Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Filecoder
This threat is identified as Trojan:Win32/Filecoder!AMTB, a concrete detection of ransomware. It encrypts user files, deletes Volume Shadow Copies to hinder recovery, and demands a Bitcoin payment via a .onion address, as indicated by explicit ransom notes and instructions found within the sample.
Relevant strings associated with this threat:
- [C:\Users\dennis\Desktop\Software\BSS_ransomware\BSS_ransomware\obj\Debug\BSS_ransomware.pdb (PEHSTR)
- kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion (PEHSTR_EXT)
- Your important files were encrypted on this computer (PEHSTR_EXT)
- To retrieve the private key. you need to pay (PEHSTR_EXT)
- bitcoins. (PEHSTR_EXT)
- Death\obj\Release\ssvchost.pdb (PEHSTR_EXT)
- README_encrypted.txt (PEHSTR_EXT)
- Do not try to recover data, it's wasting your time. (PEHSTR_EXT)
- Every 7 days the price doubles. (PEHSTR_EXT)
- vssadmin delete shadows /all /quiet (PEHSTR_EXT)
- \RESTORE_DLL_FILES.HTML (PEHSTR_EXT)
- \delete.bat (PEHSTR_EXT)
- Ransom.Properties.Resources (PEHSTR_EXT)
- 1.aaf .aep .aepx .plb .prel .prproj .aet .ppj .psd (PEHSTR)
- ,SOFTWARE\Policies\Microsoft\Windows Defender (PEHSTR)
- svhost.exe (PEHSTR)
- C:\Decoder.hta (PEHSTR)
- Data recovery.hta (PEHSTR)
- System.Security.Cryptography (PEHSTR)
- /deletevalue {current} safeboot (PEHSTR)
- bcdedit.exe (PEHSTR)
- /C shutdown /r /f /t 0 (PEHSTR)
- ,X/MHvS8r2rsf+xMoFoVuXNN9VP7QeQZAsvpVldZEujE= (PEHSTR)
- Windows.old (PEHSTR)
- testRansome.pdb (PEHSTR)
- Data.txt (PEHSTR)
- .txt.doc.docx.xls.xlsx.ppt.pptx.pst.ost.msg.em.vsd.vsdx.csv.rtf.123.wks.wk1.pdf.dwg.onetoc2.snt.docb.docm.dot.dotm.dotx.xlsm.xlsb.xlw.xlt.xlm. (PEHSTR)
- CashCat.g.resources (PEHSTR)
- &CashCat.Properties.Resources.resources (PEHSTR)
- J\Documents\GitHub\CashCatRansomwareSimulator\CashCat\obj\Debug\CashCat.pdb (PEHSTR)
- CashCat.exe (PEHSTR)
- stubAES.Resources (PEHSTR_EXT)
- .dsfdsf (PEHSTR_EXT)
- You Successfully Paid Part/All Of Your Outstanding Balance (PEHSTR_EXT)
- http://www.fusionpak.xyz/mal/verify.php (PEHSTR_EXT)
- C:\Users\Samb2\Desktop\DUMB-master\DUMB\obj\Release\DUMB.pdb (PEHSTR_EXT)
- component/app.xaml (PEHSTR_EXT)
- CyptedReady.ini (PEHSTR_EXT)
- component/mainwindow.xaml (PEHSTR_EXT)
- Ransome Ware.g.resources (PEHSTR_EXT)
- Ransome_Ware.Properties.Resources (PEHSTR_EXT)
- Your Windows Computer Has Contracked (PEHSTR_EXT)
- ReadME-Decrypt.txt (PEHSTR_EXT)
- https://paxful.com (PEHSTR_EXT)
- mailto:MREncptor@protonmail.com (PEHSTR_EXT)
- vssadmin.exe delete shadows /all /quiet (PEHSTR_EXT)
- secret.txt (PEHSTR_EXT)
- Ransomware.pdb (PEHSTR_EXT)
- Ransomware2.0 (PEHSTR_EXT)
- Ransomware2._0.Properties.Resources (PEHSTR_EXT)
- Now pay me the ransomware. BTC Address: (PEHSTR_EXT)
- Corona.pdb (PEHSTR_EXT)
- Your personal files are being deleted. Your photos, videos, documents, etc... (PEHSTR_EXT)
- Encryption Complete (PEHSTR_EXT)
- .PATPAT (PEHSTR_EXT)
- patpatware.Properties.Resources (PEHSTR_EXT)
- Still locked. Just pay. (PEHSTR_EXT)
- Unlocked. Thanks for paying. (PEHSTR_EXT)
- password.txt (PEHSTR_EXT)
- .locked (PEHSTR_EXT)
- MALWARE.pdb (PEHSTR_EXT)
- Encrypter.pdb (PEHSTR_EXT)
- \d78b6f30225cdc811adfe8d4e7c9fd34\Encrypter.exe (PEHSTR_EXT)
- \d78b6f30225cdc811adfe8d4e7c9fd34\Decrypter.exe (PEHSTR_EXT)
- ._____TBTT_____ (PEHSTR_EXT)
- encryptor.Properties.Resources (PEHSTR_EXT)
- encryptor.pdb (PEHSTR_EXT)
- To decrypt more, contact: programiletisim1@gmail.com (PEHSTR_EXT)
- .zeronine (PEHSTR_EXT)
- .CONTI (PEHSTR_EXT)
- HOW_TO_DECRYPT.txt (PEHSTR_EXT)
- $RECYCLE.BIN (PEHSTR_EXT)
- !!!READ_ME!!!.txt (PEHSTR_EXT)
- READ_ME.txt (PEHSTR_EXT)
- cmd.exe /C ping 1.1.1.1 -n 10 -w 3000 > Nul & Del /f /q "%s" (PEHSTR_EXT)
- c:\111\hermes\cryptopp (PEHSTR_EXT)
- delete shadows /all /quiet (PEHSTR_EXT)
- vssadmin.exe (PEHSTR_EXT)
- READ_ME.TXT (PEHSTR_EXT)
- HELP_PC.EZDZ-REMOVE.txt (PEHSTR_EXT)
- encrypted_key.bin (PEHSTR_EXT)
- @protonmail.com (PEHSTR_EXT)
- !!!Readme!!!Help!!!.txt (PEHSTR_EXT)
- data1992@protonmail.com (PEHSTR_EXT)
- shutdown.exe (PEHSTR_EXT)
- taskkill.exe (PEHSTR_EXT)
- System.IO.Compression (PEHSTR_EXT)
- If you wanna support me, you can send me a beer money via cryptocurrency. Thanks a lot. (PEHSTR_EXT)
- JonCrypt.pdb (PEHSTR_EXT)
- \Desktop\README.txt (PEHSTR_EXT)
- C:\Windows\Logs\kekw.exe (PEHSTR_EXT)
- https://cdn.discordapp.com/attachments/734517412287873038/746088022356918463/ (PEHSTR_EXT)
- Dont_Worry.txt (PEHSTR_EXT)
- paycrypt@gmail_com (PEHSTR_EXT)
- .wncry (PEHSTR_EXT)
- Cryptolocker.txt (PEHSTR_EXT)
- Help to decrypt.txt (PEHSTR_EXT)
- All encrypted files for this computer has extension: .9465bb (PEHSTR_EXT)
- Rebooting/shutdown will cause you to lose files without the possibility of recovery (PEHSTR_EXT)
- <.onion (PEHSTR_EXT)
- restoremanager@airmail.cc (PEHSTR_EXT)
- https://we.tl/t-ccUfUrQOhF (PEHSTR_EXT)
- Your files are NOT damaged! Your files are modified only. This modification is reversible (PEHSTR_EXT)
- http:// (PEHSTR_EXT)
- .onion/ (PEHSTR_EXT)
- sysnative\vssadmin.exe (PEHSTR_EXT)
- cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q (PEHSTR_EXT)
- vssadmin delete shadows /all (PEHSTR_EXT)
- Read-Me-Now.txt (PEHSTR_EXT)
- /c vssadmin.exe Delete Shadows /All /Quiet (PEHSTR_EXT)
- How Recovery Files.txt (PEHSTR_EXT)
- If you want restore files write on e-mail - jimmyneytron@tuta.io (PEHSTR_EXT)
- .rapid (PEHSTR_EXT)
- ! How Decrypt Files.txt (PEHSTR_EXT)
- .guesswho (PEHSTR_EXT)
- rapid@airmail.cc (PEHSTR_EXT)
- SCHTASKS /DELETE /TN (PEHSTR_EXT)
- networkauto.top (PEHSTR_EXT)
- gate.php (PEHSTR_EXT)
- .crypt (PEHSTR_EXT)
- RANSOM.txt (PEHSTR_EXT)
- .shit (PEHSTR_EXT)
- How__to__decrypt__files.txt (PEHSTR_EXT)
- sicck@protonmail.com (PEHSTR_EXT)
- cmd.exe /c taskkill /f /im (PEHSTR_EXT)
- cmd.exe /c ping 127.0.0.1>nul & del /q (PEHSTR_EXT)
- cry_demo.dll (PEHSTR_EXT)
- cmd_shadow (PEHSTR_EXT)
- If you do not pay, we will publish private data on our news site. (PEHSTR_EXT)
- How_To_Decrypt.txt (PEHSTR_EXT)
- .ini.encrypted (PEHSTR_EXT)
- mARASUF@cock.li (PEHSTR_EXT)
- !INFO.HTA (PEHSTR_EXT)
- Rasomware2.0 (PEHSTR_EXT)
- .Dusk (PEHSTR_EXT)
- cyber.duskfly@protonmail.com (PEHSTR_EXT)
- REPLACE_COMMAND_LINE (PEHSTR_EXT)
- \system32\cmstp.exe (PEHSTR_EXT)
- ig.exe (PEHSTR_EXT)
- DeletedItems.txt (PEHSTR_EXT)
- Starting fake svchost.exe... (PEHSTR_EXT)
- Infecting computer... (PEHSTR_EXT)
- HOW_TO_DECYPHER_FILES.txt (PEHSTR_EXT)
- HOW_TO_DECYPHER_FILES.hta (PEHSTR_EXT)
- All of your network computers files is encrypted (PEHSTR_EXT)
- HELP_DECRYPT_YOUR_FILES.txt (PEHSTR_EXT)
- Cryptor_noVSSnoPers.pdb (PEHSTR_EXT)
- Cryptor.exe (PEHSTR_EXT)
- teiuq/ lla/ swodahs eteled exe.nimdassv c/ dmc (PEHSTR_EXT)
- cmd.exe /c vssadmin Delete Shadows /All /Quiet (PEHSTR_EXT)
- @tuta.io (PEHSTR_EXT)
- \cryptopp800\sha_simd.cpp (PEHSTR_EXT)
- repter@tuta.io (PEHSTR_EXT)
- YOU HAVE BEEN ATTACKED. PLEASE CONTACT ON THIS EMAIL IF YOU WANT TO GET YOUR FILES BACK. (PEHSTR_EXT)
- encrypt.exe (PEHSTR_EXT)
- $\__READ_ME_TO_RECOVER_YOUR_FILES.txt (PEHSTR)
- .encrp (PEHSTR)
- ?C:\Users\MARIO\source\repos\ENCRIPTAR\x64\Release\ENCRIPTAR.pdb (PEHSTR)
- \CryptoSomware.pdb (PEHSTR_EXT)
- ransomware.pdb (PEHSTR_EXT)
- ransomware.exe (PEHSTR_EXT)
- ransomware.g.resources (PEHSTR_EXT)
- ransomware.Properties.Resources (PEHSTR_EXT)
- install\obj\Release\install.pdb (PEHSTR_EXT)
- Users\Public\pay.jpg (PEHSTR_EXT)
- .crypted (PEHSTR_EXT)
- ransomback.png (PEHSTR_EXT)
- UpdateDecrypter.exe (PEHSTR_EXT)
- userPrivateIdKey.txt (PEHSTR_EXT)
- UnluckyWare.exe (PEHSTR_EXT)
- Bytelocker.Properties (PEHSTR_EXT)
- @READ_ME@.txt (PEHSTR_EXT)
- wal.bmp (PEHSTR_EXT)
- Ransomware Demonstration.exe (PEHSTR_EXT)
- RansomwareDemonstration.Properties.Resources (PEHSTR_EXT)
- This is a demonstration of ransomware applications. Do not use unethical (PEHSTR_EXT)
- bck 4.0 2020//11/6 fix 5.virus by znkzz (PEHSTR_EXT)
- paymeplease@sj.ms (PEHSTR_EXT)
- justfile.txt (PEHSTR_EXT)
- INSTRUCTION.txt (PEHSTR_EXT)
- HOW_TO_RETURN_FILES.txt (PEHSTR_EXT)
- taskkill /im (PEHSTR_EXT)
- .exe /T /F (PEHSTR_EXT)
- .encCould not send packet to . (PEHSTR_EXT)
- This program executes potentially dangreous operations (PEHSTR_EXT)
- We're going to encrypt ALL THE THINGS. Type 'YES' to continue. (PEHSTR_EXT)
- Instructions.txt (PEHSTR_EXT)
- RIP Your personal files if you dont pay... (PEHSTR_EXT)
- .himr (PEHSTR_EXT)
- \Microsoft\Windows\SystemRestore\SR" /disable (PEHSTR_EXT)
- /set {default} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
- /set {default} recoveryenabled no (PEHSTR_EXT)
- cipher.exe (PEHSTR_EXT)
- encTest.exe (PEHSTR_EXT)
- r2block_Wallpaper.jpg (PEHSTR_EXT)
- r2bWallpaper.jpg (PEHSTR_EXT)
- BMI DataSender.pdb (PEHSTR_EXT)
- encTest.pdb (PEHSTR_EXT)
- .r2bbb.rar.zip.exe.dll.cub.iso.vdi.msi (PEHSTR_EXT)
- Encryption Completed !!! (PEHSTR_EXT)
- .onion.pet/http/get.php (PEHSTR_EXT)
- /v NoRunNowBackup /t REG_DWORD /d 1 /f (PEHSTR_EXT)
- /v DisableTaskMgr /t REG_DWORD /d 0 /f (PEHSTR_EXT)
- CHOOSE YOUR KEYFILE.txt (PEHSTR_EXT)
- .beethoven (PEHSTR_EXT)
- @yandex.ru (PEHSTR_EXT)
- Select * from Win32_ComputerSystem (PEHSTR_EXT)
- Locker.exe (PEHSTR_EXT)
- 84s)UHg-)IPSvAn:R#f80gi(.resources (PEHSTR_EXT)
- SNg'G9h\]\[vSUuq9qJOkk$(SS!.resources (PEHSTR_EXT)
- READ_ME.html (PEHSTR_EXT)
- http://trustmordor.pw/readme.php?id= (PEHSTR_EXT)
- NOTHERSPACE_USE.Properties.Resources (PEHSTR_EXT)
- Web\crypt\joise\obj\Debug\NOTHERSPACE_USE.pdb (PEHSTR_EXT)
- NOTHERSPACE_USE.exe (PEHSTR_EXT)
- Rasomware2.0.exe (PEHSTR_EXT)
- Rasomware2._0.Properties (PEHSTR_EXT)
- Rasomware2.0.pdb (PEHSTR_EXT)
- love.Properties.Resources (PEHSTR_EXT)
- DISK_ENCODER.exe (PEHSTR_EXT)
- DISK_ENCODER.pdb (PEHSTR_EXT)
- .fmfgmfgm (PEHSTR_EXT)
- deReadMe!!!.txt (PEHSTR_EXT)
- kill.bat (PEHSTR_EXT)
- killme.bat (PEHSTR_EXT)
- .cring (PEHSTR_EXT)
- @protonmail.ch (PEHSTR_EXT)
- Encrypted.php (PEHSTR_EXT)
- /C sc delete VSS (PEHSTR_EXT)
- DecryptionInfo.auth (PEHSTR_EXT)
- .onion.cab/data.php (PEHSTR_EXT)
- NOTHERSPACE_USE.pdb (PEHSTR_EXT)
- NOTHERSPACE_USE.Properties (PEHSTR_EXT)
- test.txt (PEHSTR_EXT)
- Message to be written in test.txt (PEHSTR_EXT)
- Povlsomware 2.0 (PEHSTR_EXT)
- @forgetit.com (PEHSTR_EXT)
- locked.zip (PEHSTR_EXT)
- Ionic.Zlib (PEHSTR_EXT)
- Build.exe (PEHSTR_EXT)
- AlbCry 2.0 (PEHSTR_EXT)
- Ransomware.Properties.Resources (PEHSTR_EXT)
- Razy_5._0.Ransomware (PEHSTR_EXT)
- sendBack.txt (PEHSTR_EXT)
- All your files are encrypted. (PEHSTR_EXT)
- preventchangedesktop.bat (PEHSTR_EXT)
- Let_sBuildRansom.Resources (PEHSTR_EXT)
- !README!.hta (PEHSTR_EXT)
- @tutanota.com (PEHSTR_EXT)
- HOW TO BACK YOUR FILES.exe (PEHSTR_EXT)
- Requirements.pdb (PEHSTR_EXT)
- .EXTEN (PEHSTR_EXT)
- 0RxwEQwgtkSWC9sNTT.exPcKrbSb12M75mfcs (PEHSTR_EXT)
- MvfdfvKNUdwvxfpM4P.2vpl5uS9L0Q3cXZgoO (PEHSTR_EXT)
- Gorgon.Properties.Resources (PEHSTR_EXT)
- .ZIEBF_4561drgf (PEHSTR_EXT)
- temp10.png (PEHSTR_EXT)
- B6541265123.Properties.Resources (PEHSTR_EXT)
- B6541265123.exe (PEHSTR_EXT)
- Mammoti.Properties.Resources (PEHSTR_EXT)
- mammoti.jpg (PEHSTR_EXT)
- ALL FILES LOADED... (PEHSTR_EXT)
- Rasomware2._0.Ransomware2.resources (PEHSTR_EXT)
- Rasomware2._0.Properties.Resources.resources (PEHSTR_EXT)
- unknowndll.pdb (PEHSTR_EXT)
- helpmedecode@tutanota.com (PEHSTR_EXT)
- decryptioner@airmail.cc (PEHSTR_EXT)
- friendly.cyber.criminal (PEHSTR_EXT)
- .jcrypt (PEHSTR_EXT)
- Niros.Properties.Resources.resources (PEHSTR_EXT)
- m@ai@l.@ro@tb@la@u.@eu@ (PEHSTR_EXT)
- Cur@ren@tVer@sion\R@un (PEHSTR_EXT)
- mally@mailfence.com (PEHSTR_EXT)
- fake.pdb (PEHSTR_EXT)
- \ENCRIPTAR\x64\Release\ENCRIPTAR.pdb (PEHSTR_EXT)
- \__READ_ME_ (PEHSTR_EXT)
- sammy70p_y61m@buxod.com (PEHSTR_EXT)
- i.imgur.com (PEHSTR_EXT)
- tantoporciento.com (PEHSTR_EXT)
- ransomware@gmail.com (PEHSTR_EXT)
- )bcdedit /set {default} recoveryenabled no (PEHSTR)
- eiklot@hi2.in (PEHSTR_EXT)
- How_Recover_Files.txt (PEHSTR_EXT)
- JesusCrypt (PEHSTR_EXT)
- SendServerInfo@hitler.rocks (PEHSTR_EXT)
- mail.cock.li (PEHSTR_EXT)
- vssadmin delete shadows /all /quiet & wmic shadowcopy delete (PEHSTR_EXT)
- Your computer was infected with a ransomware virus (PEHSTR_EXT)
- read_apis.txt (PEHSTR_EXT)
- Ransom\Release\Ransom.pdb (PEHSTR_EXT)
- For unlock your files follow the instructions from the readme_for_unlock.txt (PEHSTR_EXT)
- Alphaleonis.Win32.Network (PEHSTR_EXT)
- 2kHjgBUx6QQSkwRnLs5c/AdbjroDU4j5AanCabrpjBLnKCWGKwmlWQZR (PEHSTR_EXT)
- GRSYnKNx1qRCoiCPQqL6MjUHEEOXkMOWITh/CacwQDMEEn2SlxDDisLvybdjw9y1Q== (PEHSTR_EXT)
- C:\Users\Steve\source\repos\CryptoLocker\Release\fluffy.pdb (PEHSTR_EXT)
- //blockchain.info/ (PEHSTR_EXT)
- \del.bat (PEHSTR_EXT)
- FILES_BACK.txt (PEHSTR_EXT)
- /deny *S-1-1-0:(OI)(CI)(DE,DC) (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- delself.bat (PEHSTR_EXT)
- ShellExecuteW (PEHSTR_EXT)
- Microsoft\Windows\Start Menu\Programs\Startup\h.vbs (PEHSTR_EXT)
- CreateObject("WScript.Shell") (PEHSTR_EXT)
- eicar.com (PEHSTR_EXT)
- taskkill /f /IM explorer.exe (PEHSTR_EXT)
- !P%@AP[4\PZX54(P (PEHSTR_EXT)
- cryptmanager@protonmail.com (PEHSTR_EXT)
- cmd.exe /c vssadmin delete shadows /all /quiet (PEHSTR_EXT)
- ReadMe_Decryptor.txt (PEHSTR_EXT)
- taskkill /f /im sqlserver.exe (PEHSTR_EXT)
- cmd.exe /c wmic shadowcopy delete (PEHSTR_EXT)
- Your computer was infected with a ransomware virus (PEHSTR_EXT)
- HKLM\SOFTWARE\recfg\sk_key (PEHSTR_EXT)
- ynet.co.il (PEHSTR_EXT)
- output.txt (PEHSTR_EXT)
- :\Windows\Temp\desktop.jpg (PEHSTR_EXT)
- SavitarRW.exe (PEHSTR_EXT)
- SavitarRW\SavitarRW\obj\Debug\SavitarRW.pdb (PEHSTR_EXT)
- bcdedit /set {default} recoveryenabled no (PEHSTR_EXT)
- We can fix it and restore files. (PEHSTR_EXT)
- Decryption.helper@aol.com (PEHSTR_EXT)
- Decryption.help@cyberfear.com (PEHSTR_EXT)
- EnCrypt.Properties.Resources (PEHSTR_EXT)
- EnCrypt.pdb (PEHSTR_EXT)
- EnCryptExeName (PEHSTR_EXT)
- SOFTWARE\FCVdDodDeiWxLDNDX (PEHSTR_EXT)
- SOFTWARE\RRansom (PEHSTR_EXT)
- https://iplogger.com/ (PEHSTR_EXT)
- BigCashForYou.exe (PEHSTR_EXT)
- At the moment, your system is not protected. (PEHSTR_EXT)
- To get started, send a file to decrypt trial. (PEHSTR_EXT)
- Malicious code executed (PEHSTR_EXT)
- Xinfecter.exe (PEHSTR_EXT)
- schtasks /create /sc minute /mo (PEHSTR_EXT)
- vssadmin.exe Delete Shadows /All /Quiet (PEHSTR_EXT)
- locked@onionmail.org (PEHSTR_EXT)
- liveteam@onionmail.org (PEHSTR_EXT)
- Your network has been breached and all data was encrypted. Please contact us at: (PEHSTR_EXT)
- https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ (PEHSTR_EXT)
- bin\RuntimeBrokerPY.exe (PEHSTR_EXT)
- \EncryptDecryptFiles\obj\Debug\Colinware.pdb (PEHSTR_EXT)
- \___RECOVER__FILES__.Sology.txt (PEHSTR_EXT)
- All of your files have been encrypted. (PEHSTR_EXT)
- floxen\source\repos\RanSom\obj\Debug\RanSom.pdb (PEHSTR_EXT)
- RanSom.pdb (PEHSTR_EXT)
- Lokkit v1\Lokkit v1\obj\Release\Lokkit v1.pdb (PEHSTR_EXT)
- RANSOMWARE.pdb (PEHSTR_EXT)
- Example_RANSOMWARE.Encryption (PEHSTR_EXT)
- start info.txt (PEHSTR_EXT)
- ransomware001.pdb (PEHSTR_EXT)
- <target directory> [/v] [/s] [/o] [/a] [/r] [-c <number>] [-d <second>] (PEHSTR_EXT)
- TPF2.Properties.Resources.resources (PEHSTR_EXT)
- TapPiF.Properties (PEHSTR_EXT)
- YOU BECOME THE VICTIM OF TAF.G MALWARE! (PEHSTR_EXT)
- @Please_Read_Me@.exe (PEHSTR_EXT)
- \ShellLocker Ransomware\ShellLocker\ShellLocker\bin\ShellLocker.pdb (PEHSTR_EXT)
- \startRans.bat (PEHSTR_EXT)
- \recoveryKey.txt (PEHSTR_EXT)
- \Programs\Startup\startVs.bat (PEHSTR_EXT)
- \windows\system32\shutdown /r /t 0 (PEHSTR_EXT)
- System.Security.Cryptography (PEHSTR_EXT)
- \rounc.pdb (PEHSTR_EXT)
- CurrentVersion\Run (PEHSTR)
- C:\TEMP\ransombear.exe (PEHSTR_EXT)
- C:\TEMP\LaunchRansombear.dll (PEHSTR_EXT)
- C:\WINDOWS\system32\cmd.exe /c C:\ransombear.exe (PEHSTR_EXT)
- NBA_LOG.txt (PEHSTR_EXT)
- Unhook module: %ntdll.dll (PEHSTR_EXT)
- We recommend to you turn off or disable all antivirus and use your computer only for sending money until decryption does not complete (PEHSTR_EXT)
- C:\HELP-RANSOMWARE.txt (PEHSTR)
- Gpowershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File (PEHSTR)
- alpacino.pdb (PEHSTR)
- /c2/receiver (PEHSTR_EXT)
- \\.\PhysicalDrive (PEHSTR_EXT)
- shellexecute=DEAD97.exe (PEHSTR_EXT)
- YOUR COMPUTER HAS BEEN FUCKED BY THE MEMZ TROJAN (PEHSTR_EXT)
- [f\0# (SNID)
- \README.txt (PEHSTR)
- \Windows (PEHSTR)
- README.txt (PEHSTR_EXT)
- .onion (PEHSTR_EXT)
- main.erase (PEHSTR_EXT)
- main.doEncrypt (PEHSTR_EXT)
- os.(*Process).kill (PEHSTR_EXT)
- main.Run (PEHSTR_EXT)
- vssadmin delete shadows //all //quiet & wmic shadowcopy delete (PEHSTR_EXT)
- \source\repos\Morgan\Morgan\obj\Release\Morgan.pdb (PEHSTR_EXT)
- look at any file with .raz extension (PEHSTR_EXT)
- AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (PEHSTR_EXT)
- Bazek Ransomware.pdb (PEHSTR_EXT)
- Bazek Ransomware.exe (PEHSTR_EXT)
- CashCat.pdb (PEHSTR_EXT)
- CashCat.exe (PEHSTR_EXT)
- NOSU.pdb (PEHSTR_EXT)
- NOSU.Resources.resources (PEHSTR_EXT)
- K.G.B - Burhan Alassad (PEHSTR_EXT)
- &VoidCrypt encrypted all of your files. (PEHSTR)
- %There is no way to recover any files. (PEHSTR)
- 'Each file has been encrypted using RSA. (PEHSTR)
- 3There is nothing left on your system except the OS. (PEHSTR)
- self_deleting_script.vbs (PEHSTR_EXT)
- BlackStriker.pdb (PEHSTR_EXT)
- majordom\client\majordom\majordom\obj\Debug\majordom.pdb (PEHSTR_EXT)
- EnternalRed\obj\Debug\JPG-Datei.pdb (PEHSTR_EXT)
- .encrypted (PEHSTR)
- recover files,view here.txt (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- /c vssadmin.exe delete shadows /all /quiet (PEHSTR_EXT)
- \x64\Release\Big Ransomware.pdb (PEHSTR_EXT)
- \ransom_note.txt (PEHSTR_EXT)
- onion/chat (PEHSTR_EXT)
- WannaDecryption.pdb (PEHSTR_EXT)
- Decryption completed! (PEHSTR_EXT)
- Start Menu\Programs\Startup (PEHSTR_EXT)
- ussadmin.exe celete shadows /all (PEHSTR_EXT)
- /h1:LYDUdQBzWPgCOuwoGl3qPECiKXwqE0+tA9JM1kvIpfw= (PEHSTR)
- main.setWallpaper (PEHSTR)
- -Prince-Ransomware/filewalker.EncryptDirectory (PEHSTR)
- Command & Control (PEHSTR_EXT)
- Pay the ransom to get the decryption key. (PEHSTR_EXT)
- killing Cmdexec (PEHSTR_EXT)
- cmd /c "vssadmin Delete Shadows /All /Quiet" (PEHSTR_EXT)
- cmd /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures" (PEHSTR_EXT)
- cmd /c "taskkill /F /IM (PEHSTR_EXT)
- encv2.pdb (PEHSTR)
- vcry\x64\Release\vcry.pdb (PEHSTR_EXT)
- All your personal informations, datas, Files, Documents, Pictures, Logins, Videos etc.. all were completely ENCRYPTED (PEHSTR_EXT)
- INC-README.txt..windowsprogram filesappdata$recycle.binINC.log.dll (PEHSTR_EXT)
- exe (PEHSTR_EXT)
- taskkill /f /im explorer.exe (PEHSTR_EXT)
- Desktop wallpaper changed successfully. (PEHSTR_EXT)
- Failed to create flash window. Error code: (PEHSTR_EXT)
- Screen flash complete. (PEHSTR_EXT)
- Failed to set autostart registry value. Error code: (PEHSTR_EXT)
- %s.enc (PEHSTR_EXT)
- C:\nodecryptor.txt (PEHSTR)
- BAll your important files have been encrypted! Your data is locked. (PEHSTR)
- vssadmin delete shadows /all /quiet >nul (PEHSTR_EXT)
- bcdedit /set {default} recoveryenabled no >nul (PEHSTR_EXT)
- svchost_log.txt (PEHSTR_EXT)
- files encrypted. Check README (PEHSTR_EXT)
- cmd /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /v DelegateExecute /f (PEHSTR_EXT)
- ransomeware.ps1 (PEHSTR_EXT)
- UniKeyNT.exe (PEHSTR_EXT)
- vssadmin delete shadowstorage /all /quiet (PEHSTR_EXT)
- reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f (PEHSTR_EXT)
- reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f (PEHSTR_EXT)
- \Desktop\readme.txt (PEHSTR_EXT)
- .heartbreaker (PEHSTR)
- github.com/saaaarwar/mimicore (PEHSTR)
- bitcoins.com (PEHSTR)
- C:\Windows\System32\drivers\etc\hosts (PEHSTR_EXT)
- encryption_log.txt (PEHSTR_EXT)
- .LockedA (PEHSTR_EXT)
- DontDeleteThisFolder\Enc.key (PEHSTR_EXT)
- .ENCRYPT (PEHSTR_EXT)
- main.deleteVSS (PEHSTR_EXT)
- main.encryptFile (PEHSTR_EXT)
- main.scanAndEncrypt (PEHSTR_EXT)
- main.shouldEncrypt (PEHSTR_EXT)
- main.shouldExclude (PEHSTR_EXT)
- .encrypted (PEHSTR_EXT)
- ransom.txt (PEHSTR_EXT)
- Your files have been encrypted. (PEHSTR_EXT)
- ransom.jpg (PEHSTR_EXT)
- taskkill /im explorer.exe (PEHSTR_EXT)
- Global\RansomLord_2025 (PEHSTR_EXT)
- PAY_UP.txt (PEHSTR_EXT)
- DisableAntiSpyware /t REG_DWORD /d 1 /f (PEHSTR_EXT)
- ransom_note.txt (PEHSTR_EXT)
- program files\vmware\vmware tools\vmtoolsd.exe (PEHSTR_EXT)
- program files\oracle\virtualbox guest additions\vboxservice.exe (PEHSTR_EXT)
- shutdown /s (PEHSTR_EXT)
- %m/%d/%y (PEHSTR_EXT)
- TouchMeNot_.txt (PEHSTR_EXT)
- log.txt (PEHSTR_EXT)
- System compromised. (PEHSTR_EXT)
- llm-ransom/llm.go (PEHSTR_EXT)
- main.serverip (PEHSTR_EXT)
- main.model (PEHSTR_EXT)
- .getenv (PEHSTR_EXT)
- io.popen (PEHSTR_EXT)
- bit32.bxor (PEHSTR_EXT)
- USERPROFILEREADME.txt (PEHSTR_EXT)
- config.txt (PEHSTR_EXT)
- bcdedit /set {default} recoveryenabled No (PEHSTR_EXT)
- send $100 to [attacker's email address]. (PEHSTR_EXT)
- d.encrypted (PEHSTR_EXT)
- /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F (PEHSTR_EXT)
- /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA (PEHSTR_EXT)
- Global\BlackFLMutex (PEHSTR_EXT)
- Global\FSWiper (PEHSTR_EXT)
- BlackField_ReadMe.txt (PEHSTR_EXT)
- Encryption Completed (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Associated sample hashes:
- 487a718afc173510afccd83813bafb7d5e0ded2e2848d01468dcce873f785687
- 12e897b7c585b80749575ab75cac9813324b55a27356127afce9b6a3e756c718
Recommended response: Immediately isolate the infected system from the network. Remove the detected malware and restore data from verified backups. Conduct a full system scan with updated antivirus, patch all operating system and software vulnerabilities, and educate users on phishing and suspicious file handling.