dll.pdb (PEHSTR_EXT)
- XPolarized\ransom\ransom\Crypto\RSA (PEHSTR_EXT)
- \RansomWare-encrypt.pdb (PEHSTR_EXT)
- We Are Caesar. We Operate a Ransomware Operation! (PEHSTR_EXT)
- Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin (PEHSTR_EXT)
- Odyssey-RansomWare\RansomWare-encrypt\x64\Release\RansomWare-encrypt.pdb (PEHSTR_EXT)
- \GlitchByte.bm (PEHSTR_EXT)
- pdf.exe (PEHSTR_EXT)
- .NetForceZ (PEHSTR_EXT)
- Your files have been encrypted by the NetForceZ's Ransomware. (PEHSTR_EXT)
- -FILES.txt (PEHSTR_EXT)
- tdsoperational.pythonanywhere.com (PEHSTR_EXT)
- Your files have been encrypted. There's no way back (PEHSTR_EXT)
- malcrypt.pdb (PEHSTR_EXT)
- library\core\src\escape.rs (PEHSTR_EXT)
- C:\Users\falconDesktopencryption_note.txt (PEHSTR_EXT)
- you must pay a ransom of (PEHSTR_EXT)
- fCny/pMgNAO7GxU8JYcardP/3PQoVSzZ0zPbDAxbevtaJAiC5oSZVK6OVbf0dbrCAqjWV9wSGO2 (PEHSTR_EXT)
- decrypt_key.nky (PEHSTR_EXT)
- ransomware.rs (PEHSTR_EXT)
- All the files in your computer has been encrypted (PEHSTR_EXT)
- src/bin/ransomware.rs2 (PEHSTR_EXT)
- src\bin\ransomware.rs (PEHSTR_EXT)
- .enc202407 (PEHSTR_EXT)
- main.encryptFile (PEHSTR_EXT)
- xmb.pythonanywhere.com (PEHSTR_EXT)
- Play chess against me. If you win, you will get your files back (PEHSTR_EXT)
- .smert (PEHSTR_EXT)
- -DATA.txt (PEHSTR_EXT)
- [*.exe*.EXE*.DLL*.ini*.inf*.pol*.cmd*.ps1*.vbs*.bat*.pagefile.sys* (PEHSTR_EXT)
- sqldocrtfxlsjpgjpegpnggifwebptiffpsdrawbmppdfdocxdocmdotxdotmodtxlsxxlsmxlt (PEHSTR_EXT)
- %i in ('sc query state^= all ^| findstr /I ') do sc stop %i (PEHSTR_EXT)
- | ForEach-Object { Stop-VM -Name $_.Name -Force -Confirm:$false (PEHSTR_EXT)
- 0/encrypt.rs (PEHSTR_EXT)
- bcdedit/set{default}recoveryenabledno (PEHSTR_EXT)
- kill_serviceskill_procsvm_extensionsexcluded_vmscredsprivate_key (PEHSTR_EXT)
- "note_name":"HOW_TO_RECOVER_FILES.txt" (PEHSTR_EXT)
- "creds":["police. (PEHSTR_EXT)
- "vm_extensions":["*. (PEHSTR_EXT)
- .sola (PEHSTR_EXT)
- %s\README.txt (PEHSTR_EXT)
- Meow. (PEHSTR_EXT)
- rundll32.exe runcalc.dll,emptyzip (PEHSTR_EXT)
- trellix.digital (PEHSTR_EXT)
- All your files have been encrypted. Pay the ransom to get them back (PEHSTR_EXT)
- /c2/receiver (PEHSTR_EXT)
- \\.\PhysicalDrive (PEHSTR_EXT)
- shellexecute=DEAD97.exe (PEHSTR_EXT)
- YOUR COMPUTER HAS BEEN FUCKED BY THE MEMZ TROJAN (PEHSTR_EXT)
- [f\0# (SNID)
- .pythonanywhere.com (PEHSTR_EXT)
- .crowdstrike (PEHSTR_EXT)
- \HiCrowdStrike.txt (PEHSTR_EXT)
- Prince-Ransomware (PEHSTR_EXT)
- paying us a ransom (PEHSTR_EXT)
- HOW TO DECRYPT.txt (PEHSTR_EXT)
- RSADecryptKey\KEY.DAT (PEHSTR_EXT)
- RSADecryptKey\Public.txt (PEHSTR_EXT)
- Mammon\Release\Mammon.pdb (PEHSTR_EXT)
- Enmity\Release\Enmity.pdb (PEHSTR_EXT)
- C:\keyforunlock\Key.txt (PEHSTR_EXT)
- C:\keyforunlock\RSAdecr.keys (PEHSTR_EXT)
- \Apophis\ (PEHSTR_EXT)
- \Apophis.pdb (PEHSTR_EXT)
- \FilesEncrypted.txt (PEHSTR_EXT)
- \MrRannyReworked.pdb (PEHSTR_EXT)
- ryukransom (PEHSTR_EXT)
- net stop mozyprobackup /y (PEHSTR)
- net stop EraserSvc11710 /y (PEHSTR)
- net stop SstpSvc /y (PEHSTR)
- net stop MSSQLSERVER /y (PEHSTR)
- net stop SQLWriter /y (PEHSTR)
- Desktop/EMAIL_ME.txt (PEHSTR_EXT)
- RansomWare.encrypt_fernet_key (PEHSTR_EXT)
- fireDrillRansomware (PEHSTR_EXT)
- .wcry (PEHSTR_EXT)
- reg add HKCU\Software (PEHSTR_EXT)
- DisableCMD (PEHSTR_EXT)
- .smert (PEHSTR)
- smert.exe (PEHSTR)
- Morgan\obj\Release\Morgan.pdb (PEHSTR_EXT)
- Users\Admin\source\repos\Somnia (PEHSTR_EXT)
- RansomwareHandler (PEHSTR_EXT)
- LEIA-ME.txt (PEHSTR_EXT)
- blawscriptFailed to execute self-deleting script (PEHSTR_EXT)
- BlackStriker.pdb (PEHSTR_EXT)
- bcdedit.exe /set loadoptions DDISABLE_INTEGRITY_CHECKS (PEHSTR_EXT)
- revsoks.bat (PEHSTR_EXT)
- Ryuk Ransomware (PEHSTR)
- Rusty Ransomware (PEHSTR)
- ransomnote.exe (PEHSTR)
- encrypt_date.txt (PEHSTR)
- README.txt file (PEHSTR_EXT)
- {0}\how_to_back_files.html (PEHSTR_EXT)
- {0}\WallPaper.bmp (PEHSTR_EXT)
- Your files are safe! Only modified. (PEHSTR_EXT)
- RECOVER--DATA.txt (PEHSTR_EXT)
- taskkill /IM * /F (PEHSTR_EXT)
- Bazek Ransomware (PEHSTR_EXT)
- Encrypts files and holds users for ransom (PEHSTR_EXT)
- main.Run (PEHSTR_EXT)
- main.dataMazedesktopPng (PEHSTR_EXT)
- DECRYPT-FILES.txt (PEHSTR_EXT)
- main.doEncrypt (PEHSTR_EXT)
- main.doDecrypt (PEHSTR_EXT)
- type:.eq.main.Config (PEHSTR_EXT)
- os.(*Process).kill (PEHSTR_EXT)
- main.erase (PEHSTR_EXT)
- DEATHRansom (PEHSTR_EXT)
- Write back to our e-mail: deathransom@airmail.cc (PEHSTR_EXT)
- vssadmin delete shadows //all //quiet & wmic shadowcopy delete (PEHSTR_EXT)
- \source\repos\Morgan\Morgan\obj\Release\Morgan.pdb (PEHSTR_EXT)
- RunProgram="hidcon:7za.exe i (PEHSTR_EXT)
- RunProgram="hidcon:7za.exe x -y -p (PEHSTR_EXT)
- Everything64.dll (PEHSTR_EXT)
- RunProgram="hidcon:\"datastore@cyberfear.com_no gui.exe\" %SfxVarCmdLine0% (PEHSTR_EXT)
- victim of the razrusheniye ransomware (PEHSTR_EXT)
- file with the .raz extension (PEHSTR_EXT)
- RanSomWare.exe (PEHSTR_EXT)
- RanSomWare.Properties (PEHSTR_EXT)
- FakeRansomware1.0\obj\Debug\FakeRansomware1.0.pdb (PEHSTR_EXT)
- s3.dualstack.us (PEHSTR_EXT)
- RESTORE-MY-FILES.txt (PEHSTR_EXT)
- .back (PEHSTR_EXT)
- conf64.dat (PEHSTR_EXT)
- .Zrdata (PEHSTR_EXT)
- !.bss (PEHSTR_EXT)
- isRansomePopup (PEHSTR_EXT)
- ransomeEncPath (PEHSTR_EXT)
- \!!!!!README.txt (PEHSTR_EXT)
- Malware Running.. (PEHSTR_EXT)
- Users\Admin\Desktop\Mammon\Release\Mammon.pdb (PEHSTR_EXT)
- IRIS RANSOMWARE GROUP (PEHSTR_EXT)
- completely locked down (PEHSTR_EXT)
- complete access to EVERYTHING (PEHSTR_EXT)
- look at any file with .raz extension (PEHSTR_EXT)
- AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (PEHSTR_EXT)
- Bazek Ransomware.pdb (PEHSTR_EXT)
- Bazek Ransomware.exe (PEHSTR_EXT)
- CashCat.pdb (PEHSTR_EXT)
- CashCat.exe (PEHSTR_EXT)
- NOSU.pdb (PEHSTR_EXT)
- NOSU.Resources.resources (PEHSTR_EXT)
- How to restore your files.txt (PEHSTR_EXT)
- Your files have been encrypted due to unauthorized use of our item. (PEHSTR_EXT)
- To restore your files, you must buy a special program, this program belong to us alone. (PEHSTR_EXT)
- tongfake.dll (PEHSTR_EXT)
- You became victim of the razrusheniye ransomware! (PEHSTR_EXT)
- %s.raz (PEHSTR_EXT)
- Payload.LockForm.resources (PEHSTR_EXT)
- Crypto Locker\Payload\obj\Release\Payload.pdb (PEHSTR_EXT)
- K.G.B - Burhan Alassad (PEHSTR_EXT)
- %s.smert (PEHSTR_EXT)
- Your files have been fucked. There's no way back (PEHSTR_EXT)
- All your files have been encrypted by our Invisible Ransomware (PEHSTR_EXT)
- self_deleting_script.vbs (PEHSTR_EXT)
- run_command (PEHSTR_EXT)
- write_and_execute_batch (PEHSTR_EXT)
- .RANSOM_NOTE.txt (PEHSTR_EXT)
- Ransomworm (PEHSTR_EXT)
- .rustsomware (PEHSTR_EXT)
- YOUR SYSTEM IS COMPROMISED! READ THIS MESSAGE CAREFULLY! (PEHSTR_EXT)
- and all your system has been hijacked. Meaning we have access to ALL YOUR FILES (PEHSTR_EXT)
- for anyone to download. This includes your personal data, passwords, and more (PEHSTR_EXT)
- pinglocalhost-n1>nul&&del/C (PEHSTR_EXT)
- CyberVolk ransomware (PEHSTR)
- CyberVolk_ReadMe.txt (PEHSTR)
- This program will encrypt your files and cannot be recovered. Are you sure you want to run it? (PEHSTR_EXT)
- deleteshadows/quiet (PEHSTR_EXT)
- cmdnetconfigstart=disabledFailed to wipe (PEHSTR_EXT)
- /home/medusa/ (PEHSTR_EXT)
- cmd.exe /e:ON /v:OFF /d /c (PEHSTR_EXT)
- contact me on telegram https://t.me/sh3dddd to get your files back (PEHSTR_EXT)
- Hakuna Matata 2.3 (PEHSTR_EXT)
- cryptobrick.exe (PEHSTR_EXT)
- obj\Debug\Jigsaw.pdb (PEHSTR_EXT)
- Your system has been hacked with the AzzaSec ransomware virus (PEHSTR_EXT)
- ransomeware\obj\Debug\AzzaSec.pdb (PEHSTR_EXT)
- majordom\client\majordom\majordom\obj\Debug\majordom.pdb (PEHSTR_EXT)
- NoCry.exe (PEHSTR_EXT)
- your important files are encrypted. (PEHSTR_EXT)
- TOR Network: http://lynx (PEHSTR_EXT)
- TouchMeNot_.txt.[ (PEHSTR_EXT)
- ].DARKSET (PEHSTR_EXT)
- .DARKSET\DefaultIcon (PEHSTR_EXT)
- .DARKSET (PEHSTR_EXT)
- \what.txt (PEHSTR_EXT)
- EnternalRed\obj\Debug\JPG-Datei.pdb (PEHSTR_EXT)
- AlertaRansom (PEHSTR_EXT)
- mrmalransom\obj\Release\mrmalransom.pdb (PEHSTR_EXT)
- Mr. Malware (PEHSTR_EXT)
- mrmalransom.Properties.Resources (PEHSTR_EXT)
- Your computer files have been encrypted! (PEHSTR_EXT)
- .?AV?$clone_im (PEHSTR_EXT)
- Your purchase is not complete. Please reattempt payment (PEHSTR_EXT)
- Your system has been corrected. (PEHSTR_EXT)
- Data at the main critical points of your network has been compromised, and all of your company's critical data has been transferred to our servers. (PEHSTR_EXT)
- We can restore 100% of your systems and data. (PEHSTR_EXT)
- If we agree, only you and our team will know about this breach. (PEHSTR_EXT)
- .encrypted (PEHSTR)
- EByte-Ransomware (PEHSTR)
- AAA_READ_AAA.TXT (PEHSTR_EXT)
- .backup.wallet.onepkg.config.tar (PEHSTR_EXT)
- Your files have been encrypted. (PEHSTR_EXT)
- cmd.exe /c timeout 7 & del "%s" (PEHSTR_EXT)
- net stop "SQLsafe Filter Service" /y (PEHSTR_EXT)
- net stop ReportServer /y (PEHSTR_EXT)
- All your files have been encrypted by CyberVolk ransomware (PEHSTR_EXT)
- And you just need run this software on each computer that encrypted and all affected files will be decrypted (PEHSTR_EXT)
- What are the guarantees that I can decrypt my files after paying the ransom (PEHSTR_EXT)
- This means that we can decrypt all your files after paying the ransom (PEHSTR_EXT)
- rundll (PEHSTR_EXT)
- NoCry Ransomware (PEHSTR)
- Joyhv.pew (PEHSTR_EXT)
- recover files,view here.txt (PEHSTR_EXT)
- \x64\Release\Big Ransomware.pdb (PEHSTR_EXT)
- \ransom_note.txt (PEHSTR_EXT)
- YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. (PEHSTR_EXT)
- bcdedit /delete {bootmgr} /f (PEHSTR_EXT)
- DecryptionTool.Properties.Resources (PEHSTR_EXT)
- DecryptionTool.exe (PEHSTR_EXT)
- GonnaEncrypt.pdb (PEHSTR_EXT)
- Sending request for hidden service descriptor... (PEHSTR_EXT)
- Hidden service descriptor received... (PEHSTR_EXT)
- funksecschtasks /create /tn /tr "" /sc onstart (PEHSTR_EXT)
- Scheduled task created to run ransomware at startup. (PEHSTR_EXT)
- _README_.txt (PEHSTR_EXT)
- .dll.sys.exe.drv.com.cat (PEHSTR_EXT)
- Your organization, device has been successfully infiltrated by funksec ransomware! (PEHSTR_EXT)
- README-.md (PEHSTR_EXT)
- .funksec (PEHSTR_EXT)
- **Ransom Details** (PEHSTR_EXT)
- funkiydk7c6j3vvck5zk2giml2u746fa5irwalw2kjem6tvofji7rwid.onion (PEHSTR_EXT)
- Decryptfiles.txt (PEHSTR_EXT)
- boot.inidesktop.inintuser.daticoncache.dbbootsect.bakntuser.dat.logBootfont.binDecryptfiles.txt (PEHSTR_EXT)
- edfr789@tutanota.com (PEHSTR_EXT)
- .goodluck (PEHSTR_EXT)
- C:\Keylock\id.txt (PEHSTR_EXT)
- C:\Keylock\pb.txt (PEHSTR_EXT)
- Keylock\ky.DAT (PEHSTR_EXT)
- G:\Mammon\Release\Mammon.pdb (PEHSTR_EXT)
- @gmail.com (PEHSTR_EXT)
- main.decFunc (PEHSTR_EXT)
- main.Encrypt (PEHSTR_EXT)
- main.Aes256Encr (PEHSTR_EXT)
- main.DelShadows (PEHSTR_EXT)
- main.Destroy (PEHSTR_EXT)
- main.GrantAll (PEHSTR_EXT)
- main.EnableLongPaths (PEHSTR_EXT)
- main.GenDrives (PEHSTR_EXT)
- main.CheckBusy (PEHSTR_EXT)
- main.PreventSleep (PEHSTR_EXT)
- main.ShowNote (PEHSTR_EXT)
- main.Startproc (PEHSTR_EXT)
- main.EnableLink (PEHSTR_EXT)
- main.SetupKey (PEHSTR_EXT)
- main.MountDrives (PEHSTR_EXT)
- main.Kill (PEHSTR_EXT)
- main.StopAllsvc (PEHSTR_EXT)
- main.Encode (PEHSTR_EXT)
- main.ClearRecycle (PEHSTR_EXT)
- BlackByteGO/_cgo_gotypes.go (PEHSTR_EXT)
- Screen_Glitching@Payloads (PEHSTR_EXT)
- device has been successfully infiltrated by funksec ransomware! (PEHSTR_EXT)
- FilesWithExtensions.func1 (PEHSTR_EXT)
- main.myFileW (PEHSTR_EXT)
- main.ePL (PEHSTR_EXT)
- onion/chat (PEHSTR_EXT)
- WannaDecryption.pdb (PEHSTR_EXT)
- Decryption completed! (PEHSTR_EXT)
- Pay a ransom (PEHSTR_EXT)
- .doc.odt.sql.mdb.xls.ods.ppt (PEHSTR_EXT)
- Decryption Instructions.txt (PEHSTR_EXT)
- EByte-Rware/encryption.EncryptFile (PEHSTR_EXT)
- main.setWallpaper (PEHSTR_EXT)
- data is completely encrypted (PEHSTR_EXT)
- Start Menu\Programs\Startup (PEHSTR_EXT)
- Majordom V4.0\client\majordom\obj\Debug\majordom.pdb (PEHSTR_EXT)
- powershell -ExecutionPolicy Bypass -File (PEHSTR_EXT)
- payment is required. (PEHSTR_EXT)
- Please note that cost for file decryption and avoiding data publification is separate. (PEHSTR_EXT)
- lock.pe32Skip (PEHSTR_EXT)
- CipherLocker.exe (PEHSTR_EXT)
- on completed on (PEHSTR_EXT)
- .clocker (PEHSTR_EXT)
- Your personal files have been encrypted by CipherLocker. (PEHSTR_EXT)
- CipherLocker.Ransomware+<ProcessFilesAsync> (PEHSTR_EXT)
- CipherLocker.TelegramNotifier (PEHSTR_EXT)
- LockBit 3.0 (PEHSTR_EXT)
- world's fastest ransomware (PEHSTR_EXT)
- do not pay the ransom (PEHSTR_EXT)
- Esmeralda Ransomware (PEHSTR_EXT)
- .xlock (PEHSTR_EXT)
- LockBit 3.0 the world's fastest ransomware since 2019 (PEHSTR_EXT)
- You can contact us in email or qtox. (PEHSTR_EXT)
- main.traverseAndEncryptDisk (PEHSTR_EXT)
- main.loadRSAPublicKeyFromPEM (PEHSTR_EXT)
- Rans22.DecryptorApp (PEHSTR_EXT)
- HELLO_README.txt (PEHSTR_EXT)
- \\.\pipe\__rust_anonymous_pipe1__ (PEHSTR_EXT)
- Prince-Ransomware (PEHSTR)
- -SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR)
- system_health.exe (PEHSTR)
- Clear-ComputerRestorePoint -All (PEHSTR)
- .vico (PEHSTR_EXT)
- \case_id.txt (PEHSTR_EXT)
- /c taskkill /f /im explorer.exe & taskkill /f /im taskmgr.exe (PEHSTR_EXT)
- /c shutdown /r /t 0 (PEHSTR_EXT)
- \Desktop\YOU-BETTER-README.txt (PEHSTR_EXT)
- NewEncryptApp.Properties.Resources (PEHSTR_EXT)
- petya37h5tbhyvki.onion/ (PEHSTR_EXT)
- petya5koahtsf7sv.onion/ (PEHSTR_EXT)
- .vanhelsing2 (PEHSTR_EXT)
- d.onion (PEHSTR_EXT)
- pay the ransom (PEHSTR_EXT)
- log.Println (PEHSTR_EXT)
- log.init (PEHSTR_EXT)
- log.New (PEHSTR_EXT)
- Prince-Ransomware/encryption.init.0 (PEHSTR_EXT)
- Prince-Ransomware/encryption.EncryptFile (PEHSTR_EXT)
- Prince-Ransomware/encryption.generateKey (PEHSTR_EXT)
- Prince-Ransomware/encryption.generateNonce (PEHSTR_EXT)
- %s.locked (PEHSTR_EXT)
- Vrunner.pdb (PEHSTR_EXT)
- Your computer has been destroyed by Vrunner (PEHSTR_EXT)
- You can get the key by paying the ransom (PEHSTR_EXT)
- I have no money, I restart now, at least the computer can still use it (PEHSTR_EXT)
- /h1:LYDUdQBzWPgCOuwoGl3qPECiKXwqE0+tA9JM1kvIpfw= (PEHSTR)
- main.setWallpaper (PEHSTR)
- -Prince-Ransomware/filewalker.EncryptDirectory (PEHSTR)
- Ransomware Simulation (PEHSTR_EXT)
- Command & Control (PEHSTR_EXT)
- Pay the ransom to get the decryption key. (PEHSTR_EXT)
- Ransomeware.pdb (PEHSTR_EXT)
- killing Cmdexec (PEHSTR_EXT)
- \Software\Microsoft\Outlook Express\5.0\Mail (PEHSTR_EXT)
- MAPIFindNext (PEHSTR_EXT)
- FAIL_STATE_NOTIFICATION.pdf (PEHSTR_EXT)
- 8.onion/? (PEHSTR_EXT)
- Mamona, R.I.P (PEHSTR_EXT)
- cmd /c "vssadmin Delete Shadows /All /Quiet" (PEHSTR_EXT)
- cmd /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures" (PEHSTR_EXT)
- cmd /c "taskkill /F /IM (PEHSTR_EXT)
- SAPI.Speak (PEHSTR_EXT)
- XIAOBA 2.0 Ransomware (PEHSTR_EXT)
- encv2.pdb (PEHSTR)
- vcry\x64\Release\vcry.pdb (PEHSTR_EXT)
- RALord ransomware (PEHSTR_EXT)
- LOCKIFY R1 RANSOMEWARE! (PEHSTR_EXT)
- All your personal informations, datas, Files, Documents, Pictures, Logins, Videos etc.. all were completely ENCRYPTED (PEHSTR_EXT)
- Worm_Locker\obj\Debug\Worm_Locker.pdb (PEHSTR_EXT)
- INC-README.txt..windowsprogram filesappdata$recycle.binINC.log.dll (PEHSTR_EXT)
- OBSIDIANMIRROR - PSYOPS/PSYWAR (PEHSTR_EXT)
- RANSOMNOTE.txt (PEHSTR_EXT)
- Executed anti-debug-thread (PEHSTR_EXT)
- exe (PEHSTR_EXT)
- Go/src/internal/chacha8rand/chacha8.go (PEHSTR_EXT)
- crypto/internal/fips140/aes.EncryptionKeySchedule (PEHSTR_EXT)
- crypto/internal/fips140/aes.encryptBlockAsm (PEHSTR_EXT)
- I am the walrus. I have taken the liberty of protecting the data on your machine by encrypting it all (PEHSTR_EXT)
- C:\flag.txt.tusk (PEHSTR_EXT)
- C:\DECRYPT_YOUR_FILES.txt (PEHSTR_EXT)
- repos\TuskLocker2\x64\Release\TuskLocker2.pdb (PEHSTR_EXT)
- Desktop wallpaper changed successfully. (PEHSTR_EXT)
- Failed to create flash window. Error code: (PEHSTR_EXT)
- Screen flash complete. (PEHSTR_EXT)
- Failed to set autostart registry value. Error code: (PEHSTR_EXT)
- %s.enc (PEHSTR_EXT)
- \source\ransomware\ransomware.cpp (PEHSTR_EXT)
- C:\nodecryptor.txt (PEHSTR)
- BAll your important files have been encrypted! Your data is locked. (PEHSTR)
- README.HAes.txt (PEHSTR_EXT)
- .HAES (PEHSTR_EXT)
- DECRYPTION_KEY.txt (PEHSTR_EXT)
- MACHINE_INFO.txt (PEHSTR_EXT)
- DO NOT MODIFY or try to RECOVER any files yourself.We WILL NOT be able to RESTORE them. (PEHSTR_EXT)
- R3ADM3.txt (PEHSTR_EXT)
- ransom payment (PEHSTR)
- \work\tools\ai\ak47\cpp\encrypt\encrypt\x64\Release\encrypt.pdb (PEHSTR_EXT)
- How to decrypt my data.txt (PEHSTR_EXT)
- decryptiondescription.pdf (PEHSTR_EXT)
- Important!!!.pdf (PEHSTR_EXT)
- How to decrypt my data.log (PEHSTR_EXT)
- COMPUTER HAS BEEN SEIZED (PEHSTR_EXT)
- RANSOMWARE! (PEHSTR_EXT)
- encryption algorithm. (PEHSTR_EXT)
- ransomeware.ps1 (PEHSTR_EXT)
- PAY THE RANSOM (PEHSTR_EXT)
- Global\VanHelsing (PEHSTR_EXT)
- PLEASE READ ME.txt (PEHSTR_EXT)
- \Hacker.pdb (PEHSTR_EXT)
- case_id.txt (PEHSTR_EXT)
- svchost_log.txt (PEHSTR_EXT)
- Important files encrypted. Check README files (PEHSTR_EXT)
- L to hide/show this window (PEHSTR_EXT)
- dropRansomNote (PEHSTR_EXT)
- Nano_Note.txt (PEHSTR_EXT)
- Your files are encrypted by Nano Ransomware, meaning that your data is encrypted (PEHSTR_EXT)
- il = .direwolf/ (PEHSTR_EXT)
- main.encryptFile.func2 (PEHSTR_EXT)
- main. (PEHSTR_EXT)
- FILE RECOVERY.txt (PEHSTR_EXT)
- This IS real ransomware. Are you sure you want to run it? (PEHSTR_EXT)
- encrypted_files.txt (PEHSTR_EXT)
- Software\Classes\.xcrypt\DefaultIcon (PEHSTR_EXT)
- newcryptor.pdb (PEHSTR_EXT)
- .onion/chat (PEHSTR_EXT)
- main.progressReporter (PEHSTR_EXT)
- main.progressReporter.deferwrap1 (PEHSTR_EXT)
- main.loadPublicKey (PEHSTR_EXT)
- main.dropNote (PEHSTR_EXT)
- main.encryptDirectory (PEHSTR_EXT)
- main.encryptDirectory.func2 (PEHSTR_EXT)
- This program can only run in Israel.exe (PEHSTR_EXT)
- .anubis (PEHSTR_EXT)
- .TANKIX (PEHSTR_EXT)
- All your computer files has been encrypted with a special algorithm by Tanki X. Your documents, photos, music, etc (PEHSTR_EXT)
- C:\Windows\BSOD.exe (PEHSTR_EXT)
- TankRansom_3._0.Properties.Resources (PEHSTR_EXT)
- C:/Windows/Warning.jpg (PEHSTR_EXT)
- TASKKILL /F /IM EXPLORER.EXE (PEHSTR_EXT)
- Trojan.Ransom.Emmyware (PEHSTR_EXT)
- Emmyware.Properties.Resources (PEHSTR_EXT)
- WhatHappenLabel.Text (PEHSTR_EXT)
- [!] LDAP mode requires username and password. Use -u and -p flags. (PEHSTR_EXT)
- Tanki X Ransomware 4.0 (PEHSTR_EXT)
- Attention! Your OS and your files is encrypted by Tanki X Ransomware (PEHSTR_EXT)
- /k taskkill /f /im AvastUI.exe && exit (PEHSTR_EXT)
- RESTORE FILES.txt (PEHSTR_EXT)
- /KEY= (PEHSTR_EXT)
- /WIPEMODE (PEHSTR_EXT)
- /elevated (PEHSTR_EXT)
- /PFAD= (PEHSTR_EXT)
- Deleting services... (PEHSTR_EXT)
- Encryption completed in: (PEHSTR_EXT)
- Directory walk completed with warnings: %v (PEHSTR_EXT)
- TankiXRansomware.Properties.Resources.resources (PEHSTR_EXT)
- TankiXRansomware\obj\Debug\TankiXRansomware.pdb (PEHSTR_EXT)
- Welcome! Your all files, and data is FULLY ENCRYPTED with a special algoritm TX! (PEHSTR_EXT)
- Don't try to kill ransomware - Your PC will burn (PEHSTR_EXT)
- [INC-README.txt..windowsprogram filesappdata (PEHSTR_EXT)
- $recycle.binprogramdataall userssophosINC.log.dll.exe (PEHSTR_EXT)
- After that we will public this situation and all data. (PEHSTR_EXT)
- DO NOT MODIFY FILES YOURSELF. (PEHSTR_EXT)
- DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. (PEHSTR_EXT)
- cmd /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /v DelegateExecute /f (PEHSTR_EXT)
- .cyberlock (PEHSTR_EXT)
- All your files have been encrypted. (PEHSTR_EXT)
- We are CyberLock - Anonymous. (PEHSTR_EXT)
- ReadMeNow.txt (PEHSTR_EXT)
- HKCU:\Control Panel\Desktop (PEHSTR_EXT)
- Start-Process cipher.exe -ArgumentList "/w:$env:USERPROFILE" -WindowStyle Hidden (PEHSTR_EXT)
- Email: cyberspectreislocked@onionmail.org (PEHSTR_EXT)
- Please send a screenshot of the payment. We will respond within 5 hours with the decryption key. (PEHSTR_EXT)
- powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass (PEHSTR_EXT)
- del /q /f (PEHSTR_EXT)
- dirEncryption.ps1 (PEHSTR_EXT)
- EvilBunny_RANSOMWARE\obj\Debug\EvilBunny_RANSOMWARE.pdb (PEHSTR_EXT)
- EvilBunny_RANSOMWARE.Properties.Resources (PEHSTR_EXT)
- C:\Program Files\System32\voice.vbs (PEHSTR_EXT)
- Tanki X Ransomware 2.0 (PEHSTR_EXT)
- Tanki X Ransomware 2.0\obj\Debug\Tanki X Ransomware 2.0.pdb (PEHSTR_EXT)
- encrypted by NightSpire Ransomware (PEHSTR_EXT)
- UniKeyNT.exe (PEHSTR_EXT)
- critical points of your network has been compromised (PEHSTR_EXT)
- all of your company's critical data has been transferred to our servers (PEHSTR_EXT)
- .CyberVolk (PEHSTR_EXT)
- the higher ransom (PEHSTR_EXT)
- .MadiLock (PEHSTR_EXT)
- README_TO_RECOVER_FILES!!!.txt (PEHSTR_EXT)
- Files were encrypted and stolen. Pay to decrypt and delete stolen copies (PEHSTR_EXT)
- Nitrogen welcome you! (PEHSTR_EXT)
- _READ_ME_.TXT (PEHSTR_EXT)
- bcdedit /deletevalue {default} safeboot (PEHSTR_EXT)
- Your servers and files are locked and copied. (PEHSTR_EXT)
- Decryption would run here. (PEHSTR_EXT)
- Incorrect password. (PEHSTR_EXT)
- RansomSimWnd (PEHSTR_EXT)
- WannaCry - Ransomware (PEHSTR)
- vssadmin delete shadowstorage /all /quiet (PEHSTR_EXT)
- reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f (PEHSTR_EXT)
- reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f (PEHSTR_EXT)
- RansomwareUIClass (PEHSTR_EXT)
- C:\ProgramData\Durr.lock (PEHSTR_EXT)
- schtasks /create /tn (PEHSTR_EXT)
- \Desktop\readme.txt (PEHSTR_EXT)
- \RANSOMNOTE.txt (PEHSTR_EXT)
- .heartbreaker (PEHSTR)
- github.com/saaaarwar/mimicore (PEHSTR)
- infected with a ransomware virus (PEHSTR)
- bitcoins.com (PEHSTR)
- GoodLock.exe (PEHSTR_EXT)
- GoodLock.Info.resources (PEHSTR_EXT)
- READ_TO_DECRYPT.txt (PEHSTR_EXT)
- /upload_stolen.php (PEHSTR_EXT)
- The Security of This Computer Has Been Compromised (PEHSTR_EXT)
- JupiterLocker has encrypted all the data on this computer with military-grade AES-256 encryption (PEHSTR_EXT)
- CYANMISCHA RANSOMWARE PERFC FILE!! (PEHSTR_EXT)
- You became victim of the CYANMISCHA RANSOMWARE!!! (PEHSTR_EXT)
- files in your computer have been safely encrypted by cyanmischa (PEHSTR_EXT)
- C:\Windows\System32\drivers\etc\hosts (PEHSTR_EXT)
- encryption_log.txt (PEHSTR_EXT)
- .LockedA (PEHSTR_EXT)
- DontDeleteThisFolder\Enc.key (PEHSTR_EXT)
- Ransom Note (PEHSTR_EXT)
- Desktop wallpaper changed to ransom image (PEHSTR_EXT)
- Your files have been encrypted. Contact attacker (PEHSTR_EXT)
- Ransom note sent to printers (PEHSTR_EXT)
- diskshadow_script.txt (PEHSTR_EXT)
- -Ransomware/encryption.EncryptFile (PEHSTR_EXT)
- -Ransomware/configuration.PublicKey= (PEHSTR_EXT)
- .ENCRYPT (PEHSTR_EXT)
- RansomWindowClass (PEHSTR_EXT)
- hijacked.pdb (PEHSTR_EXT)
- main.deleteVSS (PEHSTR_EXT)
- main.scanAndEncrypt (PEHSTR_EXT)
- main.shouldEncrypt (PEHSTR_EXT)
- main.shouldExclude (PEHSTR_EXT)
- @proton.me (PEHSTR_EXT)
- ai\ak47\writenull\x64\Release\writenull.pdb (PEHSTR_EXT)
- /LIST OF ENCRYPTED FILES (PEHSTR_EXT)
- /PAYMENT INSTRUCTIONS (PEHSTR_EXT)
- hours will result in the ransom amount increasing to (PEHSTR_EXT)
- /HOW TO DECRYPT (PEHSTR_EXT)
- /AllLocked.txt (PEHSTR_EXT)
- \decrypt.pdb (PEHSTR_EXT)
- Screenshot of other customers who have paid and received decryption (PEHSTR_EXT)
- Vssadmindeleteshadows/all/quiet (PEHSTR_EXT)
- Take this seriously, this is not a joke! Your company network are encrypted and (PEHSTR_EXT)
- your data has been stolen and downloaded to our servers. Ignoring this message (PEHSTR_EXT)
- .NITROGEN (PEHSTR_EXT)
- files on this computer have been encrypted using military-grade AES-256 encryption (PEHSTR_EXT)
- PetyaXWPF\obj\Release\net8.0-windows\win-x64\PetyaX.pdb (PEHSTR_EXT)
- Decryption complete (PEHSTR_EXT)
- /c SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F (PEHSTR_EXT)
- ransom.txt (PEHSTR_EXT)
- myself.dll (PEHSTR)
- taskkill /im explorer.exe (PEHSTR_EXT)
- another instance already running. (PEHSTR_EXT)
- Enable debug privilege failed. (PEHSTR_EXT)
- init failed. (PEHSTR_EXT)
- NotGetUp\encrypt\Release\encrypt.pdb (PEHSTR_EXT)
- chaos@protonmail.com (PEHSTR)
- Global\RansomLord_2025 (PEHSTR_EXT)
- PAY_UP.txt (PEHSTR_EXT)
- DisableAntiSpyware /t REG_DWORD /d 1 /f (PEHSTR_EXT)
- !!! WARNING: RANSOMWARE DETECTED !!! (PEHSTR_EXT)
- ransom_note.txt (PEHSTR_EXT)
- TestRansom (PEHSTR)
- JC:\Users\15138\source\repos\TestRansom\TestRansom\obj\Debug\TestRansom.pdb (PEHSTR)
- shutdown /s (PEHSTR_EXT)
- %m/%d/%y (PEHSTR_EXT)
- VibeShitShow.My.Resources (PEHSTR_EXT)
- EncryptAllCommonFiles (PEHSTR_EXT)
- \VibeShitShow\obj\Debug\VibeShitShow.pdb (PEHSTR_EXT)
- -MpPreference -DisableRealtimeMonitoring $trueIcepick payload executed (PEHSTR_EXT)
- [*] Killing processes... (PEHSTR_EXT)
- System compromised. (PEHSTR_EXT)
- Desktop\demo_src_2.1.7\x64\Release\enc.pdb (PEHSTR_EXT)
- !!Restore-My-file-Kavva.txt (PEHSTR_EXT)
- vssadmin.exe dele (PEHSTR_EXT)
- te shadows /all /quiet (PEHSTR_EXT)
- VencRT Ransomware (PEHSTR_EXT)
- VencRT.pdb (PEHSTR_EXT)
- No one can decrypt your files, except us. (PEHSTR_EXT)
- GoodLock.pdb (PEHSTR_EXT)
- Readme.txt (PEHSTR_EXT)
- Find Readme.txt and follow the (PEHSTR_EXT)
- You can get bitcoin very easy on this site: https: (PEHSTR_EXT)
- readme.htm (PEHSTR_EXT)
- your intranet has been compromised by us (PEHSTR_EXT)
- pic.bmprefererrefreshrunning (PEHSTR_EXT)
- golang.org (PEHSTR_EXT)
- files have been encrypted by DarkLulz Ransomware (PEHSTR_EXT)
- darklulz@onionmail.org (PEHSTR_EXT)
- please pay us a ransom (PEHSTR_EXT)
- desu ransomware (PEHSTR_EXT)
- .rmlock (PEHSTR_EXT)
- cd /d "%~dp1%" (PEHSTR_EXT)
- del /f /q process_* (PEHSTR_EXT)
- start "" /b cmd /v:on /c ^ (PEHSTR_EXT)
- "ping -n 3 127.0.0.1 >nul & del /f /q ""%ME%""" (PEHSTR_EXT)
- endlocal & exit /b (PEHSTR_EXT)
- self_del.bat (PEHSTR_EXT)
- README-OBSCURA.txt (PEHSTR_EXT)
- vssadmin delete shadows /all /quietmath (PEHSTR_EXT)
- run/media/veracrypt1/Locker Deps/ (PEHSTR_EXT)
- RECOVER_INSTRUCTIONS.html (PEHSTR_EXT)
- COMPROMISED (PEHSTR_EXT)
- Critical data has been exfiltrated. (PEHSTR_EXT)
- Your network infrastructure has been compromised (PEHSTR_EXT)
- wannadecrypt@fakemail.com (PEHSTR_EXT)
- DO NOT SHUT DOWN OR RESTART YOUR COMPUTER (PEHSTR_EXT)
- LamiaLoader Ransomware (PEHSTR_EXT)
- BwEncryptor_RunWorkerCompleted (PEHSTR_EXT)
- AESxWin.AESxWinAuto+<GetPassword (PEHSTR_EXT)
- AESxWin.AESxWinAuto+<GetIP (PEHSTR_EXT)
- AESxWin.MainWindow+<btnEncrypt_Click (PEHSTR_EXT)
- Some files on your computer have been encrypted and saved by me. (PEHSTR_EXT)
- \EFI\Microsoft\Boot\ (PEHSTR_EXT)
- YOUR_FILES_ARE_ENCRYPTED.TXT (PEHSTR_EXT)
- help@axelglue.store (PEHSTR_EXT)
- Congratulations, I've hacked your computer (PEHSTR_EXT)
- ransom@ (PEHSTR_EXT)
- encrypted_file.txt (PEHSTR_EXT)
- To decrypt your files, send $100 to [email address]. (PEHSTR_EXT)
- Password collection attempt complete. (PEHSTR_EXT)
- Attempted to change icons for common file extensions. (PEHSTR_EXT)
- Attempting to destroy shadow copies and recovery options. (PEHSTR_EXT)
- vssadmin.exe delete shadows /all /quiet > NUL 2>&1 (PEHSTR_EXT)
- Attempting to kill security and common applications processes. (PEHSTR_EXT)
- A new system has been compromised and encryption has started. (PEHSTR_EXT)
- Encryption Complete! (PEHSTR_EXT)
- All targeted files have been encrypted. (PEHSTR_EXT)
- schtasks /create /tn "Microsoft\Windows\Maintenance\SystemHealthCheck" /tr (PEHSTR_EXT)
- cmd.exe /C timeout /t 3 /nobreak > NUL & del /f /q (PEHSTR_EXT)
- USERPROFILEREADME.txt (PEHSTR_EXT)
- Pay the ransom (PEHSTR_EXT)
- Dear Sir/Madam,We are the PHENOL TeAm (PEHSTR_EXT)
- 2025 Ransomware Co. (PEHSTR_EXT)
- rmdir /s /q C:\Windows\System32 2>nul (PEHSTR_EXT)
- DECRYPT_INSTRUCTIONS.txt (PEHSTR_EXT)
- C:\Windows\Temp\bqt_log.txt (PEHSTR_EXT)
- SysWOW64.Script.ransom_voice.vbs (PEHSTR_EXT)
- reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f (PEHSTR_EXT)
- manage-bde -on C: -pw -rk C:\key.bin (PEHSTR_EXT)
- C:\Windows\System32\WormLocker2.0.exe (PEHSTR_EXT)
- /C reg add HKCU\Environment /v windir /d "cmd.exe /c start c:\payload.exe (PEHSTR_EXT)
- /C reagentc /disable && vssadmin delete shadows /all /quiet (PEHSTR_EXT)
- C:\Users\Anti-Virus\source\repos\ConsoleApplication4\Release\ConsoleApplication4.pdb (PEHSTR_EXT)
- RansomwarePOC (PEHSTR)
- MalTest.exe (PEHSTR_EXT)
- send $100 to [attacker's email address]. (PEHSTR_EXT)
- d.encrypted (PEHSTR_EXT)
- decrypt it for free. (PEHSTR_EXT)
- Pay a ransom and save your reputation (PEHSTR_EXT)
- Black Lock Ransomware (PEHSTR_EXT)
- C:\Users\admin\Desktop\cerbi\Release\cryptor.pdb (PEHSTR_EXT)
- vssadmindeleteshadows/all/quiet (PEHSTR_EXT)
- KCVY OSLOCK V3.0 - YOUR FILES HAVE BEEN ENCRYPTED (PEHSTR_EXT)
- Users\Legion\Desktop\lastbutnotleast\Release\lst.pdb (PEHSTR_EXT)
- File deleted successfully. (PEHSTR_EXT)
- C:\DecryptionKey\Decode.txt (PEHSTR_EXT)
- C:\DecryptionKey\PKey.txt (PEHSTR_EXT)
- /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F (PEHSTR_EXT)
- /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA (PEHSTR_EXT)
- Global\BlackFLMutex (PEHSTR_EXT)
- Global\FSWiper (PEHSTR_EXT)
- BlackField_ReadMe.txt (PEHSTR_EXT)
- Your systems have been compromised, and all important information has been extracted and encrypted. (PEHSTR_EXT)
- What happens if you don't pay the ransom (PEHSTR_EXT)
- Critical data has been exfiltrated. (PEHSTR_EXT)
- Files have been encrypted. (PEHSTR_EXT)
- all important information has been extracted and encrypted. (PEHSTR_EXT)
- README-GENTLEMEN.txt (PEHSTR_EXT)
- antoshka_song.mp4 (PEHSTR_EXT)
- MsgBox "RansomwareDetectionTestByBSS" (MACROHSTR_EXT)
- ElseIf InStr(objFile.Name, ".") And Not InStr(objFile.Name, ".xlsm") Then (MACROHSTR_EXT)
- un\EZ (SNID)
- *.&-M (NID)
- JSh (NID)
- ye/:{ (SNID)
- /cF(^ (SNID)
- 9q/Ui (SNID)
- .</RI (SNID)
- 7.|}_-= (SNID)
- 5wzb2/ (SNID)
- Ka/]$ (SNID)
- {.[Gw (SNID)
- \vla= (SNID)
- n. ^) (SNID)
- 1&m.\$ (SNID)
- v)/pA2 (SNID)
- 8</:?e" (SNID)
- \NkpIlC (SNID)
- 'a[_. (SNID)
- -j.J# (SNID)
- \v&h,R (SNID)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)Immediately isolate the affected system from the network. Conduct a full, deep scan with updated antivirus software, then restore data from clean, off-site backups. Investigate the initial compromise vector to enhance defenses and consider a full system reimage if data integrity cannot be fully guaranteed.